Social engineering is the use of manipulation and deception to obtain information, and of tactics that influence behavior so that a target does something useful to the attacker, often as one step in a larger cyberattack.
Some describe social engineering as exploitation of human nature: it relies on people's inclination to trust, their moments of weakness, or a simple lack of awareness to carry out the attack. The most common form of social engineering is the phishing attack, discussed further below.
What are the Four Phases of Social Engineering?
- Research & Investigation
During this phase, the social engineer investigates a target and gathers the information needed to build a hook. The target can be a person who serves as a point of entry to an organization, or the organization itself. The attacker becomes familiar with the target (or a person within the organization), collects the necessary background information, and makes a plan to engage.
- Hooking The Target
Here, the social engineer establishes a connection with the target. Building trust is important for the attacker; the level of rapport required depends on the attacker's goal and approach. The link can be as simple as a single telephone conversation or as involved as building an entire personal relationship.
- The Interplay
This is when the exploitation occurs. The attacker uses what was gained in the first two phases, information and rapport, to execute the attack and gain access. The attack can be as simple as tailgating the target into a restricted building or leaving an infected USB stick where it is likely to be found. In another instance it might be a friendly, plausible phone call requesting access to critical information.
- The Exit
At exit, the attacker hopes to have completed the exploit without being noticed. If no suspicion is raised, the attacker keeps the option of returning to carry out further exploitation at a later date.
What is Social Engineering Used for?
Malicious attackers use social engineering when exploiting human nature is easier than exploiting software or network vulnerabilities, tricking users into divulging sensitive information or granting access. For ethical practitioners, social engineering is part of the open-source intelligence (OSINT) and penetration testing toolkits, used for information gathering and for testing physical security controls.
Why is it Dangerous?
It is easier to exploit weaknesses in human nature, such as trust, kindness, and lack of awareness, than to find a way to break software and systems. For this reason, social engineers often invest in their targets on a personal level, looking for holes in the human armor. This is dangerous because it targets people themselves rather than technology, so technical controls alone do not stop it. Targeting employees at a company puts the entire organization at risk.
What are the Most Common Techniques of Social Engineering?
Phishing: Phishing is by far the most common form of social engineering attack, as it is the easiest to engineer, execute, and get results from. In 2020, Social-Engineer.org reported that phishing attacks accounted for 96% of all human-related attacks.
So what is phishing? Phishing is a form of attack that primarily targets email users. A typical phishing email impersonates a familiar sender, such as a bank, telecommunications company, or other billing company, and uses a generic greeting to the "customer" to reel the victim in. A more targeted phishing email may address the victim by name to appear more legitimate.
The attacker dresses the email in the proper graphics and wording of the company to make it look as authentic as possible, and includes a link the victim is asked to click for further information.
The email will read something like:
“Dear _______, there seems to be a problem with your account which requires your immediate attention. To access your account, please click the link below.”
This is where it is important to think before you act. Often, people don't stop to think and simply click the link, which is where the trouble begins.
Baiting: Baiting involves offering the user something that piques their interest. It takes two usual forms: email-based (a phishing lure) and physical baiting. In the email form, the bait is usually a promise, such as a prize to be won: "Click this link to claim your prize!"
In physical baiting, the social engineer leaves a flash drive or USB stick behind where a user will find it, hoping it will be plugged into a computer and infect it with malware. Employees may be curious enough to see what's on it.
Pretexting: In pretexting, the social engineer tells a story that compels the user to act, exploiting the user's trust or emotional connection. The social engineer sends an email in the guise of a trusted friend, co-worker, or organization. The email usually presents a problem to be solved (when it concerns a friend) or requests a donation to a particular cause, and typically includes a link to a portal where the user's information is to be entered and phished.
Pretexting can also occur over the phone in what is known as vishing ("voice phishing"), where the social engineer gathers the same information by pretending to be someone with authority. They might call pretending to be an official from another office or a third-party service provider who needs access to systems holding information about a recent transaction.
Types of Social Engineers
In addition to the malicious actors (hackers, identity thieves, and others who use social engineering to manipulate people out of their personal data), there are sales professionals, recruiters, law enforcement, governments, security professionals, and ethical penetration testers who use social engineering. They may deploy the same tactics, but under legal circumstances and with authorization. These are professionals who gather information to produce results for their clients, organizations, or even society as a whole.
Tips for Protecting Yourself from Malicious Actors
- Pay attention: Check the sender on every email. Even if a message appears to come from a friend or co-worker, it may not be what it looks like: a display name is trivial to forge, so look at the actual sending address and verify the email is coming from a trusted source.
- Beware of email hijacking: Even if the email really comes from a known address, that account may have been compromised, and the message may still be bait or a pretext sent by a social engineer. Don't click links in the email. Instead, hover over the link to reveal the actual destination URL and confirm it matches both the link text and the domain you expect. You can also use a search engine to look up any links you are unfamiliar with.
- Get confirmation when possible: If you're not sure the contact is coming from a trusted source, confirm it through a separate channel (a phone call or a new message, not a reply to the suspicious one): "Did you send me that link this morning?"
- Secure your devices: Be sure your company's devices are running up-to-date antivirus and antimalware. Use proper password and user access management hygiene for all devices and accounts. We've compiled the best security practices you'll need to secure your Windows and macOS devices.
- Educate yourself and your team: Your employees are on the front line against social engineering, and education through security awareness training is essential.
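The two checks above, looking past the display name to the real sending address and comparing a link's visible text with where its href actually goes, are easy to mechanise. The script below is an added example, not code from the original article or from Carbide: it parses a constructed "account problem" email of the kind shown in the phishing section, flags a From header whose display name claims a brand that does not match the sending domain, and flags anchors whose text shows one domain while the href points at another. The message, the domains in it, and the KNOWN_BRANDS allow-list are all illustrative placeholders.

```python
"""Flag two phishing tells in an email: a display name that claims a brand the
sending domain does not belong to, and links whose visible text names one
domain while the href goes to another. Added example; all data is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder domains, not real infrastructure).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@billing-updates.example>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, there seems to be a problem with your account.</p>
<p>To access your account, please click
<a href="http://login.example-bank.com.secure-verify.example/auth">https://www.example-bank.com/login</a>.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
</body></html>
"""

# Assumed allow-list: brand keyword in a display name -> the domain it may send from.
KNOWN_BRANDS = {"example bank": "example-bank.com"}

# Matches a bare or schemed hostname at the start of a string.
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Deliberately crude: no public suffix list,
    so 'example.co.uk' would be reduced to 'co.uk' (see usage note)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating scheme-less link text like 'www.x.com/y'."""
    host = urlparse(url.strip()).hostname
    if host:
        return host
    m = HOST_RE.match(url.strip())
    return m.group(1) if m else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_link_mismatches(html: str) -> list:
    """Anchors whose visible text looks like a URL on a different domain than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown_host = host_of(text)
        if not shown_host:
            continue  # plain wording like "our help center": nothing to compare
        shown, actual = registrable_domain(shown_host), registrable_domain(host_of(href))
        if shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


def check_sender(from_header: str, known_brands=KNOWN_BRANDS):
    """Return a finding when the display name claims a brand but the address is elsewhere."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, legit_domain in known_brands.items():
        if brand in name.lower() and domain != legit_domain:
            return {"display_name": name, "address": addr, "expected_domain": legit_domain}
    return None


def analyze(raw_message: str) -> dict:
    """Parse an RFC 822 message and run both checks over it."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender": check_sender(str(msg["From"])),
            "links": find_link_mismatches(html)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, "->", value)
```

Run against the sample, the sender check reports that "Example Bank Support" wrote from billing-updates.example rather than example-bank.com, and the link check reports the login anchor whose text shows example-bank.com but whose href lands on secure-verify.example. The registrable_domain helper is a two-label approximation; a production version would use a public suffix list, and neither check replaces SPF/DKIM/DMARC validation on the receiving mail server.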
Protect your Team and your Business with Carbide
It is important for your business’s long-term viability that you mitigate risks of security breaches. Our information security management platform and team of security experts are here to help you build your security program and educate your team on security best practices. Book a demo to learn how our information security platform can help you stay secure and win business.