Social engineering is an IT security threat in which psychological manipulation is used to trick people into divulging information that should not be provided.
What is Social Engineering?
Social engineering is a method of cyberattack in which the emotions of the victim – fear, a sense of urgency, the prospect of gain – are used to manipulate people into providing information or taking actions that they would otherwise hesitate to take.
Criminals who implement social engineering attacks are patient.
They will work slowly to gather all the data they need, accessing the information on a company’s website, as well as on personal and professional social media profiles.
These nefarious criminals will even phone the target company pretending to be a legitimate contact in order to surreptitiously gather necessary information.
The information they gather is then used to perpetrate scams that are so well-developed that they seem legitimate.
Social engineering attacks can often take weeks or months to play out.
Social Engineering in an Organizational Setting
Social engineering in the organizational setting is used to create more effective attacks.
Specific people in the organization are targeted (based on the research gathered) to trick them into wiring money, releasing passwords, or clicking on links that plant ransomware on your network.
Why Is Social Engineering So Successful?
By doing a little more homework, cybercriminals are able to craft email messages that elicit an emotional response from the recipient. Common tactics include:
Eliciting Fear. Posing as the CEO and expressing displeasure to someone in the finance department regarding an unpaid invoice. The ensuing fear response over being in trouble with the boss may cause that person to wire money without ensuring that the invoice is real.
Creating a Sense of Urgency. Pretending to be a colleague who desperately needs information to finish a project. The sense of urgency created can cause the recipient to divulge the information without making sure the sender was really who they claimed to be.
Demanding Action Now. Pretending to be a vendor, coworker, or boss who needs something done quickly that would require opening a file or clicking on a link.
In each case, the success of the attack comes from the personal knowledge the perpetrator has gained about the people involved.
The criminal knows enough about the person being impersonated to make the request seem legitimate, while creating a false sense of urgency or fear to provoke an immediate response (click the link, send the money, hand over the confidential information).
There’s No App for Human Error
Security is about trust.
Do you know who you’re communicating with?
Do you know where you’re really sending money or information to when responding to email messages?
Every organization struggles with addressing the one gap in security they can’t patch with software or an app: the human element.
A better understanding of social engineering and how to thwart social engineering attacks is necessary.
9 Examples of Social Engineering Attacks
Social engineering attacks are multi-step attacks that first trick you into taking some action (inserting a flash drive, clicking on a link). This action is followed by either insertion of malware into your system or theft of information that can then be used to:
Baiting
A common social engineering tactic, baiting lures the victim into a trap by making false promises. During the pandemic, this form of attack became very common as people were desperate for information about cures and treatments. Cybercriminals would offer false promises to pique a victim’s curiosity. The victim either clicks on what turns out to be a malicious link or navigates to a website and enters personal information that can then be used against them. People fall for baiting attacks because they are designed to look authentic. For example, one common baiting attack during the pandemic was a website made to look like ArriveCAN. A current list of COVID-19 related scams is available on Canada’s public safety page.
In most cases, baiting is used to insert malware into the network. Physical forms of baiting do exist (leaving a flash drive in a conspicuous place like the parking garage or elevator and labelling it as something an employee would be curious about, such as company payroll), but most baiting happens online.
Phishing
Phishing is one of the most common methods of social engineering. The most insidious thing about phishing scams is that they create a sense of urgency to act that cuts through common sense. An employee receives a message that appears to come from their boss, telling them to wire money, send information, or click on a link RIGHT NOW. The employee feels pressured to act to avoid getting in trouble at work. One of the best ways to thwart this type of attack is to have policies in place that prevent that kind of action: requiring employees to verify before revealing proprietary information, requiring two people to sign off on wire transfers, or requiring requests of that nature to be issued in some way other than email (in person, on the phone, etc.). Policies that prevent employees from getting in trouble for being cautious – and perhaps reward them for being so – can also help minimize phishing threats.
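The warning signs described in this section and under "Why Is Social Engineering So Successful?" (an executive's name on an outside address, a reply address that differs from the visible sender, urgency and payment language) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original article; the company domain, the executive list, the phrase lists and the two sample messages are all constructed for the demonstration, and the indicator names are this example's own.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed organisational context (hypothetical, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # display name -> real address
URGENCY_PHRASES = ("right now", "immediately", "urgent", "asap", "before end of day")
PAYMENT_PHRASES = ("wire transfer", "wire the", "gift card", "update the bank", "invoice")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return the names of the phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    found = []

    # 1. An executive's display name on an address that is not their real one.
    real = EXECUTIVES.get(display.strip())
    if real and addr.lower() != real:
        found.append("display-name-impersonation")

    # 2. An external sender domain that is a near miss of the company domain.
    if from_domain and from_domain != COMPANY_DOMAIN \
            and levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike-domain")

    # 3. Replies silently routed to a domain other than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        found.append("reply-to-mismatch")

    # 4. Urgency and payment language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency-language")
    if any(p in text for p in PAYMENT_PHRASES):
        found.append("payment-request")
    return found


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators is the example's threshold for quarantine."""
    return len(phishing_indicators(raw_message)) >= 2


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: <jd.office@mail-relay.net>
To: accounts@example.com
Subject: Urgent wire transfer

I am in a meeting and cannot talk. Please wire the attached invoice amount right now.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Attaching the slides for Thursday's review. No action needed before then.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, phishing_indicators(raw), "quarantine" if is_suspicious(raw) else "deliver")
```

The checks are deliberately independent of each other, so a single keyword never quarantines a message on its own; the threshold and phrase lists are the parts an organisation would tune against its own mail.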
Spear Phishing
Spear phishing is a more targeted and sophisticated version of phishing in which the cybercriminal has done research to gather personal details about the person they are impersonating or targeting. The messages include details gathered from social media, incorporating information about the target’s job position, their family, or other details that make the request seem more reasonable. Cybercriminals are willing to take their time, gathering information for weeks before initiating the attack, and they are often more successful as a result. For example, the spear phishing attack might take the form of an email from the CFO to the CEO, referencing a shared activity found on Facebook, and then requesting authorization for a payment. The inclusion of personal details makes it seem more legitimate, and the recipient is likely to lower their guard.
Scareware
Scareware is a form of malware attack that tries to trick the person into believing they have already been infected with malware, scaring them into taking rash action to protect themselves. Of course, when they act by clicking the link, they either divulge private information that the cybercriminal then uses, or they really do introduce malware or ransomware into the network. The victim may be pushed into buying and installing software that promises to fix the problem, or into following a link to an online source that then steals their credentials.
Pretexting
Pretexting is exactly as it is named: a pretext is used to initiate contact. The cybercriminal impersonates a client, employee, or vendor in order to gain the trust of their victim, then exploits the victim once they believe they are dealing with a legitimate party.
Quid Pro Quo
Quid pro quo means “a favor or advantage granted or expected in return for something.” A quid pro quo attack uses the same tactic, promising something for your information – often something that seems legitimate, such as a gift or giveaway in exchange for submitted information. The victim is attracted to the possibility of earning money, winning a prize, or getting a gift card in exchange for participation and is eager to provide the information, which the cybercriminal then takes.
Tailgating
Tailgating is a more physical form of security breach. The person who follows you through a secure-access-only door, taking advantage of politeness, is using this form of attack. Once in the restricted-access area, they can wreak havoc. These criminals often combine pretexting and tailgating to achieve their goals, playing on social courtesies to gain access.
Vishing
Vishing is another form of social engineering attack designed to use emotion to gain access to personal information. The attacker leaves a voicemail pretending to be the CRA or some other institution. The voicemail indicates that you are in some form of trouble and that you must immediately provide specific information in order to resolve the issue. Recipients of these calls are scared or worried, and they respond.
Watering Hole Attacks
Watering hole attacks aim to reach as many people as possible by exploiting weaknesses in popular websites that the targets already visit. A site that has failed to patch a known vulnerability may leave many of its visitors at risk of being victimized.
How To Prevent Social Engineering Attacks
How do you help your employees avoid being exploited by social engineering attacks?
First, you keep as much of the malicious email from reaching them as possible. Then you expect employees to exercise restraint, and hold them accountable for doing so.
Implement firewalls and antivirus software as a first-layer solution.
Add threat detection and malware detection to sift out more attacks.
Keep all of your security solutions up to date. Patch immediately. Maintain your licenses.
Purge user access the minute an employee leaves.
Use a hosted email solution and email security protocols that keep the worst of the attacks from reaching the recipients.
Hold employees accountable for breaching policies designed to prevent such attacks from succeeding.
Establish policies to prevent immediate actions that might compromise security:
Require two people to authorize a wire transfer.
Have strict policies regarding what kind of information can be transmitted by email; require the recipient to verify by phone and provide the information by phone if legitimate, to avoid data loss.
Limit information access to only essential personnel.
Have offsite data backup and recovery solutions so that if the worst does happen, you can quickly recover and minimize downtime for your customers.
Use multifactor authentication – Multifactor authentication (MFA) is a crucial security layer that requires more than one authentication method to verify a user’s identity before allowing access. It blocks access to a device, network, or terminal unless at least two of the three factor types are provided: something you have, something you know, or something you are. These independent proofs of identity include a password, a security token or one-time code, and often a biometric verification such as a fingerprint. MFA alone could prevent up to 99.9% of phishing attacks.
Train your employees (and train them again, and again). Focus on the following: