May 4, 2023 | Cyber security education
Social engineering: Attacks, techniques, and defences
By Katie Yahnke
Social engineering is a highly effective attack technique used by cybercriminals around the world. Its success rate comes from the fact that social engineering attacks exploit one of the largest risks in any organization—humans.
This blog post explains social engineering, how and why it works, and steps you can take right now to bolster your defence against social engineering attacks.
What is social engineering?
Social engineering is a broad range of manipulative interactions and techniques that cybercriminals use to trick the victim into doing something—disclosing corporate credentials or opening a file containing malware—to advance their attack.
Social engineering is widely recognized as one of the easiest, cheapest, and most popular techniques used by cybercriminals. It’s relatively straightforward and requires very little if any technical skill.
To understand social engineering better, let’s look at four common attacks and how they work.
Four cyberattacks using social engineering
1. Phishing, vishing, and smishing
Phishing attacks rely on social engineering to lure users into clicking on a malicious link or file in an email. These scams are common because they’re relatively simple to execute. Even inexperienced threat actors can find and purchase phishing kits—collections of malicious tools used to launch these attacks—without much trouble.
Phishing emails may look something like this:
Clicking the link may open an illegitimate website prompting the victim to enter their username and password, ultimately revealing them to the attacker. Alternatively, clicking the file could launch malware that infects the victim’s device or network.
Phishing is largely a numbers game. Imagine an attacker sends a malicious document to 500 email addresses. If half get blocked by spam filters, security software, or delivery issues, 250 emails will land in an inbox. Of those, say that 98% are either opened and ignored or deleted immediately—that still leaves five successful attacks.
In early 2023, the Guardian informed its staff that their confidential information, including salaries and passport numbers, was compromised during a highly sophisticated cyberattack. The threat actor likely gained access to the company's internal systems by successfully phishing an employee, said the media giant.
This type of cyberattack typically happens via email, but hackers are starting to use other mediums. The term has even evolved to reflect these new techniques: “vishing” refers to phone call-based phishing and “smishing” for scams by text message.
Robinhood, the online trading platform, was the victim of a vishing attack back in 2021. The hacker social-engineered a customer service representative by phone and compromised sensitive data for about 7,000,000 Robinhood customers.
2. Spear phishing
Instead of casting a large net hoping someone will fall for the trick, spear phishing involves deliberate and strategic targeting. The attacker employs similar social engineering tactics used for phishing but with far more preparation and precision.
Here’s a simplified overview of how spear phishing attacks work:
The cybercriminal starts by targeting and researching a specific victim, which could be a single individual or an entire organization. How long the hacker takes to research the victim depends on their goal and the nature of the cyberattack.
For example, imagine an attacker’s goal is to extract customer records from Company X. They may scour social networking websites, such as LinkedIn, to find an employee that works in Company X’s customer success department.
After choosing the target, the attacker might follow their social trail to identify a person the target would likely receive customer-related emails from, such as a colleague. For the sake of this example, we’ll say the attacker successfully identifies the target’s manager.
Then, the attacker creates a fake but recognizable email address impersonating that manager. Attackers do this strategically, like swapping out the letter M for the letter N, hoping that a busy employee accidentally overlooks the typo.
Using the fake address, the cybercriminal sends a malicious email to their chosen target. Due to how personalized and seemingly authentic the message is, it’s far more likely the victim will click on the link.
Spear phishing at the heart of the Twitter attack
Several years ago, hackers targeted Twitter employees in a sophisticated spear phishing campaign. The scam worked, and the hackers accessed the social media accounts of several high-profile figures and corporations, including Barack Obama, Elon Musk, and Apple.
The attackers tweeted from many accounts, sharing a Bitcoin scam that brought in more than $100,000.
According to an update posted on Twitter’s blog, the hackers targeted a small number of employees via phone. The company explicitly says that the attack “relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
3. Business email compromise
Business email compromise (BEC) is a scam that relies heavily on social engineering techniques. The cyberattacker poses as or impersonates someone else, typically a company executive or third-party vendor, to initiate financial transfers to an account they control.
But to pose as an executive or vendor, they first need a disguise.
Attackers require access to the right account or at least similar credentials to make the transfer look realistic. Regardless of how they gain access or who they impersonate, attackers spend time gathering information to make their communications seem authentic, much like a spear phishing attack.
The attacker then uses this account just as the legitimate owner would to send email messages and interact with others in the organization. This disguise gives the attacker incredible power. It allows them to take advantage of the trusting relationship between colleagues and skip many technical protections intended to prevent an attack.
How common is business email compromise?
According to the FBI’s Internet Crime Report 2022, BEC schemes are incredibly damaging, with 21,832 complaints with adjusted losses exceeding $2.7 billion. There were far more victims of phishing—slightly more than 300,000—however losses for those totalled only $54 million.
4. Watering hole
During a watering hole attack, the hacker compromises a legitimate website their target is likely to visit. Instead of attacking directly via email or text message, watering hole attacks employ social engineering techniques in a different way. Here’s how it works.
The cybercriminal starts with reconnaissance. They’ll research the organization or industry they’re targeting and use this information to find websites they frequent, such as discussion boards or forums. This is where the name comes from—attackers find and prey on the target’s “watering hole.”
Then, the attacker finds and exploits vulnerabilities on the website to inject malware. Once this is done, simply visiting the compromised website will infect users with malicious code, potentially giving the attacker access to the victim’s account. Users may not even realize they’ve been hacked.
In essence, the attacker employs social engineering by exploiting the trust their target has in the compromised website.
Social engineering techniques to know
There are a few reasons behind social engineering’s surging popularity.
First, businesses are spending more on replacing old hardware, penetration testing, and security software to reduce the volume of IT vulnerabilities for attackers to target. Now, instead of attacking digital weaknesses, cybercriminals are pivoting their attention toward the one vulnerability still found in all companies: the people.
The second reason is that social engineering is effective. Humans aren’t perfect—we’re busy, we get distracted, and we sometimes simply forget to follow cybersecurity best practices. Attackers know this, fine-tuning their social engineering tricks to exploit this fact. Now, they rely on the same attack methods and techniques that have worked for years.
Impersonating authority figures or a trusted person
Attackers may pose as an executive the victim knows, such as the CEO. Disguised as someone else, the attacker may request a wire transfer, company credentials, or other confidential information.
Preying on the victim’s need for information
Attackers may encourage a victim to open their email by falsely offering new information. By designing the scam to pique curiosity, the recipient may be more likely to open files or links to fill the knowledge gap.
Using fear or urgency to pressure action
Attackers create social engineering scams with limited-time offers or tasks requiring urgent action. Despite knowing better than to open a link without first inspecting it, victims may follow directions haphazardly if pressured to act quickly.
Hiding their attack within current events
Attackers know that governments and organizations send communications about current events, often with consistent email branding and messaging. This consistency is easy for attackers to copy and use maliciously.
Defending against social engineering
Social engineering is a major threat to businesses of any size. With a little effort, education, and investment, you can harden your organization’s cybersecurity.
User awareness of social engineering scams
User awareness is essential to your defence, but many organizations struggle in this area. To get started, focus on the basics, such as defining social engineering, tips to recognize it, and what to do if you receive a phishing email.
Arm your employees with the cybersecurity knowledge they need. Get the 2022 Employee Cybersecurity Handbook today.
For training, educate employees on both technical and behavioural indicators of a social engineering scam. For example, technical indicators of a malicious email may include:
- Suspicious links: looking at the links and attachments in an email can expose its legitimacy. Typos in the domain names, and URLs that are long or complex, are suspicious.
- Suspicious attachments: look at the name of the file and the extensions. Doubling them up (important_work_files.doc.exe) is a popular tactic that attackers use.
Behavioural indicators, on the other hand, may include:
- Urgent requests: social engineers know that applying pressure is an advantage, and they may thread in urgency as part of their attack.
- Changes to financial details or transactions: legitimate requests to change financial information are relatively common, but employees should remain cautious.
- Unusual or unexpected senders: receiving an email from someone you’ve never spoken to or worked with may signal a social engineering attack.
- Changes in behaviour: a colleague writing differently or making unique requests may indicate that their account is compromised.
Having an alternate way to report cybersecurity concerns is critical. If the hacker has gained access to an employee’s email account, they may be able to see and intercept the victim’s reporting of the attack. Consider creating a confidential instant messaging chat where conversation can happen quickly.
Organizations should also establish secondary checks to confirm that any changes to suppliers, vendors, providers, and financial details are legitimate. This can help to expose malicious behaviour before the damage is done.
Email account and cloud service monitoring can help you watch for suspicious behaviour in login events. Ensure that your organization uses 24×7 threat monitoring to identify and address anomalies early before the attacker can cause serious damage or disruption.
Other technical protections like spam filtering can reduce risk further by blocking many malicious emails.
Prepare employees with phishing simulations
One effective way to defend against social engineering attacks is with realistic training that puts employee awareness to the test.
Field Effect’s phishing simulations are fully researched, tailored, and executed to match your organization’s specific needs. Every campaign incorporates modern social engineering techniques that your employees may encounter. After your campaign has ended, you’ll also receive a comprehensive report detailing exercise results, key findings, and suggestions from our experts to improve your defence.
Don’t wait to train your employees against this major cybersecurity risk. Visit Field Effect’s Phishing Service page to get your campaign started.