social engineering


Social engineering is one of the most interesting concepts in cybersecurity. Unlike other types of cyberattacks that rely solely on technology like malware to accomplish a breach, the main component of social engineering is human psychology.

It’s the tactic of manipulating a user’s actions in an attempt to get control of their system or to steal information. Baiting users into making mistakes is key.

Fundamentally, social engineering isn’t really a cyberattack, though it is used to get around security controls like EDR, IDS and IPS systems.

It’s a psychological attack, a con game. The aim of that game is for bad actors to gain the trust of potential victims so they lower their guard and become susceptible to performing unwise actions like opening email attachments, clicking malicious links, or giving away sensitive information.

In this article we explore the psychology of social engineering, how it works, the most common techniques, the damage it can do, and how education and protection reduce the risk.

Psychology of social engineering

Social engineers look to exploit the inherent human tendencies to want trust, approval, and validation when interacting with others. They use multiple psychological techniques to manipulate targets.

Authority impersonation is one of the most widely used social engineering methods. This technique capitalizes on humans’ innate tendency to defer to authority and can be very effective in gaining unauthorized access to resources and information.

There is also an aspect of emotional manipulation, especially in regard to fear and a sense of urgency. By creating a scenario meant to induce distress and panic, potential victims are prone to act impulsively or be susceptible to coercion, persuasion, and making reactionary decisions.

How social engineering works

A traditional social engineering engagement involves the bad actor communicating with the potential victim in any number of ways. The most common is for them to claim to be from a trusted, familiar organization. Sometimes the threat actor will even falsify their identity, claiming to be someone the user knows.

If the ruse works, the social engineer will encourage the victim to take some sort of action. This could be clicking on a link that installs malware or ransomware on their machine, or giving away private information like financial details or passwords.

Social engineering is a component of many types of cyberattacks and most organizations can see hundreds of attempts every year.

What does a social engineering attack look like?

Imagine this. A company employee receives an email from someone claiming to be from the customer service division of a software application the organization uses. The email prompts the user to log in through a link in the email and threatens something like account suspension or claims there is an issue that needs to be immediately addressed.

The link in the email is clicked. It takes the user to a fake login page that looks nearly identical to the authentic website. When the user enters their login information, the fake page captures it and gives the hacker access to the account.

This type of social engineering is known as business email compromise, and it’s just one type of social engineering attack.
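Two of the signals in the scenario above (urgency language in the body, and a link whose visible text names one site while its href points to another) can be checked mechanically before a user ever sees the message. The following is an added example, not code from the original article; the email is a constructed sample, and the "last two labels" domain comparison is a simplifying assumption (a production check would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scenario above; not a real message.
SAMPLE_EMAIL = """
<p>Your SupportDesk account has a billing issue that must be addressed
immediately or your account will be suspended.</p>
<p>Please <a href="https://supportdesk-login.example-evil.test/auth">
log in at https://app.supportdesk.example.com</a> to resolve it.</p>
"""

# Phrases typical of the fear/urgency lever described in the article.
URGENCY_TERMS = ["immediately", "suspended", "urgent",
                 "within 24 hours", "verify your account"]

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Assumed heuristic: compare the last two DNS labels only."""
    return ".".join(host.lower().split(".")[-2:])

def analyse_email(html):
    """Return a list of human-readable findings; empty means nothing flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    body_text = re.sub(r"<[^>]+>", " ", html)
    for term in URGENCY_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", body_text, re.I):
            findings.append(f"urgency language: '{term}'")
    for href, label in parser.links:
        href_host = urlparse(href).hostname or ""
        # A URL shown in the link text that differs from the real target
        # is the classic lookalike-login-page tell.
        for shown in re.findall(r"https?://[^\s<]+", label):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings
```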

Let’s go over some of the other most common.

Social engineering techniques

There are many ways social engineering attacks can happen. These are by no means the only ones; they are just some of the most common.

Pretexting

This involves gaining trust, and there is usually an element of fraud or identity theft associated with it. It creates a deceptive scenario to lull victims into a false sense of security. This makes them more likely to make mistakes that can lead to a breach.

Quid pro quo

Another type of fraudulent interaction, quid pro quo social engineering exchanges a service or benefit for information. For example, someone might pretend to be a bank representative and ask the victim to confirm account details or online banking login information. Or they might pretend to be an IT professional from a company’s technical division to gain systems access.

Impersonation

Like quid pro quo, this involves the attacker posing as a legitimate representative of a business the victim uses. It could also be an authority figure like a supervisor, a work colleague, or any number of other trusted roles. By assuming a false identity, the attacker then attempts to extract information from the victim or gain access to systems or accounts.

Phishing and spear phishing

Phishing is one of the most common cyberattack types. Victims receive deceptive emails or messages designed to get them to reveal sensitive information such as login credentials or financial details, or to download software or attachments that contain malware.

Scareware

We’ve all seen scareware at some point. These false alerts and “security” messages scare users into downloading corrupt software or giving away personally identifiable information (PII) in order to remove malicious software that isn’t really on their system.

Baiting

Just like it sounds, baiting involves offering the victim something appealing or of value, like a flash drive or download, that contains malicious software. This is one of the best-known social engineering examples; it capitalizes on the human tendency to be greedy and want something for nothing.

Social media

It’s no secret that social media offers a disturbing number of ways to socially engineer users. These accounts are a one-stop shop for intelligence on potential victims, from where they live, to their pets’ names, even what they ate for dinner!

Information obtained from social profiles can be used in social engineering in any number of ways from phishing emails, pretexting, and baiting to quid pro quo and impersonation. That’s why it’s vital to make sure social media accounts are secure.

These platforms offer a wealth of security and visibility features that every user should use to their full advantage.

The dangers and the damage done

In general, humans are the weakest link when it comes to security. Social engineering is especially dangerous because it doesn’t have to succeed on a large scale. The compromise of a single person can be enough to take down an entire organization, regardless of its size.

These types of attacks have become far more convincing in recent years too. Fake websites look more authentic, phishing emails are more persuasive, and social engineering is one of the most effective attack vectors for getting around defenses like EDR, IDS and IPS systems, and other security approaches such as a defense-in-depth cybersecurity strategy.

Breaches can have dire consequences, and not just for the immediate victims. Malware can be downloaded, login credentials revealed, ransomware attacks suffered, funds transferred, identities and data stolen, reputation damage suffered, and business operations disrupted, along with many more consequences.

Education, awareness, and protection

Since social engineering attacks begin with a psychological component, education, awareness training, and proper cyber hygiene are the best defenses against them. Cultivating a security-conscious culture so users can identify and respond to social engineering attempts appropriately is key.

Every company uses different tools and has unique vulnerabilities, so the ideal security awareness curriculum should be tailored to each organization. A defined set of security policies prepares all employees to recognize social engineering efforts. These include how to properly manage passwords, the use of two-factor or multi-factor authentication, and how to recognize phishing attempts.

Many companies hire cybersecurity organizations to perform authorized, white-hat social engineering exercises so the workforce learns to identify when someone is using these techniques on them. Fostering a culture of vigilance and skepticism, while educating users on the importance of verifying the authenticity of requests and messages from unfamiliar sources, greatly reduces the chances of a breach.

Appropriate security protocols and access controls restrict access to sensitive information and data and minimize the impact of successful social engineering attempts.

Conclusion

Social engineering is a wide-ranging term used to describe malicious activities accomplished via human interactions. Through psychology and manipulation hackers deceive victims into making cybersecurity mistakes or revealing sensitive information.

By taking advantage of human emotions like fear, curiosity, and sympathy, threat actors try to trick people into taking certain actions so they can exploit them.

Understanding the psychology behind it is just a first step. Continued education, consistent awareness, and ongoing cybersecurity protection efforts are keys to not falling prey to social engineering attacks.