Social engineering began as a discipline of social science: the use of influence to change people’s behaviour and bring about changes in society, studied across groups such as government, media, academia and industry.
With the spread of technology and the rise of security concerns, the term has taken on a second meaning. Cyber criminals use social engineering to trick people through deceptive techniques or information that disguises their real intentions. Today social engineering is an active element of the cyber attack chain: insider threats, spear-phishing, smishing and vishing all involve a social engineering element as the starting point.
What is social engineering in cyber security?
Social engineering is defined as exploiting human psychology to manipulate people into performing actions or divulging confidential information. The same concept appears in social science, psychological warfare and computer security, and it can be highly effective. Corporations spend millions on prevention mechanisms because they know how devastating it is when social engineers compromise their assets.
So, what does the art of social engineering consist of?
Social engineering is an effective means of cyber attack that threat actors and competent malicious social attackers apply to their targets to obtain the access, data or assets they want. The objectives vary with the attacker’s goal, but the primary targets are generally employees, colleagues and friends, and often the business owner and the board members.
The social engineering attack lifecycle consists of the following phases:
- Target analysis – Preparing the attack by analysing the target: identifying the victims, gathering background information and choosing the attack vectors most likely to succeed.
- Hook – Preparing a hook engaging enough to win trust in the shortest possible time, so that the victim is quickly deceived into clicking a link, submitting information or a similar action.
- Play – Extending the initial foothold to keep access to information over a longer period. This is mainly done to exfiltrate data while carefully bypassing alerting mechanisms so that monitoring controls raise no suspicion; for instance, large data files are usually split into parts and compressed in different formats.
- Closure – The exit phase, where attackers try to delete their footprints by removing malware traces, changing timestamps and removing other evidence. This is done to avoid getting caught and to deny the victim any information that would help trace the attack back.
A social engineering attack unfolds in a few phases. The cyber criminals first investigate the target to find the information needed to identify potential weak points, missing security controls, vulnerable protocols and so on, which later helps them prepare their tactics before the actual social engineering attack.
Next, the criminals prepare the attack plan using social engineering tactics likely to gain the victim’s trust and make it easier to break the security mechanism. Victims are generally targeted through phone calls, online activity and often in person, with the aim of gaining or escalating privileges and obtaining sensitive information such as personally identifiable information (PII) and financial details. The attacker does not rely on a single source: he or she approaches other staff or authorities in the targeted organisation to collect more data and to add credibility to the information obtained from the first source.
What are the impacts of Social Engineering?
Businesses around the globe suffer the most from social engineering attacks. According to some reports and statistics, 98% of cyber attacks rely on social engineering. As cybercrime becomes more lucrative, the impact of cyber attacks goes beyond data theft or financial loss: any social engineering scam can have a damaging effect on a business’s reputation, finances or operations.
It is more convenient to manipulate humans than to compromise tools and defence mechanisms that require technical competence. Attackers prefer social engineering because giving the human mind a false impression takes less effort than defeating the tools. It is easy to hide behind a legitimate persona to take money out or install a backdoor into a system with minimal chance of detection.
A successful social engineering attack gives the attacker access that appears authorised and authentic. Once the attacker has the same open access as the employee or individual, he or she can infiltrate the system, network or data with malicious activities or exfiltrate the data. This exfiltration compromises the business and results in data theft, data leakage or modification; in worse cases, it leads to ransomware.
Currently, most businesses are aware of the negative effects and possible consequences of a successful cyber attack on the company or organisation. They are often unaware, however, of how severe an impact a social engineering attack can have on the business in both the short and the long term.
Short term effects on business:
Some social engineering attacks have the power to disrupt your infrastructure or business immediately.
For example, if a member of staff falls for a social engineering attack and downloads malicious software or a file, or clicks a malicious website, the malicious software (malware) may infiltrate the internal environment and encrypt data or files for ransom.
In such circumstances, the business may suffer the short-term financial loss of paying the ransom to have the files decrypted.
Long term effects on business:
The long-term effects of social engineering on any type of business last longer and are less apparent than the short-term impact.
After a successful social engineering attack in which the attacker gets hold of customer data or other personal information, loss of customer trust and reputational damage are certain. In addition, the organisation faces legal requirements and lawsuits, with penalties ranging from €20 million (about £18 million) to 4% of annual global turnover. This becomes more severe with large-scale data theft, where it can take a year to regain reputation and customer trust and settle the lawsuits.
Similarly, in the ransomware case mentioned earlier, the short-term impact can turn into a long-term effect if the attacker has gained access to another network or infrastructure and plans to maintain a foothold or install a backdoor and a command-and-control (C2) server to steal data or spy on the organisation’s activities. This is especially valuable to the attacker in supply chain attacks. Advanced threat actors choose to hide their identity after gaining access to the network and complete their mission while remaining in the environment for months and sometimes years.
Lastly, after frequent successful social engineering attempts, clients and customers may be unwilling to risk their data privacy by continuing to do business with an organisation that no longer holds a good reputation. This is likely to hand potential customers to competitors.
What are the types of social engineering?
Generally, the attacker uses open-source intelligence (OSINT): publicly available information collected from the company website, social and shared networks, forums, newspapers and so on. It helps them identify potential staff or victims in the targeted organisation and plan the initial attacks to extract sensitive information and further access points. Social engineering attacks are carried out through many different techniques and can be performed anywhere human interaction is involved.
This includes targeting the victim in the digital sphere as well as in the physical arena. The most effective and common types of social engineering attack are:
Phishing is the most used and most common form of social engineering attack; malicious attackers carry it out through infected emails (known as phishing emails). In 2020, 22% of breaches involved phishing attacks. In phishing scams, attackers trick the target into disclosing sensitive data such as credentials, financial or personal information, or into granting access to legitimate assets. The attacker achieves the goal by getting the user to compromise security through malicious software (commonly known as malware) embedded in links or attachments, or through redirection to a malicious website.
Phishing attacks use a variety of techniques that help the threat actor achieve the goal. Some of the main methods are:
Business Email Compromise (BEC)
In BEC phishing attacks, the attacker impersonates a legitimate person, often senior or executive staff, and manipulates the target into initiating a fund transfer, payment or other financial giveaway, and sometimes into handing over secrets or sensitive data such as business records, financial records and trade secrets.
Business Email Compromise attacks are on the rise, as hackers have found ways to intercept and alter emails sent via business mail servers. These attacks can lead to identity theft, data breaches, financial loss or other negative consequences for an organisation.
Spear phishing is a more targeted attempt than simple phishing emails. Unlike random phishing emails, spear phishing is more sophisticated because attackers research the targeted organisation to single out specific employees with particular roles, responsibilities and access. It targets the employees of the organisation who have privileged access or information.
Whaling is another type of phishing attack, also known as CEO fraud. It is a cleverly crafted phishing attack aimed at senior executives that often disguises itself as a legitimate request for information, such as an invoice or bank statement. The cyber criminals behind this fraud use social engineering techniques to encourage victims to perform secondary actions such as initiating wire transfers.
Smishing is a phishing method carried out over text messages or messaging apps to deceive the victim and trick them into giving up sensitive information, credentials and so on. Attackers often use smishing to bypass multi-factor authentication, and the SMS content frequently contains links to malware or fraudulent websites.
Vishing is another common social engineering technique. What makes it distinct from phishing is that it is carried out over phone calls. In vishing, the attacker draws you into a conversation to ask for your banking credentials or organisation information, impersonating a technical support officer, a banking officer or sometimes a colleague to collect personal and other information of interest.
Pretexting relies on prior communication between the attacker and the victim. In pretexting, the attacker engages the victim with a plausible story or scenario while posing as an authorised person.
The critical part of pretexting is the story the attacker creates to engage the victim in conversation and convince them to share information or give away their credentials or access.
Baiting heavily targets the victim’s psychology by enticing them with curiosity or greed. Unlike phishing attacks, baiting can be performed digitally as well as physically. Online baiting tricks someone with too-good-to-be-true offers or similar attention-grabbing opportunities in exchange for some information.
Here the attacker fools the target by offering a discount, giveaway or free goods and services in exchange for login credentials, or by distributing infected devices or physical media.
Quid Pro Quo
Another form of social engineering attack is the quid pro quo technique. Unlike baiting, quid pro quo relies on a mutual exchange: credentials for money, for solving an issue, or for some service. Most of the time, the attacker targets IT or technical support staff by impersonating a security researcher or a technical person from some organisation offering free services or material goods in exchange. They often trick the target into switching off security controls (turning off the anti-virus or anti-phishing solution, granting physical access to a data centre or system, and so on) in order to download malware or extract information.
Also known as piggybacking, tailgating involves gaining access to a restricted area by unauthorised means. This type of social engineering attack involves stealing or borrowing authorised access by tricking a person into handing over an ID card, social security number, laptop or system, in order to extract valuable data or install malware. It also covers gaining improper access by following a legitimate person into official premises, or tricking the security check by feigning familiarity or telling made-up stories to get past the front desk or screening.
Shoulder surfing is a simple technique for obtaining login credentials or other interesting information by watching someone’s screen while passing by or looking over their shoulder, and either memorising it or writing it down.
Is phishing social engineering?
Phishing is one of the most common techniques social engineers use to lure victims into giving away confidential information or access, or into clicking a malicious link.
Phishing vs social engineering
Social engineering is a broad domain in cyber security that relies on human hacking instead of exploiting technical, software or code flaws. Phishing is one of the tactics used within that domain. Phishing involves subconscious manipulation through emails carrying suspicious attachments or web URLs and emotionally targeted content with a sense of urgency, so that the recipient makes a security mistake or gives out valuable data.
What are examples of social engineering techniques?
Human emotions are powerful and can make or break anything, which is what benefits social engineers most. Social engineering has always been the favourite tool of ill-intentioned attackers, and they have been using it for ages.
Here are some examples of social engineering attacks used repeatedly by attackers to gain finance, access points and other benefits, or to commit different types of cyber attack.
Grabbing human attention with a sense of urgency is the most common device in social engineering attacks. Attackers push their target to perform an urgent action, crafting the scenario and the tone of the email to convey urgency and the need to act quickly.
In 2016 the world witnessed a prime example of a phishing attack when Democratic National Convention employees fell for a spear-phishing attack. The hacker prepared and sent an email that appeared to the victim to have come from Google, asking them to reset their password. The email contained a clickable password-reset link, and its content claimed that malicious activity was going on in the subject’s email account. The phishing attempt successfully tricked people into urgently changing their account password to stop the supposed activity; they believed the information provided, and in doing so handed over access to their accounts.
Another social engineering attempt was made on the cyber security company RSA SecurID in 2011, when a phishing email was sent to some employees with an Excel attachment claiming to contain another company’s recruitment plan. When employees opened the Excel document, it exploited a Flash vulnerability and installed a backdoor on the infected system. This minor negligence caused the company to pay a penalty of $66 million.
Similarly, in 2014 Yahoo, one of the internet giants of that time, became the victim of social engineering through a simple spear phishing attack targeting the company’s semi-privileged staff. The tricked employee fell for the fraudster’s attempt and gave the attacker access, which was used to download the Yahoo user and customer database.
In 2017, the Yahoo breach was found to have affected 3 billion user accounts, which were put up for sale on the dark web at $350 million.
Greed persuades people to trust, and cybercriminals never forget to target it.
In 2020, an efficient social engineering attack targeted people through tweets. The attacker managed to post carefully baited tweets from high-profile accounts offering to give back to the community, telling people to send money to an account and receive double the amount back within 30 minutes. The urgent, helpful tone of the tweets deceived many people, who transferred funds to the attacker’s account only to find out it was a social engineering scam.
Social engineering attackers never miss the chance to take advantage of a major event by launching campaigns that play on human curiosity and open the door to phishing attempts.
In 2019, a threat actor ran a scam campaign around the Boeing 737 Max aircraft crashes, sending phishing emails that claimed to disclose critical information leaked on the dark web about future plane crashes of a similar nature. Under the pretence of protecting people and discouraging them from travelling on those aeroplanes, the attacker distributed malware as an attachment claiming to contain the leaked data about the crashes.
What are the six principles of social engineering?
Social engineering attacks base their structure on the art of persuasion. The six key principles of persuasion established by Robert Cialdini, a well-known behavioural psychologist, are:
- Reciprocity – By nature, humans tend to return a favour.
- Commitment and consistency – If people commit to something, it is highly likely they will honour that commitment. People continue to honour their original word even when the motivations that led to the commitment are later removed.
- Social proof – People do what they see other people around them doing.
- Authority – Humans tend to follow authoritative figures.
- Liking – If you like someone, he or she can easily persuade you.
- Scarcity – Scarcity generates demand, as simple as that.
Why is social engineering dangerous?
Social engineering has a disastrous effect and is as dangerous as any other cyber attack because of its tactics and nature. The frequency of social engineering attacks targeting small, mid-size and large enterprises has increased worldwide. Defensive security tools and software are introduced now and then, but they do not significantly reduce the social engineering attack vector.
Social engineering is more dangerous than other cyber attacks because of its nature and its influence on the human mind to obtain the desired result or action. The reason for such a high proportion of social engineering attacks is the influence social engineers exert to manipulate minds instead of fooling tools or breaking technical controls.
We have discussed the types and techniques of social engineering attacks in this article. Now we must understand how attackers craft their strategies to trick the mind and make the individual follow their direction.
Social engineers use the same social science phenomena in cyber security to influence behaviour and change how a person acts under certain circumstances. Attackers often use reverse social engineering to draw the target into their activity, exploiting fundamental human behaviour. Sometimes they do this by playing on curiosity, sometimes on greed, and sometimes with the offers mentioned earlier; even great strengths can be turned into significant weaknesses that help social attackers succeed.
Let’s understand it this way.
Simple human nature manipulation
One of the human traits that makes an individual fall for a phishing or social engineering scam is the habit of filtering and skimming information. Most of us are not interested in reading long content; we tend to pick out only the critical data. In doing so, we often click malicious websites or download documents, which leads to successful social engineering, especially phishing.
Assistive human nature manipulation
Humans are helpful by nature; many are soft-hearted and always ready to help others. Cyber criminals exploit this in their chosen subject: they use people’s assistive spirit and craft a phishing or baiting attack around a request for help.
Familiar nature manipulation
Cyber criminals trick their targets by creating normal-seeming circumstances. Human nature lowers its guard for people we know, or in familiar matters. This lets the attacker build scenarios, relationships or friendships with the victim and later take advantage of them.
Emotional nature manipulation
Humans follow emotion, and under its influence they make right and wrong decisions or overlook things. Emotional manipulation is another form of psychological deception that is highly effective in crafting social engineering scams.
Is social engineering illegal?
Social engineering is a common cyber attack vector that has featured in many cyber crime cases. To perform social engineering, you need to manipulate human minds with charisma and trust so that people give up sensitive information such as system or financial credentials, which hackers can later use to abuse an organisation’s security controls or commit fraud through identity theft.
All of these approaches are illegal because they manipulate people’s minds into doing something harmful without noticing the consequences beforehand, making them believe in benefits to their lives that may not even exist.
Cybercrime is a slippery slope and can lead to fines, prison time and other consequences. Social engineering often brings serious penalties for the person committing it, especially when people are attacked by phishing or spear-phishing and suffer a financial loss. The perpetrator is typically ordered to reimburse those losses from his own assets as well if he is caught doing such damage, so be careful not to commit internet fraud!
Social engineering is a criminal act if it is carried out without the consent of the organisation; only when an organisation has given that permission can it legally be subjected to this type of test.
Social engineering toolkit
The Social-Engineer Toolkit (SET) is a free tool used to build believable attacks for tricking a target. SET has custom attack vectors, payloads and scripts that allow you to prepare and plan social engineering assessments in no time.
Social engineering prevention
There is no denying that technologies such as artificial intelligence and machine learning are marvels of the human mind, and among the best things to happen to the digital sphere and the security arena. Defence and monitoring tools are an excellent investment for any business that wants to protect its cyber environment from intruders and from known and unknown attacks. Still, they are worth nothing if the human mind cannot intercept the threat coming towards it.
It is not that tools, technologies and defence mechanisms fail to block external threats or to provide a safe path for interacting with the outside environment; the fact is that they fail when it comes to human-to-human hacking. For a robust defensive foundation and internal threat prevention, the human minds involved need security education, training and awareness.
Social engineering methods have evolved with time and technology. Cyber criminals’ behaviour, however, has stayed constant: tricking individuals and employees with basic fraud and mind manipulation. There is no silver bullet against social engineering attacks. The only way to stop an attacker launching a successful scam is to understand the significance of this threat and how it manifests itself.
COVID-19 has already boosted cyber attacks; in 2020 alone, 33% of all breaches involved social engineering, and that proportion is estimated to rise by the end of 2021. Organisations can control this cyber risk through the preventive measures listed below, appropriate training and proper security controls to secure both the digital and the physical landscape.
Here are practical and advisable ways to prevent social engineering attacks against people, processes and technologies:
- Classify the critical assets and data that must be protected from exposure.
- Develop policies and guidelines for handling data within and outside the organisation.
- Identify the employees, partners and vendors who have access and privileges to critical data.
- Implement a framework and security policies for vendors and third parties with privileged access, whose compromise in a successful social engineering scam would cause severe disruption.
- Implement a zero-trust architecture for every person authorised to access sensitive data.
- Invest in a social engineering awareness campaign for employees, partners, board members and third-party vendors to help them understand the importance of the data they handle, the access they have, and their responsibility to prevent insider threats and spot suspicious phishing attempts and other social engineering attacks.
- Have an outside party perform social engineering tests against employees to measure their defensive capabilities.
- Enhance the security culture by frequent screening on random occasions.
- Perform risk assessments and black box penetration testing to identify security gaps within the organisation and produce actionable recommendations for improving security.
- Collect the reports to find the positive and negative areas for improving security and employee training.
- Always double-check a URL before clicking on it.
- Never download or open any attachment, whether an image or a document, from an unknown or untrusted source.
- Always read an email thoroughly to look for indications of social engineering.
- Select diverse technologies and tools centred on countering social engineering to block these threats.
- Invest in a security information and event management (SIEM) solution to ensure strong logging and monitoring processes and controls.
- Consider using a host-based IDS or IPS solution to detect known attacks by their signatures or behaviours.
- Set up a VPN to ensure your organisation’s privacy on a broad level.
- Install proxy servers to monitor and administer internet traffic content.
- Enforce a regular backup policy, so that if anyone falls for a social engineering scam leading to compromise or corruption of systems, the organisation has another way to protect its essential data.
- Keep systems updated with anti-virus, anti-malware, anti-phishing and email security services.
- Ensure a confirmation policy applies to any request for personal or financial information that carries a high sense of urgency.
- Limit the amount of employee information shared on social networks.
- Do not share credentials or financial or personal information in any unverified or untrusted communication.
- Install spam filters and email security products to minimise the phishing scams reaching your inboxes.
- Some tips are generic recommendations that belong in security awareness training. Security awareness initiatives and training programmes are important steps in educating your employees about cyber risks.
- Do not share trade or business secrets by email or phone.
- Keep your browsers and applications up to date.
- Never follow a link to reach your bank’s website; always type the URL.
- Stay up to date on current social engineering and phishing attack types.
- Enable multi-factor authentication, so that if your credentials are leaked or stolen there is an additional layer of protection that makes it harder for attackers to access your account.
- Think twice before taking up any offer or free service from any source. Cross-check it by searching and asking a more credible source.
- Never initiate a payment based on an email request; always verify it by contacting the company or the person directly, and do not use the contact information given in the email. Verify the contact information too.
- Enforce automatic locking of devices to restrict physical intrusion.
- Impose a no-sharing rule on all kinds of devices, hardware, USB sticks and drives.
- Never share your password with anyone, not even IT staff.
- If credentials have already been shared, reset all of your passwords and inform your bank and the organisation so they can block unknown and even authorised access until the matter is resolved.
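Several checks in the list above (double-check the URL, read the email for social engineering indications, confirm urgent financial requests) can be partly automated at the mail gateway; the Python script below is an added example written for this article, not code from the article or any product it mentions. It triages a constructed BEC-style email for display-name impersonation of an executive, a Reply-To domain that differs from the From domain, urgency wording, anchor text whose visible host differs from the real link target, and look-alike domains. The corporate domain, the executive list, the urgency terms and the sample message are all assumptions made up for the example.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the organisation's own domain and a tiny executive
# directory used to spot BEC-style display-name impersonation of senior staff.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
URGENCY_TERMS = ("urgent", "immediately", "within 30 minutes", "act now", "before 5pm")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Hostname if the anchor's visible text itself looks like a URL or bare domain."""
    if "://" in text:
        return (urlparse(text).hostname or "").lower()
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return text.split("/")[0].lower()
    return None


def is_lookalike(host, corp=CORP_DOMAIN):
    """True for hosts that imitate the corporate domain without belonging to it."""
    host = host.lower()
    if host == corp or host.endswith("." + corp):
        return False
    # Undo common substitutions (1 for l, 0 for o, inserted hyphens) before comparing.
    normalised = host.replace("1", "l").replace("0", "o").replace("-", "")
    return corp.split(".")[0] in normalised


def triage(raw_message):
    """Return the set of social engineering indicators found in one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_name.lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        findings.add("exec_impersonation")
    if is_lookalike(from_domain):
        findings.add("lookalike_domain")
    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.add("replyto_mismatch")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(term in haystack for term in URGENCY_TERMS):
        findings.add("urgency")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = host_in_text(text)
        if shown and target and shown != target:
            findings.add("link_mismatch")  # visible URL is not where the link really goes
        if target and is_lookalike(target):
            findings.add("lookalike_domain")
    return findings


# Constructed sample: a BEC-style wire request from a look-alike domain whose link
# text shows the real portal while the href points somewhere else.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e-mail.com>
Reply-To: accounts@payments-review.example.net
To: finance@example.com
Subject: URGENT wire transfer before 5pm
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please action this immediately and confirm at
<a href="http://portal.examp1e-mail.com/login">https://portal.example.com/login</a></p>
</body></html>
"""
```

Running `triage(SUSPICIOUS)` flags all five indicators; a message from the real domain with a consistent link and no urgency wording returns an empty set, so the result can drive quarantine or a confirmation workflow rather than a hard block.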
Without a doubt, social engineering in any form can give intruders authorised access or confidential information without any technical effort or breaking of digital system controls. It has been the most used and most effective cyber attack method throughout the computer age, and it keeps becoming more versatile and sophisticated with newer smishing, vishing and quid pro quo techniques. It is now a significant threat to all industries and businesses, whether startups or large enterprises. As we have seen many times on television shows (and you might agree!), these attacks do not always require high-tech equipment to succeed; sometimes it only takes an email from someone pretending to be from your company asking for a password!
If you haven’t considered your social engineering vectors yet, we’re happy to discuss them!
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.