Social Engineering is the name given to the behavioural techniques that cybercriminals use to manipulate their victims into giving up confidential information or allowing hackers access to secure areas.
Social engineering relies on old-fashioned deception methods rather than technological skill to achieve its goals. Much like a good poker player, hackers use their knowledge of human psychology to coax individuals to do what they want them to. This could be infecting their computers with malware or clicking a link to an infected website.
It is this exploitation of human emotions and behaviours rather than IT vulnerabilities that defines Social Engineering.
Social Engineering is dangerous because Social Engineering works. Though it may seem less sophisticated than other cyberattack techniques, Social Engineering can be devastatingly effective. Instead of spending months hacking networks remotely they can be in the network in minutes, simply by tricking someone into letting them into the building. As the saying goes: ‘It’s not dumb if it works’
For all businesses the risks are higher for a number of reasons:
- They hold lucrative customer data
- There are simply more people to target
- Hackers know they can leverage corporate hierarchy to their advantage.
For example, hackers can play on employee emotions like obedience - if a they can successfully spoof an email from an employee’s boss they can be confident the employee will respond promptly to whatever requests it contains.
Leaving aside the damage to customer trust, GDPR now means that compromised customer data can leave your business in a dangerous financial position too - as many businesses have learned to their cost…
Security is only ever as strong as the weakest link. The pervasive nature of spam means that your workforce are going to be tested daily by hackers looking exploit the weakest link. Social Engineering can take many forms from fake lottery wins to elaborate wire transfer fraud. The fundamental emotional weaknesses that hackers play on, are common to all humans - namely; Greed, Fear, Obedience and Helpfulness.
When harnessed successfully these emotions can be used to gain access to confidential data, networks and buildings - quickly and without detection.
Most cyber-attacks have some form of social engineering built into them. Therefore, it’s worth becoming familiar with the basics so you can protect yourself and your business.
This may be one of the most common forms of Social Engineering out there. This method involves sending generic emails to a wide audience while attempting to convince users they come from a legitimate source that the user would trust. Hackers understand that there are popular brands that most of us use and trust. So they fake email addresses and content in the hopes of manipulating individuals to click on malicious links or downloads.
Just like on the motorway this involves following close behind someone. By walking just close enough to a staff member entering a secure area, a hacker can slip in behind them unnoticed. Though frequently the staff member will simply hold the door open of them out of politeness. All it takes is the confidence to act as if you belong, which is why this is one of the most widespread threats to networks today.
While generic phishing campaigns are blasted out to large numbers of random recipients hoping someone, anyone will bite. Spear phishing is much more targeted and tailored to a specific company or individual. For example, hackers may spoof an email address from Gmail asking the CFO to reset their password but in reality they are being railroaded to a fake site where their password will be captured and used to access other accounts where they have reused that password.
Hackers will invest time fabricating a scenario or pretext to create a false sense of trust with the victim. The best example of this is probably a call purporting to be from a bank which requires personal information to confirm the identity of the victim. These calls can mirror the familiar ‘bank patter’ so closely, that often victims end the call none the wiser.
Here the attacker will often impersonate an external contractor such as an IT provider to trick building security into letting them in the building. The attacker must look the part and have the confidence to spin a credible story that employees won’t doubt.
Baiting is a close relative of the phishing attack. However, what distinguishes them is the promise of a desirable item such as a free music or movie download which is used to entice victims. If users take the bait, their login credentials will be captured, or they will download a malicious payload.
This method focuses on using fear as the primary emotion to drive action. Malicious software will flash urgent warnings pressurising the victims into a knee jerk reaction. They may pay for fake antivirus protection or download software that will do some real damage.
Lock your laptop when you’re away from your desk. Be mindful of what information you share online and on social media. Hackers need only a few pieces of information like name, date of birth or address to masquerade as you to your IT dept, or to reset passwords to gain access to your network.
..it probably is. Don't trust offers or emails from strangers.
Learn that its ok to politely ask strangers in your building for ID or to check who they are meeting. Contact colleagues and bosses via phone if you receive an email that seem suspicious in any way.
This the first and most important step. Training will help your employees spot the tricks hackers will use to get you to click on malicious links or hand over their log-in credentials.
The onus shouldn’t fall on individual employees to protect the holy grail of customer data from falling into the hands of hackers. Many weaknesses are built into the building itself and need to be addressed at management level. Steps like instituting smart photo ID’s or improving locks and hinges on Server rooms are simple ways to stop a Social Engineering attack in its tracks.
Turn on Multi-factor authentication wherever possible so that even if that even if attackers have a password and some personal details that alone won’t allow them hijack your employees accounts.
Once your training is in place, it's time to test it and see what happens. Discovery learning last longer. Testing your employee’s security awareness in the real-life office setting makes for a highly effective teachable moment.
No system is perfect. Many organisations have found out too late that their people have already taken the bait. So remember, should a social engineering attack be successful you may not even be aware. Therefore if you want to defend your network against Malware it’s critical you employ a CREST-Certified Penetration testing firm to test your network properly.
Conor is our Co-Founder and Head of Product Strategy at OnSecurity. Conor has over a decade of IT security experience, and has held a number of impressive letters after his surname, including M.Sc, CRT, GCIH and CISSP.