Social engineering is the use of manipulation tactics and deception to gain information. It is also the use of tactics to influence behaviors, which can help attackers gain information as one step in a cyberattack.
Some describe social engineering as exploitation of human nature: it relies on people's inclinations toward trust, their weaknesses, or their lack of awareness to carry out the attack. One of the most common forms of social engineering is the phishing attack, discussed further in this article.
Investigation: During this phase, the "social engineer" investigates a target and gathers all the information necessary to build a hook. The target can be a person who serves as a point of entry to an organization, or the organization itself. At this point, the person doing the social engineering becomes familiar with the target (or a person within the organization), gathers all necessary background information, and makes a plan to engage.
Hook: Here, the social engineer establishes a connection with their target. Building trust is important for the attacker. The level of rapport necessary depends on the attacker's goal and approach. The link between attacker and target can be as simple as a telephone conversation or as complex as building an entire personal relationship between the two.
Exploitation: This is when the exploitation occurs. The attacker uses what was gained in the first two phases, information and rapport, to execute the attack and gain access. The attack can be as simple as following the target into a restricted-access building or leaving an infected USB stick where someone is likely to pick it up. In another instance, the attack might take the form of a seemingly trustworthy and personable phone call requesting access to sensitive or critical information.
Exit: At exit, the attacker hopes to have carried out the exploit without being noticed. If no suspicion is raised, the attacker keeps the opportunity to return and carry out further exploitation at a later date.
For malicious attackers, social engineering is used when it is easier to exploit human nature than software or network vulnerabilities in order to trick users into divulging sensitive information. For ethical practitioners, social engineering is part of the open-source intelligence and penetration testing toolkits, used to gather information or to test for physical security vulnerabilities.
It is easier to exploit vulnerabilities in human nature, such as trust, kindness, and ignorance, than to find ways to hack software and systems. For this reason, social engineers often find ways to become invested in their targets on a personal level, looking for holes in the human armor. This is dangerous because it targets people themselves rather than only technology. Targeting employees at a company puts the entire organization at risk.
Phishing: Phishing is, without doubt, the most common form of social engineering attack, as it is the easiest to engineer, execute, and get results from. In 2020, Social-Engineer.org reported that phishing attacks accounted for 96% of all human-related attacks.
So what is phishing? Phishing is a form of attack that primarily targets email users. A typical phishing email uses what looks like a familiar sender (a bank, telecommunications company, or other billing company) and a generic greeting to the "customer" to reel the victim in. Sometimes, if the phishing attack is more advanced, it is crafted to greet the customer by name to make it more convincing.
The attacker may dress the email in the proper graphics and lingo of the company to make it seem as authentic as possible to the victim, and include a link that the victim is told to click for further information.
The email will read something like:
“Dear _______, there seems to be a problem with your account which requires your immediate attention. To access your account, please click the link below.”
This is where it is important to think before you act. Often, people don’t think beforehand, and they go ahead to click the link, which is where the trouble begins.
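A small triage script built from the article's own phishing indicators (a generic greeting, urgency wording, and a link whose visible text or domain does not match where it actually points), added here as an example and not part of the original article. The two messages it scores are constructed samples, and the domain-matching heuristic is deliberately simple (no public-suffix list).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators taken from the article's description of a typical phishing email.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")
URGENCY_PHRASES = ("immediate attention", "verify your account", "will be suspended", "act now")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registered_domain(host: str) -> str:
    # Crude "example.com" from "login.mail.example.com"; demo heuristic only.
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def score_message(raw: str):
    """Score a single-part HTML message; returns (score, reasons). Higher = more indicators."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()   # strip tags for phrase matching
    reasons = []
    if any(g in text for g in GENERIC_GREETINGS) or re.search(r"dear\s+_{3,}", text):
        reasons.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency language")
    sender_dom = registered_domain(msg.get("From", "").rsplit("@", 1)[-1].rstrip(">"))
    for href, anchor in LINK_RE.findall(body):
        href_dom = registered_domain(urlparse(href).hostname or "")
        m = DOMAIN_RE.search(anchor)                # domain the reader *sees* in the link text
        shown_dom = registered_domain(m.group(1)) if m else ""
        if shown_dom and shown_dom != href_dom:
            reasons.append(f"link text shows {shown_dom} but points to {href_dom}")
        elif href_dom and href_dom != sender_dom:
            reasons.append(f"link domain {href_dom} differs from sender domain {sender_dom}")
    return len(reasons), reasons

# Constructed samples, not real mail. The first mirrors the article's template.
PHISHING_SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
Content-Type: text/html

<p>Dear Customer, there seems to be a problem with your account which requires your immediate attention.
To access your account, please <a href="http://login.example-bank-secure.net/verify">https://www.example-bank.com/login</a>.</p>
"""
BENIGN_SAMPLE = """\
From: "Alice" <alice@example.org>
Content-Type: text/html

<p>Hi Bob, the menu is at <a href="https://example.org/menu">example.org/menu</a>.</p>
"""
```

Running `score_message` on the two samples yields three indicators for the first and none for the second; a real mail gateway would combine such signals with sender authentication results rather than act on text heuristics alone.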
Baiting: Baiting involves offering something to a user to pique their interest. Two forms of baiting usually occur: phishing and physical baiting. In phishing, baiting usually takes the form of a promise, such as a prize to be won, sent to the user's email: "Click this link to claim your prize!"
In physical baiting, the social engineer usually leaves behind a flash drive or USB stick that entices the user to plug it into their computer, with the intent of infecting the computer with malware. Company employees may be curious enough about the flash drive to plug it in and see what's on it.
Pretexting: In pretexting, the social engineer usually tells a story that compels the user to act by exploiting their trust or emotional connection. The social engineer sends an email in the guise of a trusted friend, co-worker, or organization. The email usually presents a problem to be solved when it concerns a friend, or might even request a donation to a particular cause. The email will usually include a link to a portal that harvests whatever information the user enters.
Pretexting can also occur in the form of a phone call, in what is known as vishing or "voice phishing," where the social engineer uses the call to gather the same information over the phone by pretending to be someone in a position of authority. They might call and pretend to be an official from another office or a third-party service provider looking for access to systems that hold information important to a recent transaction.
In addition to the malicious actors who are hackers, identity thieves, and others that use social engineering to manipulate people out of their personal data, there are also sales professionals, recruiters, law enforcement, governments, security professionals, and ethical penetration testers that use social engineering. They may be deploying the same tactics but under legal circumstances. These are the professionals who seek to gather information to create results for their clients, organizations, or even society as a whole.
It is important for your business’s long-term viability that you mitigate risks of security breaches. Our information security management platform and team of security experts are here to help you build your security program and educate your team on security best practices. Book a demo to learn how our information security platform can help you stay secure and win business.