No matter how secure your password or your security configuration, hackers and scammers know there’s always a vulnerability they can exploit: you!
People are a weak link in security because they can:
- Make mistakes
- Be tricked into causing harm
- Intentionally violate company security
Attackers know this well, and they increasingly exploit these vulnerabilities using social engineering techniques.
What are social engineering attacks?
Social engineering is the art of manipulating people into revealing sensitive information.
Social engineering attacks primarily operate on two fronts:
- Convincing someone to perform an unauthorized operation
- Convincing someone to disclose confidential information
Attackers use deceptive psychological manipulations to instill fear, excitement, or urgency. Once you’re in a heightened emotional state, they’ll use it against you to cloud your judgment.
Just one human error is enough to become a victim of a social engineering attack. And this vulnerability is why criminals often use these techniques.
How do social engineering attacks work?
Social engineering attacks are relatively simple. All an attacker has to do is convince an uninformed, stressed, or trusting person to do as they say.
These attacks are incredibly easy to execute and all follow a similar pattern.
The four phases of a social engineering attack are:
- Discovery
- Interact
- Exploit
- Clearing tracks
DiscoveryAttackers start by identifying their target, that is what they want to achieve. This usually includes credentials, data, unauthorized access, money, confidential information, etc. They then scout potential victims online. For example, they’ll look at your online footprint, see where you work, take note of what you share on social media, and so on. Once they know who you are, attackers use this information to create the perfect personalized attack. And because the attacker knows so much about you, you’re more likely to let your guard down.
Interact
As attackers learn more about their victims, they’ll look for potential points of entry. These could include your email address, phone number, and social media accounts – any way they can get in touch and open the door to an attack. For example, let’s say you’ve just got a new job title and posted it on LinkedIn. An attacker could easily spoof an email from a well-known industry website and ask you for an interview. It seems harmless and normal, so why wouldn’t you respond?
Exploit
The attacker carries out one of several types of social engineering attacks. For example, after clicking the link to set up an online interview, the attacker secretly installs malware on your device.
Clearing tracks
Once the criminals complete their mission, all tracks, such as the email address, will be deleted.
What are the most common types of social engineering attacks?
Social engineering works so well because we’re human. The principles of social engineering attacks are designed to focus on various aspects of human nature and take advantage of them. While not all targets succumb to every attack, most of us are vulnerable to one or more of the following social engineering principles:
Phishing Attacks
Phishing is the most common type of social engineering tactic and has increased more than tenfold in the last three years. Phishing attacks occur when attackers use any form of communication (usually email) to “fish” for information. These messages look identical to those from reputable sources like organizations and people you know.
For example, a scammer might send you an email claiming to be from your bank, stating that your account password has been compromised. Since the email looks legitimate and the message seems urgent, you quickly click the included link or scan the QR code and input your account information (which then goes directly to the malicious actor).
Spear Phishing
Regular phishing attacks have no specific target. But spear phishing attacks occur when attackers target a specific individual or organization. In 2015, a gang of cybercriminals carried out a $1 billion robbery. The Carbanak malware injected into the computers of administrative employees at a hundred global banks (including Italian ones) through emails allowed the criminal group to acquire data and useful information about the habits and security procedures of the banks under attack.
Whaling
Whaling is a term used to refer to company executives or “big fish” like the CEO and CFO. Since these individuals are in high-level positions in the company, they have access to sensitive information like no one else. That’s why impersonating them can be harmful to a company’s business and reputation.
Baiting
Baiting is a type of social engineering attack where scammers lure victims into providing sensitive information by promising them something valuable in return. For example, scammers will create pop-up ads offering free games, music, or movie downloads. If you click the link, your device will be infected with malware. Baiting scams also exist in the physical world. A common example is a USB stick: a curious employee will take the drive and plug it into their workstation, which will then infect the entire network.
Pretexting
Pretexting occurs when someone creates a fake character or abuses their real role. It’s what happens most often with insider data breaches. Edward Snowden famously told his coworkers that he needed their passwords as a system administrator. The victims, respecting his title, consented without a second thought. In these attacks, criminals leverage the trust that comes from their title, so they convince victims to provide them with sensitive data. They know that people will hesitate to question them or will be too scared to push back on these requests even if something seems off.
Quid Pro Quo Attacks
Quid pro quo translates to “something for something.” The most common version of a quid pro quo attack occurs when scammers pretend to be from an IT department or another technical service provider. They’ll call or message you with an offer to speed up your internet connection, extend a free trial, or even give you free gift cards in exchange for proving the software. All victims have to do is create or provide/verify their login credentials. When scammers receive this sensitive information, they’ll use it against the victim or sell it on the Dark Web.
Scareware
Scareware, or deception software, scares victims into believing they’re under an imminent threat. For example, you might receive a message saying your device has been infected with a virus. Scareware often appears as pop-ups in your browser. It can also appear in emails. Victims will click a button to remove the virus or download the software that claims to uninstall the malware. But in doing so, they’ll actually install the real malicious software.
Why are employees a target of social engineering?
For most people, job performance is more important than information security. People are under pressure during their work, and security is rarely considered when measuring success on job performance.
There is also a tendency for people to trust others, which is the opposite of what is required for good social engineering defense.
When organizational leadership and culture are not aligned with security goals, they can contribute to a chain of events that can lead to a security incident or data breach: for example, pressure from leaders pushing employees to complete their work can lead to a deviation from security procedures