What Is Social Engineering? Examples and Prevention
Social engineering is a cyberattack technique that leverages a number of attack vectors to trick victims into giving cybercriminals access or assets. Many methods are used to perpetrate the crime, but all social engineering attacks leverage deception, influence, and manipulation.
In addition, social engineering attacks are usually well-researched. Targets are identified and then profiled, giving attackers the background they need to establish credibility and fool someone into willingly giving away sensitive information or compromising security systems.
Cybercriminals use social engineering techniques to present themselves as someone the target will trust to facilitate engagement. Often, social engineering exploits play upon people's susceptibilities, which makes them especially effective.
For example, the attacker might pretend to be a colleague with an urgent problem that requires the target’s special access to resolve. Another example would be presenting themselves as the mutual friend of someone who needs help.
Social engineering continues to be an effective and commonly used cyberattack, because it is relatively easy to execute—far less complicated than a technical exploit. Often, social engineering is used as the point of entry for more far-reaching attacks.
Traits Targeted by Social Engineering
Common traits taken advantage of in social engineering attacks include the following:
- Authority Figures
Trust in authority figures and a fear of authority figures are commonly exploited in social engineering attacks. For instance, “this is NAME with the IRS…” or “this is Inspector NAME from the FBI.”
- Commitment
A sense of obligation after committing to something is a powerful driver that social engineering ploys leverage. Part of an exploit can be convincing the victim to make a commitment, then using guilt tactics to move them along through the scam. Often, this starts with small, easy commitments to an idea or a goal before getting to the cyberattackers’ actual objectives.
- Liking
People are much more inclined to help someone they like. People also tend to trust people they like more quickly. Social engineering attackers frame their outreach in ways that make the victim like them, so they can more easily persuade their targets to take desired actions.
- Reciprocity
When people have been given something, they may feel compelled to give something in return. Social engineering attackers often offer victims something to set the groundwork for reciprocity.
- Scarcity
Creating an impression of scarcity is also very effective. When people think that something is in short supply, they are motivated to take action. This is why “it’s a limited-time offer” or “there are only a few left” pitches are often used in social engineering.
- Social Proof
Social engineering attackers use invented peer pressure, such as pretending that a victim’s friends have already engaged, to spur victims into action. This leverages people’s tendency to be more receptive to something if their friends have already purchased an item or performed another action.
Who Perpetrates Social Engineering
- Malicious insiders
- Organized crime
Social Engineering Objectives
Cybercriminals have different objectives, but common motivations for social engineering are:
- Access to applications and systems
- Malware installation
- Monetary gain
- Sensitive information gathering, including login credentials
Social Engineering Attack Techniques
Unlike cybercrimes that use malware to infiltrate, social engineering attack techniques use psychology.
Social engineering attackers identify targets, then research them using publicly available information. They use this information to figure out ways to engage with and exploit them.
Following are some of the many social engineering attack techniques that are commonly used.
Business Email Compromise or BEC
One of the more successful social engineering attack techniques is business email compromise (BEC).
With BEC, the social engineering attacker gains access to a legitimate email account in the target company. This email account is then used for spear phishing attacks that aim to dupe employees, usually those with access to a company’s finances.
BEC is also known as CEO fraud, because the CEO’s account is often used, since people are more willing to act quickly and ask fewer questions when the CEO asks them to do something.
In one variation of BEC, an urgent request is made for a wire transfer to be made. Another variation is a request to change a vendor’s payment account.
BEC is also used for identity theft. In this case, the request is for copies of employees' W-2 forms, which contain a wealth of information, including social security numbers and home addresses.
Watering Hole
Another attack that involves researching targets is the watering hole attack, which gains network access by placing malware on websites that the victims regularly visit. Attackers identify these websites and search for vulnerabilities that allow them to install malware. When the victims visit the infected website, the attackers gain the desired access.
Pharming
With pharming social engineering attacks, victims are redirected from a legitimate website to a malicious one. This website is usually designed to mimic the legitimate one, and unless users pay close attention, they generally don’t know they’ve been redirected.
Quid Pro Quo
Meaning “something for something” in Latin, a quid pro quo social engineering attack pretends to give something to the victim in exchange for money or assistance. For example, the attacker claims to be from the IT department and needs the user to install an important update, but says the antivirus solution must be turned off for a few minutes for the update to install. When the victim turns off the antivirus, the attacker strikes.
Scareware
Playing on fear, scareware tricks victims into clicking a link to solve a fake problem. In some cases, the social engineering approach is to tell the person that their computer has been infected with malware, and they need to click the link to remove it.
Another example of scareware is pretending to be ransomware and threatening to encrypt files if a ransom is not paid.
Phishing
Phishing attacks involve sending emails that are created to look like they come from someone inside the company or another source that the target trusts. The objective is to convince the target to divulge sensitive information, such as their login credentials, credit card number, or social security number.
Whaling
A type of phishing attack, whaling targets executives. These messages are designed to take advantage of the target’s position.
In some cases, the objective is to have them approve a large payment. In other cases, the attacker wants the target’s login credentials, since they have broader access privileges than most other employees.
Spear Phishing
Following the same basic concept as phishing, spear phishing focuses the social engineering attack on a particular individual or organization. Research is conducted to tailor the message to engage the specific audience.
Cybercriminals search publicly available information to personalize the message and lure the victims into taking the desired action, which is usually providing money or sensitive information.
Smishing
SMS text message phishing, or smishing, uses text messaging to deliver phishing messages. Playing to people’s gullibility and natural interest in improving their finances, a commonly used social engineering technique is to inform the victim that they have won a contest and provide a link for them to claim their “prize.”
Vishing
Also known as voice phishing, vishing attackers use the phone as the channel for social engineering attacks. Like spear phishing, vishing can target individuals or organizations with messages that are customized to them. Calls can also be made at scale using autodial tools that play a recorded message when someone answers the phone.
In either case, the objective is to engage the target and entice them to divulge sensitive information or give money.
Pretexting
With pretexting, the social engineering attacker pretends to be a trusted source that needs personal or financial information to confirm the target’s identity. This is usually conducted under the guise of being the victim’s bank or credit card company.
Social engineering attackers leverage people’s trust in friends, family, and co-workers by sending malicious links or downloads from their email accounts or similar email addresses.
Baiting
In a baiting attack, the attacker depends on people’s curiosity and willingness to take something that appears to have been lost. A common approach is leaving a USB flash drive infected with malware in a place where the desired target will find it. Almost inevitably, someone will pick up the drive and insert it into their computer, at which point malware is activated.
Baiting is also conducted using infected files, which get shared. Many users cannot resist a file with a fictitious title like Layoff-Plans or Executive-Salaries.
Honeytrap
By pretending to be an attractive person, hence the name honeytrap, the attacker lures the victim into interaction. Once engaged, the attacker tries to gather sensitive information from the victim.
Diversion Theft
This social engineering attack involves the theft of physical material. With diversion theft, the attackers convince delivery services that packages are being dropped at the wrong location. The “helpful” attackers divert the delivery to a different place and steal the goods.
This is done not just with physical goods, but also with documents that contain sensitive information.
Access Tailgating
To gain entry to secured facilities, access tailgating tricks people with legitimate access into letting attackers enter. This social engineering attack plays on people’s courteous nature.
Access tailgating is commonly performed by asking someone to hold the door. The attacker often poses as someone who needs access to attend a meeting, as a delivery person who’s carrying a large package, or as someone who urgently needs directions.
Dumpster Diving
Often, attackers literally climb into dumpsters to rifle through the trash. Dumpster diving persists as a commonly used social engineering technique, because it yields results.
Information that can be collected from documents, sticky notes, or scraps of paper includes:
- Access codes
- Credit card receipts
- Email addresses
- Facility access protocols
- Organizational charts
- Phone numbers
- Printed emails
Social Engineering Attack Prevention Tips
Create Awareness to Prevent Social Engineering Attacks
Train employees on how to spot phishing emails. A few social engineering attack prevention tips to include in employee training are:
- Check the “from” address. Often, the sender’s address does not match the domain for the company they claim to represent.
- Be wary of emails with suspicious content sent from people claiming to be friends or co-workers.
- Scrutinize URLs before clicking any links.
- Look out for emails that have typos, bad grammar, and unusual syntax.
- Do not fall for offers that are “too good to be true”—usually, they are.
- As they say at the airport and the train station, “If you see something, say something.”
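As an added illustration of the first and third tips above (example code written for this page, not part of the original article or any Egnyte product), the following Python applies those checks to a constructed From: header and a constructed HTML body: it flags a sender domain outside an assumed trusted list, a typo-squatted lookalike of a trusted domain, a display name that shows a different address than the real sender, and a link whose visible URL names a different host than its href. The trusted-domain list and all sample values are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Domains the organization treats as its own (constructed assumption for this example).
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

def domain_of(addr_or_url: str) -> str:
    """Lowercase host part of an email address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse(addr_or_url).hostname or "").lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list:
    """Findings for a From: header whose address is untrusted, a lookalike, or disguised."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>\s]+@[^<>\s]+)>?\s*$', from_header)
    if not m:
        return ["From header could not be parsed"]
    display, domain = m.group(1).strip(), domain_of(m.group(2))
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain} is not trusted")
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= 2:
                findings.append(f"{domain} is a lookalike of {trusted}")
    # A display name that contains an address from another domain disguises the real sender.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and domain_of(shown.group(0)) != domain:
        findings.append("display name shows a different address than the real sender")
    return findings

def check_links(html: str) -> list:
    """Findings for anchors whose visible URL names a host other than the real href."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://[^\s<]+", text)
        if shown and domain_of(shown.group(0)) != domain_of(href):
            findings.append(f"link text shows {domain_of(shown.group(0))} but goes to {domain_of(href)}")
    return findings
```

These checks are a training aid for the tips above, not a substitute for a mail gateway; a real deployment would also verify SPF, DKIM and DMARC results on the message.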
Tools and Tips for Social Engineering Attack Prevention
- Keep spam filters turned on.
- Turn macros off to stop malware from spreading through attachments.
- Do not respond to scam emails or texts.
- Use multi-factor authentication.
- Take advantage of available security solutions.
- Use penetration testing to find security gaps.
- Implement and enforce security policies and guidelines.
- Regularly update software and firmware.
- Keep track of staff members who handle sensitive information and enable advanced authentication measures for them.
- Mandate use of strong passwords.
- Never let users connect to the organization’s primary Wi-Fi network.
- Use a virtual private network (VPN).
The Social Engineering Lifecycle
Information Gathering—Prepare for the Attack
During the information-gathering phase, social engineering attackers identify targets and build detailed profiles to support the engagement. Victims are targeted for a number of reasons, including their position in an organization, ease of access, information the person has access to, or demographics.
Once the target has been selected, the social engineering attacker gathers information about them to help customize communications and build trust. Public information sources used for this include social media, company websites, and articles.
During this phase, the attackers also determine the best channel or channels to use to reach the victim—typically phone or email, usually with a variety of techniques.
Developing the Relationship—Trick Targets into Engaging
Also called the hook phase, developing the relationship is the second step in the social engineering lifecycle. During this phase, the social engineering attacker engages the target and starts to unwind the narrative or “story.”
This is usually done with a combination of phone calls and emails. The goal of this phase is to deeply engage the target and take control of the relationship, by cultivating trust.
Exploitation—Execute the Attack
The exploitation or play phase is when the social engineering attacker reels in the victim. The attack begins, and access is achieved, or asset drains start. In the case where ransomware is the objective, this is when the ransom note is delivered.
Exit—Terminate the Engagement
Once the objective has been achieved, the social engineering attacker will recede, but slowly. During this part of the lifecycle, any malware will be removed or hidden. Any traces of the attack will be covered.
The engagement will be terminated in a natural way that does not arouse suspicion. The goal is to get in and out without the target realizing that they were the victim of a social engineering exploit until it’s too late.
Con Games Are Still Going Strong
Social engineering is a cyberattack that follows the playbook of con artist games. Less sophisticated than other cyberattack strategies, social engineering continues to be effective and lucrative. Social engineering takes advantage of people’s inherent trust in others through trickery and deception rather than with technology.
Last Updated: 11th October, 2021