In cybercrime, as in real life, the most dangerous attacks are the ones you don’t expect. That can unfortunately be the case with social engineering. In this very sneaky type of cyberattack, the attacker stages a “social interaction” that uses deceptive tactics to manipulate people or organizations into divulging confidential or personal information, which the attacker then uses for fraudulent purposes. Frequently the attacker will gather this information over time, in small batches, to stay under the victim’s radar, with the ultimate goal of collecting enough information to cause damage to the organization or the person.
The attacker may come across as legitimate and respectable, and usually has credentials to verify their assumed identity. They may approach you or someone in your organization as a repair person, or they may say they are a client or prospective client or may pose as a new employee. They ask questions that subtly give them enough information to invade your network, or they move from department to department, sharing a bit of what they have learned to strengthen their credibility, to ultimately penetrate your network security.
What makes social engineering so dangerous is that, even though the small batches of information collected may be harmless on their own, once they are compiled the attacker has enough to create a complete and detailed picture of the victim or the targeted organization.
How They Do It
The successful social engineering attacker will identify and research the prospective victim to get the necessary background information and then find the best way to get his or her foot in the door.
Once that preliminary work is done, the attacker will introduce themselves to the victim, tell their story, and manipulate that engagement to set up the attack. Then the data collection begins. This is the most time-consuming part of the scam as the attacker slowly extracts data from the organization and expands his or her relationship with the victim.
When enough information has been extracted, the attacker will bring the relationship to a seemingly realistic end and then get out. At that point, all that is left is to engage their malware or ransomware to complete the extortion of valuable company information.
Why It Works
The reason social engineering works is that it is based on the Six Principles of Persuasion described by the American psychologist Robert Cialdini. These principles explain how people influence or persuade others. Being aware of these principles and recognizing when they are being used may help an astute individual or organization avoid falling prey to an attacker.
The Six Principles are reciprocity (offering free trials or giving information to get information); scarcity (offering a limited amount of time to make a decision, or the “offer ends soon” technique); authority (quoting data or using testimonials to look like an expert); commitment and consistency (relying on the victim’s need to “honor” the agreement after establishing a commitment from them); consensus (taking advantage of the herd mentality, or “others are doing it”); and finally liking (because it’s harder to say no to someone you like, the attacker makes sure that he or she comes across as a likable person).
Know the Methods
There are many methods that attackers will use to court their victims. Here are a few of the most common.
Phishing is frequently used to make the victim afraid of an urgent problem that the attacker can help them avoid, or it creates enough curiosity to prompt the victim to click through, such as a message that your credit card has been charged, so “please click here to view the receipt.” Frequently there’s a prompt to “log in” to get the repair started, or to “verify your account.” Because the victim is frightened by the warning, they will unknowingly trust the attacker and enter their login credentials without verifying the source of the email.
Spear Phishing is like phishing, but more personal. In this case, the attacker has done their research and has planned the attack carefully. The attacker usually poses as someone you know, like a coworker or friend, who needs help with something, or innocently sends a fun video to click on.
Text messaging is also frequently used in spear phishing. The attacker may start with a brief “Hi, it’s (coworker’s name)” and then wait for the victim to respond. Each response is a “small commitment” that draws the victim in, until they take the bait and click on the eventual scam.
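The cues the phishing and spear-phishing paragraphs describe (fear or urgency wording, prompts to “log in” or “verify your account”, and a “click here to view the receipt” link that leads away from the sender’s domain) can be scored mechanically on a mail gateway or in a triage script so the message is held for verification instead of reaching the victim. The scorer below is an added example, not code from the original post; it assumes single-part messages, uses a crude last-two-labels domain comparison in place of a public-suffix list, and all `.test` domains in its constructed samples are placeholders.

```python
"""Heuristic phishing-lure scorer: an added example, not code from the original post. It flags
the post's cues (fear/urgency wording, "log in"/"verify your account" prompts, mismatched links)."""
import re
from email import message_from_string, utils
from urllib.parse import urlparse

LURE_PHRASES = ("has been charged", "urgent", "immediately", "suspended",
                "verify your account", "log in", "login", "click here")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def registrable(host):
    """Crude registrable domain = last two labels (assumption: no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def score_message(raw):
    """Return (score, reasons) for a single-part RFC 822 message (assumption: not multipart)."""
    msg = message_from_string(raw)
    sender = registrable(utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + TAG_RE.sub(" ", body)).lower()
    # Fear, urgency and credential prompts: one point each.
    hits = [(1, f"lure phrase {p!r}") for p in LURE_PHRASES if p in text]
    for href, anchor in LINK_RE.findall(body):
        target = registrable(urlparse(href).hostname)
        shown = DOMAIN_RE.search(TAG_RE.sub("", anchor))
        if shown and registrable(shown.group(0)) != target:  # text names one site, link goes elsewhere
            hits.append((3, f"link text {shown.group(0)} goes to {target}"))
        if sender and target != sender:  # "view the receipt" leads off the sender's own domain
            hits.append((1, f"link to {target} from sender {sender}"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def is_suspicious(raw, threshold=4):
    """Hold the message for out-of-band verification once enough cues stack up."""
    return score_message(raw)[0] >= threshold
# Constructed samples; every .test domain is a placeholder.
PHISH = """\
From: "Card Services" <alerts@example-bank.test>
Subject: Your card has been charged $499.00

<p>Your credit card has been charged. Please <a href="http://example-bank.test.attacker.test/verify">click here to view the receipt</a> and log in to verify your account immediately.</p>
"""
BENIGN = """\
From: "IT Helpdesk" <helpdesk@example.test>
Subject: Slides from Thursday's lunch and learn

<p>Slides are at <a href="https://intranet.example.test/slides">intranet.example.test/slides</a>.</p>
"""
```

The returned reasons are what an analyst or the user sees when the message is held, which is the “slow down and verify the source” step the post recommends, made concrete.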
Scareware does just what it sounds like. It scares the victim into thinking something is wrong by sending unrelenting notifications that the victim’s computer has been compromised. The victim is then instructed to download a program to “fix” the problem, sometimes sending the panic-stricken victim to a website that infects their computer. Scareware also can be sent through emails, so beware of emails including warnings and offers on services or tools that prevent being scammed.
Baiting creates curiosity in the potential victim, using methods like free app offers, interesting downloads, engaging ads, and so on.
Water Holing takes advantage of the victim who visits certain websites often. The attacker checks out those websites, looking for vulnerabilities, and then adds malicious code that can penetrate the victim’s system. This tactic takes advantage of the person who will not click on unknown links but will click on a link to a site they frequent.
Pretexting involves the attacker’s contacting the victim, establishing some level of authority, and then asking for personal and sensitive information under the guise of performing an important task.
Tailgating is a unique approach as it takes place in person. The victim literally gets lured into letting the attacker into the building, or the attacker sneaks in behind someone who works there.
Quid Pro Quo, an exchange of goods or services, is used by an attacker to find a victim inside an organization who needs tech support, claiming to be the needed expert to fix the problem. They then convince the victim to unknowingly download software that is harmful to the individual or the business.
Let’s Talk About How to Prevent It
The main thing to remember about preventing social engineering is to remain suspicious of anyone or anything that comes across your computer. Slow down and stay calm when you see something out of the ordinary. Here are some ways you can protect yourself and your organization:
Don’t fall for it. As the old saying goes, if it looks too good to be true, it probably is. Attackers are looking for victims who are naïve enough to fall prey to their scam.
Don’t open it. Do not open attachments or click on links in emails from sources that you do not recognize.
Empower your employees. Keeping your staff knowledgeable on the latest risks and the latest information on cybersecurity and how to prevent attacks is crucial for any organization. Knowing the signs of a potential threat, what not to do, and who to contact are three basics that you and every member of your team should know.
Use MFA. Multifactor authentication is a must today, as it is a great tool to strengthen security and keep attackers out of your accounts. There is a small nuisance factor in having to use it each time someone logs in, but it is well worth it to keep your important data secure.
Update your software consistently. Empowering your IT team to keep your antivirus protection and other software up to date helps prevent attackers from getting into your system.
Finally, remember that social engineering tactics make the potential victim feel frightened and rushed to make a decision (a big mistake) by an arbitrary deadline. It takes advantage of emotions and manipulates the victim into reacting quickly without thinking. Slow down and pay attention to who is asking, and what they are asking for. Verify that what they are saying is true by contacting your internal IT solutions team, or a trusted resource outside your organization. Take your time and stay skeptical. Need help implementing security measures in your organization? Reach out to us today to talk about it.