Social engineering is a form of cyber-security hacking that leverages the weakest point of any security system: the End User. Essentially, by appealing to an element of human psychology, (curiosity, incentive, fear of getting into trouble, desire to be helpful etc.) a malicious actor gains access to personal, private or business information, through what is termed "Social Engineering".
The Official CHFI Study Guide defines Social Engineering as, "simply a means to commit fraud on another through a confidence trick or other means of disseminating false information."
While social manipulation is not a new concept, new technologies have enabled cyber-criminals to create sophisticated digital tricks to perform this manipulation online. Cyber-criminals can gain access to all your digitally stored information, simply by convincing you to give it to them. This is sometimes known as 'Human-Hacking'.
Social Engineering relies on the basic tactics of trust, manipulation and deception. However, the increasingly sophisticated digital criminal has an arsenal of different tactics used in social engineering attacks such as: baiting, phishing, whaling and more. Most of these scams fall under the same theme: the pretence of being a legitimate person or resource. This blog post will show you what to look out for, why it is done and how your organisation can combat the threat.
Why do cyber-criminals use social engineering?
Over the past few years, social engineering has become a cyber criminal's favourite method of attack. It has been proven to be the most successful way for a criminal to get “inside” an organisation.
Cyber criminals are using increasingly sophisticated tactics for human hacking scams. A social engineer will find out everything they about an individual or a business. This could be through the means of social media or finding the target's data online.
Avoiding the perils of Social Engineers requires constant attention, education and awareness of the methods that these hackers use. A business email compromise could have a dramatic impact on your business.
The Different Types of Social Engineering Attack
While Social Engineering often relies on a targeted and specific attack, these fall under a few common tactics. These are the types of social engineering attacks for all employees to be aware of:
Take a look through your endless inbox of marketing emails and you'll find a host of free stuff or 'special offer' discounts. While many of us are sceptical of just how 'special' these offers are, most employees can't resist the temptation of freebies. Problem is - nothing is ever truly free.
That's exactly why we're still seeing the old social engineering trick of 'Free Software' being wielded around, and employees still falling for it. The software being downloaded could actually be something that is out there for free. The risks, however, come with visiting the harmful website, which could result in a user downloading infected or compromised software.
Your employees can be even more at risk when visiting sites that are offering 'bundling' software, which means that they may have to download added software that they don't even need, just to acquire the one they want.
Encourage your employees to check if your company has already licensed the software. If not, then visiting the software vendor's website is a simple yet effective way of making sure that they are indeed offering this software, and that you're downloading from a legitimate source.
Quid Pro Quo
Similar to baiting, the quid pro quo technique relies on an exchange, however, this also involves an element of false impersonation. One of the most common types of quid pro quo, involves a criminal impersonating an IT service employee. They will spam call as many direct numbers that belong to the company they are wanting to target. The attacker will offer IT assistance to every victim, once the victim agrees, they will be requested to disable their AV program. This is so the “IT assistant” now has administrative access to install whatever malicious software they choose.
As TripWire found "office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate." In this study, a staggering 90% of employees gave away their password for the promise of a cheap pen, demonstrating the clear need for greater cyber-security awareness!
Phishing is perhaps the most well-known cyber crime, yet it is in fact becoming increasingly successful. Phishing is the use of email to get a target to enter their private information, or click a link exposing them to malware. 2018 Figures show that 30% of phishing emails were opened by their intended target and 12% of users proceeded to click on malicious attachments that allowed attackers the opportunity to breach an organisation. The effectiveness of this social engineering tactic relies in the criminal researching their targets that they wish to impersonate or attack.
The constant advancements of phishing are one of the many reasons why they’re still successful and will continue to be until everyone understands how to spot them. Three of the more sophisticated phishing attacks are listed below:
1. Spear-phishing: This type of social engineering threat targets a specific individual, such as a CEO or IT manager. They then use their information to personalise the email attack, adding to its legitimacy. More often than not victims think nothing of it and will give the criminal access to their data. As spear-phishers only target an individual they can spend their time conducting research on the victim, utilising their digital presence against them.
2. Whaling: Unlike your traditional phishing, Whaling, is a much more targeted form of attack it has a more specific target. Whaling targets senior level employees such as executives and CEOs, pretty much anyone who has access to valuable data. By targeting the high-value member of an organisation, the hacker is likely to gain access to the entire company information, as well as the ability to impersonate the most legitimate members of the company.
3. Voicemail phishing and SMS phishing: This is another type of phishing, however, the scam takes place over the phone. A scammer will call the target up on the phone pretending to be from their bank or even from a government agency. They will fish for information, with the aim of retrieving your personal information to steal money or data.
Typical red-flags for phishing attacks, will be an email with a suspicious link, an email looking for bank or log-in information, an email from an 'employee' who you are not aware of.
Knowing the tell-tale signs and flagging suspicious emails as soon as possible will help reduce the immediate risk to the company.
This is a more unusual method of social engineering, which involves a legitimate or well-known website. The criminal will firstly pick out its targets such as employees of the business they want to attack. They then determine which websites these employees visit often, the 'watering hole' visited by the targeted employees.
The hacker will infect the 'watering hole' with malware. This code will redirect their chosen target to a separate website, where the malware is being hosted, the compromised website is now ready to infect the targets with malware upon their access.
Pretexting is perhaps the most blatant 'confidence trick' of Social Engineering. It is a form of impersonation which relies on the end user's lack of ability to distinguish whether they are a legitimate source. This usually takes the form of over the phone impersonation, where a malicious actor may for example pretend to be a client who requires access to the end user's private information.
Utilising a fake identity has become much easier for these malicious actors with the advent of more digital mediums of communication, it becomes harder to recognise a legitimate social profile, caller or email address. It is therefore always important to establish make sure you know who you are communicating with, before sending any sensitive information.
There are a multitude of other ways a scammer may pretend to be legitimate in order to try and trick the end-user into revealing private information. There are a number of common techniques used, including the following:
1. Requesting a Password Change: A common trick used by hackers is an email asking the employee to reset or change their password. This data is then entered into a fake domain visible to the hacker, giving them access to your account.
2. Fake IT Support: Impersonating the IT manager, similar to the above, a fraudster may request access to your account to, for example, install new software. Always ensure that these requests are coming from a genuine member of your team.
3. Fake LinkedIn Profiles: A fraudster may pose as a member of your organisation, and friend request legitimate members of the organisation. Once connected, they may begin to message employees to try and illicit information.
4. Name-Drop: Another known Social Engineering tactic is to look into someone's network, (often found through social media) and request information posing as a trust-worthy source. As soon as private information is requested, this should be flagged.
5. Insider threat: There is even the potential for a member of the company to launch a social engineering attack, using their insider knowledge to gain access to data that they should not have.
Risks of Social Engineering Scenarios
So, we know that social engineering is a major threat to business. But what is your business doing that is making you the ideal target?
Lack of security knowledge
When your employees know little about the range of cyber security threats out there, they are more at risk. Cyber criminals can easily manipulate your end users into giving away sensitive information and data. As well as being more prone to cyber threats, there is a major lack of knowledge when it comes to preventing cyber attacks.
Oversharing on Social Media
The door can be widely opened for cyber criminals when employees choose to browse Facebook, Twitter and other social platforms during work. Social media is the most common ingredient for a social engineering attack. One of the main reasons for this is that many employees are unaware of the potential risks that come from what is, for most of us, a daily activity. Add to that the lack of security awareness training focusing on social media use, and you have a recipe for a successful attack.
Oversharing on social media allows a potential attacker to pose as you, using your online information to perpetrate one of the above 'false identity' scams. They may also use your own information against you, to pose as someone that you may have a connection with.
Here are the top things your employees should avoid sharing on social media:
- Job role
- Work email address
- Screenshot of conversations
- Phone numbers and addresses
- Your financial status
Our curiosity always gets the better of us. Sometimes it can be through the means of a phishing email that is offering money or a simple advert that appears when you go to a website. A well timed email may grab an employee's attention, who attempting to be eager unwittingly exposes your company to a security threat.
The problem is social engineering attacks can be conducted in many different ways, which makes it more difficult for employees to spot them, especially if they are not educated on the topic.
Tactics to help prevent social engineering attacks
If you are concerned about your company becoming the victim of a Social Engineering attack, don't worry! There are many solutions you can use to build a comprehensive social engineering mitigation strategy.
Security Awareness Training
The most simple and most effective way to combat the threat of social engineering in your business is employee awareness. If employees are trained and aware of the types of social engineering scams discussed above, they are far less susceptible to falling for them.
Cyber-security awareness training for your team will dramatically reduce your company's susceptibility to Social Engineering. By promoting a culture of awareness and training, your risk of manipulation and the consequences are dramatically reduced.
Cyber security policy
Employees at every level of the business should have a set of clear guidelines in place that specifies how to prevent cyber attacks and what to do if they come across one. The policy should also include security best practices and other forms of security efforts. Read more about cyber security policies in our guide.
Regular phishing simulations
Phishing is the most successful and common type of cyber crime. It has been around for a very long time and still fools people everyday. Conducting regular phishing simulations in the workplace educates employees without the risk of losing valuable data. It allows you to see if there are any trends, and which employees are falling for the phishing attacks.
usecure offers intelligently-automated security awareness training, simulated phishing and policy management to help you build a comprehensive strategy to mitigate social engineering in your business.