Social engineering describes the ways in which victims are manipulated into sharing information, downloading malware, or sending money to criminals. Unlike a vulnerable software package, the human brain cannot be patched: at a base level, everyone is susceptible to social engineering. And while public perception of it has not moved on much since the days of the Nigerian prince scam, attackers have used the steady supply of breached personal data to refine some of the most manipulative techniques yet.
Social engineering takes a number of forms depending on the attacker's approach. Against organizations, posing as a trusted brand or partner is one of the most lucrative. In 2019, criminals used AI-based voice-cloning software to impersonate a chief executive.
The CEO of a UK-based energy firm received a phone call from what sounded like his boss, asking him to urgently transfer €220,000 ($243,000) to a Hungarian supplier. AI voice impersonation was rare at the time, but most social engineers are well aware of the power of posing as a trusted organization. Along the same lines are attacks that mimic government and authority figures. The trust granted to government institutions is a fruitful opportunity to abuse: posing as the IRS also gives an attack a time-limited or punitive edge, pushing victims into acting without due thought.
Social engineering largely preys on two groups of emotions. The first is fear and urgency. Over decades, criminals have finely honed their fear-inducing techniques. An unexpected email stating that a recent credit card transaction was declined, for instance, puts the brain under stress as the victim assumes their card has been used fraudulently. In that panic they click the link, enter their credentials on a convincing copy of the bank's login page, and are then redirected to the genuine site. None the wiser, the victim has just handed their banking credentials to fraudsters. Finances are not the only lever: small website and business owners may receive a message falsely claiming that an image on their site violates copyright, which leads them to hand over personal information or even pay a bogus 'fine'. Some urgency-based attacks use the facade of a limited-time deal to pressure victims into clicking immediately.
The other form appeals to greed; the Nigerian prince scam is the traditional example. The victim receives an email from someone claiming to be a fleeing member of a Nigerian royal family who needs a bank account to move his millions, but first requires the victim's banking details. Keen to share in the windfall, the victim may be persuaded to send a relatively small advance fee or their account details. In cybercrime terms this attack is ancient, yet in 2018 it was still netting hundreds of thousands of dollars a year.
Social engineering covers a broad range of attack patterns, each of which take their own approach to manipulating victims.
Phishing Attacks
Phishing is the most notorious type of social engineering attack. The victim receives messages crafted to manipulate them into sharing sensitive information or downloading malicious files. Scammers recognise that the inbox is the most exposed surface of every organization, and messages are crafted with increasing realism, mimicking known organizations, friends of the recipient, or credible customers.
Phishing takes several forms, the most dangerous of which is spear phishing. This tactic targets a specific individual, usually one with privileged access to sensitive information and networks. The attacker conducts a lengthy investigation into the target, often using social media to track their behavior and movements. The goal is a message that believably comes from someone the target knows and trusts, or that references situations the target is familiar with. Whaling is the same process aimed at high-profile individuals such as CEOs. Spear phishing becomes far harder to detect when combined with Business Email Compromise (BEC) in its most dangerous form: if the attacker has taken over the authority figure's genuine mailbox, the malicious email arrives from the real account and passes every sender-authentication check.
Two further types of phishing are defined by the medium through which the victim is contacted. While phishing generally brings emails to mind, attackers will use any channel that reaches a victim. Vishing uses voice calls, as in the CEO voice dupe above, and having an (apparent) person on the other end of the line further instils urgency in the victim.
IBM's X-Force data showed that adding a vishing call to a phishing campaign roughly tripled its click rate. Smishing uses text messages to the same end. The way these messages reach victims is as varied as the attackers themselves. The most basic is bulk phishing: near-identical emails, usually from a template, sent to millions of recipients at once. Bulk attackers know phishing is a numbers game; send enough and someone will eventually fall for it. These emails are as generic as possible, appearing to come from global banks and large online companies, with bogus password resets and requests to update credit card details among the most common pretexts. Search engine phishing instead generates 'organic' victims: attackers build malicious websites that rank high enough in search results that visitors assume they are legitimate. On social media, angler phishers pick off victims by masquerading as the official support accounts of trusted companies. When a customer contacts them, the fake account exploits their query or complaint to collect personal information and card details.
Baiting Attacks
Whereas phishing often relies on high-pressure urgency, baiting lures victims into acting against their own interests. In 2020 the FBI warned US organizations that the cybercrime group FIN7 had been mailing malicious USB drives to deliver ransomware. The drives arrived in packages posing as PR material or public safety notices: one seized package imitated the US Department of Health and Human Services with Covid-19 guidance, another imitated an Amazon gift package, complete with a fake gift card alongside the malicious USB.
Tailgating Attacks
Tailgating, or piggybacking, comes from physical perimeter security: an attacker closely follows an authorized person into an area containing valuable assets. Its digital equivalent is one of the simplest attacks there is, relying on nothing more than carelessness, for example an employee leaving an unlocked device unattended while stepping away. This is, in effect, how the FBI arrested Ross Ulbricht, the operator of the Silk Road drug market, in a San Francisco public library in 2013: agents distracted him and seized his laptop while he was still logged in.
Pretexting Attacks
Pretexting attacks have the attacker construct a believable but fabricated situation for the victim. Once they have bought into the story, victims become far more manipulable. Many pretexting attacks, for instance, tell the victim they have been affected by a security breach and then offer to fix it, either by having 'IT support' take remote control of the victim's device or by asking the victim to hand over sensitive account details. Almost every social engineering attempt involves some degree of pretexting, precisely because it makes the victim more malleable.
Quid Pro Quo Attacks
Quid pro quo attacks use the baiting method, dangling a desirable good or service in front of the victim, but only deliver (or pretend to) once the victim gives up personal information in return. Whether it is fake contest winnings or a 'which Disney princess are you?' quiz, the information harvested can feed more severe attacks further down the line.
Scareware Attacks
Scareware is any malware or fake alert that aims to frighten victims into sharing information or downloading further malware. Fake tech-support warnings are the traditional example, but newer attacks exploit shame as well as fear. In one campaign, email addresses were stolen from a recruitment website and fake job offers sent to each; opening the attached document triggered the download of a Trojan. The attack specifically targeted corporate addresses, on the assumption that infected employees would be reluctant to tell their employer they had been caught out while job hunting.
Watering Hole Attacks
Finally, watering hole attacks target popular legitimate websites. By injecting malicious code into sites the intended victims frequent, attackers catch them indirectly with drive-by downloads and credential theft.
Social engineering attacks succeed largely because they go unrecognized as attacks. Recognizing one, preferably before it has ensnared you, is therefore a key part of prevention. Here are the six main indicators of an attempted social engineering attack:
Lookalike sender addresses
One of the easiest ways to impersonate a legitimate business is a sender address that is almost, but not quite, identical to the genuine organization's domain. Characters may be swapped or omitted, and this can get incredibly sneaky: a lowercase 'l' replaced by an uppercase 'I', a '0' for an 'o', or 'rn' for 'm'. Outright forgery of the From header is a separate technique, which is why the receiving mail system should enforce SPF, DKIM and DMARC rather than leaving the check to the reader.
Generic greetings and sign-offs
Bulk phishing emails almost always open with a generic greeting such as 'Dear Sir/Madam' or 'Dear Customer'. Genuine marketing material usually begins with a name, since trusted organizations use the contact details in their own database. The same goes for the end of the email, where a legitimate sender's signature will usually include contact information. A generic greeting combined with a lack of contact details is a strong indicator of phishing.
Spoofed hyperlinks and websites
One of the easiest ways to compromise a device is via a website loaded with malicious code, and HTML lets any link text point at any URL. On a PC the real destination can be checked by hovering over the link before clicking; on phones and tablets, where there is no hover and the address bar is often truncated, users are more likely to click through unwittingly (a long press usually previews the destination). Making spoofed hyperlinks worse is attackers' ability to clone legitimate websites closely, adding believability. A spoofed URL follows the same pattern as a spoofed sender address: a variation in spelling, a trusted name used as a subdomain of an attacker-owned domain, or a swapped top-level domain such as .gov to .net are among the most successful techniques.
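As an added example (not code from the article or from LayerX), the following Python script applies the two checks described above, lookalike sender domains and link text that does not match its real destination, to a constructed HTML email. The trusted-domain allowlist, the confusable-character table and the sample message are assumptions for illustration only; the registrable-domain logic is deliberately naive (last two labels), and a production version would use the Public Suffix List so that domains like example.co.uk are handled correctly.

```python
# Added example, not code from the article or from LayerX: flag lookalike sender
# domains and deceptive hyperlinks in an HTML email. The allowlist, confusable
# table and sample message below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "irs.gov", "example-bank.com"}  # assumed allowlist
# Characters that render like letters in common fonts (0/o, 1/l, 5/s, ...).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})
# A bare domain or URL appearing inside the visible text of a link.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def skeleton(label):
    """Collapse a label so visually similar strings compare equal:
    'paypaI' (capital i), 'paypa1' and 'paypal' all become 'paypal'."""
    s = label.lower().translate(CONFUSABLE_CHARS)
    s = s.replace("rn", "m").replace("vv", "w")
    return s.replace("i", "l")  # lowercase l and capital I look alike


def registrable(host):
    """Naive registrable domain (last two labels). Assumption for the example;
    a real implementation would use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host):
    """Return a finding if host imitates an allowlisted domain, else None."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    name, _, tld = reg.rpartition(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        tname, _, ttld = trusted.rpartition(".")
        if host.lower().startswith(trusted + "."):  # paypal.com.attacker.net
            return f"trusted name {trusted} used as a subdomain of {reg}: {host}"
        if skeleton(name) == skeleton(tname):
            if tld == ttld:
                return f"lookalike of {trusted} (confusable characters): {host}"
            return f"lookalike of {trusted} (TLD swap .{ttld} -> .{tld}): {host}"
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw_message):
    """Run the sender-domain and hyperlink checks over one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    # First text/html part, decoded; '' if the message has none.
    body = next((p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/html"), "")
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    finding = classify_domain(sender_host) if sender_host else None
    if finding:
        findings.append("From header: " + finding)
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:  # mailto:, relative links, etc.
            continue
        finding = classify_domain(host)
        if finding:
            findings.append("Link target: " + finding)
        shown = DOMAIN_IN_TEXT.search(text)  # text names one host, href another
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"Link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample phish (not a real message) exercising each check.
SAMPLE_EMAIL = """\
From: "PayPal Security" <service@paypaI.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>We noticed unusual activity. Please <a href="http://paypal.com.account-verify.net/login">log in at https://www.paypal.com</a> to restore access.</p>
<p>You may also visit <a href="https://www.irs.net/refund">irs.gov</a> to claim your refund.</p>
</body></html>
"""
```

Running `analyze_email(SAMPLE_EMAIL)` yields five findings: the capital-I sender domain, the trusted name buried as a subdomain, the .gov to .net swap, and two links whose visible text names a different domain from the one they point to. The skeleton comparison is the same idea as the Unicode confusables check used by browsers for IDN domains, reduced to ASCII for brevity; note that it only flags imitations of domains on the allowlist, so the allowlist has to reflect the brands and partners an organization actually deals with.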
Linked documents
It is very common for marketing material and other messages to include attached documents. Attackers exploit this by directing the victim to a genuine document, or a genuine document-hosting service, which in turn links to a malicious page. The technique is commonly used against teams that regularly collaborate on shared documents. A link inside a legitimate-looking document is not only more believable to its victims but also sidesteps basic inbox security, which scans the email rather than the content it links to.
Spelling and layout
The most obvious sign of a phishing attack is poor grammar and spelling. Reputable organizations almost always proofread customer correspondence. At the same time, the sloppy writing in many social engineering attacks acts as a deliberate filter: attackers do not want to waste time on suspicious recipients, and anyone who overlooks the errors is vulnerable enough to be easy prey.
Unsolicited attachments and urgency
Unsolicited emails asking the user to download and open an attachment should set alarm bells ringing, and when they are combined with a tone of urgency, that panic should be redirected into caution. In business email compromise, even very short messages can cause pandemonium: an email from a senior executive declaring 'I need this document printed, on my desk in 10 minutes' could push an intern to overlook the odd phrasing out of fear. The right response to any urgent, unusual request is to verify it through a second channel, such as calling the sender on a known number.
While it is common to view phishing as an individual problem, there is growing recognition that social engineering prevention is a collective effort. After all, attackers are simply weaponizing users' natural responses to fear and panic. Protecting an organization and its users comes down to three key areas.
#1. Security Awareness Training
First and foremost: give employees the tools to defend themselves. Security awareness training should be relevant to its audience while emphasizing a few universal rules. Employees need to learn not to follow links in unexpected emails and messages; instead, they should build the habit of reaching the legitimate site directly, from a bookmark or by typing the address. Modern internet speeds make this an easy habit to keep.
Password hygiene is, by now, a reminder every employee has heard a thousand times. Given the dozens of online accounts each person holds, unique and complex passwords are only feasible with a password manager. Supporting employees in this way limits the blast radius when a credential is phished: one stolen password opens one account rather than all of them.
Finally, employees need to understand that everyone is vulnerable. Personal information leaked via social media is what fuels successful whaling. Schools, pets and places of birth should be kept out of the public eye, and some employees may find it easier to set security-question answers that are memorable but untrue. Answering 'where did you go to school?' with 'Hogwarts' throws off anyone who has researched the target.
#2. Access Control Policies
Controlling access to every endpoint is a vital part of social engineering prevention. From the user through to the authentication process, there needs to be tight control over who accesses what. End users need to lock computers and devices whenever they step away, reinforced by short automatic lock timeouts. Devices used in public spaces must stay in the employee's possession at all times. All authentication needs MFA. This greatly reduces the damage done by stolen login credentials, though it is not a complete answer to BEC: one-time codes can be relayed by a phishing page in real time, which is why phishing-resistant methods such as FIDO2 security keys are preferred, and a fraudulent wire request sent from a spoofed or already-compromised account never touches a login at all.
Ultimately, verifying identity with a fingerprint, a hardware key or a phone prompt can make the difference between a spoofed email that is caught and a BEC attack that causes millions in damage.
#3. Security Technologies
Employees must be backed by a comprehensive suite of security technologies. If an email program's spam filtering still lets suspicious emails through, third-party filters can help prevent social engineering attacks with a URL blocklist approach. Inbox-based prevention is important, but arguably more so is high-quality browser security, which is positioned to stop drive-by downloads, Trojans and credential-stealing spoofed pages, offering deeper protection than partial URL recognition.
LayerX's user-first browser extension offers a single, comprehensive approach to combating social engineering attacks. Browser sessions are monitored at the application layer, giving full visibility into browsing events. Every web page can be handled with more nuance than a binary 'allow or block' decision, with in-depth analysis enabling real-time threat neutralization. This granular enforcement can prevent even highly advanced BEC attacks from delivering their payloads. Rather than relying on the step-behind approach of DNS block lists, LayerX marries current threat intelligence with deep enforcement at every endpoint.