Social engineering is a set of tools and practices which rely on social manipulation and social psychology, and are used to get people to perform certain actions.
When utilized by cybercriminals, social engineering consists of manipulative techniques, designed to ultimately lead a target to give away information, grant access to protected environments, or perform certain actions.
In a corporate setting, cybercriminals could want details about you or your company for a variety of purposes. They could be competitors, disgruntled former employees, or people who want to harm your business through blackmail or extortion. They can also be thieves, looking to access your company’s customer data, money or business intelligence.
In this article, we will focus on the harmful methods of social engineering, and the different ways in which employees can be targeted with a social engineering attack. We explain what a social engineering attack may look like and where you could run into one. What are the warning signs, and how can you prepare yourself and your company?
What Are Social Manipulation and Social Exploitation?
Let’s begin by discussing the psychological aspects of social engineering. Social engineering is rooted in social manipulation and social exploitation and largely relies on the underlying tendency of humans to trust other people and to believe that they are being earnest and have no bad intentions. In everyday life, people rarely have a reason to distrust others or to question what they are told.
Social engineering is about psychological manipulation, and it’s based on people either willingly or unknowingly performing a certain action. It most often taps into humans’ primal emotions such as fear, urgency or greed in order to get targets to quickly comply with a request.
The innate desire of people to believe what they see is real, and people are who they seem to be or say that they are is used as leverage. That is why, in order to fight social engineering, the first thing you need is a dash of disbelief. No need to go overboard and start suspecting everyone around you – most people are still good people! But remember, social engineering is based on the idea that you don’t know it exists or that you could encounter it, and are urged to act upon it without delay.
The Social Engineering Framework
In their research paper, Mouton et al. discuss the eight phases of a social engineering attack framework. They are as follows:
1. Attack formulation
The first phase consists of identifying the goal and in accordance, identifying the target necessary to fulfill the goal.
2. Information gathering
In this stage, social engineers assess and identify potential information sources and begin the information gathering and assessment.
3. Preparation
In the preparation phase, social engineers analyze the information and develop an action plan to begin approaching the target.
4. Develop a relationship
In this stage, the social engineers establish a line of communication and begin to build a relationship. Notice that according to the framework, social engineering includes three phases before the target is contacted for the first time. This is a good reminder of how much work and analysis goes into devising a social engineering attack – by the time the target is approached, social engineers have studied their target and devised their strategy well.
5. Exploit the relationship
In this phase, the target is “primed”. The exploitation stage uses different methods of manipulation to evoke the right type of emotions and prime the target to the right emotional state. Once the target is in the right state, the social engineer will start drawing information out of the target. The goal of emotional priming is that the target will feel good about giving out information, instead of feeling guilty about it or threatened into doing so. Giving out information will thus not only be voluntary but feel good as well.
6. Debrief
In this stage, the social engineer returns to the target and maintains the desired emotional state. The goal is that the target will not feel like anything in the relationship was odd, and they will not understand that they have been under attack. It is important for the social engineer to continue the communications to an extent, so that the target won’t get alarmed, realize they have been taken advantage of and, because of this, possibly contact authorities.
7. Goal satisfaction
After a successful social engineering attack, social engineers will exploit the information they have gathered. After the social engineering attack, the social engineer will either return to the target for more information or slowly close the connection.
Methods of Social Engineering
Social engineers often draw on one or several compliance techniques. These are some of the methods a social engineering attack is likely to draw upon:
- Friendship or liking: people comply easier when the request comes from a friend or someone they like. Social engineers will seek common ground and establish a friendship to get the target to comply with their request.
- Commitment or consistency: once a person is committed to something, they are more likely to comply with “follow-up” requests which are in line with the original request they agreed to. In social engineering, this could mean asking for a simple, easy thing first, and then slowly continuing with more detailed and personal requests. Once the target has complied with the first request, they are much more likely to agree to the rest.
- Scarcity: People are more likely to agree to a request if they feel the offer is scarce or will only be available for a short period of time. Social engineering uses this technique to use the target’s fear of missing out against them.
- Reciprocity: People are likelier to comply with a request if they have been treated well by the person making the request. For example, the social engineer could have done the target a small favor, in order to use their need for reciprocity against them.
- Social validation: people are more likely to comply with a request if they consider it the socially correct thing to do. The social engineering attack could be framed as a socially-expected request, such as participating in a donation or joint effort.
- Authority: Many people are especially trusting towards official authorities inside an organization such as IT Support, Management or Security. This is called the principle of authority – one of the six principles of persuasion. If a social engineer poses as an authority or a legitimate entity, the target is more likely to comply with the request.
Corporate Social Engineering Attack Scenarios
Social Engineering attacks exist in many forms and employ a wide variety of techniques, but their main purpose is almost always to circumvent security measures by exploiting a human entry point. Understanding these attacks will help employees identify potential attack vectors and verify their authenticity.
Below we’ve listed a few of the more common attack scenarios.
Credential Theft
Cybercriminals can use a set of different methods to steal someone’s credentials. Once credentials are stolen, the cybercriminal is able to access sensitive corporate data through the target’s device or accounts. The credentials can either be stolen or they can be changed. Cybercriminals can pose as the target and contact their HelpDesk or head of IT and claim they forgot their password, asking for the old password or for a new password to be set and shared with them. They can also use investigative methods to find out the answers to the target’s security questions and in this way log in as the target, without the target even realizing it.
Advanced Persistent Threats
APT is a complex computer network attack. The attack starts with targeting specific organizations and people and trying to get them to unknowingly give access to the cybercriminals. In APT attacks a cybercriminal or a cybercriminal group gains access to a network without authorization and manages to go unnoticed for a lengthy period. The cybercriminal first gains entry. This can happen via an email or a file, such as a CSV or an Excel file, or through a network entry point. In this attack, malware is inserted into an organization’s network. Once the cybercriminal has compromised a system and accessed the target’s network, they will then utilize additional tools in order to fulfill their objective.
The malware inserted into the target’s network is likely to create additional points of compromise, so that if the initial point of compromise is closed, the cybercriminals are still able to continue with their attack. The malware can seek additional vulnerabilities and additional network access. Once the network access is sufficient, the cybercriminals gather target data. This includes data such as passwords and account names, after which the cybercriminals are able to access the data. The malware will collect data and extract it off the network so that it is in full control of the cybercriminal. Evidence of the APT attack will then be removed so that the target will not recognize that an attack has taken place. The cyber-attackers can lie dormant until the next time they want to continue with another data breach attack.
Corporate Financial Scams
Corporate financial scams can play out in a variety of ways, ranging in complexity. Fraudulent invoices are the most common form, where an organization receives faked invoices for services never delivered. While most finance departments are well aware of these attempts, the email attachments which potentially contain malware are often opened without thought, opening an attack vector for follow-up.
In attempts to directly siphon money out of an organization, cybercriminals often employ a technique known as ‘Whaling’. Posing as an executive from within the organization, they request an urgent money transfer to be fulfilled. Poorly prepared, these attacks are easy to recognize, but with extensive social engineering a cybercriminal will be able to convincingly pose as a certain individual. They’ll use anything related to travel schedules, public appearances or other engagements as a leverage point to urge the target into compliance.
Through APT attacks cybercriminals may also attempt to gain access to accounting systems to alter existing contracts or legitimate invoices. By changing payment terms, amounts and, most importantly, the recipient, cybercriminals are able to extract money in a hard-to-detect manner.
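The warning signs in the whaling scenario above (a sender posing as an executive, an urgent money transfer, a travel or meeting pretext for being unreachable) can be turned into a simple triage rule for a mail gateway or a finance team’s inbox. The following script is an added example and not code from the original article: the corporate domain, the executive roster, the keyword lists, the weights and the two sample messages are all constructed for illustration, and a real deployment would draw the roster and domain from the organization’s directory.

```python
"""Heuristic triage for executive-impersonation ("whaling") e-mail.

Added example, not part of the original article. Scores a raw RFC 5322
message on the cues the article describes and returns a verdict that a
finance team could use to trigger out-of-band verification (a phone call
to the executive on a known number) before any transfer is made.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed; placeholder for the real corporate domain

# Constructed roster of people whose names are worth impersonating,
# mapped to their genuine corporate addresses.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "richard roe": "richard.roe@example.com",
}

# Constructed keyword lists; a production rule set would be tuned per organization.
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank details", "iban")
PRETEXT_WORDS = ("in a meeting", "travelling", "traveling", "boarding", "can't talk")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _hits(text, words):
    return [w for w in words if w in text]


def score_message(raw):
    """Score one raw message; higher means more whaling cues present."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.strip().lower()
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    text = subject + "\n" + body

    findings, score = [], 0

    # 1. Display name of a known executive, but not sent from their real address
    #    (lookalike domain, free-mail account, or a different internal account).
    known = EXECUTIVES.get(name)
    if known and addr != known:
        score += 3
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Replies are routed to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 2
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")

    # 3-5. Content cues: urgency, a payment request, and an "unreachable" pretext.
    for label, words in (("urgency", URGENCY_WORDS), ("payment", PAYMENT_WORDS),
                         ("unreachable pretext", PRETEXT_WORDS)):
        found = _hits(text, words)
        if found:
            score += 1
            findings.append(f"{label} cue(s): {', '.join(found)}")

    verdict = "hold for verification" if score >= 4 else "pass"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: a whaling attempt with a lookalike domain (examp1e.com).
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
To: accounts.payable@example.com
Subject: Urgent wire transfer needed

Hi,

I'm boarding a flight and can't talk. Please process a wire transfer of
EUR 48,500 to the supplier's new bank details below, before end of day.

Jane
"""

# Constructed sample: an ordinary message from the genuine executive address.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 budget review

Hi team,

Let's go through the Q3 budget in Thursday's meeting. No action needed
before then.

Jane
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        result = score_message(sample)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict is deliberately a hold, not a block: the page’s point is that a well-prepared attacker can be convincing, so the rule’s job is to force a callback to the executive on a known number before money moves, not to decide on its own.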
Tech Support Impersonation
Cybercriminals often rely on the authority of the IT Support department to compromise a computer system. They may randomly approach targets through phishing emails with fake support tickets or go as far as spoofing an inside phone line to approach a target by phone. Someone who has recently submitted a support request will become an easy target without giving it too much thought. They’ll gladly click any link or open any attachment the attacker presents to them in hopes of having their technical issues resolved.
How to Prevent Social Engineering Attacks
As security systems evolve and become more secure, cybercriminals increasingly lean on the ignorance and lack of education of humans. This means that in order to combat security threats and social engineering, companies need an educated and informed workforce alongside reliable cybersecurity measures.
When it comes to social engineering, the greatest threat to cybersecurity is human error. 90% of all breaches happen because of employee mistakes. This is why preventing social engineering must focus on educating and training employees and making them aware of the different types of attacks they are likely to run into. Educate and train yourself, your co-workers and employees, because all it takes is one employee falling for a scam to put the entire company at risk.
The most important things you need are education, skepticism, and consistency in training. The education phase consists of understanding the different techniques used by social engineers and making sure you give out information online with caution. The second matter, skepticism, is about building a state of mind in which one practices smart caution when receiving emails or talking with people online. The third stage is the most complex to follow through, because in order to prepare against social engineering attacks you would need to encounter them in real life as well.