People are social animals; we like to mix, communicate, work, and have fun together. This socialised behaviour, built upon trusted relationships, makes human groups cooperate and co-exist.
Unfortunately, it is these same social aspects of human behaviour that cybercriminals exploit. Social engineering attacks use trickery and impersonation to fool people into performing an action that benefits a scammer.
This is borne out by the 2022 Verizon Data Breach Investigations Report (DBIR), which found that 82% of breaches involve a human element.
Here is a look at how social engineering attacks happen and what you can do to prevent your staff from being socially engineered.
How Do Social Engineering Attacks Happen?
According to one industry report, the average organisation is targeted by around 700 social engineering attacks per year. These attacks come in many forms and keep changing shape to evade detection.
The aim of a social engineering attack is to get someone to do something that benefits the attacker, for example revealing financial details that are then used to commit fraud.
Social engineering is not limited to digital channels. Social engineers will use whatever route works to build the false scenario needed to trick people, including picking up the telephone or simply walking into an office and chatting with the staff.
Current favourite social engineering tricks include:
Pretexting and tailgating: attackers invent a plausible scenario (the pretext) and pose as a co-worker or a person in authority, such as a police officer. They use this guise to establish trust with a target online, by phone, or in person. Once trust is established, the scammer attempts to extract information such as personal data or financial details.
Tailgaters take the attack physical, finding ways into a building by slipping in unnoticed behind an employee or even being invited in. Once inside, they can use readily available hardware such as the USB Rubber Ducky, a keystroke-injection device also used by legitimate penetration testers, to steal data, including login credentials, from an unattended machine.
Phishing: phishing comes in several flavours, including email, voice calls (vishing), text messages (smishing), and social media messages. Phishing messages package up the social engineering tactics above, combining a pretext, a trusted-looking sender, and a sense of urgency to get recipients to click and divulge personal information such as passwords and credit card details.
The UK Government's Cyber Security Breaches Survey found that the vast majority (83%) of businesses that identified a cyber attack said phishing was the attack vector.
Spear phishing is the targeted form of phishing and the most effective. Spear-phishing emails are hard to tell apart from legitimate ones because attackers research the target and go to great lengths to make the message look authentic, sometimes building up a trusted relationship with the target first. According to the 2018 DBIR, phishing and pretexting together accounted for 93% of breaches that involved a social action.
Baiting: this social engineering attack uses enticement or fear of missing out (FOMO) to encourage certain behaviours. For example, an employee may be offered free gifts if they provide personal or company information or passwords.
Why Are Social Engineering Attacks Effective?
Human beings have evolved to act and behave in certain ways to establish strong and cohesive social structures. Elements such as trust are vital components of coherent societies. Without trust, relationships fail.
Scammers understand human behaviour and the need to build trusted relationships. They also understand how to manipulate people by pretending to be a trusted person or building trust.
Other human behaviours such as the urge to do a good job, not get into trouble, or not miss out on a good thing are also abused by cybercriminals. All these natural actions we carry out daily in our home and work lives are open to exploitation by cybercriminals intent on stealing data and accessing networks to carry out malicious acts.
5 Examples of Social Engineering Attacks
Examples of social engineering are regularly in the press, but here are five to give you a flavour of how social engineering works:
Marriott hotel: a hacking group used social engineering to steal around 20 GB of personal and financial data from a single Marriott hotel. The hackers tricked a Marriott associate into giving them access to the associate's computer.
US Department of Labor (DoL): this socially engineered attack stole Office 365 login credentials. It used sophisticated phishing built on cleverly spoofed domains that looked almost identical to the legitimate DoL domain. The emails appeared to come from a senior DoL employee and invited the recipient to submit a bid for a government project. Clicking the bid button took the recipient to a phishing site that harvested their credentials.
Zoom users: a phishing campaign aimed at employees targeted at least 50,000 mailboxes. The social engineers used fear of redundancy to get employees to click a link to "meet with HR" over Zoom. The link led to a fake Zoom login page designed to steal passwords.
FACC (Austrian aircraft manufacturer): FACC lost around 42 million euros to a sophisticated Business Email Compromise (BEC) scam. The company CEO's email address was spoofed and used to send an 'urgent' request for a funds transfer. The email tricked an accounts payable employee, who accommodated the request and paid the money into the scammer's account.
CrowdStrike callback: even security vendors feel the force of social engineering. CrowdStrike has become an unwitting pawn in the social engineer's game: scammers use the trusted CrowdStrike brand, and those of other security vendors, to send phishing emails to employees. The email describes a possible malware infection and gives a phone number to call to have it removed. If the employee calls the number, they are talked into giving the attacker remote access to their computer.
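The DoL and FACC cases above both hinge on a sender that is not what it appears to be: a look-alike domain in one, a spoofed executive in the other. The following Python script is an added example, not code from the original article or from any organisation mentioned in it. It runs a handful of header checks over constructed messages: whether the sender domain is a homoglyph, a one-character typosquat, or a "brand-abuse" domain that embeds the trusted name (the shape of the DoL lookalikes), whether Reply-To redirects answers elsewhere, and whether a display name matches a known person while the address comes from an outside domain (the BEC pattern). The allow-list `dol.gov`, the person "Pat Example", the confusables table and the sample headers are all assumptions made up for the illustration.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation really sends from (assumption: dol.gov stands in for
# the impersonated organisation; replace with your own allow-list).
LEGIT_DOMAINS = {"dol.gov"}

# People whose display names attackers like to borrow (assumption: "Pat Example"
# is a made-up executive standing in for a real CEO).
KNOWN_PEOPLE = {"pat example"}

# Characters commonly swapped for Latin letters in look-alike domains. This is a
# small illustrative subset of the Unicode confusables list, not the full table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",             # digits
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                  # Cyrillic c y x
})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain):
    """Reduce a domain to a 'skeleton' in which confusable spellings collide."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    s = s.translate(CONFUSABLES)
    for pair, single in MULTI_CHAR:
        s = s.replace(pair, single)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'legitimate', 'homoglyph', 'typosquat', 'brand-abuse' or 'unrelated'."""
    d = domain.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return "legitimate"           # the domain itself or a subdomain of it
    for legit in LEGIT_DOMAINS:
        if skeleton(d) == skeleton(legit):
            return "homoglyph"            # e.g. d0l.gov, or dol.gov with Cyrillic o
        if edit_distance(d, legit) <= 1:
            return "typosquat"            # e.g. doll.gov, dl.gov
        brand = legit.split(".")[0]       # "dol"; short brands will over-match
        squashed = re.sub(r"[.-]", "", d)
        if brand in re.split(r"[.-]", d) or legit.replace(".", "") in squashed:
            return "brand-abuse"          # e.g. dol-gov.com, bids-dolgov.us
    return "unrelated"


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(sender_domain)
    findings = []
    if verdict in ("homoglyph", "typosquat", "brand-abuse"):
        findings.append(f"sender domain {sender_domain!r} is a {verdict} of a trusted domain")
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"Reply-To {reply!r} sends replies to a different domain than From")
    if "@" in name or any(legit in name.lower() for legit in LEGIT_DOMAINS):
        findings.append(f"display name {name!r} embeds an address to mask the real sender")
    if name.lower() in KNOWN_PEOPLE and verdict != "legitimate":
        findings.append(f"display name {name!r} is a known person but mail comes from {sender_domain!r}")
    return findings


# Constructed sample messages (headers only; the bodies do not matter here).
SAMPLE_LEGIT = 'From: "DOL Alerts" <alerts@mail.dol.gov>\nSubject: Account notice\n\nbody\n'
SAMPLE_DOL = 'From: "DOL Procurement" <bids@dol-gov.com>\nSubject: Invitation to bid\n\nbody\n'
SAMPLE_HOMOGLYPH = 'From: "DOL Security" <noreply@d0l.gov>\nSubject: Password reset\n\nbody\n'
SAMPLE_BEC = ('From: "Pat Example" <pat.example@gmail.com>\n'
              'Reply-To: "Pat Example" <ceo.pat.example@outlook.com>\n'
              'Subject: URGENT wire transfer\n\nbody\n')

if __name__ == "__main__":
    for label, raw in [("legit", SAMPLE_LEGIT), ("dol-lookalike", SAMPLE_DOL),
                       ("homoglyph", SAMPLE_HOMOGLYPH), ("bec", SAMPLE_BEC)]:
        print(label, analyse(raw) or ["no findings"])
```

These checks catch the cheap tricks, not a compromised legitimate mailbox, which is why BEC defences also need an out-of-band payment verification step rather than header analysis alone. A production filter would swap the toy confusables table for the full Unicode list and use a public-suffix list when splitting the brand label.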
How to Protect Against Social Engineering Attacks
Social engineering is successful because the technique manipulates our everyday actions. This makes it difficult for employees to spot that they are part of a social engineering attack.
Social engineering needs to be part of the conversation around security awareness, and security policies should reflect this. There are also practical ways to make sure employees are up to speed with the tricks social engineering scammers play:
Make social engineering part of your security culture:
- Engage staff in regular updates on social engineering and how it works.
- Make sure that social engineering is part of your regular Security Awareness Training.
- Include social engineering in security awareness month posters and send newsletters to staff about the issues caused by social engineering.
Deploy phishing simulations: use an advanced simulated phishing platform to train staff on what phishing emails look like and to test their response to a phishing email. Tailor these emails to different roles in your organisation and base the simulations on known tactics used by scammers.
Penetration test your company and staff: set up test scenarios to see how well staff respond to social engineering attempts, including tests of how easy (or hard) it is to gain entry to the building.
Also test how staff respond to unknown individuals. For example, have testers pose as cleaners or contractors and see how far they get in extracting information about your company or talking their way onto a computer.