Human error is a well-documented vulnerability in cybersecurity and a boon to threat actors engaging in any number of different cybercrimes. Research indicates that human error has been a leading cause of data breaches in recent years, with some estimates suggesting that it is responsible for up to 80% or more of such incidents. While some mistakes may be the result of a momentary lapse in judgment, others are the result of falling for increasingly sophisticated social engineering tactics. Social engineering relies on psychological manipulation, which is an exceptionally effective method that threat actors use to gain access to sensitive information. It’s also incredibly dangerous because social engineering attacks often use legitimate tools designed to deceive an individual, allowing them to slip past common security layers. In this blog post, we delve into the various forms that social engineering attacks can take, the different phases of an attack, and the reasons why they are so effective. We also provide tips for both individuals and organizations on how to protect against such attacks.
What Is Social Engineering and How Does It Work?
Social engineering attacks are a type of cybercrime designed to exploit human weakness by using psychological manipulation to trick individuals into divulging sensitive information or performing actions that may be against their own interests. These attacks are usually financially motivated: the goal is typically to gain access to confidential information or systems that the threat actors can then leverage for fraudulent or malicious purposes.
While there are numerous types of social engineering attacks, they all tend to involve tactics such as building trust and rapport with a target, using authority or legitimacy to coerce a response, or exploiting human emotions such as fear, greed, or curiosity. For example, a threat actor may pose as a legitimate authority figure, such as a technical support representative, and use this position of authority to convince a target to disclose sensitive information or download malicious software. Alternatively, they may use fear or urgency to convince a target to take immediate action, such as clicking on a link or opening a file that contains malware. Other attacks, like a recent PayPal payment request scam, forgo the link altogether and instead prompt the user to call a phone number. These tactics are designed to bypass an individual’s natural defenses and exploit their trust, willingness to help, and momentary lapses in judgment.
Types of Social Engineering Tactics
There are many different tactics that attackers may use in a social engineering attack, and it is important to be aware of the most common ones to protect against cybercrime.
- Phishing Attacks — Phishing is the most common type of social engineering attack and involves tricking individuals into revealing sensitive personal information through fake emails or websites.
- Spear Phishing — A form of phishing, spear phishing is a “targeted” attack in which a threat actor sends fraudulent emails purporting to be from a reputable and trustworthy source in order to deceive a particular individual or company into revealing vulnerabilities or sensitive information.
- Whaling — A targeted phishing attack in which cybercriminals claim to be an executive or senior official of an organization in order to deceive senior members of another organization, with the aim of stealing money or sensitive information, or otherwise gaining access to computer systems.
- Smishing — Short for SMS Phishing, Smishing occurs when the attacker tricks the user into clicking a link, disclosing sensitive information, or downloading a trojan, virus, or other piece of malware using the text—or SMS—features on their cellular phone or mobile device.
- Vishing — The equivalent of a phishing attack carried out over a telephone or VoIP (Voice over Internet Protocol) network, in an attempt to scam a victim into revealing personal details that are then used for identity theft, credit card fraud, and more.
- Baiting — Baiting uses email or other communication channels to offer something appealing in order to entice the victim to reveal, for example, login credentials or financial information.
- Piggybacking/Tailgating — Piggybacking, also known as tailgating, is when an unauthorized individual gains access to a restricted area by following someone who has legitimate access. This type of security breach can be a serious threat, as it allows the attacker to bypass security measures and enter a building, computer system, or other restricted area without being detected.
- Pretexting — Pretexting manipulates victims by using the pretext of a fabricated scenario, such as a need to confirm their identity, to convince them to share sensitive information which may be used for identity theft, or to carry out secondary attacks that exploit an organization.
- Business Email Compromise (BEC) — BEC is a highly targeted spear phishing attack that relies on name recognition to guide victims into completing a request to either transfer money or divulge confidential or sensitive company details.
- Quid Pro Quo — A quid pro quo scam occurs when the attacker offers the target something in exchange for some action or information, such as offering tech support in exchange for access to secure information.
- Honeytraps — Honeytraps, otherwise known as romance fraud, involve attackers feigning a romantic or sexual relationship with the victim in order to coax them into wiring money or providing sensitive information.
- Scareware — This type of malicious software creates the illusion that a user’s computer is infected with a virus or other malware and uses fear-based tactics to motivate the victim into taking action.
- Watering Hole Attacks — In this attack, an attacker compromises a specific website or group of websites likely to be visited by a particular group of individuals with the goal of infecting the visitors’ computers with malware.
The Stages of a Social Engineering Attack
Like most types of cybercrime, social engineering attacks come in a myriad of forms, although most follow a similar pattern that can be broken into four phases: Discovery and Investigation; Deception and Hook; Attack; and Retreat.
Phase one: Discovery and Investigation. Threat actors identify targets who have what they’re seeking, which may include credentials, data, unauthorized access, money, confidential information, etc. Once the targets have been chosen, the threat actors begin building a profile of their targets’ digital footprint using various tools and techniques that allow them to collect and analyze large amounts of data quickly and efficiently, such as search engines, social media scraping tools, and data mining algorithms. These digital profiles are subsequently used to tailor social engineering attacks in ways that are most likely to deceive their targets.
Armed with a detailed profile of observed online behavior, interests, and connections, the threat actor moves on to phase two: Deception and Hook. The goal in this phase is to leverage details about a target’s interests and connections to create personalized phishing emails or messages designed to gain the target’s trust. They may also use information about the target’s online behavior to predict their actions and customize the attack further.
Cue phase three: Attack. At this point, the victim has taken the initial bait and may end up clicking a link that secretly installs malware, calling a phone number and giving up credentials or other sensitive information, or even allowing a threat actor posing as a support technician to gain access to a device using remote access tools.
Final phase: Retreat. The threat actor attempts to remove any trace of their presence. They take all of the information from one attack cycle and either use that to become more effective in the next cycle or as a point of entry for larger, more complex secondary attacks that target organizations.
The Effectiveness of Social Engineering Attacks
Attackers gravitate towards social engineering to commit cybercrimes for a few primary reasons, the first of which is that it’s highly effective. The fundamental strength of social engineering as an attack method is that it exploits the human psychology behind trust, fear, greed, or curiosity, and leverages that very exploitation to coax targets into divulging sensitive information or performing actions that may be against their own interests. Because these attacks rely on natural behaviors and tendencies, they can still succeed against individuals who are aware of the risks and have received training on how to protect against them. The second is that it’s an easy, low-cost way to gain network access without having to invest in more complicated techniques like cross-site scripting, brute force attacks, man-in-the-middle, etc. And third, these attacks can bypass the very technical safeguards (e.g. firewalls and antivirus software) that are designed to protect against technical attacks such as malware or hacking. This means that even well-secured systems can be vulnerable to social engineering attacks.
Social Engineering Attack Prevention: Tips for Individuals and Organizations
Individuals can take several steps to prevent threat actors from building a profile of their digital footprint.
- Limit the amount of personal information that is shared online. Threat actors often use publicly available information to build a digital profile of their prey. By limiting the amount of personal information that is shared online, individuals can reduce the amount of information that is available to threat actors.
- Use privacy settings on social media. Most social media platforms offer privacy settings that allow users to control who can see their profile and posts. By adjusting these settings, individuals can limit the amount of information that is visible to the public.
- Be cautious when sharing personal information. Individuals should be cautious when sharing personal information, such as their name, address, or phone number, online. They should also be wary of providing sensitive information, such as passwords or bank account numbers, in response to unsolicited requests.
Organizations can also take steps to protect themselves. Namely:
- Implement awareness training programs. By educating employees about the risks of social engineering attacks and how to identify and prevent them, organizations can help protect against these types of attacks.
- Use technical safeguards. Technical safeguards such as multi-factor authentication, firewalls, and antivirus software can help protect against social engineering attacks by adding an extra layer of security.
- Implement policies and procedures. Organizations should implement policies and procedures that outline how employees should handle sensitive information and how to identify and report potential social engineering attacks.
Social engineering attacks are a growing concern for all, as they can be difficult to detect and prevent. By understanding how they work and following the above guidelines and precautions, individuals and organizations can reduce their risk of falling victim to this type of cybercrime.