Definition of social engineering
Social engineering is an umbrella term used to describe the use of psychological manipulation as an attack vector for perpetrating malicious activities. With social engineering attacks, deception is used to trick individuals into breaking personal and organizational security protocols to support criminal activities.
Social engineering targets and exploits human error, trust, or weakness rather than technical flaws in systems, which is why it is sometimes referred to as human hacking.
Social engineering short-circuits the target's otherwise sound judgment, leading them to do things they normally would not do.
Cybercriminals know that a carefully crafted email, voicemail, or text message can convince people to:
- Grant remote access to, or control over, computer systems
- Click malicious links or open malicious files that install malware
- Transfer money
- Share confidential or personal information (e.g., login credentials, bank account numbers, credit card numbers, social security numbers)
A social engineering attack is often just the first stage of a larger cyber attack. Cybercriminals use social engineering to gain access to systems, then unleash malware or ransomware or break into systems to steal sensitive information.
How social engineering works
Social engineering attacks can usually be broken down into four steps.
Step one: Investigation to prepare for the attack
A social engineering attack begins with an investigation. Cybercriminals know that the efficacy of social engineering hinges on connecting with the victims. Therefore, the investigation step of an attack includes time spent learning how to best engage victims by:
- Gathering background information on the target or organization with online research or dumpster diving
- Identifying any events or worries that can be leveraged, such as tax deadlines, holidays, or a health crisis
- Determining the best social engineering attack method
- Developing a targeted strategy
Step two: Setting the hook by deceiving the victim and gaining a foothold
Once the plan is in place, the social engineering attack is launched. The person executing the attack will pose as a legitimate person, engage the victim, and develop their trust. The social engineering attack narrative is laid out during the hook step, and a foothold is gained (e.g., malware is downloaded and installed, or the victim is driven to act).
The key elements of the hook step of a social engineering attack are:
- Taking control of and guiding the interaction
- Engaging the target and earning their trust
- Spinning a fake, but plausible story
- Motivating the target to act through fear, compassion, or ignorance
Step three: Make the play to achieve the goal
With the hook set, this step in the social engineering attack reels in the catch when the opportunity arises. The goals of social engineering vary, but include:
- Accessing and exfiltrating sensitive information
- Convincing the target to send money
- Disrupting the network
- Expanding the foothold through lateral movement across the network
- Gaining access to critical resources
- Modifying systems to enable access at a later date
Step four: Exit the scam by closing the interaction
The final phase of a social engineering attack is the exit, which is ideally (for the attacker) executed without arousing suspicion. A successful exit leaves no trace.
Elements of the exit step of a social engineering attack include:
- Covering tracks
- Drawing the relationship to a natural end or scaring the victim into staying silent
- Removing all traces of malware
Social engineering attack techniques
The following are several of the many social engineering techniques used to compromise enterprise IT systems.
Baiting
With baiting, false promises are made to targeted individuals to lure them into a trap. The most common form of baiting uses strategically placed USB drives (in a car park, lobby, or mail room) that deliver malware when unsuspecting users plug them into their computers. Other baiting approaches promise a reward, something enticing for free, or a special offer in exchange for sharing information or clicking a malicious link.
Business email compromise
In a business email compromise (BEC), an attacker either takes over an executive's (e.g., CEO or CFO) real mailbox or impersonates it with a spoofed or lookalike address, then uses that apparent authority to trick employees into handing over the attacker's target, which is usually money (a wire transfer or gift cards), sensitive information, or other valuable assets. BEC messages often carry no malware or link at all, so filters that look only for malicious attachments miss them; the tell is the request itself and the mismatch between the displayed name and the actual sending address.
Phishing
Phishing, a leading initial-access and malware infection vector, is a widely used social engineering technique that is executed in several ways. Regardless of the type of phishing attack, the outcomes are usually the same: individuals unwittingly share sensitive information or download a malware payload.
Bulk email phishing
Bulk phishing emails are sent to many recipients and usually appear to be sent by a recognizable, reputable business or organization (e.g., bank, online store, or phone company). The emails are designed to mimic the organization’s branding, and the messages are carefully written to make users think they are legitimate requests.
The requests themselves are the breach: the user is asked to "update" credit card details or bank account information on a form or web page the attacker controls, so whatever is entered goes straight to the attacker.
Short message service (SMS) phishing, or smishing
SMS phishing, or smishing, is phishing via text message. Typical lures are a missed parcel delivery, a suspended account, or a bank alert, paired with a shortened link that hides the real destination; because a phone shows less of a URL than a desktop mail client does, smishing links are harder to inspect before tapping.
Spear phishing
A spear phishing attack is a well-researched phishing exploit that targets specific individuals or organizations. The messages use details about the organization or people to make the email appear more authentic.
Vishing
Vishing (voice phishing) is phishing over the telephone. The perpetrator calls, or leaves urgent or menacing voicemails, posing as a bank, a government agency, or internal IT support, to coerce the recipient into revealing information or taking an action such as reading out a one-time code. Caller ID can be spoofed, so the displayed number is not proof of who is calling.
Pretexting
Pretexting is when a social engineering attacker builds a fabricated scenario (the pretext) and assumes the identity of a trusted, important entity such as a bank, utility, or health care representative to drive the target into the trap. Details gathered in the investigation step (account numbers, colleagues' names, recent transactions) are what make the pretext convincing.
Quid pro quo
Quid pro quo social engineering scams lure targets by promising something in exchange for information or access. The classic version is a caller posing as IT support who offers to fix a (nonexistent) problem in return for the user's password or for permission to install remote-access software. Another variant tells someone they have won a prize and must provide personal information to claim it.
Scareware
Scareware makes users think something is wrong with their system. Pop-ups or alerts announce an alleged infection or policy violation and insist that the only way to resolve it is to install a "cleaner" (which is the actual malware), call a support number, or fill out a form that requires sharing personal information or other sensitive data.
Tailgating
Tailgating, also referred to as piggybacking, is a form of physical social engineering. Unauthorized individuals follow authorized team members into restricted areas under false pretenses, such as picking up a special delivery, explaining that they lost their keycard, or having their hands full and being unable to handle the door.
Watering hole attack
A watering hole attack takes its name from predators that wait at a watering hole rather than chasing prey. Instead of contacting targets directly, the attacker compromises a legitimate website that the target group is known to visit (an industry portal, a supplier's site) or sets up a convincing copy of one, and uses it to serve malware or harvest credentials from those visitors.
Traits of social engineering attacks
Social engineering is based on finding individuals’ weaknesses and preying on their emotions. Following are common traits of a social engineering attack and how they use emotions as a weapon.
Leverages curiosity
Cybercriminals scour current events to find angles to trick individuals into falling for their social engineering ploy. For instance, a communication might use a recent headline story and craft related messages with catchy details, enticing a curious individual to respond to find out more.
Plays on fear
Social engineering plays on individuals’ susceptibility to fear, especially of authority figures (e.g., the Internal Revenue Service or Federal Bureau of Investigation).
Fear-based tactics often involve the social engineering perpetrators contacting targets pretending to be an FBI agent working on an investigation or an IRS representative following up on a tax return.
Social engineering ploys also target victims’ fear of missing out (FOMO) to help create a sense of urgency.
Exploits greed or desperation
Social engineering tactics commonly use people’s desire or need for a deal or something free (i.e., greed or desperation) to hook them. Offers that pitch a small investment for an outsized return or a high-end item for a very low price are used to entice people to send money, share bank account information, or provide credit card information.
Takes advantage of helpfulness
Most people are innately inclined to trust and help others in need.
Social engineering exploits leverage this tendency to trick people into compromising situations, such as sharing credentials because of an “IT emergency,” sending money to a relative who “has had an accident,” or clicking on a malicious link to “take a survey” to help a friend. Often, these tactics layer on a sense of urgency, motivating the individual to act quickly and depriving them of time to think through the risks.
Preventing social engineering attacks
Social engineering attacks are extremely difficult to prevent, because they exploit innate human tendencies that cannot be patched the way software can. Tactics recommended by cybersecurity experts to increase users' vigilance and deflect social engineering attacks include the following.
Access control policies
All IT resources should sit behind access controls. Beyond authentication itself, access should follow the principle of least privilege and grant the minimum access required: a social engineering attack typically yields one legitimate user's access, and least privilege determines how much of the organization that one account can reach.
Autorun disablement
Users' systems should have autorun (AutoPlay) disabled so that removable media cannot launch software automatically, putting a speed bump between a careless user and malicious software delivered as part of a social engineering attack. On Windows this is the "Turn off AutoPlay" Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies), which sets the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF for all drive types.
Backups
All systems and data should be backed up automatically and regularly. At least one copy should be offline or immutable and unreachable from the main network with the credentials a user's workstation holds. Because many social engineering efforts result in a ransomware attack, it is crucial that organizations have backups the attacker cannot encrypt or delete once a user's system is breached, and that restores from those backups are tested.
Cybersecurity technologies
Cybersecurity solutions that enable defense against social engineering attacks include:
- Anti-virus software
- Endpoint detection and response (EDR)
- Extended detection and response (XDR)
- Firewalls
- Intrusion detection systems
- Intrusion prevention systems
- Secure email gateways
- Spam filters
Email awareness
Users need to be wary of emails from unknown senders.
Users should be trained never to open emails and attachments from suspicious sources; their definitions and identification of "suspicious" should be updated and reinforced regularly.
Social engineering perpetrators often hijack legitimate mailboxes or reply into existing email threads to deliver malicious payloads, so users should also be trained to spot suspicious requests that arrive under the guise of a legitimate sender. When in doubt, users should confirm the message's authenticity with the apparent sender through a separate channel, such as a phone number already on file or a chat message, never by replying to the email or calling a number it contains.
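Several of the warning signs in this section and under Business email compromise and Bulk email phishing (a trusted name on an untrusted address, a Reply-To that goes somewhere else, failed sender authentication, lookalike domains, pressure language) can be checked mechanically before a message ever reaches a user. The Python script below is an added example written for this page, not code from the original article or from any vendor. The trusted domains (example.com), the executive names, the finding weights and the three sample messages are all constructed assumptions; it uses only the standard library and runs offline.

```python
"""Triage of raw email for phishing and BEC indicators (added example, not the
article's code; TRUSTED_DOMAINS, EXECUTIVES, WEIGHTS and samples are assumptions)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "mail.example.com"}   # assumed legitimate sender domains
EXECUTIVES = {"jane doe"}                                # assumed names worth impersonating
# Character swaps attackers use to build lookalike domains (rn -> m, 0 -> o, ...)
HOMOGLYPH_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Pressure language from the traits section: urgency, fear, money, credentials
PRESSURE_WORDS = ("urgent", "immediately", "wire transfer", "gift card",
                  "verify your", "password", "account suspended", "act now")
WEIGHTS = {"exec_name_untrusted_domain": 4, "lookalike_domain": 4, "suspicious_link": 3,
           "auth_fail": 3, "reply_to_mismatch": 2, "pressure_language": 2}
THRESHOLD = 4   # assumed cut-off; tune against real mail flow


def normalize(domain: str) -> str:
    """Fold homoglyph substitutions so exarnple.com compares equal to example.com."""
    d = domain.lower()
    for src, dst in HOMOGLYPH_SUBS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch typosquats such as exampel.com or example.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for domains imitating a trusted one; real subdomains (hr.example.com) are not."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return False
    for t in TRUSTED_DOMAINS:
        if t in d and not d.endswith("." + t):   # example.com-login.net, example.com.evil.net
            return True
        if normalize(d) == normalize(t):         # exarnple.com, examp1e.com
            return True
        if levenshtein(d, t) <= 2:               # exampel.com, example.co
            return True
    return False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message and return its findings, score and verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(addr)
    # CEO fraud: a known executive's name on a webmail or other untrusted domain
    if any(e in name.lower() for e in EXECUTIVES) and from_domain not in TRUSTED_DOMAINS:
        findings.append("exec_name_untrusted_domain")
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")
    # Replies silently redirected to an address the attacker controls
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")
    # SPF/DKIM/DMARC results stamped by the receiving gateway
    auth = str(msg["Authentication-Results"] or "")
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth, re.I):
        findings.append("auth_fail")
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + str(msg["Subject"] or "")).lower()
    if any(w in text for w in PRESSURE_WORDS):
        findings.append("pressure_language")
    if any(is_lookalike(h) for h in re.findall(r"https?://([a-z0-9.-]+)", text)):
        findings.append("suspicious_link")
    score = sum(WEIGHTS[f] for f in findings)
    return {"findings": findings, "score": score,
            "verdict": "phishing" if score >= THRESHOLD else "clean"}


# Constructed sample messages (not real mail)
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: jane.doe.ceo@outlook.com\n"
    "Subject: Urgent wire transfer\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass\n"
    "\n"
    "I'm in a meeting and can't talk. Please wire 48,000 to the vendor below immediately.\n"
)
SPOOF_SAMPLE = (
    "From: IT Helpdesk <helpdesk@example.com>\n"
    "Subject: Action required: password expires today\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail\n"
    "\n"
    "Your password expires in 2 hours. Verify your account at http://exarnple.com/reset now.\n"
)
CLEAN_SAMPLE = (
    "From: Payroll <payroll@example.com>\n"
    "Subject: March pay statement\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Your March pay statement is available at https://intranet.example.com/pay. No action is needed.\n"
)

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("spoof", SPOOF_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample))
```

Run it and the BEC sample scores 8 on the executive name, the redirected Reply-To and the urgency wording even though SPF and DMARC both pass, which is the point: the attacker's own webmail account authenticates perfectly, so sender authentication alone never catches CEO fraud. The spoofed helpdesk mail scores 8 from the failed authentication, the pressure words and the lookalike link host; the payroll notice scores 0, and its intranet.example.com link is correctly treated as a legitimate subdomain rather than a lookalike.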
Multi-factor authentication (MFA)
MFA adds a layer of protection so that a stolen password alone does not grant access, which matters because social engineering ploys commonly seek to procure users' credentials. The caveat: one-time codes and push approvals can themselves be socially engineered, either by asking the victim to read the code out over the phone or by relaying it through a phishing page in real time, so phishing-resistant MFA that binds the login to the genuine site (FIDO2/WebAuthn security keys or passkeys) should be preferred for the accounts that matter most.
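The difference between relayable and phishing-resistant MFA is easier to see played out in code. The Python model below is an added example, not code from the page and not real TOTP or WebAuthn client code: an HMAC stands in for the authenticator's public-key signature, the origins login.example.com and login.exarnple.com are assumed, and the password "hunter2" is a placeholder. It runs both kinds of login through the same phishing relay.

```python
"""Relayable MFA (one-time code) versus origin-bound MFA under a phishing relay.
Added example for this page; a simplified model, not real TOTP/WebAuthn code.
HMAC stands in for the authenticator's signature; origins and password are assumed."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"     # assumed legitimate site
PHISH_ORIGIN = "https://login.exarnple.com"   # assumed lookalike run by the attacker
PASSWORD = "hunter2"                          # placeholder the victim types


def otp_code(secret: bytes, step: int) -> str:
    """HOTP/TOTP-style 6-digit code for one time step (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


class OtpServer:
    def __init__(self, user_secret: bytes):
        self.secret = user_secret

    def login(self, password: str, code: str, step: int) -> bool:
        return password == PASSWORD and hmac.compare_digest(code, otp_code(self.secret, step))


def otp_relay_attack(server: OtpServer, victim_secret: bytes, step: int) -> bool:
    """Victim types password and code into the phishing page; the proxy forwards both.
    Nothing in the code ties it to the site the victim believed they were on."""
    typed_password, typed_code = PASSWORD, otp_code(victim_secret, step)
    return server.login(typed_password, typed_code, step)


def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> bytes:
    """The browser, not the user, supplies the origin it is actually connected to,
    so the user cannot be talked into signing for a different site."""
    return hmac.new(key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).digest()


class OriginBoundServer:
    def __init__(self, user_key: bytes):
        self.key = user_key
        self.origin = REAL_ORIGIN

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def verify(self, challenge: str, claimed_origin: str, signature: bytes) -> bool:
        expected = hmac.new(self.key, f"{challenge}|{claimed_origin}".encode(),
                            hashlib.sha256).digest()
        return claimed_origin == self.origin and hmac.compare_digest(expected, signature)


def legitimate_login(server: OriginBoundServer, user_key: bytes) -> bool:
    ch = server.challenge()
    return server.verify(ch, REAL_ORIGIN, authenticator_sign(user_key, ch, REAL_ORIGIN))


def origin_bound_relay_attack(server: OriginBoundServer, victim_key: bytes) -> tuple:
    """Proxy fetches the real challenge and forwards it, but the victim's browser is on
    PHISH_ORIGIN, so that is what gets signed. Returns (honest_submit, forged_origin_submit)."""
    ch = server.challenge()
    sig = authenticator_sign(victim_key, ch, PHISH_ORIGIN)
    honest = server.verify(ch, PHISH_ORIGIN, sig)   # rejected: origin is not the server's
    forged = server.verify(ch, REAL_ORIGIN, sig)    # rejected: signature covers a different origin
    return honest, forged
```

The one-time code relay succeeds because the code is just a number the victim can be persuaded to type anywhere. The origin-bound login fails both ways the attacker can try it: submitting honestly exposes the phishing origin, and claiming the real origin breaks the signature, because the origin is part of what was signed. That property, not the number of factors, is what makes a method phishing-resistant.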
Screen lock
Screens should be set to lock automatically after a short period to prevent a social engineering attack by someone who sees an unlocked screen and uses it to gain access to the system. Users should also be trained to manually lock their screens when they leave them, especially laptop and desktop computers on users’ desks.
Unlock screens should require users to authenticate using an authentication factor, such as a personal identification number (PIN), password, or biometric identification (e.g., fingerprint or facial recognition).
Security awareness training
Regular security awareness training should always include a component focused on social engineering. This provides users with much-needed guidance on how to identify and avoid attacks as well as detect and respond to attacks that are already underway (e.g., how to report a possible social engineering attack). Social engineering training should be detailed and explain specifics, such as how seemingly mundane data (e.g., birthday or phone number) can be used by a cybercriminal to execute an attack.
Social media and online presence hygiene
Part of security training should be making users aware of how social engineering tactics leverage social media to target them. Social engineering perpetrators search the internet and social media to find information for spear phishing attacks. The more information users post, the more fodder they give social engineering attackers.
Software updates
Keeping software patched is a cybersecurity best practice. It is especially important to keep anti-virus and anti-malware software updated.
Tips from experts include setting automatic updates and downloading the latest signatures every day. Users’ systems should be periodically checked to ensure updates are applied and scan for possible infections.
USB device warnings
Like CD-ROMs before them, USB drives continue to be a highly effective social engineering attack vector. Users should be educated that USB drives they find, receive as gifts, or get bundled with cheap peripherals such as a camera or keyboard can compromise data, applications, and networks. A malicious device can even present itself to the operating system as a keyboard and inject keystrokes, which disabling autorun does not prevent; where the risk warrants it, device-control software that permits only approved USB devices closes that gap.
Social engineering exploits the weakest link
Social engineering is widely used by cybercriminals because it is a highly effective way to bypass complex and cumbersome cybersecurity systems (e.g., anti-virus software, firewalls, intrusion detection systems, and intrusion prevention systems), allowing them to access protected systems. Compared to these cybersecurity systems, people are an easy target. In fact, people are widely considered to be the weakest link in an organization’s security.
In addition, social engineering attacks are lucrative. The return on investment for social engineering for cyber criminals is very high. At the same time, the cost to organizations is often higher (e.g., financial loss, a data breach resulting in lost or compromised sensitive information, and legal and compliance consequences). Regular and robust security training is absolutely critical to combat social engineering attacks.