Social engineering is a highly effective attack technique used by cyber criminals around the world. Its success rate comes from the fact that social engineering attacks exploit one of the largest risks in any organization—humans.
This blog post explains social engineering, how and why it works, and steps you can take right now to bolster your defence against social engineering attacks.
What is social engineering?
Social engineering is a broad range of manipulative interactions and techniques that cyber criminals use to trick the victim into doing something—disclosing corporate credentials or opening a file containing malware—to advance their attack.
Social engineering is widely recognized as one of the easiest, cheapest, and most popular techniques used by cyber criminals. It’s relatively straightforward and requires very little, if any, technical skill. Verizon’s 2021 Data Breach Investigation Report pinpointed a significant jump in social engineering breaches in recent years and an overall upward trend since 2017.
Social engineering: 4 common attacks
1. Phishing, vishing, and smishing
Phishing attacks rely on social engineering to lure users into clicking on a malicious link or file in an email. These scams are common because they’re relatively simple to execute. Even inexperienced cyber attackers can find and purchase phishing kits—collections of malicious tools used to launch these attacks—without much trouble.
Phishing emails may look something like this:
Clicking the link may open an illegitimate website prompting the victim to enter their username and password, ultimately revealing them to the attacker. Alternatively, clicking the file could launch malware that infects the victim’s device or network.
Phishing is largely a numbers game. Let’s imagine an attacker sends a malicious document to 500 email addresses. If half get blocked by spam filters, security software, or delivery issues, 250 emails will land in an inbox. Of those, we’ll say that 98% are either opened and ignored or deleted immediately—that still leaves five successful attacks.
In 2021, a healthcare employee fell victim to a phishing email. According to the two-month-long investigation, the Revere Health employee clicked a link in the malicious email that gave the attacker remote access to their account. The incident exposed confidential data for 12,000 patients, compromising medical record numbers, birthdates, health provider names, procedures, and insurance provider names.
This type of cyber attack typically happens via email, like in the example above, but hackers are starting to use other mediums. The term has even evolved to reflect these new techniques: “vishing” refers to phone call-based phishing and “smishing” to scams by text message. Robinhood, the online trading platform, was recently the victim of vishing. The hacker socially engineered a customer service representative by phone and compromised sensitive data for about 7,000,000 Robinhood customers.
2. Spear phishing
Instead of casting a large net hoping someone will fall for the trick, spear phishing involves deliberate and strategic targeting. The attacker employs similar social engineering tactics used for phishing but with far more preparation and precision.
Here’s a simplified overview of how spear phishing attacks work:
The cyber criminal starts by targeting and researching a specific victim, which could be a single individual or an entire organization. How long the hacker takes to research the victim depends on their goal and the nature of the attack.
For example, imagine an attacker’s goal is to extract customer records from Company X. They may scour social networking websites, such as LinkedIn, to find an employee that works in Company X’s customer success department.
After choosing the target, the attacker might follow their social trail to identify a person the target would likely receive customer-related emails from, such as a colleague. For the sake of this example, we’ll say the attacker successfully identifies the target’s manager.
Then, the attacker creates a fake but recognizable email address impersonating that manager. Attackers do this strategically, like swapping out the letter M for the letter N, hoping that a busy employee accidentally overlooks the typo.
Using the fake address, the cyber criminal sends a malicious email to their chosen target. Due to how personalized and seemingly authentic the message is, it’s far more likely the victim will click on the link.
Spear phishing at the heart of Twitter attack
In 2020, hackers targeted Twitter employees in a sophisticated phone spear phishing campaign. The scam worked, and the hackers accessed the social media accounts of several high-profile figures and corporations, including Barack Obama, Elon Musk, and Apple.
The attackers tweeted from many accounts, sharing a bitcoin scam that brought in more than $100,000.
According to an update posted on Twitter’s blog, the hackers targeted a small number of employees via phone. The company explicitly says that the attack “relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
3. Business email compromise
Business email compromise (BEC) is a scam that relies heavily on social engineering. The cyber attacker poses as or impersonates someone else, typically a company executive or third-party vendor, to initiate financial transfers to an account they control.
But to pose as an executive or vendor, they need a disguise.
Attackers need access to the right account or at least similar credentials to make the transfer look realistic. Regardless of how they gain access or who they impersonate, attackers spend time gathering information to make their communications seem authentic, much like a spear phishing attack.
The attacker then uses this account, as the legitimate owner would, to send email messages and interact with others in the organization. This disguise gives the attacker incredible power. It allows them to take advantage of the trusting relationship between colleagues and skip many technical protections intended to prevent an attack.
How common is business email compromise?
According to the FBI’s Internet Crime Report 2020, BEC schemes are incredibly damaging, with 19,369 complaints costing businesses approximately $1.8 billion. There were far more complaints about phishing—more than 240,000—however, losses for those totalled only $54 million.
4. Watering hole
During a watering hole attack, the hacker compromises a legitimate website their target is likely to visit. Instead of attacking directly via email or text message, watering hole attacks employ social engineering techniques in a different way. Here’s how it works.
The cyber criminal starts with reconnaissance. They’ll research the organization or industry they’re targeting and use this information to find websites they frequent, such as discussion boards or forums. This is where the name comes from—attackers find and prey on the target’s “watering hole.”
Then, the attacker finds and exploits vulnerabilities on the website to inject malware. Once this is done, simply visiting the compromised website will infect users with malicious code, potentially giving the attacker access to the victim’s account. Users may not even realize they’ve been hacked.
Common social engineering techniques
There are a few reasons behind social engineering’s surging popularity.
First, businesses are spending more on replacing old hardware, penetration testing, and security software to reduce the volume of IT vulnerabilities for attackers to target. Now, instead of attacking digital weaknesses, cyber criminals are pivoting their attention toward the one vulnerability still found in all companies: the people.
The second reason is that social engineering is effective. Humans aren’t perfect—we’re busy, we get distracted, and we sometimes simply forget to follow cyber security best practices. Attackers know this and fine-tune their social engineering tricks to exploit it. As a result, they continue to rely on the same attack methods and techniques that have worked for years.
Impersonating authority figures or a trusted person
Attackers may pose as an executive the victim knows, such as the CEO. Disguised as someone else, the attacker may request a wire transfer, company credentials, or other confidential information.
Preying on the victim’s need for information
Attackers may encourage a victim to open their email by falsely offering new information. By designing the scam to pique curiosity, the recipient may be more likely to open files or links to fill the knowledge gap.
Using fear or urgency to pressure action
Attackers create social engineering scams with limited-time offers or tasks requiring urgent action. Despite knowing better than to open a link without first inspecting it, victims may follow directions haphazardly if pressured to act quickly.
Hiding their attack within current events
Attackers know that governments and organizations send communications about current events, often with consistent email branding and messaging. This consistency is easy for attackers to copy and use for malicious purposes.
Tips for defending against social engineering
Social engineering is a major cyber threat to businesses of any size. With a little effort, education, and investment, you can harden your organization’s cyber security.
User awareness of social engineering scams
User awareness is essential to your defence, but many organizations struggle in this area. To get started, focus on the basics, such as defining social engineering, tips to recognize it, and what to do if you receive a phishing email.
For training, educate employees on both technical and behavioural indicators of a social engineering scam. For example, technical indicators of a malicious email may include:
- Suspicious links: looking at the links and attachments in an email can expose its legitimacy. Typos in the domain names, and URLs that are long or complex, are suspicious.
- Suspicious attachments: look at the name of the file and the extensions. Doubling them up (important_work_files.doc.exe) is a popular tactic that attackers use.
Behavioural indicators, on the other hand, may include:
- Urgent requests: social engineers know that applying pressure is an advantage, and they may thread in urgency as part of their attack.
- Changes to financial details or transactions: legitimate requests to change financial information are relatively common, but employees should remain cautious.
- Unusual or unexpected senders: receiving an email from someone you’ve never spoken to or worked with may signal a social engineering attack.
- Changes in behaviour: a colleague writing differently or making unique requests may indicate that their account is compromised.
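The technical indicators above (lookalike sender domains such as the M-for-N swap described in the spear phishing section, long or complex links, and doubled-up attachment extensions) can be checked mechanically before a message reaches a busy employee. The following is an added example written for this post, not Field Effect code; the trusted domain and the sample message are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholder for the organization's own domain(s), not a real company.
TRUSTED_DOMAINS = {"company-x.example"}

# Single-character substitutions that are easy to overlook (the post's own example is M for N).
CONFUSABLE_PAIRS = {("m", "n"), ("n", "m"), ("l", "1"), ("1", "l"),
                    ("o", "0"), ("0", "o"), ("i", "l"), ("l", "i")}

# Document-looking extensions followed by an executable one, e.g. files.doc.exe
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "com", "pif"}


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain is one confusable substitution away from trusted, or uses 'rn' for 'm'."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    if len(domain) == len(trusted):
        diffs = [(a, b) for a, b in zip(domain, trusted) if a != b]
        return len(diffs) == 1 and diffs[0] in CONFUSABLE_PAIRS
    # "rn" rendered in a proportional font resembles "m"
    return domain.replace("rn", "m") == trusted or trusted.replace("rn", "m") == domain


def sender_domain(address: str) -> str:
    """Extract the domain part of an address like 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def has_double_extension(filename: str) -> bool:
    """Flag names like important_work_files.doc.exe (document extension hiding an executable)."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS


def is_suspicious_url(url: str, max_len: int = 75) -> bool:
    """Flag lookalike hosts, unusually long or deeply nested URLs, and userinfo tricks (user@host)."""
    host = urlparse(url).hostname or ""
    lookalike = any(is_lookalike(host, t) for t in TRUSTED_DOMAINS)
    return lookalike or len(url) > max_len or url.count("/") > 6 or "@" in url


def technical_indicators(sender: str, urls: list, attachments: list) -> list:
    """Return the names of the technical indicators the message triggers."""
    found = []
    if any(is_lookalike(sender_domain(sender), t) for t in TRUSTED_DOMAINS):
        found.append("lookalike sender domain")
    if any(is_suspicious_url(u) for u in urls):
        found.append("suspicious link")
    if any(has_double_extension(a) for a in attachments):
        found.append("double extension attachment")
    return found
```

These heuristics are a first pass, not a verdict: a hit is a reason to route the message to the alternate reporting channel described below, not proof of an attack.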
Having an alternate way to report cyber security concerns is critical. If the hacker has gained access to an employee’s email account, they may be able to see and intercept the victim’s reporting of the attack. Consider creating a confidential instant messaging chat where conversation can happen quickly.
Organizations should also establish secondary checks to confirm that any changes to suppliers, vendors, providers, and financial details are legitimate. This can help to expose malicious behaviour before the damage is done.
Email account and cloud service monitoring can help you watch for suspicious behaviour in login events. Ensure that your organization uses 24×7 cyber security monitoring to identify and address anomalies early before the attacker can cause serious damage or disruption.
Test your employees’ resilience to social engineering
One effective way to defend against social engineering attacks is with realistic training that puts employee awareness to the test.
Field Effect’s phishing simulations are fully researched, tailored, and executed to match your organization’s specific needs. Every campaign incorporates modern social engineering techniques that your employees may encounter. After your campaign has ended, you’ll also receive a comprehensive report detailing exercise results, key findings, and suggestions from our experts to improve your defence.
Don’t wait to train your employees against this major cyber risk. Visit Field Effect’s Phishing Service page to get your campaign started.