How Social Engineering Works
Social engineering is a surprisingly common way for attackers to break into an organization’s computer systems: they fool the people who use and protect those systems rather than attacking the systems directly. Basically, the goal is to trick the person behind the keyboard into inadvertently helping the attacker.
You actually see a lot of social engineering attacks in movies and TV shows. It might be a person trying to fake their way into a military base late at night. The guard is suspicious, but then the protagonist simply states, “Do you want to wake up the general? Go ahead and call.” Intimidated, the guard simply waves them through.
You’ve seen lots of other variants of this too:
- “Hey, I’m trying to deliver this package. I’m already late on this, and they’ll have my head if I don’t get it to them. Can you help me out?”
- “Well, someone up in maintenance called us in to get rid of those rodents, but it will be another three weeks before we can re-schedule. But it’s your call.”
- Calling on the phone: “Hey, this is Bob Westerman down in accounting. I’m having some problems accessing our internal network. Can you send the latest sales report to me at email@example.com?”
OK, so that last one isn’t from a movie, but it is a perfect example of a real-world social engineering attack. Given the processes and workflow in an organization, it might seem like a perfectly reasonable request. Large organizations can also have a hard time defending against these kinds of attacks, as it is impossible for every individual to know everyone else in the company.
Attackers can further exploit weaknesses in organizational structure by sending out fake signals that signify legitimacy. In the example above, the attacker might be using a real person’s name and a legitimate-looking email address, and could also be faking the caller ID number so the call looks like it’s coming from inside the company (I guess this brings a new meaning to the old trope of “the call is coming from inside the house”).
Attackers also make use of a lot of social psychology in influencing people. This might include exploiting people’s willingness to help others in need, starting with small requests and incrementally growing those requests over time (see this NPR article about nibbles for a fantastic example), and just dressing the part (making it look like you know what you are doing and that you belong there is 90% of social engineering).
This is why social engineering training is so important. Social engineering attacks circumvent all of the certificates, passwords, anti-virus, encryption, and intrusion detection systems you might have in place. Employees have to be trained to recognize common patterns in social engineering, so that you have a fighting chance against them.
Wombat’s customers have experienced a more than 80% reduction in susceptibility to attack when they combine Social Engineering Assessments, such as phishing attacks or USB attacks for the purposes of training, with our in-depth training modules. However, when Social Engineering Assessments are coupled with interactive software training modules, the reduction in susceptibility can be even greater.
We just introduced our Social Engineering training module which teaches employees how to recognize scams and keep themselves and their employer’s information safe.
By the way, if you’re looking to be entertained while also being educated, check out Ocean’s Eleven and Veronica Mars. Both are good primers for social engineering. There’s even an episode of Veronica Mars about phishing attacks!
For another fun read, check out this article dissecting how various scams work, in the context of the UK TV show The Real Hustle.