We all know about the attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This type of malicious actor ends up in the news all the time. But they’re not the only ones making headlines. So too are “social engineers,” individuals who use phone calls and other media to exploit human psychology and trick people into handing over access to the organization’s sensitive information. Social engineering is a term that encompasses a broad spectrum of malicious activity.
Social engineering is the act of manipulating a person's emotions and decision-making so that they do something the attacker wants, such as disclosing a credential, approving a payment or holding a door open.
According to Digital Guardian, “Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to reveal sensitive information, click a malicious link, or open a malicious file.”
For the purposes of this article, let’s focus on the six most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, tailgating and CEO fraud.
Phishing is the most common type of social engineering attack. At a high level, most phishing scams share three features:
- They aim to obtain personal information such as names, addresses, account credentials and Social Security Numbers;
- They use shortened or misleading links that redirect users to attacker-controlled websites hosting phishing landing pages; and
- They leverage fear and a sense of urgency to pressure the user into responding before thinking.
No two phishing emails are the same; there are several sub-categories of phishing, and phishers invest very different amounts of effort in crafting their attacks. That is why some phishing messages are riddled with spelling and grammar errors while others are indistinguishable from legitimate mail.
A recent phishing campaign used LinkedIn branding to trick job hunters into thinking that people at well-known companies like American Express and CVS Carepoint had sent them a message or looked them up using the social network, wrote ThreatPost. If they clicked on the email links, recipients found themselves redirected to pages designed to steal their LinkedIn credentials.
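The misleading-link tricks mentioned above (shorteners, lookalike hostnames, raw IP addresses, anchor text that names one site while the href points to another) can be checked mechanically. The following is an added example, not code from the original article: a small Python scanner that pulls every anchor out of an HTML email body and reports which deception indicators each one triggers. The shortener list, the brand-to-domain map and the sample email are constructed for the example; the crude "last two labels" domain extraction is a deliberate simplification that a production tool would replace with a public-suffix list.

```python
"""Flag the deceptive-link tricks common in phishing emails (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists for the example; a real deployment would maintain these.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
PROTECTED_BRANDS = {"linkedin": "linkedin.com", "paypal": "paypal.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com-style hosts, not for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the list of deception indicators found in one anchor."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return findings
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")  # https://trusted.example@evil.example/
    if _host_is_ip(host):
        findings.append("raw-ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # possible homograph domain
    if registered_domain(host) in SHORTENERS:
        findings.append("url-shortener")  # destination hidden behind a redirect
    for brand, real in PROTECTED_BRANDS.items():
        if brand in host and registered_domain(host) != real:
            findings.append(f"lookalike-of-{real}")
    # Visible text that itself looks like a domain but points somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        findings.append("text-href-mismatch")
    return findings


def scan_html(html):
    """Return {href: [indicators]} for every suspicious anchor in an email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: f for href, text in parser.links if (f := analyse_link(href, text))}


# Constructed sample modelled on the LinkedIn-branded lure described above.
SAMPLE_EMAIL = """
<p>Someone at a well-known company viewed your profile.</p>
<a href="https://www.linkedin.com/in/">See who</a>
<a href="http://linkedin.com-secure-login.example/">https://www.linkedin.com/login</a>
<a href="https://bit.ly/3abcXYZ">Accept invitation</a>
<a href="http://203.0.113.7/verify">Verify your account</a>
"""

if __name__ == "__main__":
    for href, flags in scan_html(SAMPLE_EMAIL).items():
        print(href, "->", ", ".join(flags))
```

Run stand-alone, the script reports the lookalike host (with its mismatched anchor text), the shortener and the raw-IP link, and stays silent on the genuine linkedin.com URL. Indicators are returned per link rather than collapsed into a single verdict so that a mail gateway can weight them or a user-awareness tool can explain exactly what looked wrong.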
Pretexting is another form of social engineering where attackers focus on creating a pretext, or a fabricated scenario, that they can use to steal someone’s personal information. In these attacks, the scammer usually impersonates a trusted entity/individual and says they need specific details from a user to confirm their identity. If the victim complies, the attackers commit identity theft or use the data to conduct other malicious activities. More advanced pretexting involves tricking victims into doing something that circumvents the organization’s security policies.
An attacker might say they’re an external IT services auditor, so the organization’s physical security team will let them into the building. Phishing uses fear and urgency to its advantage, but pretexting relies on building a false sense of trust with the victim. This requires building a credible story that leaves little room for doubt in the mind of their target. It also involves choosing a suitable disguise. As such, pretexting can and does take on various forms.
Many threat actors who engage in pretexting masquerade as HR or finance staff to target C-level executives. As reported by KrebsOnSecurity, others spoof banks: they send SMS alerts about a supposedly suspicious transfer and then phone anyone who responds, posing as the bank's fraud department.
Baiting is, in many ways, like phishing.
The difference is that baiting uses the promise of an item or good to entice victims. For example, baiting attacks may offer free music or movie downloads to trick users into handing over their login credentials. Alternatively, they can exploit human curiosity through physical media.
Back in July 2018, for instance, KrebsOnSecurity reported on an attack targeting state and local government agencies in the United States. The operation sent out Chinese postmarked envelopes with a confusing letter and a CD. The point was to pique recipients’ curiosity so they would load the CD and inadvertently infect their computers with malware.
As modern computers drop optical drives, attackers have moved on to USB sticks. A controlled experiment by the University of Michigan, the University of Illinois and Google found that 45-98% of people let curiosity get the better of them and plugged in USB drives they found lying around.
Like baiting, quid pro quo attacks promise something in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.
One of the most common quid pro quo attacks is when fraudsters impersonate the U.S. Social Security Administration (SSA). The fake SSA personnel contact random people and ask them to confirm their Social Security Numbers, supposedly to resolve a problem with their benefits, and then use the numbers to steal their identities. In other cases detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites to harvest victims' personal information instead. Quid pro quo offers can be far less sophisticated than this: earlier experiments have shown that office workers will give away their passwords for a cheap pen or even a bar of chocolate.
Our penultimate social engineering attack type is known as "tailgating." In these attacks, someone without authorization follows an authorized employee into a restricted area.
The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security's approval and opens the door, the attacker asks the employee to hold it, thereby gaining access to the building. Note that a keycard reader on its own does not stop tailgating, because the attacker never badges in; the controls that do are ones that admit one person per credential, such as turnstiles or mantraps, together with a culture in which employees feel able to challenge strangers. In organizations that lack these features, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk. Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to access multiple floors and the data room at an FTSE-listed financial firm. He even set up shop in a third-floor meeting room and worked there for several days.
Last but certainly not least is CEO (or CxO) fraud. In this attack, cybercriminals first spend time gathering information about an organizational structure and key members of the executive team. Similar to pretexting, attackers leverage the trustworthiness of the source of the request – such as a CFO – to convince an employee to perform financial transactions or provide sensitive and valuable information.
CEO fraud is also known as executive phishing or business email compromise (BEC) and is a type of spear-phishing attack.
For CEO fraud to be effective, an attacker familiarizes themself with the org chart and the general business of the organization. After identifying key players and targets within the company, the attacker either takes over an executive's email account (through credential phishing or other compromise) or simply impersonates it, for example by sending from a free webmail account with the executive's display name or from a lookalike domain that differs from the real one by a character.
Impersonating the CFO, for example, the attacker will contact someone in the accounting or purchasing team and ask them to pay an invoice – one that is fraudulent, unbeknownst to the employee. This request will typically come with a sense of urgency as attackers know time is money and the longer it takes to complete the request, the higher the chance that the employee will catch on. According to the FBI, BEC attacks cost organizations more than $43 billion between 2016 and 2021.
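Several of the tells in such a lure sit in the message headers rather than the body: an executive's display name on an address outside the company, a Reply-To that diverts responses to a different domain, a sender domain one character away from the real one, and urgency language. The following is an added example, not code from the original article or from the FBI: a Python checker that applies those heuristics to raw RFC 5322 messages. The organization domain, the executive directory, the urgency word list and the three sample messages are all constructed for the example, and the 0.85 similarity threshold for lookalike domains is an illustrative choice, not a standard.

```python
"""Header heuristics for CEO-fraud / BEC lures (added example, not from the article)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example: the organization's domain and its executives.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}
URGENCY = ("urgent", "immediately", "today", "confidential", "wire", "asap")
# Indicators that point at the sender, as opposed to the tone of the message.
SENDER_FLAGS = {"exec-display-name-from-foreign-address",
                "lookalike-sender-domain", "reply-to-mismatch"}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, target=ORG_DOMAIN):
    """True for near-misses such as examp1e.com or exarnple.com (close, but not equal)."""
    if domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= 0.85  # illustrative threshold


def assess(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    flags = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("exec-display-name-from-foreign-address")  # "Jane Doe" <someone@webmail>
    if from_dom != ORG_DOMAIN and is_lookalike(from_dom):
        flags.append("lookalike-sender-domain")
    if reply_to and _domain(reply_to) != from_dom:
        flags.append("reply-to-mismatch")  # replies are diverted to the attacker
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    if any(word in text for word in URGENCY):
        flags.append("urgency-language")
    return flags


def is_suspicious(raw_message):
    """Urgency alone is normal business traffic; a sender anomaly is what makes it BEC."""
    return bool(SENDER_FLAGS & set(assess(raw_message)))


# Constructed samples: a genuine internal request, a display-name spoof, a lookalike domain.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Invoice 4471 approval

Please process invoice 4471 by Friday. Thanks, Jane
"""

SPOOF = """From: Jane Doe <jane.doe@example.org>
Reply-To: jane.doe@example.net
To: ap@example.com
Subject: URGENT wire needed today

I'm in a meeting and can't talk. Wire $48,500 to the attached vendor immediately. Keep this confidential.
"""

LOOKALIKE = """From: Raj Patel <raj.patel@examp1e.com>
To: ap@example.com
Subject: Vendor bank details change

Our supplier changed banks. Update the account for the next payment run.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(f"{label:9} suspicious={is_suspicious(sample)} flags={assess(sample)}")
```

The legitimate message produces no flags; the spoof trips the display-name, Reply-To and urgency checks; the lookalike trips the domain check even though its tone is calm. Keeping `is_suspicious` anchored on sender indicators matters in practice: plenty of genuine finance mail is urgent, and a filter that fired on tone alone would train the accounts team to ignore it.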
As the attacks discussed above illustrate, social engineering involves preying on human psychology and curiosity to compromise victims’ information. With this human-centric focus in mind, organizations must help their employees counter these attacks. They can incorporate the following tips into their security awareness training programs.
- Do not open attachments or click links in emails from untrusted sources. If you receive a suspicious message that appears to come from a friend, family member or colleague, confirm it with them in person or by phone rather than by replying to the email.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
- Lock your laptop whenever you are away from your workstation.
- Deploy endpoint protection and keep it updated. No anti-virus solution has a 100% detection rate, but it raises the cost of campaigns that deliver malware through social engineering.
- Verify any urgent request that appears to come from a contact within your organization through a separate channel (a call to a number you already have, not one supplied in the message) before transferring money, changing payment details or divulging information.
- Create a risk-aware culture to ensure employees are on alert. Social engineering attacks typically rely on naivety and human error to be successful. Ensure security is a part of your organizational lexicon so employees can prevent attacks, and know where to report incidents should they occur.