On the TV show Jimmy Kimmel Live!, a segment called “What is Your Password?” shows what happens when a correspondent on the street asks people what their online passwords are. Surprisingly, some people do give out their entire passwords after being prompted with questions. Although the segment is funny, it also shows you how easily a hacker could use social engineering against you.
So what exactly is social engineering? Social engineering is a cyber-attack technique for obtaining confidential information or accessing a system through manipulation. An attacker exploits human vulnerabilities instead of technological gaps through tactics like phishing, baiting, tailgating, and pretexting, to name a few.
What Exactly Is Social Engineering?
Social engineering is the term used to describe a wide range of malicious activities which can be accomplished through human interactions. In cybersecurity, psychological manipulation is used to trick users into committing security missteps, giving away sensitive data, or allowing intruders into a system unknowingly.
Popularized by well-known hacker Kevin Mitnick in the 1990s, social engineering as a label is recent, but the tactic itself has been used by con artists and identity thieves for centuries. The idea is to take advantage of human cognitive biases, like our tendency to trust people who seem likeable or to comply with authority figures without asking questions.
Even if all your other defenses are shored up and you have sound security processes in place, an experienced cybercriminal can still find a way around them by attacking the weakest link in the security chain: individuals. In fact, most of the major cyberattacks on US corporations over the last few years have included an element of social engineering.
NineBall’s Process: An Example of Social Engineering in Popular Culture
One clear example of social engineering appears in the film Ocean’s 8, where the hacker character called NineBall needs to construct a blind spot by the women’s restroom at the MET. She succeeds in her task when she finds out through Facebook that one of the security company employees loves dogs — specifically, Wheaten Terriers. In fact, he even has one at home that he takes to compete in dog shows.
NineBall creates a phishing advertisement for a Wheaten Terrier dog show, and her target clicks the link even though he hesitates. While he is distracted by a page full of cute dog photos, NineBall gains access to all the security cameras at the MET and downloads the data she needs to create a blind spot.
As we see in the fictional (but plausible) example above, social engineering attacks happen in more than one step. Instead of using brute force methods on the system to breach it, NineBall motivates her target to compromise himself voluntarily. Here is how most attacks happen:
- Research: The attacker will spend time investigating their target for background information, usually on a rich source like social media. From there, they establish potential points of entry or weak security protocols.
- Infiltration: Once they are ready, the attacker can initiate an interaction or establish a relationship. It could take a face-to-face meeting, one email, or months of chatting on the phone or on social media. This is done to gain the victim’s trust and exploit their weaknesses.
- Disengagement: Once the victim has performed the desired action, the attacker disengages, having already gotten what they need. In some cases, an attacker leaves malware behind in the system that can continue to gather information for years, undetected.
Why Social Engineering Can Be Dangerous For Your Organization
Social engineering is such a dangerous threat because it relies on human errors instead of software or operating system vulnerabilities — and no person is exempt from error. We all have cognitive biases which allow us to fall prey to social engineering attacks and often, we’re not even aware that we have those social biases.
Some people are more vulnerable than others, such as older people who are less familiar with technology and have savings an attacker can target. And even if you do have the technical know-how, it is difficult to protect yourself from manipulation, because the brain itself is not proofed against "hacking".
In an organizational setting, hackers target people who can allow them to bypass technical security controls, which is unpredictable and much harder to identify than a malware-based intrusion. Once they gain access through someone who has authorized access like an employee, they can infiltrate the organization’s systems and steal data, credentials, client information, source code, and emails.
Common Techniques Used By Social Engineering Attackers
There are different ways a criminal can successfully infiltrate your organization through social engineering. Certain techniques done in-person, over the phone, and online have proven to be successful over the years. Let’s review a few common tactics employed by social engineering perpetrators:
Phishing
Phishing is one of the most common and enduring social engineering attacks. It is designed to trick people into opening malware-laden attachments, clicking links to malicious websites, or revealing personal or financial information. A typical phishing email impersonates a business you trust and alerts you to a supposed policy violation, directing you to enter your username and password on a nearly identical (but illegitimate) website.
Some phishing attacks are customized to lure you with something you care about, such as your favorite artists, politics, or charities. Phishing is also conducted over voice calls (vishing) and text messages (smishing). Spear phishing is a targeted form in which the attacker researches a specific individual or organization and tailors the message to them, often impersonating a colleague or business partner the victim already trusts.
Baiting
Baiting uses an enticing but false promise to lure victims into a trap where the attacker can steal information or install malware on their device. It resembles phishing but is distinguished by offering the victim something desirable.
The bait can be an attractive online ad that leads to a malicious site, or a physical medium such as a USB flash drive. A common tactic is to attach a provocative label to a malware-infected USB key and leave it in office bathrooms and break rooms, hoping an employee will pick it up and plug it into their computer.
Pretexting
Pretexting is a tactic in which the perpetrator invents a scenario (the pretext) and poses as someone with a legitimate right to know, such as a police officer, tax official, or bank manager. Under the guise of confirming the victim's identity, they ask questions that harvest personal data. Because attackers research their targets to make the pretext convincing, the scheme is often effective and hard to spot.
Examples of Social Engineering Tactics In Action
While you may recognize a social engineering attack on paper, it can be tricky to spot when it happens to you in real life. A good way to picture exactly how cybercriminals take advantage of human emotions and biases is to familiarize yourself with what kinds of scams have been pulled off in the past. Here are some examples of how attackers manipulate people through human nature:
Hackers are fully aware that humans want to trust and help each other. They may target a handful of employees with an email that looks like it was written by their manager, asking them to send confidential information urgently. Employees may fall for it because they think they are providing their “manager” with assistance.
Another simple (and successful) variation is to pose as the victim and claim to have trouble logging in. Often a help desk employee, trying to be helpful, will reset the password or issue a new access token to the impostor.
Say you receive an email from an "investor" asking you to transfer $10 so they can grow it into $10,000 with no work on your part. Sounds too good to be true? It is, and cybercriminals count on greed to make the scheme work. Victims are asked to provide their bank account details so the funds can be transferred, only to find their own money gone.
A similar case is the classic Nigerian 419 scam, where a “Nigerian prince” needs the victim’s help to transfer money out of his country in exchange for a large portion of the funds.
Events capturing a lot of news coverage also attract attackers. When the second Boeing 737 MAX 8 crashed in 2019, cybercriminals took advantage of the chaos and sent emails with attachments that supposedly contained leaked data about the crash. Opening the attachment instead installed the Hworm remote access trojan (RAT) on the victim's computer.
Sometimes, the victim may also get messages on social media platforms like Instagram, claiming they were added to a list of people with the Worst Instagram Wall. As the attack takes a personal approach, the victim may grow more curious and click the link.
A popular scenario occurs during tax season, when many targets are anxious and stressed about filing taxes. An attacker leaves a voicemail claiming that you are under investigation for tax fraud and must call back immediately to avoid arrest. Once the frightened victim calls, the attacker has a live target on the line and pressures them into handing over whatever personal or payment information the scheme is after.
Some attackers may send you a text message that looks like it came from your credit card provider, telling you that you need to confirm your card information in order to protect your account as soon as possible. A sense of urgency creeps in as you panic and rush to text back without thinking through it.
How To Protect Yourself From Social Engineering
It is not easy to disentangle yourself if you become a social engineer’s target. Prevent cyberattacks by growing your awareness of social engineering tactics, as well as sharpening your intuition and common sense to spot their techniques. Here are some cybersecurity tips and habits you might want to practice:
- Never reveal your passwords or login credentials to anyone; a legitimate technician or service provider never needs your password and can reset it if necessary.
- Avoid sharing personal details which can be used to guess your password-reset security questions such as the name of your pet, your school, your place of birth, or your mother's maiden name.
- Don't trust anything that sounds too good to be true, like a big monetary reward in exchange for information or a small amount of money.
- Never open a suspicious-looking attachment, even if it appears to come from someone you trust; their account may be compromised or spoofed. Similarly, don't plug unfamiliar USB devices into your computer.
- Deploy reputable antivirus or endpoint protection software to block malware and detect known phishing sites.
- Always check the real destination of links sent to you (hover over a link to see where it actually goes) and watch the grammar in the messages you receive. If anything about these details seems "off", it is often a scam.
- Verify the source of any suspicious email, SMS, or phone call through a channel you already trust, such as the phone number on the organization's official website, never one supplied in the message itself. Ongoing social engineering campaigns are usually reported by others, so a quick search on the sender or number often flags them.
- If you’re an organization, plan regular security awareness and cybersecurity training sessions to review your existing protocols and update employee knowledge.
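The "check the real destination of links" advice above, and the lookalike websites described under Phishing, boil down to a few mechanical comparisons that can be automated. The Python script below is an added example written for this article (it is not Abacus's code): it pulls every link out of a constructed phishing email and flags (1) visible link text that names one domain while the href goes to another, (2) hosts that are bare IP addresses, (3) internationalized (punycode, xn--) hostnames that can render as look-alike characters, and (4) registered domains that imitate a brand on a hypothetical allow-list through character substitution (paypa1.com, rnicrosoft.com) or by embedding the brand name in an unrelated domain. The allow-list, the sample email and the flagged domains are all made up for illustration.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example for this article (not Abacus's code). The allow-list and the
sample e-mail below are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allow-list: domains this recipient legitimately gets mail from.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-bank.com"}

# Digit-for-letter swaps commonly used in lookalike domains (paypa1.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registered_domain(host: str) -> str:
    """Crude registered domain: the last two labels (no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hostname_in_text(text: str) -> Optional[str]:
    """If the visible link text is itself a URL or bare hostname, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "//" + t).hostname


def looks_like(host: str, trusted: str) -> bool:
    """True if `host` imitates `trusted` without actually belonging to it."""
    dom = registered_domain(host)
    if dom == trusted:
        return False                                          # login.paypal.com is genuine
    if dom.translate(CONFUSABLES) == trusted:                 # paypa1.com
        return True
    if dom.replace("rn", "m").replace("vv", "w") == trusted:  # rnicrosoft.com
        return True
    brand = trusted.split(".")[0]
    return brand in host                                      # paypal.com.evil.com, paypal-secure-login.com


def classify_link(href: str, text: str) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means nothing was found."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return ["not-an-http-link"]
    try:
        ipaddress.ip_address(host)
        return ["raw-ip-host"]                    # real businesses link to names, not bare addresses
    except ValueError:
        pass
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")           # IDN homograph, e.g. xn--pypal-4ve.com
    dom = registered_domain(host)
    shown = hostname_in_text(text)
    if shown and registered_domain(shown) != dom:
        reasons.append(f"text-says-{registered_domain(shown)}-but-goes-to-{dom}")
    for trusted in sorted(TRUSTED_DOMAINS):
        if looks_like(host, trusted):
            reasons.append(f"lookalike-of-{trusted}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html: str) -> dict[str, list[str]]:
    """Map each suspicious href in the message to the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: r for href, text in parser.links if (r := classify_link(href, text))}


# Constructed phishing message for the demo; none of these links is a real campaign.
SAMPLE_EMAIL = """
<p>Your account is in violation of our policy. Verify now:</p>
<a href="https://paypa1.com/login">https://www.paypal.com/login</a><br>
<a href="http://203.0.113.7/secure">Secure portal</a><br>
<a href="https://xn--pypal-4ve.com/">paypal.com</a><br>
<a href="https://www.paypal.com/help">Help center</a>
"""

if __name__ == "__main__":
    for flagged_href, why in scan_email(SAMPLE_EMAIL).items():
        print(flagged_href, "->", ", ".join(why))
```

Run as a script, it prints the three flagged links and leaves the genuine paypal.com help link alone. The registered-domain helper simply takes the last two labels, which is wrong for country-code suffixes such as co.uk, and the confusables table is deliberately tiny; a production mail filter would use the Public Suffix List and a full Unicode confusables table. The logic, however, is exactly what a careful reader does by hand: trust the real destination, not the text you were shown.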
Boost Your Security With Abacus
Abacus Managed IT Services can help equip your organization with the most advanced IT security technology and know-how. Contact us today to learn more.