What is Social Engineering?
Social engineering is, hands down, one of the most dangerous threats to businesses and individuals alike. In a nutshell, a social engineer is someone who uses social interactions with individuals to either get something from you (such as your password) or get you to do something (like make a wire payment). They may be disarming in their approach and make you feel comfortable, or they may present themselves as someone of authority and convey a sense of urgency.
Either way, social engineering attacks are about getting you to like and trust them, or to make you feel like they’re a person of authority and you must comply with whatever they ask for.
Imperva, a world-renowned cybersecurity organization, describes social engineering as:
“[…] a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
Or, as the FBI puts it more succinctly, it’s “targeted lies designed to get you to let your guard down.”
Types of Social Engineering Attacks
Social engineering attacks, which Verizon reports were used in 33% of the data breaches in 2018, can occur:
- Via face-to-face interactions,
- Over the phone (vishing, or what’s known as voice phishing),
- Over SMS text message phishing (smishing),
- Using email phishing tactics (including targeted spear phishing), or
- By using any combination of these and other avenues.
These types of attacks don’t require a bunch of technical skills or hacking techniques. It’s about “hacking” or exploiting a person rather than technology itself. However, using technology certainly makes pulling off these attacks a lot easier for the cybercriminals who use them.
Frank Abagnale, the world’s most famous con man-turned-security consultant whose life and crimes were the basis of the movie “Catch Me If You Can,” said in an interview with SearchCloudSecurity that while social engineering at its core is still the same, criminals are now using different methods of attack.
“Some people used to say that I’m the father of social engineering. That’s because when I was 16 years old, I found out everything I needed to know — I knew who to call and I knew the right questions to ask — but I only had the use of a phone. People are still doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”
Social Engineering Attacks Are All About Getting to Know You
In the digital world, social engineering attacks involve cybercriminals learning as much as they can about a company and a target individual (i.e., you). They then use that information to get you to do something you shouldn’t (such as providing sensitive personal information or making a wire transfer).
Essentially, they treat you like a research project and learn about you through a variety of tactics, including:
- Searching for information about you on Google and other search engines: The more they know about you, the easier it is to relate to you and make you trust them. This disarms you and makes you more likely to comply.
- Tracking down your social media pages to learn about you: If a hacker knows what you pin on Pinterest, what you watch on YouTube, what groups you’re a part of on Facebook, or even what photos you like on Instagram, etc., they can craft more believable phishing emails to trick you.
- Seeing who you’re connected to (via LinkedIn and your company website) and learning your organization’s hierarchy: Cybercriminals want to make their jobs as easy as possible. If they know that you’re Sally and you work as an accounts payable employee, and that your company typically works with Org X as a vendor, they might be able to get away with impersonating that organization to get you to make a fraudulent payment.
- Going through your trash: No, I’m not speaking metaphorically here. I mean that literally. Some social engineers have been known to go dumpster diving to gain valuable information about you or your organization. This is why it’s important to properly dispose of (shred, not just discard) personal, proprietary, or otherwise sensitive information.
Breaking Down the Social Engineering Attack Life Cycle
To talk about the lifecycle of a social engineering attack, we’re going to use the terms as identified by Imperva. The social engineering life cycle includes four distinct phases, and a given attack may involve one or more of them:
- Investigation: This step is all about research and gathering as much information about you and your company as possible.
- Relationship Building: This next phase is about using social tactics and psychology to manipulate or deceive you. Armed with knowledge about you and your organization, they’ll reach out to develop a connection and to engage with you.
- Play: This next step is when they really put the plan into motion to exploit the interaction. It’s about expanding their influence on you to get you to provide information or to perform an action.
- Exit: This is where they take a moment to get rid of evidence — to wipe away their digital fingerprints, metaphorically speaking — to make their getaway and get the hell out of dodge (ideally, without you even knowing that something’s wrong until after they’re long gone).
How Social Engineering Attacks Occur
As you’ve learned, social engineering involves a malicious actor researching you and your organization to learn about you so they can use that information to dupe you into sharing information or doing something that you shouldn’t.
Social engineering isn’t an impatient man’s game. Unlike mass phishing campaigns, which can involve sending out emails to thousands of people with the hope of tricking even just one into clicking on a malicious link, social engineering attacks are more targeted. Cybercriminals can spend a few hours or even days, weeks, or months preparing to make their move.
So, how does one of these attacks occur? Often, it boils down to finding the right person to target and finding — or creating — the right opportunity.
According to Abagnale in an interview with WIRED:
“Every case involving cybercrime that I’ve been involved in, I’ve never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren’t supposed to do. They read an email, went to a website they weren’t supposed to. So they opened the door that allowed the person to get in.
It’s not that these people are that talented but they wait knowing that with a company of 10,000 employees someone is bound to open the door. They just wait for that door to be open.”
Not sure what we mean? Let’s dig a little deeper.
An Example of Social Engineering in Action
Let’s imagine that you’re an accounts payable employee named Tina. You’re sitting at your workstation when, suddenly, you get a call from Drew Stevens, a representative at one of your company’s vendors. He tells you that there’s an issue with the last payment that was made, saying that they never received it.
You feel mortified. While you’re apologizing and quickly try to find the receipt from the last payment, Drew continues talking, reassuring you that it’s fine but that they really do need the payment to be made quickly if your company is to continue using their services. He continues on, saying that it was probably just a hiccup with the paperwork — that their company recently changed banks and sent the updated payment info to all of their customers, yet, somehow, the new bank account info never seemed to make it to you and another customer.
He sighs but laughs, saying it’s just one of those things. Technology, right? Gotta love it.
He’s friendly, confident, charming, and understanding. He reassuringly says that he doesn’t want to make additional work for you because they know you’re probably already so swamped! So, to make it easy, he’s just sent you the new banking info and would really appreciate it if you could go ahead and make the payment ASAP so your organization’s service doesn’t lapse.
You check your email, and there’s a message waiting from Drew, just like he said. In it, there’s an invoice attached. You open it immediately and use the information in the doc to go ahead and make the payment.
Drew thanks you and tells you that he’s received the payment. He smoothly wraps up the conversation, telling you that he’s going to go ahead and send a receipt for the payment and that he’s glad you both were able to work together to rectify the situation so quickly. You exchange goodbyes and hang up.
A few weeks later, your boss comes in to ask about the payment to this unknown account. You tell him that you were being proactive and wanted to take care of the situation quickly by making the payment.
But the original payment had already gone through to the real vendor, your boss says; nobody there ever reported a problem. Worse, it turns out that the company just suffered a data breach that was tracked back to your workstation.
What you didn’t know is that the invoice you opened from Drew was actually a malicious file. Now, not only have you sent a payment to a fraudulent account, but you’ve also opened up your company’s network and IT systems to a hacker.
See Social Engineering Attacks in Action for Yourself
All of this just sounds too obvious, right? There’s no way that someone could be fooled by something so simple. Unfortunately, that’s not the case. Nearly two in 10 people fall for attacks like these.
Want to see some real-life “people hackers” in action? Watch as social engineer David Kennedy tricks a company into providing credit card information. He spoofs his caller ID so the call appears to come from inside the company.
Social Engineering Prevention
Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.
Moreover, the following tips can help improve your vigilance in relation to social engineering hacks.
- Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news through a separate channel, such as a phone number you already have on file (not one given in the message) or directly from the service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker.
- Use multifactor authentication – One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps protect your account even if your password has been stolen. Imperva Login Protect is an easy-to-deploy 2FA solution that can increase account security for your applications.
- Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
- Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
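The Tina/Drew scenario above and the “email addresses are spoofed all of the time” tip both come down to checks a mail gateway or accounts payable tooling can run mechanically before a human is put under pressure. The script below is an added example, not code from the original article or from any vendor it cites: it parses a raw invoice email, compares the visible From against Reply-To and the envelope Return-Path, reads the receiving server’s Authentication-Results header for SPF/DKIM/DMARC failures, flags urgency language in the subject, and checks any bank account quoted in the body against the vendor record on file. The vendor master record, every domain and address, and both messages are constructed for the demonstration.

```python
"""Triage a vendor invoice email for the indicators behind the Tina/Drew scenario.

Added example, not code from the original article. Every domain, address,
vendor record and both messages below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master record: the banking details accounts payable has on file.
VENDOR_MASTER = {
    "orgx.example": {"name": "Org X", "routing": "021000021", "account": "11112222"},
}

# Constructed message modelled on the invoice "Drew" sends: the visible From is the
# real vendor domain, but replies and the envelope sender go to a look-alike domain,
# the receiving MTA could not authenticate it, and the account number is new.
SUSPICIOUS_EMAIL = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=orgx-billing.example; dkim=none
Return-Path: <drew@orgx-billing.example>
From: "Drew Stevens" <drew.stevens@orgx.example>
Reply-To: <drew.stevens@orgx-billing.example>
To: tina@corp.example
Subject: URGENT: updated remittance details for invoice 4471

Hi Tina, as discussed, please remit to our new account right away.
Routing: 021000021
Account: 99887766
Thanks, Drew
"""

# Constructed legitimate invoice from the same vendor, for contrast.
CLEAN_EMAIL = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=orgx.example; dkim=pass header.d=orgx.example
Return-Path: <billing@orgx.example>
From: "Org X Billing" <billing@orgx.example>
To: tina@corp.example
Subject: Invoice 4471

Hi Tina, invoice 4471 is attached. Remit as usual.
Routing: 021000021
Account: 11112222
"""

ACCOUNT_RE = re.compile(r"account\s*(?:no\.?|number|#)?\s*[:\-]?\s*(\d{6,17})", re.I)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def text_body(msg):
    """Concatenate the text/plain parts of a parsed message (single-part messages too)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of findings for a raw RFC 5322 message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    envelope_domain = domain_of(msg.get("Return-Path"))

    # Replies silently routed to a different domain than the one shown to the reader.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Envelope sender differs from the visible From: the From header was spoofed.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")

    # The receiving MTA recorded failed or missing SPF/DKIM/DMARC checks.
    for mech, result in AUTH_FAIL_RE.findall(msg.get("Authentication-Results", "")):
        findings.append(f"{mech.upper()} result is {result.lower()}")

    # Urgency in the subject line is the pressure tactic the article describes.
    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("Subject uses urgency language")

    # Any bank account quoted in the body must match what is already on file.
    vendor = VENDOR_MASTER.get(from_domain)
    for account in ACCOUNT_RE.findall(text_body(msg)):
        if vendor is None:
            findings.append(f"Account {account} quoted but no vendor on file for {from_domain}")
        elif account != vendor["account"]:
            findings.append(f"Account {account} does not match {vendor['name']} record ({vendor['account']})")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{label}: {triage(raw) or ['no findings']}")
```

None of these checks is proof of fraud on its own (a vendor really can change banks, and Reply-To mismatches happen with ticketing systems), which is why the function returns every finding rather than a verdict: the intended control is that any finding on a message carrying new payment details forces the call-back on a number already on file before the payment is released.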