Social engineering is a technique used to trick individuals into giving away personal information, usually over the internet. This information is then used to commit fraud or to mount cyber attacks. When attackers target the systems of a company or organization, they need a way of compromising those systems, which can be difficult and time-consuming.
The social engineering approach drastically reduces the time required for this phase. This is because users, and mostly internal ones, are the weak point: they can be manipulated into divulging whatever information the attacker needs.
Social engineering attacks make up almost 33% of all data breaches. If these attacks were prevented and effective ways of combating them were in place, cyber attacks would be reduced by a third. Some well-known social engineers include:
Kevin Mitnick
Kevin is well known for various communications and computer-related crimes. He has since reformed and is currently a security consultant, having turned his illegal hobby into a career in security protection. He was arrested in 1995 and served a jail term of 5 years for breaking into company networks. Besides computer security consulting, he is also an author.
Badir Brothers
Shaddle Badir, Ramy, and Muzher formed the Badir Brothers. Interestingly, all three brothers were blind from birth. They were from Israel and set up computer fraud and phone schemes that relied heavily on vishing and social engineering.
They relied on braille-display computers. It is said that the three had formed a secret language since childhood that only they could understand, motivated by keeping their communications confidential. These clever brothers had also mastered telephone sounds and could work out the numbers being dialed just by listening.
Frank Abagnale
Between the ages of 15 and 21, Frank was an impostor, a conman, and a check forger. He is famous for the book Catch Me If You Can, which was also adapted into a movie, and is widely regarded as the world's best-known and greatest social engineer.
How Social Engineering Works
You might want to know how and why criminals use a certain form of social engineering. There is a wide range of social engineering methods. All social engineering attacks rely on information gathering as a first step. This may be finding more information about a company, an individual, or an organization.
What attackers want are details of internal operations, vendors, corporate structure, or the industry jargon in use. A social engineer may also rely on social media sites to find more detailed information. This category is called publicly available information.
Through social media, a social engineer may find details such as an employee's corporate email address. With such information, the attacker can conduct targeted attacks like spear phishing: after socially engineering a targeted employee and acquiring details like login credentials, the attacker can use them to gain access to the business's internal systems or network.
Through social engineering, confidential information such as credit card numbers and login credentials is exposed. Compromise of these details can lead to data breaches, which cause leakage of personal details and violation of privacy.
Why Cyber Attackers Use Social Engineering
The main aim of social engineering is always to conceal the attacker's true identity. In this way, cyber criminals can present themselves as a trusted entity or source. After gaining a sense of trust and manipulating the victim, social engineers trick victims into granting them access to, or enabling unauthorized intrusion into, a company. Personal information and sensitive data are also given up in the process.
A social engineering attack can be the first step of a bigger planned cyber attack on a company. That bigger attack may aim to install malware on an organization's systems, infiltrate a system, or even expose sensitive data publicly.
Social engineering exploits people's willingness to help. This is done by creating a sense of urgency. An example is someone claiming to be an employee who urgently needs the C.E.O's email to report on an urgent project or to complete an urgent payment.
It is far easier to exploit human nature, which turns out to be a weakness in this case. Exploiting a particular quality in a person is easier than looking for vulnerabilities in a network and working out how to exploit them. Users are the leading cause of cyber attacks.
Cyber attackers rely on six principles of influence to successfully conduct a social engineering attack.
The 6 Principles of Influence
Social engineering attacks exploit human nature. These are decision-making and human interaction aspects. The attack techniques exploit human psychology. The six principles are:
1. Reciprocity
This is the concept of returning a favor. It is human nature to want to do something good for someone after receiving a good gesture from them. In this case, a cyber criminal may give you something for free and, since you feel the need to return the favor, you will easily fall for a request to give access to confidential information.
The attacker manipulates human psychology: they perform an act of kindness and you, as the victim, feel indebted to reciprocate. The victim ends up giving away confidential information.
2. Commitment and Consistency
Humans feel that once they commit to something they must see it through. This commitment may be oral, in writing, or simply an idea. Social engineering relies heavily on this form of influence. Even when the original motivation is removed, people remain committed because they agreed to deliver results initially.
An attacker uses this technique to make an employee commit to providing details like login credentials or other sensitive information. The victim follows through on the request because they committed earlier, even if the act is illegal.
3. Social Proof
Human beings tend to do what others are doing. When an attacker provides "proof" that another person or a colleague has agreed to do something, the victim feels compelled to cooperate. This is accomplished through false evidence.
4. Authority
This form of influence works through authoritative figures in companies. For it to work efficiently, it is built around figures like directors or C.E.Os. Picture this: you receive instructions from your C.E.O to send files or provide information that might contain sensitive data and should not be shared with anyone.
You know it is not entirely right, but since the person asking is the C.E.O, you comply. This technique is called spear phishing. It uses authoritative titles to lure employees into giving away sensitive information. Again, this is manipulation of human psychology: everyone tends to obey those in authority.
Attackers will pose as authoritative figures such as lawyers or directors to manipulate victims through social engineering.
5. Liking
People are easily persuaded by compliments and by likable people. Cyber criminals who use the liking technique often combine it with spear phishing.
To accomplish this, they might pretend to be a friend or a trusted colleague. The attacker might even compliment the victim to persuade them further. It is human nature to love compliments and to be persuaded by likable people.
6. Scarcity
This works by creating a sense of urgency. The cyber criminal manufactures scarcity in order to increase demand. In this case, a social engineer might create a situation in which they convince you that certain confidential information is needed urgently.
Common Social Engineering Attacks
Phishing
This attack is conducted by tricking the victim into clicking a malicious link. The attacker can then obtain important details like credit card numbers, login credentials, or bank details. An attacker can pretend to be a trusted source by email; this is done through email spoofing.
A victim can also click a malicious link online and download a file onto their system. The download might carry a virus which, once on the company's systems, damages them. Phishing attacks misuse the sense of urgency, forcing victims to act fast. Although it may not seem serious, phishing is one of the largest cybersecurity risks.
Quid pro quo
This attack uses the reciprocity influence. An attacker may pose as IT support and request details about the network and systems after offering some obvious IT advice that may be new to the targeted employee.
The attacker may even convince and help the victim to change settings, such as turning off the computer's firewall or antivirus software.
Pretexting
Attackers lie about their identity to obtain confidential information or gain privileged access. For example, attackers may ask for details about a site you are running, pretending that the site has a problem that needs to be fixed. The victim gives away the information, believing they are dealing with a legitimate vendor of the product.
Spear phishing
This attack is similar to phishing but more targeted. It may aim at a director or a particular employee who has access to sensitive data. By spoofing emails or loading them with malware or ransomware, the attacker can breach sensitive data.
Tailgating
This attack is also known as piggybacking. An attacker follows a legitimate user into a secure area. The attacker is not authorized to enter, but by following the legitimate user, both gain access to the resource. Of course, the legitimate user was lured into allowing this.
Ways of Preventing Social Engineering Attacks
1. Training employees
Users are the leading enablers of cyber breaches, knowingly or unknowingly. This is why you need to educate all employees on the common types of cyber attacks and how to mitigate them.
You also need to educate them on the steps to take when they suspect they are experiencing a cyber attack. Such training should be conducted regularly, and business owners should also run cyber-incident drills to observe how they are handled.
2. Establishing security protocols
Your organization should have well-thought-out computer security policies, protocols, and guidelines. You should also have an information risk management program that may serve as an incident response plan. These procedures outline how cyber security incidents or data breaches will be handled if they occur.
3. Scrutinizing all information in your network
All information that reaches your systems, whether emails or vendor links, should be actively scrutinized. Your employees should be trained to inspect all emails, and even any physical devices they intend to plug into their computers.
You can also implement software and systems for doing these tasks. Doing this will enable you to catch malicious attacks before they are executed.
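As an added illustration of the kind of automated scrutiny described above (this is example code written for this article, not a product or the author's own tooling), the following Python script triages a raw inbound email for the signals discussed on this page: failed SPF/DKIM/DMARC results, an authority-sounding display name on an external or lookalike domain, a mismatched Reply-To, and urgency wording in the subject. The corporate domain, the title list, the urgency word list and the sample message are all assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organization's own mail domain
AUTHORITY_TITLES = re.compile(r"\b(ceo|cfo|director|it support|lawyer)\b", re.I)
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "payment")  # scarcity cues


def triage(raw_email: str) -> list[str]:
    """Return human-readable findings for one raw message; an empty list means nothing fired."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Authentication-Results is stamped by the receiving mail server; any SPF/DKIM/DMARC
    #    result other than 'pass' means the sender could not prove it owns the From domain.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        hit = re.search(rf"\b{mech}=(\w+)", auth)
        if not hit or hit.group(1) != "pass":
            findings.append(f"{mech} not passing ({hit.group(1) if hit else 'missing'})")

    if domain and domain != CORPORATE_DOMAIN:
        # 2. Authority principle: an executive-sounding display name on an external address.
        if AUTHORITY_TITLES.search(display_name):
            findings.append(f"authority display name '{display_name}' from external domain {domain}")
        # 3. Lookalike domain (examp1e.com vs example.com) used to pose as an internal sender.
        ratio = SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio()
        if ratio >= 0.8:
            findings.append(f"lookalike sender domain {domain} (similarity {ratio:.2f})")

    # 4. A Reply-To that differs from From quietly redirects the victim's answer to the attacker.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address.lower():
        findings.append(f"Reply-To {reply_to} differs from From {address}")

    # 5. Scarcity principle: urgency wording in the subject line.
    hits = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    return findings


# Constructed sample (not a real message): a CEO impersonation sent from a lookalike domain.
PHISH = """\
From: "CEO Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
Subject: URGENT wire payment needed today
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail
"""
```

Running `triage(PHISH)` returns seven findings, one per signal; a genuine internal message that passes SPF, DKIM and DMARC returns an empty list.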
4. Having social engineering drills
You should test the cyber security resilience of your organization by setting up social engineering scenarios that emulate real attacks. For example, you can send simulated phishing emails and observe how employees engage with them.
You should also monitor whether they download the attachments. You can also try a piggybacking exercise to see whether a user can be lured. After each drill, you can escalate the test attacks, since you will have identified ways of improving your defenses.
5. Implement multi-factor authentication
Something you know, something you have, or something you are. You can require these factors when dealing with sensitive systems or your internal network, for example a biometric check when entering the server room together with a password to access a system. A single factor will not grant access; a user has to present multiple factors.
6. Safely disposing of your organization's waste
Social engineers will use anything meaningful to find useful information, even going through your organization's dustbin. With such information, they can scam you using genuine details and easily conduct a spear-phishing attack. Shredding important documents is one way of mitigating this risk.
7. Employing a third-party risk management framework
Third-party vendors process a lot of confidential information. Cyber criminals will always target such vendors. Before you start working with any vendor, always ensure you vet them well according to their cybersecurity posture.
Always have a framework for conducting such procedures. You can also involve cyber experts like Cyber Ninjas to help you in such processes.
8. Detecting data leaks
Your organization needs to scan constantly for any leaked credentials or exposed data. You should do this actively, since it is hard to know automatically when your organization's data has been leaked and may be being misused.
9. Implementing operations security
You should do this to identify how much information an attacker can gather about you. Through OPSEC, you will identify the actions and exposures that may work in a hacker's favor.
10. Reviewing your organization's response protocol
You should regularly review the protocols you have put in place to combat social engineering. This helps to maintain the procedures that matter and do away with unhelpful ones.
11. Testing your social engineering attack resilience
Secure protocols that have never been tested may be as good as having none. Testing evaluates whether your protocols actually serve their purpose.
12. Have good physical security
Not all social engineering attacks are conducted off-site. An attacker can come to your organization's premises and conduct a social engineering attack in person. This is why you need to ensure your organization is well guarded and secure.
Always remember that social engineering attacks can be the first step to a larger attack. You do not want to be out of business or left cleaning up the aftermath of a cyber attack. It is important to have in place working cybersecurity controls to secure your business.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It’s a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity level and provides a short report with some advice and recommendations.