What is Social Engineering?
Social engineering is a technique used to exploit human complacency to gain access to private information, access, or other forms of valuable assets. Within the narrower context of cybercrime, these ‘human-hacking’ techniques focus on luring unsuspecting users into sharing secrets, spreading malware, or giving access to restricted systems. These techniques can be executed by hackers through online, in-person, telephone, and other interactions.
Scams executed through social engineering techniques are built around how people think and act — depending on the community targeted. As such, social engineering attacks are especially useful in manipulating a user’s behaviour (e.g. greed). And once an attacker understands the motivations behind their target victim’s activities, they can easily change the course of their decision making processes in support of other malicious objectives.
Typically, Social Engineering attacks are executed to achieve one of two goals:
- Sabotage: The disruption or corruption of data to cause harm or inconvenience
- Theft: Obtaining valuables like information, access, or money
With our growing use of technology and submission of data to different online platforms; everyone’s information can be considered valuable to somebody out there. As such, most users may not fully realize the full value of the data that they share online and thus find themselves unsure of how to best protect their digital presence.
How Does Social Engineering Work?
Social engineering attacks crucially rely on the ‘social’ connection between attackers and victimized users. Through social engineering techniques, attackers focus on motivating their users to willingly compromise themselves by sharing sensitive information or access. To achieve this, most attackers utilizing social engineering techniques often follow a four-step process (or lifecycle):
- Preparation: Collect relevant background information about the targeted user and their community. Usually from Open Sources such as social media and other forms of gray literature.
- Infiltration: Establish and cultivate a working relationship with the target either through intimidation to perpetuate fear-driven response, or through positive interactions to garner trust. Both ultimately lead to the same end goal of eliciting compliance.
- Manipulation: Exploit the weaknesses and trust cultivated with the target. This is often used to advance a further (often malicious) agenda, or to cultivate more information and greater access to restricted systems.
- Disengagement: Retract all established communications and interactions with the targeted user once the initial objective has been achieved.
Social Engineering is the oldest intelligence technique known to mankind, and specifically targets the human element in contrast to a technical one. The process can take place over an indeterminate period of time ranging from a few days, to months, and onward to years that all point towards a singular category of objective — to get you to do something.
Traits of a Social Engineering Attack
The key traits of a social engineering attack focuses on triggering a heightened emotional response from the targeted user to illicit a response. Some of the traits that attackers try to trigger are:
As a target, You are far more likely to take irrational or risky actions when placed in an irrational emotional state. And once in that state, attackers will use it to further drive three sensations of either urgency, fear, and/or trust.
- Urgency: Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal. Attackers using Social Engineering techniques often will use time pressure to force targets to compromise themselves under a ruse of a serious problem that needs immediate attention. Alternatively, they may leverage on a person’s sense of greed to respond to a reward that may disappear if they do not act quickly. Both approaches focus on paralyzing the target’s ability to think critically.
- Fear: Panic driven responses reduce the targeted user’s ability to think clearly about their actions. When placed in a compromising situation that threatens one’s safety, most people will place survival above all other priorities and will not be able to think rationally.
- Trust: Believability is essential to a successful social engineering attack, and in human terms this refers to trust. Attackers focus on exploiting the belief they cultivate in their targets.
Types of Social Engineering Attacks
Almost every type of cybersecurity attack (read more about cyber attacks herehere and herehere) leverages some form of Social Engineering. Some of the more common methods used by social engineering attackers:
- Phishing attacks are methods used by attackers posing, usually, as a trusted institution or figure in an attempt to persuade the exposure of sensitive data or gaining access to restricted systems. There are two types of phishing attacks. The first are mass phishing attacks, which are widespread social engineering campaigns designed to catch any unsuspecting persons through casting a wide net. The latter are targeted phishing attacks, otherwise known as Spear Phishing attacks, which are sophisticated, personalized attacks against high-value targets (i.e. celebrities; government officials) and individuals with access to these powerful individuals — otherwise known as Gatekeepers of Information.
- Baiting is an attack that leverages our innate curiosity to lure people into sharing sensitive information about ourselves. These attacks usually are in the form of ‘freebies’ and leverage the fundamental human nature of greed.
- Favors are attacks that exploit human empathy in order to convince unsuspecting users to share sensitive information. The oldest version of this attack would be the ‘Nigerian Prince Scam’.
Spotting and Preventing Social Engineering Attacks
Defending yourself from social engineering attacks requires a degree of proactiveness. Remember, social engineering attacks leverage on human behavior and are designed to lure users into taking action before considering the risks involved.
A key step towards defending yourself against social engineering attacks is first to detect it. Some means of doing so can include some of the following techniques.
- Determine and be aware of your emotional state: Knowing your emotional state when you are faced with a suspected social engineering attack is a good way to increase your awareness before making any critical decisions. Think of this as a red alert alarm that tells you to remain calm and engage the situation rationally.
- Determine the identity of the sender and verify the source of the message: A fundamental practice in cybersecurity, or security in general, is to Trust but Verify. Knowing the real identity of the sender and the original source of the message is the first step towards verifying the authenticity of the initial engagement.
- Determine if anything is out of place: Before responding to the suspected attack or campaign, take a moment to see if there is anything out of the ordinary. In some instances, you may need to take a closer look. The increasing ease of acquiring the skills needed to fake a website, spoof an email or impersonate an accent over the telephone means you need to trust your gut. Pause and look for clues that may spell a con.
Safe Communication and Account Management Habits: Establish strong practices when handling emails and other online activities. Some of these practices include:
- Never click on links in emails or messages unless you are 100% sure of the source
- Use Multi-Factor Authentication (MFA) with all accounts
- Use strong passwords and a password manager
- Be cautious when building online friendships
Safe Network Use Habits: Establish strong networking practices and ensure attackers cannot retrieve information about you from levering a vulnerability in the technologies you use. Some of these practices include:
- Never let strangers connect to your primary WiFi network at home or at work
- Use a Virtual Private Network (VPN) whenever going online
- Properly secure all network-connected devices and services
Safe Device Use Habits: Reinforce the security of your devices, and your gateway to the internet. Some of these practices include:
- Use comprehensive internet security software
- Don’t ever leave your devices unsecured in public
- Update your software whenever possible
- Regularly check if your online accounts were exposed in a data breach
Almost every type of cybersecurity attack leverages some form of Social Engineering. Advanced phishing campaigns (read more herehere and herehere) can leverage social engineering techniques to establish a mirage of credibility, and reinstates the old saying:
“If you tell a lie big enough and keep repeating it, people will eventually come to believe it”
So the next time you receive a phone call, text message or email asking you to do something simple. Just take a moment. Pause. And have a think.