Social engineering has been an observable phenomenon since the beginning of history. People with something to gain have always found avenues to manipulate others’ fears or willingness to trust. In the modern world, social engineering attacks most frequently take place over the telephone or internet. Would-be hackers pose as known entities to convince their target to hand over credentials, financial information, or compromising data.
What do CIOs, development, security and operations professionals, and frontline employees need to know about social engineering and its many forms?
What Is Social Engineering?
Social engineering is an umbrella term for hacking methodologies that attempt to gather personal information and business data through manipulation of one or more individuals. Hackers use a combination of lies and persuasion techniques to get the victim to reveal sensitive information, which can then be used to gain access to a system’s resources.
Cyberattackers use social engineering tactics because they work. The COVID-19 pandemic brought an explosion of digital fraud for a simple reason: it was a confusing and frightening time for many people, which naturally lowered their defenses.
Even in ordinary circumstances, social engineering attacks work because they prey on people’s desire for a quick resolution and their readiness to trust. Someone already having computer problems at work can easily fall prey to an email claiming to be from the IT team. If somebody in dire financial straits receives a call promising a windfall, there’s a similarly strong temptation to give in to the caller’s demands.
There are several types of social engineering attacks that individuals and professionals need to be aware of.
Phishing
Phishing can take several forms. Each one is a variation on a theme: the would-be hacker emails their target claiming to be a trusted contact. It could be somebody at their company, or a representative from their bank. Phishing aims to extract credentials straight from the source.
Angler phishing sees the bad actor posing as a customer experience representative. It sometimes involves the hacker reaching out to people on social media who’ve complained about their experience with a company. The hacker, if successful, makes off with any financial information they can.
Ordinary phishing typically sees bad actors sending the same email to multiple people. Spear phishing is more deliberately targeted toward one individual and involves prior research to appear more convincing.
Whaling is also specifically targeted, but it goes after an even higher-value individual, like a CEO.
Pharming (Man-in-the-Middle Attack)
A man-in-the-middle or pharming attack targets individuals attempting to reach legitimate digital portals, like websites or apps. The scammer even creates convincing-looking fake sites to manipulate traffic. Once a target makes their way to these interfaces, they’ll often input passwords, user IDs, or financial information because they believe they’re interacting with a first-party website.
Once the interloping website or app “pharms” these credentials or identifying information, the result is typically identity theft. An alternative form of pharming may involve the hacker sending their target a code or link that installs malware on their system to harvest credentials instead.
Business Email Compromise Attack
In a business email compromise attack, bad actors use previously obtained corporate email login information to appear as the account owner. They then attempt to glean compromising information or credentials from the target, or conduct outright theft.
Many email compromise attacks specifically target employees in departments dealing with company finances. If they’re not aware of the threat in advance, these individuals sometimes send money transfers to fraudulent bank accounts.
Pretexting
The standard definition for pretexting is similar to that of social engineering, although with some refinements. Pretexting is the act of carrying out reconnaissance on a target, then posing as somebody else to gain that person’s confidence based on what’s been learned.
The most common forms of pretexting involve creating a plausible scenario, like a family or business crisis, to put the target on alert and extract information from them. Sometimes people wire money, thinking they’re paying a loved one’s bail or settling business accounts. The initial reconnaissance helps the hacker create a fictitious persona that has a better chance of fooling the victim into compliance.
Quid Pro Quo
From the Latin phrase meaning “in exchange,” a quid pro quo social engineering attack involves a trade of sensitive information for the promise of services rendered. One example could be a would-be hacker who calls a company offering IT services for somebody who “needs assistance.”
Once the caller is put through to somebody who has an IT ticket, the caller asks the target for user credentials — whether for an online account, an internal internet connection, or something else business-related.
Baiting
The social engineering attack known as baiting is where a bad actor makes a promise to their victim in exchange for something they want, such as a wire transfer of money, a Social Security number, or a credit card. The fraudster will sometimes make direct contact by posing as a trusted entity, like a cop or a bank. Other times, an email might deliver links that lead to fraudulent websites or install malware.
In each case, the person believes they’ll get something in exchange for their information. During the global pandemic in 2020, many scams promised speedier delivery of stimulus checks and advance access to vaccines, effectively preying on the desperate and out-of-work.
Vishing & Smishing
This pair of social engineering tactics isn’t to be taken lightly, despite their names.
Vishing targets individuals using voicemail messages. The caller will claim to be from a bank or perhaps a government agency — like the IRS — and attempt to extort information. Smishing works similarly, but is carried out through text messages.
Both forms of attack prey primarily on the non-tech-savvy. The target either hands over their information directly when they return the call, or clicks a link that captures their data on a new page.
Know How to Defend Your Organization
All social engineering attacks leverage the relative weaknesses of the individual, like a willingness to trust or panic in a crisis. Anyone representing an organization on digital platforms must know how to raise a robust defense. It’s vital to use email filtering, regularly train employees, remove unnecessary accounts and credentials, and study normal traffic and user patterns to flag suspicious activity.
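The email filtering mentioned above can catch the mechanics behind whaling and business email compromise before a message ever reaches the finance team. The following is an added example, not code from the original article: it screens raw email headers for three common tells of an impersonation attempt (a watched executive's display name on a foreign address, a Reply-To that diverts replies elsewhere, and a sender domain one typo away from the organization's own). The domain, the watched names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain and the
# people most likely to be impersonated in a whaling or BEC message.
ORG_DOMAIN = "example.com"
WATCHED_NAMES = {"jane doe": "jane.doe@example.com"}  # e.g. CEO, head of finance

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, org: str) -> bool:
    """True when an external domain is within one edit of ours after normalising
    common swaps (examp1e.com, rn for m, hyphen for dot)."""
    table = str.maketrans({"1": "l", "0": "o", "-": "."})
    norm = lambda d: d.lower().translate(table).replace("rn", "m")
    return domain.lower() != org and _edit_distance(norm(domain), norm(org)) <= 1

def screen_message(raw: str) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # A watched person's display name, but not their real address (display-name spoofing).
    expected = WATCHED_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: {from_name} <{from_addr}>")
    # Reply-To on a different domain than From: replies would be diverted to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")
    # Sender domain that is one typo away from ours.
    if is_lookalike(from_domain, ORG_DOMAIN):
        findings.append(f"lookalike sender domain: {from_domain}")
    return findings

# Constructed sample messages (not real mail).
SUSPICIOUS = ("From: Jane Doe <jane.doe@gmail.example.net>\r\n"
              "Reply-To: ceo-urgent@example-mail.net\r\n"
              "To: ap@example.com\r\nSubject: Urgent wire\r\n\r\nPlease process today.\r\n")
LOOKALIKE = "From: Vendor <billing@examp1e.com>\r\nTo: ap@example.com\r\n\r\nNew bank details.\r\n"
CLEAN = "From: Jane Doe <jane.doe@example.com>\r\nTo: ap@example.com\r\n\r\nThanks.\r\n"

if __name__ == "__main__":
    for m in (SUSPICIOUS, LOOKALIKE, CLEAN):
        print(screen_message(m) or ["no findings"])
```

These checks are heuristics for a mail gateway or a detection rule, not a replacement for SPF, DKIM and DMARC enforcement on the organization's own domain.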