The biggest weakness in a cybersecurity strategy is humans, and social engineering takes advantage of a targeted user’s inability to detect an attack. In a social engineering threat, an attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such as send the attacker money, divulge sensitive customer information, or disclose authentication credentials.
History of Social Engineering
Tricking users into divulging sensitive information is nothing new in the world of cybersecurity. The only thing that’s changed is the method of attack, the stories used to obtain information, and sophisticated attacks from organized groups incorporating other threats such as phishing. The term social engineering was first used in 1894 by Dutch industrialist JC Van Marken, but it’s been a method of cyber-attacks since the 1990s.
In the 1990s, social engineering involved calling users to trick them into divulging their credentials or providing the dial-in landline number that connected a threat actor to an internal corporate server. Now, attackers use social engineering to trick targeted users into sending potentially millions of dollars to offshore bank accounts, costing organizations millions in damages. In some cases, employees lose their jobs after the fallout and damages.
Traits of a Social Engineering Attack
The lines between social engineering and phishing are blurred because they usually go hand-in-hand in a sophisticated attack. Social engineering usually involves masquerading as a legitimate employee (e.g., the CFO or CEO) or tricking an employee into thinking that the attacker is a legitimate customer in an effort to get the employee to provide the attacker with sensitive information or change account features (e.g., SIM swapping).
Regardless of the attacker’s goals, there are some clear signs that communication is from social engineering. One primary component in social engineering is playing on a targeted user’s fears and emotions. The attacker doesn’t want the targeted user digesting and contemplating the request, so social engineering involves using fear and a sense of urgency.
A few common traits in all social engineering attacks are:
- Heightened emotions: An attacker threatens the loss of an account to trick users into providing their credentials, or the attacker might pretend to be an executive demanding money from a targeted user to instill a sense of urgency in an employee fearful of losing their job.
- Spoofed sender address: Most users are unaware that a sender email address can be spoofed, but proper email security will stop spoofed senders from accessing a targeted user’s inbox. Instead, an attacker will register a domain similar to an official one and hope that a targeted user does not notice the misspelling.
- Strange friend requests: It’s not uncommon for an attacker to compromise an email account and spam malicious messages to the victim’s contact list. Messages are usually short and don’t have the personalized element from friends, so be hesitant to click links from friends if the message does not sound like personalized communication.
- Unprofessional website links: Phishing links are sometimes used with social engineering to trick users into divulging sensitive information. Never enter credentials into a website directly from an email link, even if it looks like an official site (e.g., PayPal).
- Too good to be true: Scammers often promise money in exchange for monetary compensation. For example, a targeted user could get a free iPhone in exchange for shipping payments. If the offer is too good to be true, then it is probably a scam.
- Malicious attachments: Instead of tricking targeted users into divulging private information, a sophisticated attack might work towards installing malware on a corporate machine using email attachments. Never run macros or executables on a machine from a seemingly harmless email message.
- Refusal to respond to questions: If a message seems suspicious, reply to the message and ask the sender to identify themselves. An attacker will avoid identifying themselves and might just ignore the request.
Social Engineering Techniques
The overall technique used in social engineering is using emotions to trick users, but attackers use several standard methods to push the user into performing an action (e.g., sending money to a bank account) and making the attack look more legitimate. Usually, the techniques involve email or text messages, because they can be used without voice conversations.
A few common techniques include:
- Phishing: With social engineering, an attacker usually pretends to be a corporate executive to trick users into sending money to an offshore bank account.
- Vishing and smishing: Attackers use text messages and voice-changing software to send SMS messages or robo-call users. The messages usually promise gifts or services in exchange for payment. These types of scams are called vishing (voice phishing) and smishing (SMS phishing).
- CEO (executive) fraud: Users often feel urgency when an executive requests action, so an attacker will pretend to be the CEO or another executive to instill a sense of urgency for the targeted employee to perform an action. This is known as CEO fraud.
- Baiting: It’s common for attackers to promise prizes or money in exchange for a small payment. The offer is usually too good to be true, and the payment is usually for shipping or some other cost coverage.
- Tailgating or piggybacking: Corporations that use security scanners to block unauthorized access to the premises. An attacker uses tailgating or piggybacking to trick users into using their own access cards to give the attacker physical access to the premises.
- Quid pro quo: Disgruntled employees could be tricked into providing sensitive information to an attacker in exchange for money or other promises.
Examples of Social Engineering Attacks
To identify a social engineering attack, it’s important to know what it looks like. Social engineering attacks play on a targeted victim’s emotions, but they have a few elements in common regardless of the threat actor’s goals. An attacker’s goals usually revolve around tricking users into sending money, but some want to trick users into sending money.
A few common social engineering scenarios include:
- Baiting: The attacker offers a “carrot on a stick” where the victim must pay money to receive a large payout. The payout could be lottery winnings or a free prize in exchange for a small shipping fee. An attacker might also ask for charitable donations for a campaign that does not exist.
- Responding to a question never asked: The targeted victim will receive an email “responding” to a question, but the response will ask for personal details, contain a link to a malicious website, or include a malware attachment.
- Threaten loss of money or accounts, or threaten prosecution: Fear is a useful tool in social engineering, so an effective way to trick users is to tell them that they will suffer money loss or go to jail if they do not comply with the attacker’s request.
- CEO fraud: Posing as a boss or executive, the attacker conveys a sense of urgency to the targeted victim convincing them to send money to a bank account.
How to Not Be a Victim of Social Engineering
The sense of urgency throws off many intended victims, but educated users can take the necessary steps to avoid being a victim but following a few rules. It’s important to slow down and verify an email sender’s identity or ask questions when communication is over the phone. A few rules to follow:
- Research before responding: If the scam is common, you will find others talking about the social engineering method online.
- Don’t interact with a web page from a link: If an email sender claims to be from an official business, don’t click the link and authenticate. Instead, type the official domain into the browser.
- Be aware of strange behavior from friends: Attackers use stolen email accounts to trick users, so be suspicious if a friend sends an email with a link to a website with little other communication.
- Don’t download files: If an email requests to urgently download files, ignore the request or ask for assistance to ensure that the request is legitimate.
Essential Social Engineering Statistics
Social engineering is one of the most common and effective ways an attacker can gain access to sensitive information. Statistics show that social engineering combined with phishing is highly effective and costs organizations millions in damages.
A few statistics on social engineering include:
- Social engineering is responsible for 98% of attacks.
- In 2020, 75% of companies reported being victims of phishing.
- The most common cyber incident in 2020 was phishing.
- The average cost after a data breach is $150 per record.
- Over 70% of data breaches begin with phishing or social engineering.
- Google recorded over 2 million phishing websites in 2021.
- Approximately 43% of phishing emails impersonate large organizations like Microsoft.
- 60% of companies report data loss after a successful phishing attack, and 18% of targeted users fall victim to phishing.
Social Engineering Prevention
Businesses are also targets for social engineering, so employees must be aware of the signs and take the necessary steps to stop the attack. It’s the responsibility of the organization to educate their employees, so follow these steps to empower your employees with the tools to identify an ongoing social engineering attack:
- Be aware of the data being released: Whether it’s social media or email, employees should know if the data is sensitive and should be kept confidential.
- Identify valuable information: Personally identifiable information (PII) should never be shared with a third party, but employees should know what data is considered PII.
- Use policies to educate users: A policy in place gives users the information necessary to act on fraudulent requests and report ongoing social engineering attacks.
- Keep anti-malware software up to date: Should an employee download malicious software, anti-malware will detect and stop it in most cases.
- Be suspicious of requests for data: Any request for data should be received with caution. Ask questions and verify the sender’s identity before complying with the request.
- Train employees: Employees can’t identify attacks if they do not have the education that helps them, so provide training that shows employees real-world examples of social engineering.
How Proofpoint Can Help with Social Engineering
Proofpoint knows that social engineering attacks are highly effective at targeting human emotions and mistakes. We have security awareness training and education programs that help employees identify social engineering and the phishing emails that work alongside these attacks.
We prepare users for the most sophisticated attacks and give them the tools necessary to react. Using real-world examples, employees will be prepared to identify social engineering and react according to the organization’s set security policies.
FAQs for Social Engineering
What is Social Engineering in Simple Words?
Most people think of cyber-threats as malware or a hacker exploiting vulnerabilities in software. However, social engineering is a threat where an attacker tricks a targeted user into divulging sensitive information by pretending to be a familiar person or service. The attacker might trick a targeted user into divulging their password, or the attacker could trick the targeted user into sending money by pretending to be a high-level executive. Attackers’ goals in a social engineering campaign vary, but generally, the attacker wants access to accounts or to steal the user’s private information.
How Does Social Engineering Work?
A threat actor might have a specific target in mind, or the attacker could cast a wide net to access as much private information as possible. Before a threat actor carries out a social engineering attack, their first step is to conduct due diligence on the targeted user or corporation. For example, the attacker could gather names and email addresses of the finance department staff from an organization’s LinkedIn page to identify targeted victims and standard operating procedures.
The reconnaissance phase is critical to the success of a social engineering attack. The attacker must fully understand the business’s organizational chart and target who has the authority to perform the actions necessary for success. In most attacks, social engineering involves the threat actor pretending to be someone the targeted user knows. The more information the threat actor collects about the targeted user, the more likely the social engineering attack will be successful.
With enough information gathered, the attacker can now carry out the next steps. Some social engineering attacks require patience to slowly build the targeted user’s trust. Other attacks are quick where the threat actor gains trust within a limited time by conveying a sense of urgency. For example, the attacker might call a targeted user and pretend to be an IT support staff member to trick the user into divulging their password.
What are the Steps to a Successful Social Engineering Attack?
Just like most effective cyber-attacks, social engineering involves a specific strategy. Each step requires thoroughness because the attacker aims to trick the user into performing a particular action. Social engineering involves four steps. These steps are:
- Information gathering: This first step is critical to social engineering success. The attacker collects information from public sources like news clippings, LinkedIn, social media, and the targeted business website. This step familiarizes the attacker with the inner workings of the business departments and procedures.
- Establish trust: At this point, the attacker contacts the targeted user. This step requires conversation and convincing, so the attacker must be equipped to handle questions and persuade the targeted user to perform an action. The attacker must be friendly and might try to connect with the targeted user on a personal level.
- Exploitation: After the attacker tricks the targeted user into divulging information, exploitation begins. The exploit depends on the attacker’s goals, but this step is when the attacker gets money, access to a system, steals files, or obtains trade secrets.
- Execution: With the sensitive information obtained, the attacker can now perform the final goal and exit the scam. The exit strategy includes methods to cover their tracks, including detection avoidance from the targeted organization’s cybersecurity controls that could warn administrators that an employee had just been tricked.
What is the Most Common Form of Social Engineering?
The term “social engineering” is a broad term that covers many cyber-criminal strategies. Social engineering involves human error, so attackers target insiders. The most common form of social engineering is phishing, which uses email messages. Under the umbrella of phishing are vishing (voice) and smishing (text messages). In a typical phishing attack, the goal is to obtain information for monetary gain or data theft.
In a phishing email, the attacker pretends to be a person from a legitimate organization or a family member. The message might ask for a simple reply, or the message will contain a link to a malicious website. Phishing campaigns can target specific people within an organization – spear phishing – or the attacker can send hundreds of emails to random users hoping that at least one falls for the fraudulent message. Untargeted phishing campaigns have a low success rate, but it doesn’t take many successful messages for an attacker to obtain necessary information for monetary gain.
The two phishing variants – smishing and vishing – have the same goals as a general phishing campaign but different methods. A “smishing” attack uses text messages to tell targeted users that they have won a prize and need to pay a shipping fee to receive their gifts. “Voice” phishing requires voice-changing software to trick users into thinking the attacker is someone from a legitimate organization.
What Percentage of Hackers Use Social Engineering?
Hackers use social engineering frequently because it works. Social engineering and phishing are often used in combination as a more effective way to trick users into sending money or divulging their sensitive information (e.g., network credentials and banking information). In fact, most emails received by individuals and corporations are spam or scam emails, so it’s critical to integrate cybersecurity with any email system.
It’s estimated that 91% of cyber-attacks start with an email message. Many of them prey on a sense of urgency so that targeted victims don’t have time to process that the messages are a scam. Only 3% of attacks use malware, leaving 97% of attacks to social engineering. In some sophisticated attacks, the targeted victim receives an email and then a follow-up call or message.
Is Social Engineering Illegal?
Social engineering is indeed a crime because it uses deceit to trick targeted victims into divulging sensitive information. The typical aftermath results in additional crimes in the form of fraudulently accessing a private network, stealing money or the user’s identity, and then selling private data on darknet markets.
Consumer fraud is common in social engineering attacks. The attacker pretends to be a legitimate organization giving away prize money in exchange for financial data or a small payment. After the targeted victim provides financial data, the attacker steals money directly from the bank account or sells the credit card number on the dark web markets. Identity theft and stealing money from targeted victims are serious crimes.
Some social engineering is classified as a misdemeanor and only carries fines and short-term jail sentences. If crimes involve larger monetary amounts or target several victims, they can carry higher sentences and larger fines. Some crimes lead to civil suits where victims win judgments against criminals and those involved in helping with social engineering scams.
How Common is Social Engineering?
It depends, but it’s estimated that social engineering is used in 95%-98% of targeted attacks on individuals and corporations. High-privilege accounts are a common target, and 43% of administrators within IT operations have reported being a target in social engineering attacks. Recent hires within IT operations are even more likely to be a target. Corporations say that 60% of new hires are targets rather than long-term current staff members.
Because social engineering is so successful, attacks based on phishing and identity theft increased by 500% in recent years. Identity theft isn’t the only goal for an attacker. A few other reasons social engineering is a primary attack vector include:
- Fraudulent account access for data or monetary theft
- Financial access to banking or credit card accounts
- Simple nuisance reasons
Is Social Engineering Ethical?
Social engineering is a crime, so malicious threats do not consider ethics when targeting individuals and corporations. Everyone is a target for an attacker, so both individuals and employees should be aware of how social engineering is carried out. An attacker must know their target and perform reconnaissance before carrying out a social engineering campaign, so users should also understand the ways social engineering works.
The first red flag that indicates you’re the target of social engineering is that the caller or email sender will not answer any questions and discourage you from asking questions to clarify why they have an urgent request. Their requests may seem subtle, but they ask for sensitive information without answering any of your questions. In a legitimate financial transaction, an organization or bank answers as many questions as required until you feel comfortable with the actions that they need you to take.
Another unethical red flag is that most attackers use phishing with no voice conversations. If you ask to have a voice conversation with the requester, the attacker will refuse. This red flag is not always the case, but it should tell you that the email sender is not from a legitimate organization. In any scenario, you should hang up or stop communication with the email sender and directly call the phone number on the company’s website.
Some social engineering is ethical. When you hire white-hat hackers to penetration test cybersecurity, they will test all employees for their ability to detect social engineering attacks. In a penetration test, a certified ethical hacker calls employees to determine if they will divulge their network credentials or send phishing emails with a link that points to a malicious website. They log every user who clicks the link and take note of users who enter their private network credentials. This activity helps organizations determine the employees vulnerable to social engineering and provide them with more education on cybersecurity protocols.
What is the Cost of a Social Engineering Attack?
According to the Federal Bureau of Investigations, social engineering costs organizations $1.6 billion globally. Organizations pay an average of $11.7 million annually for cybersecurity crimes.
A significant component in cost is the time it takes for organizations to detect a data breach, which is an average of 146 days. In a social engineering attack, it’s much more difficult for administrators and cybersecurity infrastructure to determine when an employee falls victim to an attack. Any employees with legitimate access can leave the environment vulnerable to attackers when they fall for a social engineering campaign and install malicious software, provide credentials to attackers, or divulge sensitive information.
Strangest Social Engineering Tactics
Cyber-attacks continue to rise, and they are getting weirder. Check out this post for a round up of the strangest social engineering tactics that we saw last year.
How Threat Actors Hijack Attention: The 2022 Social Engineering Report
Social engineering is a component of nearly every threat actor’s toolbox who uses email as an initial access vector.
2022 Social Engineering Report
In our latest social engineering report, Proofpoint researchers analyze key trends and behaviors in social engineering throughout 2021 that highlight some common misconceptions people may have about how criminal or state actors engage with them.
Social Engineering: Essential Security Awareness Training Topic
In this first installment of our six-part blog series, we’ll be focusing on social engineering as an essential security awareness training topic.