Social engineering is a technique solely focused on manipulating/exploiting a human error to gain something from them (e.g., private information, credentials, valuables). It is also dubbed ‘Human hacking’ since this method does not involve any kind of technical skills at all. Everything relies on the adversary’s capabilities to manipulate victims. This method usually tricks victims into exposing their data, spreading malware, or gaining access to systems.
Table of content :
How Can These Attacks Happen Generally? On Which Channel?
- It can happen online (email, SMS, phone call).
- In-person (face to face interaction).
Scams based on social engineering are built around how people think and act. Social engineering attacks are beneficial for manipulating a user’s behaviour. Once an attacker understands what motivates a user’s actions, they can effectively deceive and control the user.
In addition, hackers try to exploit a user’s lack of knowledge. Thanks to the speed of technology, many consumers and employees aren’t aware of common threats like phishing. Users also may not realise the total value of personal data, like their phone number. As a result, many users are unsure how to protect themselves and their information best.
How Does Social Engineering Work?
Most social engineering attacks rely on actual communication between attackers and victims. The attacker tends to motivate the user into compromising themselves rather than using technical methods such as brute force to breach your data.
The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social engineering attack cycle are usually as follows:
- Preparation – Hackers gather information about their targets, such as working company, email, current working sector, and victim’s interest.
- Infiltration – Hacker initiates interaction with the victim. e.g sending an email.
- Exploit – Exploit the victim once a weakness is being exposed.
- Disengage – Disappear/disconnect from the interaction once the attack has been carried out successfully.
By masquerading as legitimate users to IT support personnel, they grab your private details — like name, date of birth or address. From there, it’s a simple matter to reset passwords and gain almost unlimited access. They can steal money, disperse social engineering malware, and more.
Common Indicator of Social Engineering?
In order to manipulate the user, certain indicators or traits will always be present to convince the victim to expose their information.
Emotional manipulation gives the attacker the upper hand in conducting this attack. Victims are more likely to take actions irrationally without thinking since they are in a certain emotional state. Examples of emotions that can manipulate the victims:
Urgency is another trait that victims need to look out for. The attacker will always try to trick the victims to initiate the action as soon as possible. Victims may be motivated to compromise themselves when they understand that this problem needs immediate attention. For example, Your account will be disabled in 24 hours, please reset your password immediately. <Include malicious link for reset password>.
Types of Social Engineering Attacks?
Attackers pretend to be a trusted institution or individual to persuade you to expose personal data and other valuables.
- Email Phishing – The most common method of phishing. Attackers usually urge you to reply to the mail and sometimes the content can have things like malicious URL links, malicious attachments, and their contacts.
- Vishing (Voice phishing) – A phishing conducted in a phone call. Attackers can manipulate you to try to expose information immediately by claiming they are from trusted government bodies etc.
- Smishing (SMS phishing) – Text Messages that can include malicious links, fraud email contacts or phone numbers.
- Search engine phishing – attempt to place links to fake websites at the top of search results. These may be paid ads or use legitimate optimisation methods to manipulate search rankings.
Lure victims to expose themselves to attackers. This can be achieved by an attacker who purposely leaves infected removable drives (USB) left in public spaces or an infected paid software that is given free by the attacker over the internet.
Involves attackers appearing in-person, posing as someone legitimate to gain access to otherwise unauthorised areas or information. Attacks of this nature are most common in enterprise environments, such as governments, businesses, or other organisations. Attackers may pretend to be a representative of a known, trusted vendor for the company.
- Piggybacking – Trailing/following closely behind an authorised staff member into a restricted area (offices etc). They could also convince the victim that they are authorised to be in the area.
- Pretexting – Attacker establishes trust beforehand, such as by impersonating as an employee or vendor. Once trust has been gained, exploits follow once they are convinced the attacker is authorised/legitimate.
Quid pro quo
A term refers to “a favour for a favour”, which means both parties agree to exchange something that benefits them mutually. In the context of phishing, victims exchange their personal information for some reward or compensation. Giveaways or offers to take part in research studies commonly used to expose victims to this type of attack.
The exploit comes from getting you excited for something valuable that comes with a low investment on the victim’s end. However, the attacker simply takes their data with no reward in return.
How to Detect a Social Engineering Attacks?
1. Check The Website’s Legitimacy
Is the URL correct? Does it have HTTPS? Correct company logo? Any spelling errors? Is their interface usually like that? Be observant of every detail that may come as suspicious.
2. Legitimate Sender?
Inspect email addresses and social media profiles carefully when getting a suspect message. There may be characters that mimic others, such as “[email protected]” instead of “[email protected]” Fake social media profiles that duplicate your friend’s picture and other details are also common.
3. Suspicious Email Subject
If the email subject is too general or something that is always quick to get the attention of the recipient. For example: “Payment pending”, “RE: Order received”, “You won an iPad!” etc.
When the person claims to be from a government body and claims that you have a pending payment of a certain amount. The vishing attacker usually has a ready-made script to explain everything to you. Verify their identity, ask whether they are an authorised person from the said government body. Drag away the conversation from their main point (which is to claim a payment). Usually, government bodies do not inform people in case of anything over a phone call, mailing is the common method.
5. Email Content
Check the spelling, grammatical errors. Observe the structure of the email (inconsistent spacing, lining, paragraph spacing) if it is not too proper then it might be phishing. Do not click on any link blindly, if the URL is commonly used by you then proceed with caution. Do not download attachments blindly – do you expect this attachment coming from the sender? Is the file name proper? Does the file extension seem suspicious? Watch out for these file extensions – .exe, .bin, .vbs, .jar, .bat, .msi, .cmd, .reg.
How to Defend Against Social Engineering Attacks?
1. Always Active Security Culture
A security team that is ready 24/7 to act quickly to contain the attack if anything bad happens (e.g. staff fall victim to a phishing attack).
2. Staff Awareness Training
Companies should always conduct security awareness training to equip them with knowledge on how to defend against social engineering attacks.
3. Practical Training
Regularly test the effectiveness of the training by conducting a simulated phishing attack targeted towards the staff.
4. Security Solutions
Deploy security solutions such as antivirus, firewalls, and Security Email Gateway (SEG) to apply multiple layered defence against the threat.
5. User Account Management Habits
Use strong passwords, multi-factor authentication (MFA), never click on any suspicious email links or attachments, and avoid sharing your personal details on the internet such as full names, school name, pets, and place of birth (to avoid attackers using all these details to crack your password).