The biggest weakness in a cybersecurity strategy is humans, and social engineering takes advantage of a targeted user’s inability to detect an attack. In a social engineering threat, an attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such as send the attacker money, divulge sensitive customer information, or disclose authentication credentials.
History of Social Engineering
Tricking users into divulging sensitive information is nothing new in the world of cybersecurity. The only thing that’s changed is the method of attack, the stories used to obtain information, and sophisticated attacks from organised groups incorporating other threats such as phishing. The term social engineering was first used in 1894 by Dutch industrialist JC Van Marken, but it’s been a method of cyber-attacks since the 1990s.
In the 1990s, social engineering involved calling users to trick them into divulging their credentials or providing the dial-in landline number that connected a threat actor to an internal corporate server. Now, attackers use social engineering to trick targeted users into sending potentially millions of dollars to offshore bank accounts, costing organisations millions in damages. In some cases, employees lose their jobs after the fallout and damages.
Traits of a Social Engineering Attack
The lines between social engineering and phishing are blurred because they usually go hand-in-hand in a sophisticated attack. Social engineering usually involves masquerading as a legitimate employee (e.g., the CFO or CEO) or tricking an employee into thinking that the attacker is a legitimate customer in an effort to get the employee to provide the attacker with sensitive information or change account features (e.g., SIM swapping).
Regardless of the attacker’s goals, there are some clear signs that communication is from social engineering. One primary component in social engineering is playing on a targeted user’s fears and emotions. The attacker doesn’t want the targeted user digesting and contemplating the request, so social engineering involves using fear and a sense of urgency.
A few common traits in all social engineering attacks are:
- Heightened emotions: An attacker threatens the loss of an account to trick users into providing their credentials, or the attacker might pretend to be an executive demanding money from a targeted user to instil a sense of urgency in an employee fearful of losing their job.
- Spoofed sender address: Most users are unaware that a sender email address can be spoofed, but proper email security will stop spoofed senders from accessing a targeted user’s inbox. Instead, an attacker will register a domain similar to an official one and hope that a targeted user does not notice the misspelling.
- Strange friend requests: It’s not uncommon for an attacker to compromise an email account and spam malicious messages to the victim’s contact list. Messages are usually short and don’t have the personalised element from friends, so be hesitant to click links from friends if the message does not sound like personalised communication.
- Unprofessional website links: Phishing links are sometimes used with social engineering to trick users into divulging sensitive information. Never enter credentials into a website directly from an email link, even if it looks like an official site (e.g., PayPal).
- Too good to be true: Scammers often promise money in exchange for monetary compensation. For example, a targeted user could get a free iPhone in exchange for shipping payments. If the offer is too good to be true, then it is probably a scam.
- Malicious attachments: Instead of tricking targeted users into divulging private information, a sophisticated attack might work towards installing malware on a corporate machine using email attachments. Never run macros or executables on a machine from a seemingly harmless email message.
- Refusal to respond to questions: If a message seems suspicious, reply to the message and ask the sender to identify themselves. An attacker will avoid identifying themselves and might just ignore the request.
Social Engineering Techniques
The overall technique used in social engineering is using emotions to trick users, but attackers use several standard methods to push the user into performing an action (e.g., sending money to a bank account) and making the attack look more legitimate. Usually, the techniques involve email or text messages, because they can be used without voice conversations.
A few common techniques include:
- Phishing: With social engineering, an attacker usually pretends to be a corporate executive to trick users into sending money to an offshore bank account.
- Vishing and smishing: Attackers use text messages and voice-changing software to send SMS messages or robo-call users. The messages usually promise gifts or services in exchange for payment. These types of scams are called vishing (voice phishing) and smishing (SMS phishing).
- CEO (executive) fraud: Users often feel urgency when an executive requests action, so an attacker will pretend to be the CEO or another executive to instil a sense of urgency for the targeted employee to perform an action. This is known as CEO fraud.
- Baiting: It’s common for attackers to promise prizes or money in exchange for a small payment. The offer is usually too good to be true, and the payment is usually for shipping or some other cost coverage.
- Tailgating or piggybacking: Corporations that use security scanners to block unauthorised access to the premises. An attacker uses tailgating or piggybacking to trick users into using their own access cards to give the attacker physical access to the premises.
- Quid pro quo: Disgruntled employees could be tricked into providing sensitive information to an attacker in exchange for money or other promises.
Examples of Social Engineering Attacks
To identify a social engineering attack, it’s important to know what it looks like. Social engineering attacks play on a targeted victim’s emotions, but they have a few elements in common regardless of the threat actor’s goals. An attacker’s goals usually revolve around tricking users into sending money, but some want to trick users into sending money.
A few common social engineering scenarios include:
- Baiting: The attacker offers a “carrot on a stick” where the victim must pay money to receive a large payout. The payout could be lottery winnings or a free prize in exchange for a small shipping fee. An attacker might also ask for charitable donations for a campaign that does not exist.
- Responding to a question never asked: The targeted victim will receive an email “responding” to a question, but the response will ask for personal details, contain a link to a malicious website, or include a malware attachment.
- Threaten loss of money or accounts, or threaten prosecution: Fear is a useful tool in social engineering, so an effective way to trick users is to tell them that they will suffer money loss or go to jail if they do not comply with the attacker’s request.
- CEO fraud: Posing as a boss or executive, the attacker conveys a sense of urgency to the targeted victim convincing them to send money to a bank account.
How to Not Be a Victim of Social Engineering
The sense of urgency throws off many intended victims, but educated users can take the necessary steps to avoid being a victim but following a few rules. It’s important to slow down and verify an email sender’s identity or ask questions when communication is over the phone. A few rules to follow:
- Research before responding: If the scam is common, you will find others talking about the social engineering method online.
- Don’t interact with a web page from a link: If an email sender claims to be from an official business, don’t click the link and authenticate. Instead, type the official domain into the browser.
- Be aware of strange behaviour from friends: Attackers use stolen email accounts to trick users, so be suspicious if a friend sends an email with a link to a website with little other communication.
- Don’t download files: If an email requests to urgently download files, ignore the request or ask for assistance to ensure that the request is legitimate.
Social Engineering Prevention
Businesses are also targets for social engineering, so employees must be aware of the signs and take the necessary steps to stop the attack. It’s the responsibility of the organisation to educate their employees, so follow these steps to empower your employees with the tools to identify an ongoing social engineering attack:
- Be aware of the data being released: Whether it’s social media or email, employees should know if the data is sensitive and should be kept confidential.
- Identify valuable information: Personally identifiable information (PII) should never be shared with a third party, but employees should know what data is considered PII.
- Use policies to educate users: A policy in place gives users the information necessary to act on fraudulent requests and report ongoing social engineering attacks.
- Keep anti-malware software up to date: Should an employee download malicious software, anti-malware will detect and stop it in most cases.
- Be suspicious of requests for data: Any request for data should be received with caution. Ask questions and verify the sender’s identity before complying with the request.
- Train employees: Employees can’t identify attacks if they do not have the education that helps them, so provide training that shows employees real-world examples of social engineering.
How Proofpoint Can Help with Social Engineering
Proofpoint knows that social engineering attacks are highly effective at targeting human emotions and mistakes. We have security awareness training and education programs that help employees identify social engineering and the phishing emails that work alongside these attacks.
We prepare users for the most sophisticated attacks and give them the tools necessary to react. Using real-world examples, employees will be prepared to identify social engineering and react according to the organisation's set security policies.