Protecting Against Social Engineering Attacks
Most people think of hacking as using malware and coding to bypass security defenses and steal data or money. Social engineers take a different approach, targeting the human instead of the software to achieve their goals.
How Social Engineering Works
Social engineers take advantage of knowledge of human behavior to perform their attacks. A person’s biases, assumptions, beliefs and more can allow an attacker to trick them into doing something that is in the attacker’s interests. The field of social engineering is based on psychology and acting.
Phishing simulations & training
Research by Robert B. Cialdini found that humans are more likely to comply with a request under certain circumstances:
- The request is made by an authority figure
- The person making the request is likable or has similar interests, beliefs and attitudes as the victim
- The person making the request gives or promises the target something of value in return for their help
- If the requestor is asking on behalf of a cause that the victim has publicly endorsed
- If complying with the request appears to be in line with what others are doing
- When the requestor is offering something in short supply or available for a limited time
Social engineers are aware of these human biases and take advantage of them in a variety of ways. Social engineering attacks commonly involve:
- Pretexting: Masquerading as someone else
- Baiting: Enticing the victim with promises of something of value
- Blacmail: Threatening to reveal something that the target wishes to be kept secret
- Quid Pro Quo: Promising something to the victim in exchange for their help
Social engineers use their knowledge of how people think in a variety of ways. By targeting the human element, they increase their probability of a successful attack by bypassing defenses designed to protect against “conventional” hacking.
Types of Social Engineering Attacks
Social engineering attacks can be performed through any medium. Social engineers can use the Internet, a phone call or an in-person visit to bypass an organization’s network defenses. In this section, we’ll briefly describe some of the most common types of social engineering attacks.
Web-Based Attacks
The Internet makes cyberattacks possible on a global scale. There are a variety of specific Web-based social engineering attacks, but phishing and watering hole attacks are some of the most common.
Phishing and SMiShing
Phishing is the most common type of social engineering. In fact, 91% of successful attacks begin as a phishing email. The term phishing covers a lot of ground and refers to the use of digital communications to get the target to do something that benefits a hacker. In general, this means getting the end user to click on a malicious link or download and open an attachment. The details of phishing are constantly changing as network defenders develop methods to identify and block phishing emails and hackers create new ways to evade those protections.
There are names for many different phishing attacks based on the medium used or the target. When text messages are used for phishing, it’s called SMiShing, and phishing over the phone is vishing. In a spearphishing attack, a particular user is targeted rather than a large pool of recipients. Business Email Compromise (BEC) attacks impersonate high-level executives within an organization, while whaling attacks target them.
Watering Hole
In a watering hole attack, hackers take advantage of people’s habits to attack them. When preparing to attack a particular target, the attacker observes their browsing habits to identify the type of sites that they routinely visit. For example, when targeting developers, they might target StackOverflow or a similar site. The attacker then compromises the target site and forces it to serve malicious content to users or creates a malicious site that the user is likely to visit. Eventually, the user visits the site and is compromised.
Phone-Based Attacks
Phone-based social engineering attacks are based on impersonating someone that the target would want to (or feel that they have to) talk to. When targeting people outside of work hours, impersonating the government (especially the IRS) and banks are common choices.
One specific type of phone-based social engineering is the help desk scam. In this scheme, the attacker pretends to be a member of the IT help desk at the target’s organization. This pretext gives the attacker the ability to tell the user to take certain actions on their computer without raising their suspicions. A reverse help desk scam is a variant where the attacker gets the target to call them, adding another layer of authenticity to their impersonation of the help desk.
In-Person Attacks
While the Internet and phone system make it possible to perform cyberattacks from anywhere, sometimes in-person attacks are the most effective. Physical access to devices is extremely useful for an attacker, and people are much more likely to reveal sensitive information to someone in person than over the phone or by email.
Tailgating and Piggybacking
Physical access to a company’s offices can provide an attacker with a wealth of valuable data. Information that is extremely useful for crafting a spearphishing attack is pinned to bulletin boards or left on desks within the organization’s office. Finding an unlocked computer could allow an attacker to steal sensitive data in a way undetectable by the organization’s perimeter-focused defenses.
In order to take advantage of these opportunities, the attacker needs to be able to get through the front door. Piggybacking and tailgating are both terms for the most common way of accomplishing this. In general, most people are nice and want to help others, especially someone carrying a heavy package, running late for an important meeting or otherwise struggling or in a hurry. Holding a door doesn’t seem like a big deal, but it’s all that a social engineer needs to get into the building.
Pretexting and NLP
All social engineering attacks involve pretexting, but this is especially true for in-person attacks. “Clothes make the man,” and social engineers know that dressing, talking and acting the right way can do wonders for getting sensitive information out of unsuspecting targets. Neuro-linguistic programming (NLP) is the study of this fact and has found that people are much more likely to help someone with the same accent, body language, vocabulary and other such characteristics.
Protecting Yourself Against Social Engineering
Social engineers take advantage of how people think to perform attacks. Many of these biases and behaviors occur on the subconscious level, making it difficult to identify and protect against social engineering attacks.
However, social engineering boils down to someone attempting to do something that they are not authorized to do. In “The Art of Deception,” well-known social engineer Kevin Mitnick suggests the following three-step process to verify a request:
- Verify that the person is who they claim
- Verify that the person is a current employee or has need-to-know relationship with the company
- Verify that the person is authorized to make request
If you can verify that all three of these things are true, you’re probably not dealing with a social engineer. Taking a moment to slow down and follow appropriate processes is the best way to protect yourself against social engineers.
The Bottom Line on Social Engineering
Social engineering is based on the attacker taking advantage of human behavior to get something out of their target. It can be performed over any medium and comes in a variety of forms. However, taking the time to analyze the situation and verify requests before acting can allow anyone to detect and defeat a social engineering attack.
Phishing simulations & training
Sources
- The Science of Persuasion, Scientific American
- 91% of Cyber Attacks Start With a Phishing Email: Here's How to Protect Against Phishing, Digital Guardian
- Mitnick, Kevin. “The Art of Deception: Controlling the Human Element of Security,” Wiley, 2003
In this Series
- Protecting Against Social Engineering Attacks
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness