Social engineering is the act of manipulating people into revealing confidential information or taking actions they otherwise wouldn't. Fraudsters may impersonate someone else or steal other people's identities to create a false sense of trust in their victims.
Social engineering is often the primary method of infiltration in a larger criminal scheme. Tricking people is usually easier than finding a vulnerability in a target company's security measures. Social engineering can yield administrator passwords or other highly sensitive data, get malicious software installed on company servers, and more. It's one of the most effective attack methods because it targets the human link and thus bypasses even the most advanced technical controls. It's also dangerous because it's much harder to detect: the victim often doesn't even realize they were scammed.
What does a social engineering attack look like?
Most successful social engineering attacks are planned in advance. The attacker has to gather enough data about the victim, for example their name, role, and position in the company. Nowadays this isn't hard to do: much of the necessary information is publicly available via LinkedIn, the company site that displays an internal chain of command, and so on. All of this makes it easier for a perpetrator to impersonate someone in an interaction with an employee.
After the fraudster has enough data to spin a story, they move in with a plan, initiating contact with the victim. This can happen either online or in person. The social engineer creates a convincing reason why they need documents, administrator rights, passwords, or other sensitive details. They may present themselves as a server room technician reacting to a call, etc. If done convincingly, the fraudster can often make the victim believe their story, giving them a way in.
Once the perpetrator has what they came for, they have to cover their tracks. The goal is not to raise suspicion, making it seem as if nothing ever happened. Scamming disguised as "business as usual" is what a social engineering attack looks like in real life.
If you're thinking this only happens in movies, you couldn't be more wrong. The Yahoo breaches disclosed in 2016 are the best-known case: the 2014 intrusion reportedly began with a spear-phishing email that a Yahoo employee fell for, and a separate breach dating from 2013 was later found to have compromised every single customer account at the company, more than 3 billion Yahoo accounts whose data ended up for sale on the dark web. It remains one of the most massive breaches of all time, and social engineering was the way in. Check our tips on how to protect your identity online.
Top 6 Types of social engineering attacks
Social engineering takes many forms depending on whether it's performed in person or online. It always exploits human interaction as the weak point, but there are some nuanced differences. Here are six social engineering examples:
1. Baiting
Baiting relies on the victim walking into a trap on their own out of curiosity or greed. The results vary; for example, the fraudster may lead the target to a malicious website that installs malware on their computer.
There are real-world cases where attackers leave flash drives carrying the company logo and a label like "payment logs." Most people will grab a free flash drive and be curious about the files on it, so they will happily plug it into their work computer. Modern operating systems no longer run programs from removable media automatically, so the payload is usually a booby-trapped document the user opens, or the "flash drive" is really a device that identifies itself as a keyboard and types commands; either way the computer is compromised, often with a keylogger or data-stealing malware.
A common online example of baiting involves ads that lead to malicious sites, download links that are disguised malware, and so on. In simple terms, baiting is like leaving a rake out in the open and hoping that someone will step on it.
2. Phishing
Phishing scams are the most popular form of social engineering. They use genuine-looking email or text-message campaigns that invoke a sense of urgency or fear in victims, tricking them into clicking on malicious links, sending money to scammers, or opening attachments that carry malicious code.
An example would be an email, apparently from your bank, that asks you to log into the new version of their site and requires an immediate password change. The link leads to a look-alike site, and once you type in your login credentials, they end up in the attackers' hands and may be used to drain your real bank account or to extract more information from customer support.
3. Email hacking and contact spamming
The principle behind this sort of attack is twofold. First, the attacker acquires an email address and its login credentials, often as a result of a massive data breach. The fraudster then logs in and, pretending to be the account owner, sends an email to the victim's contacts claiming to be in distress and asking them to open a file or send some money. The recipients, seeing that a close friend is in trouble, won't doubt the legitimacy of these claims, something they will come to regret later.
4. Vishing
Vishing (voice phishing) is phishing conducted over the phone. In one variant, the attacker uses an interactive voice response system to recreate a legitimate-sounding copy of an institution's IVR menu. The victim is prompted, usually by an email or text message, to call the number and "verify" some information. Typically, the fake system rejects each password or PIN entered as incorrect so that the victim tries several, handing over multiple credentials that may also unlock other accounts belonging to them. In the most extreme cases, the IVR is combined with impostor customer service agents who build on the information already stolen.
5. Spear phishing
Spear phishing is a heavily targeted social engineering attack aimed at particular individuals or enterprises. This type of attack tailors the email message to appear as close to real as possible using information like the victim's exact employment position, work functions, daily routine, etc. Planning this type of attack might take weeks or months, but if done skilfully it can do great damage. A spear-phishing message might be worded exactly like many other routine requests and even sent through the usual channels, thus deceiving the victim about its authenticity. The Yahoo breach mentioned above reportedly began with a high-profile spear-phishing email.
6. Tailgating
Tailgating exploits a common workplace courtesy: fraudsters gain access to restricted areas by simply walking in behind someone who has access. Out of common decency, most people will hold the door (or even open it, believing the attacker has forgotten or lost their ID or access card). There are many workplace realities a skilled social engineer can use to their advantage. For example, because fire regulations require that people be able to leave the building quickly, exit doors open freely from the inside, and an attacker can slip in while someone is on the way out.
7 tips on how to protect yourself from social engineering
- Think before you act. Attackers create a sense of urgency because they want their victims to make reckless snap decisions. Always stop and verify. If a friend suddenly asks you for money, call them on a number you already have, not one given in the message, and ask whether they really sent it.
- Check the message for legitimacy. If you received an email and something about it seems off, it probably is. Verify the domain names: they could end in .co or .con rather than .com, or put the real brand name in front of an unrelated domain. Typos and other spelling errors are a common giveaway of a phishing attempt, though a well-crafted message may have none.
- Don't trust senders you don't know. If you're not expecting anything, don't open any files you've received, especially if they are flagged as urgent.
- If you didn’t participate but have won in the lottery, or a Nigerian prince is offering you money, then chances are you’re being scammed. Trust that if something seems too good to be true, it probably is.
- If you're unsure whether a website is genuine or a phishing attempt, check that the domain in the address bar is exactly the one you expect, especially on banking sites. A padlock icon or a valid TLS certificate only means the connection is encrypted; phishing sites routinely have valid certificates too. Safest of all is to type the address yourself or use a bookmark rather than following a link.
- Use 2FA (two-factor authentication) so that a leaked password alone isn't enough to take over your account. Periodically check whether your accounts appear in the latest security breaches. Scammers use credential stuffing, trying leaked username and password pairs on other sites, to take over accounts, which can then be used for contact spamming.
- One of the ways an organization can prevent social engineering attacks is to have an active risk management function. Actively monitoring weak points in your business infrastructure for infiltration routes and reinforcing security in those areas is just one way to do it. Educating employees about the subject helps them recognize social engineering attacks in progress and limit the impact of a coordinated attack.
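The bank lure described under phishing and the domain checks in the tips above can be turned into a small triage script. The following is an added example, not code from the original article: it pulls every link out of a message, flags look-alike top-level domains (.con for .com), a brand name parked in front of an unrelated domain, raw IP addresses, the user@host trick, and link text that names a different site than the href actually points to. The brand allow-list (examplebank) and the sample email are constructed for illustration; a real deployment would load the allow-list from the organisation's own records and use the Public Suffix List instead of the crude "last two labels" rule for the registrable domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list (hypothetical): brands the user holds accounts with,
# mapped to the registrable domains those brands legitimately use.
TRUSTED = {"examplebank": {"examplebank.com"}}

# Look-alike TLD swaps the article mentions (.co, .con for .com) plus a few
# other common typo-squats.
LOOKALIKE_TLDS = {"co", "con", "cm", "om", "corn"}


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme ("examplebank.com/x")."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style TLDs; a production
    tool would consult the Public Suffix List so that .co.uk etc. work."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> list[str]:
    """Phishing indicators for one URL; an empty list means nothing flagged."""
    findings = []
    host = host_of(url)
    if not host:
        return ["no hostname in URL"]
    reg = registrable_domain(host)
    name, _, tld = reg.rpartition(".")
    for brand, legit in TRUSTED.items():
        if reg in legit or brand not in host:
            continue  # either the real site, or this brand is not invoked
        if name == brand and tld in LOOKALIKE_TLDS and f"{brand}.com" in legit:
            findings.append(f"look-alike TLD .{tld} for {brand}.com")
        else:  # e.g. examplebank.com.secure-verify.net
            findings.append(f"brand '{brand}' on unrelated domain {reg}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a hostname")
    if "@" in urlparse(url if "//" in url else "//" + url).netloc:
        findings.append("'user@host' trick hides the real host")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_html(html: str) -> dict[str, list[str]]:
    """Run classify_url over every <a href> and add a finding when the visible
    link text names a different site than the href (the classic bank lure)."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = classify_url(href)
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1).lower()) != registrable_domain(host_of(href)):
            findings.append(f"text shows {shown.group(1)} but href goes to {host_of(href)}")
        report[href] = findings
    return report


# Constructed sample message, modelled on the bank lure described in the article.
SAMPLE_EMAIL = """<p>Your account will be locked in 24 hours. Log in now:</p>
<a href="https://examplebank.con/login">https://examplebank.com/login</a><br>
<a href="http://examplebank.com.secure-verify.net/">Verify now</a><br>
<a href="https://www.examplebank.com/">www.examplebank.com</a>"""

if __name__ == "__main__":
    for href, findings in check_email_html(SAMPLE_EMAIL).items():
        print(href, "->", findings or ["no indicators"])
```

The first two links in the sample each produce findings (a look-alike TLD with mismatched link text, and the brand name riding on an unrelated domain), while the genuine www.examplebank.com link produces none. Treat the output as a prompt to verify, not a verdict: a message with no findings can still be a phish, which is why the safe habit remains typing the bank's address yourself.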