Security7's Guide to Social Engineering Attacks

Learn what a Social Engineering Attack is, how to spot one and how to defend yourself.

Social engineering attacks are one of the biggest threats to your business because they take advantage of the greatest asset you have: your employees.

Introduction

Security7's goal with this guide is to educate you on the dangers posed by social engineering attacks. We hope that you learn something from this document and that you share it with your family, friends, coworkers, employees, or employer.

If you’ve got any questions or feel the need to reach out to us you can use the instant messenger service we offer in the lower left-hand corner of the page, the “Call Us” button in the navigation at the top of the page, or via this link.

Thanks, and happy reading.

What is a Social Engineering Attack?

With regard to information security, social engineering is defined as:

“The psychological manipulation of people into performing actions or divulging confidential information.”

That information can be leaked via e-mail, social media, the telephone, or even physical means. Attackers are often after a variety of things, but they mostly focus on obtaining personally identifiable information (PII) or financial information.

What is Personally Identifiable Information (PII)?

PII is usually one of the following:

  • Your full name
  • Your current address or address history
  • Your birthday
  • Your social security number
  • Your email address
  • Your pet names
  • The names of your children
  • Etc.

What Kind of Financial Information are Hackers After?

Hackers are usually after the following types of financial information:

  • Your bank account numbers (checking, savings, etc.)
  • Your credit card numbers
  • PIN numbers
  • Anything that allows them to gain leverage over your financials

Obtaining PII often gives the attacker access to financial information as well. Why? People often use these identifiers (a pet's name, a birthday) as passwords or security answers. Surprising, we know.

But why are attackers so successful? Years of practice. Have you ever seen the film Catch Me If You Can? Frank Abagnale, the main character, was an expert at social engineering.


Why do Social Engineering Attacks Work?

Social engineering attacks work because we're imperfect creatures. Attackers know this. They prey on our fundamental human nature to carry out their nefarious schemes.

In many cases, the reason attackers are so successful is a thing called "cognitive bias." Cognitive biases are a part of our daily lives. In simple language, each of us creates our own, unique subjective reality. If you're shocked or offended, we can understand. For the record, a cognitive bias isn't always a bad thing; it's just something we have to watch out for, because biases can be easily manipulated.

We're not going to go too deep into this, but if you're interested you can read this article from The Strategy Bridge that does a great job explaining and putting the threat into perspective.

Before we move on to the next section, here are a few examples of cognitive bias, to show you how commonplace they are in our daily lives:

  • Anthropomorphism: The tendency to characterize animals, objects, and abstract concepts as possessing human-like traits, emotions, and intentions.
  • Bandwagon Effect: The tendency to do (or believe) things because many other people do (or believe) the same.
  • Confirmation Bias: The tendency to search for, interpret, focus on, and remember information in a way that confirms one's preconceptions.
  • Dunning-Kruger Effect: The tendency for unskilled individuals to overestimate their own ability and the tendency for experts to underestimate their own ability.
  • Focusing Effect: The tendency to place too much importance on one aspect of an event.

The list goes on and on. You can read more about cognitive biases here and more examples of cognitive biases can be found here.

Our main point is this: don't focus on why a social engineering attack might work. Focus on what these attacks are, how they work, and what you can do to stop them.

What's the Life Cycle of a Social Engineering Attack?

There are 4 key stages in the life cycle of a social engineering attack. They are as follows:

Step 1. Information Gathering

Information gathering is key. The attack’s success is dependent on how much information the attacker can gather. The attacker collects information to:

  • Determine the attack vector
  • Probe potential passwords
  • Become familiar with the target
  • Identify possible security response questions

Step 2. Establishing Relationship(s)

People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or feign a relationship with their target to accomplish their goals (i.e. exploitation, the next step in the life cycle).

Building a relationship can include things like:

  • Connecting over the telephone
  • Sharing family photos
  • Creating fake social media or dating profiles
  • Leveraging existing relationships through impersonation

Step 3. Exploitation

This is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built up in the previous stages to enact their plan.

Exploitation can include:

  • Convincing the target to let the attacker into the facility
  • Obtaining the target’s username and/or password over the phone
  • Sending the target an email with a malicious link or infected email attachment

Step 4. Execution

Typically this happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’ve been compromised until it’s too late. This is where the attacker usually does things like:

  • Tie up loose ends
  • Clean up their digital footprint
  • Exfiltrate information and sensitive data

There are too many variations to list when it comes to itemizing all of the different things an attacker can do to complete a life cycle stage, but we hope this gives you a better understanding of what might happen.

What's important to remember is that once completed, the cycle often starts over again.

What Are the Different Types of Social Engineering Attack?

There are many different types of social engineering attacks. We've only included the most prominent types here in this guide.

  • Phishing
  • Spear-Phishing
  • Pretexting
  • Vishing
  • Baiting
  • Tailgating
  • Scareware

How to Spot and Protect Yourself from a Social Engineering Attack

There are a lot of different ways a social engineering attack can unfold. They don't always follow the same blueprint.

However, there are a few things you can do right off the bat to condition yourself against their attempts and spot an attack before it has a chance to impact you or your business.

Slow Down and Control Your Emotions

Remember the attacker is trying to manipulate your emotions into making a quick reaction. The more time you take to think about the situation the more likely you’ll start to realize something’s up.

We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.

Think About What You're Reading, Seeing or Hearing

The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.

Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).

You’re more astute than you might give yourself credit for. If something seems off, it probably is.

Check to See Who Sent the Message

Email masking is incredibly prominent in today's world. Most email clients display a friendly sender name in place of the full address so that it's easier to discern who a message is from. The problem is that attackers leverage this: the display name is chosen by whoever sends the message, so it can say anything.

If you've got the feeling the message you're reading isn't on the level, check to see who sent it. If the name is familiar, but the email address isn't, there's a good chance you're experiencing a social engineering attack.

Don't Follow Blind Links

Links are easy to hide, just like email addresses. If you can't discern where a web link is going to send you, don't click on it.

Always make sure to hover or right-click on an email link (whatever your email client is set up for) to see where it might send you.
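As an added example (not Security7's code), the two checks above, "name is familiar but the address isn't" and "the visible link is not where the link really goes", written as a small Python script. The sample message and the address book of known contacts are constructed for the demonstration; in practice the address book would come from your own contacts or mail filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample (not a real message): familiar display name, look-alike
# domain, and link text that is not the URL the href would actually open.
SAMPLE_EMAIL = """\
From: Acme Bank Support <support@acme-bank-verify.example>
Subject: Action required
Content-Type: text/html

<p>Please <a href="http://login.acme-bank-verify.example/x">https://www.acmebank.example/login</a></p>
"""
# Constructed address book: lower-cased display name -> domain it should use.
KNOWN_CONTACTS = {"acme bank support": "acmebank.example"}

def sender_mismatch(msg, known=KNOWN_CONTACTS):
    """True when a display name we know arrives from a domain we do not."""
    name, addr = parseaddr(msg["From"])
    expected = known.get(name.strip().lower())
    return expected is not None and addr.rpartition("@")[2].lower() != expected

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def deceptive_links(msg):
    """(text, href) pairs where the visible URL's host differs from the real one."""
    host = lambda u: re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].lower()
    p = _LinkCollector()
    p.feed(msg.get_payload())
    return [(t, h) for t, h in p.links
            if re.match(r"^https?://", t, re.I) and host(t) != host(h)]

def analyze(raw):
    # Run both checks over a raw RFC 822 message string.
    msg = message_from_string(raw)
    return {"sender_mismatch": sender_mismatch(msg), "deceptive_links": deceptive_links(msg)}
```

The link check only flags anchors whose visible text is itself a URL; a link labelled "click here" is not deceptive in that sense, and still deserves a hover before clicking.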

Be Wary of Attachments

If you've gone through the steps mentioned above, you probably know what we're going to say here. Don't download attachments from people you don't know.

Sometimes it’s a bad idea to download attachments from people that you do. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.