Social engineering attacks are one of the biggest threats to your business because they take advantage of the greatest asset you have: your employees.
Security7's goal with this guide is to educate you on the dangers posed by social engineering attacks. We hope that you learn something from this document and that you share it with your family, friends, coworkers, and employees or employer.
If you’ve got any questions or feel the need to reach out to us you can use the instant messenger service we offer in the lower left-hand corner of the page, the “Call Us” button in the navigation at the top of the page, or via this link.
Thanks, and happy reading.
In regards to information security, social engineering is defined as:
“The psychological manipulation of people into performing actions or divulging confidential information.”
That information can be leaked via e-mail, social media, the telephone, or even physical means. Attackers are after a variety of things, but they mostly focus on obtaining personally identifiable information (PII) or financial information.
PII is usually one of the following:
Obtaining PII often gives the attacker access to financial information. Why? People often reuse unique identifiers for things like passwords.
Surprisingly, we know.
But why are attackers so successful? Years of practice. Have you ever seen the film Catch Me If You Can? Frank Abagnale, the main character, was an expert at social engineering.
Social engineering attacks work because we're imperfect creatures. Attackers know this. They prey on our fundamental human nature to carry out their nefarious schemes.
In many cases, the reason attackers are so successful is because of a thing called "cognitive bias." Cognitive biases are a part of our daily lives. In simple language, we each create our own, unique subjective reality. If you're shocked or offended, we understand. So you know, a cognitive bias isn't always a bad thing; it's just something we have to watch out for, because biases can be easily manipulated.
We're not going to go too deep into this, but if you're interested you can read this article from The Strategy Bridge that does a great job explaining and putting the threat into perspective.
Before we move on to the next section, here are a few examples of cognitive bias, to show you how commonplace they are in our daily lives:
| Bias | Description |
| --- | --- |
| Anthropomorphism | The tendency to characterize animals, objects, and abstract concepts as possessing human-like traits, emotions, and intentions. |
| Bandwagon Effect | The tendency to do (or believe) things because many other people do (or believe) the same. |
| Confirmation Bias | The tendency to search for, interpret, focus on, and remember information in a way that confirms one's preconceptions. |
| Dunning-Kruger Effect | The tendency for unskilled individuals to overestimate their own ability and the tendency for experts to underestimate their own ability. |
| Focusing Effect | The tendency to place too much importance on one aspect of an event. |
Our main point is this: don't focus on why a social engineering attack might work. Focus on what these attacks are, how they work, and what you can do to stop them.
There are 4 key stages in the life cycle of a social engineering attack. They are as follows:
Step 1. Information Gathering
Information gathering is key. The attack’s success is dependent on how much information the attacker can gather. The attacker collects information to:
Step 2. Establishing Relationship(s)
People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or feign a relationship with their target to accomplish their goals (i.e. exploitation, the next step in the life cycle).
Building a relationship can include things like:
Step 3. Exploitation
This is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built up in the previous stages to enact their plan.
Exploitation can include:
Step 4. Execution
Typically this happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’ve been compromised until it’s too late. This is where the attacker usually does things like:
There are too many variations to list when it comes to itemizing all of the different things an attacker can do to complete a life cycle stage, but we hope this gives you a better understanding of what might happen.
What's important to remember is that once completed, the cycle often starts over again.
There are many different types of social engineering attacks. We've only included the most prominent types here in this guide.
There are a lot of different ways a social engineering attack can unfold. They don't always follow the same blueprint.
However, there are a few things you can do right off the bat to condition yourself to their attempts and spot an attack before it has a chance to impact you or your business.
Remember the attacker is trying to manipulate your emotions into making a quick reaction. The more time you take to think about the situation the more likely you’ll start to realize something’s up.
We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.
Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).
You’re more astute than you might give yourself credit for. If something seems off, it probably is.
Email masking is incredibly prominent in today's world. Most email clients show the sender's display name rather than the underlying address so that it's easier to discern who a message is from. The problem is that attackers leverage this: the display name can say anything, while the real address is something else entirely.
If you've got the feeling the message you're reading isn't on the level, check to see who actually sent it. If the name is familiar but the email address isn't, there's a good chance you're experiencing a social engineering attack.
Links are easy to hide, just like email addresses. If you can't discern where a link is going to send you, don't click on it.
Always hover over or right-click an email link (whatever your email client is set up for) to see where it would actually send you.
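The two checks described above (familiar display name over an unfamiliar address, and link text that names one site while the link goes somewhere else) can be automated over a message's headers and HTML body. This is an added example, not code from Security7 or from the guide; the contact list, sender, and message are constructed samples, and 203.0.113.10 and example.com are reserved documentation values.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")  # a hostname named in link text

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def familiar_name_unknown_address(from_header, known_contacts):
    """True when the From: display name is one you know but the real address
    is not the one on file (known_contacts: lowercased name -> address)."""
    name, addr = parseaddr(from_header)
    expected = known_contacts.get(name.strip().lower())
    return expected is not None and addr.lower() != expected.lower()

def link_mismatches(html_body):
    """Return (shown text, real href) for links whose visible text names a host
    that the href does not actually go to: the check you otherwise do by hovering."""
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        claimed = HOST_RE.search(text.lower())
        real = (urlparse(href).hostname or "").lower()
        if claimed and real and real != claimed.group() and not real.endswith("." + claimed.group()):
            flagged.append((text, href))
    return flagged

# Constructed sample data (hypothetical contact, sender and message; not real sites).
KNOWN = {"jane doe": "jane.doe@example.com"}
SAMPLE_FROM = "Jane Doe <jd-payroll@mail-examp1e.net>"
SAMPLE_HTML = ('<p>Please <a href="http://203.0.113.10/login">sign in at www.example.com</a> '
               'or see <a href="https://www.example.com/help">www.example.com/help</a>.</p>')
```

A link whose text carries no hostname at all ("click here") is not flagged by this check; for those, the only thing to go on is the real destination the hover reveals.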
If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from people you don’t know.
Sometimes it's a bad idea to download attachments even from people you do know. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.