What is Social Engineering? Can it Bypass Great Security?
Social engineering scams revolve around the hacker’s use of manipulation and confidence. These techniques tend to make victims act in ways that they otherwise wouldn’t. Usually, victims act the way they do because of heightened emotions, a sense of urgency, and trust.
Today’s cyber attackers are smart. They know that companies invest millions of dollars in corporate security features. They also know that every organization shares the same weakest link – human error. That’s why they keep devising clever ways to manipulate people into giving up confidential information. Social engineering is one technique that hackers use to fool unsuspecting users into handing over sensitive information, like passwords, banking information and personal information.
What is social engineering?
It is a form of cyber-attack that exploits people through deception and trickery. It taps into human vulnerabilities like trust, emotions, or habits to gain access to networks, systems, and physical locations. Usually, the attackers intend to trick users into providing details like bank account details, social security numbers, or login credentials. But they may also want to access a computer and secretly install malicious software that gives them control over the computer.
Attackers use social engineering techniques to hide their real identities and motives. They pose as trusted individuals or experts, but their only intention is to influence, manipulate, or trick users into giving up access or confidential data. A majority of social engineering attacks are based on the way people act and think. As such, these scams are particularly useful in exploiting a user’s actions. Once the hacker understands the reasons behind a target’s actions, he or she can effectively manipulate and deceive them.
How social engineering works
Social engineering attacks happen in one or more steps. First, the hackers run background checks to gather as much information about the target as possible. Then they’ll try to win the target’s trust and persuade them to reveal confidential information. Rather than force, fraudsters use persuasion and confidence to prompt victims into taking action.
In a nutshell, social engineers:
- Gather background data on the target and his or her organization
- Infiltrate by starting a conversation or building a relationship – which is often based on trust
- Identify a weakness and exploit the victim
- Disengage once they achieve their goal
What do social engineering attacks look like?
Social engineering attacks appear as an ordinary text message, email, phone call, or voice call from a seemingly safe source. Ultimately, it ends with the victim’s action, like exposing themselves to malware or sharing sensitive data.
Many people assume that they can tell scams right off the bat, but today’s attackers are much more advanced. They know how to disguise themselves. And, with a couple of details here and there, they can easily gain access to your organization’s various accounts and networks.
As Kevin Mitnick, a former hacker and social engineering expert, once said, “There isn’t a technology today that can’t be overcome through social engineering.”
Attackers are using social engineering to attack even the most sophisticated systems. In 2016, for instance, the United States Department of Justice fell for social engineering bait that led to a leak of personal information on 9,000 DHS and 20,000 FBI employees. In the same year, the Democratic National Convention lost over 150,000 emails, thanks to a spear-phishing email that appeared to be a legitimate email from Google. Other famous attacks include the Ubiquiti Networks BEC in 2015, the Yahoo hack in 2014, the Sony Pictures hack in 2014, and the US Department of Labor watering hole in 2013.
Types of social engineering attacks
1. Email from a trusted source (phishing emails)
Hackers use psychological manipulation to get victims to take different actions. For instance, they may send out an urgent message like this one:
Most employees will jump into action when they receive such an urgent email from their “boss.” They will even prioritize it over anything else. What’s more, some will proceed with the instructions without asking any questions. Emails may also come from another trusted source – like a friend, industry expert, and so on.
Phishing scams deliberately take advantage of the trust that individuals have in legitimate email owners. Attackers use different phishing methods and platforms, including:
- Spam phishing: non-personalized and aimed at many users at once
- Spear phishing: personalized and aimed at high-profile people
- Voice phishing: phone calls with automated messages or sometimes a real person to boost trust
- SMS phishing: text messages that may include a link or a prompt to take action
- Angler phishing: happens on social platforms, where hackers imitate a legitimate company’s customer care team
2. Baiting
In baiting, an attacker leaves a malware-infected device where a target can find it. Sometimes, they label it in an appealing way to make it even more tempting. When a person picks it up and plugs it into their machine, they unknowingly infect their computer with malware.
3. Tailgating
Also known as piggybacking, tailgating is where a disguised attacker follows an authorized employee into a restricted area. He or she asks the employee to hold the door, thereby gaining access to the building.
4. Pretexting
Pretexting involves hackers creating a convincing pretext to steal their target’s data. In pretexting, the fraudsters may say that they need some information from their victims to confirm their identity – but they use the information to stage secondary attacks or identity theft. In some cases, the attackers manipulate their victims into doing something that exploits the company’s physical and digital weaknesses.
Unlike phishing, where scammers capitalize on the victim’s urgency and fear, pretexting depends on creating a false sense of trust with the victim. This means the attacker has to build a story that the victim believes.
Social engineering prevention
Security awareness training is the best way to prevent social engineering. Companies should sensitize their teams to social engineering and the tactics that attackers use. Employees should know to delete any requests for passwords or secure financial data. They should also reject unsolicited requests or offers of help. It’s equally important for companies to keep their operating systems updated and to install firewalls, anti-virus software and email filters.
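One way to turn the email-filter advice into a concrete check, written here as an added example (not code from the original article): a small Python scorer that flags the “urgent request from the boss” pattern described above by combining a display-name impersonation check with the urgency, sensitive-request and don’t-verify cues the article lists. The internal domain, the executive list and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the article: the company's own mail domain and the
# executives whose names an impersonator is most likely to borrow.
INTERNAL_DOMAIN = "example.test"
EXECUTIVE_NAMES = {"jane doe"}

# Cues for the levers the article describes: urgency, a sensitive ask, and
# steering the victim away from a quick phone call that would expose the ruse.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|right now)\b", re.I)
SENSITIVE = re.compile(r"\b(password|gift cards?|wire transfer|bank account|credentials)\b", re.I)
NO_VERIFY = re.compile(r"\b(don't call|do not call|can't talk|in a meeting|keep this confidential)\b", re.I)

# Constructed sample of the "urgent request from the boss" pattern (not a real message).
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-mail-hosting.test>
Reply-To: ceo.urgent@example-mail-hosting.test
To: alice@example.test
Subject: URGENT - need this done before my 2pm

Alice, please buy four gift cards and send me the codes ASAP.
Don't call me, I'm in a meeting all afternoon.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", sender))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    flags = []
    # A known executive's name on an address outside the company: display-name impersonation.
    name = re.sub(r"\(.*?\)", "", display).strip().lower()
    if any(n in name for n in EXECUTIVE_NAMES) and domain_of(sender) != INTERNAL_DOMAIN:
        flags.append("executive-name-on-external-address")
    # Replies quietly routed to a different mailbox than the visible sender.
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply-to-mismatch")
    if URGENCY.search(text):
        flags.append("urgency-language")
    if SENSITIVE.search(text):
        flags.append("sensitive-request")
    if NO_VERIFY.search(text):
        flags.append("discourages-verification")
    # Several levers pulled at once is the signature of a social-engineering lure.
    return {"flags": flags, "quarantine": len(flags) >= 3}
```

A single cue on its own is weak evidence (plenty of honest mail is urgent), so the verdict is based on how many cues coincide, and a flagged message should be held for an out-of-band check with the supposed sender rather than silently dropped.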
Frank is a technology visionary and strategic hands-on executive with a track record of more than 20 years of helping companies revitalize, restructure, and implement complete Unified Communications systems in national and global markets.