Social Engineering Attacks

Learn what a Social Engineering Attack is, how to spot one,
and how to defend yourself.

Free Download


FREE Security Awareness Training Email Campaign


Help educate your end-users with a fully developed internal email campaign focused on Social Engineering Attack topics.

Coming Soon

If You're Trying to Hack a Business, Hack Their Employees First...


Social Engineering Attacks are one of the biggest threats to your business because they take advantage of the greatest asset you have: your employees.

It's much easier for an attacker to manipulate an individual than it is to break through a firewall or guess a password. Cybercriminals know that. It's why Social Engineering Attacks are so highly effective.

Let's look at what a Social Engineering Attack is, what the different examples of a Social Engineering Attack can be, and how you can stop one!


What is a Social Engineering Attack?


A Social Engineering Attack is:

“The psychological manipulation of people into performing actions or divulging confidential information.”

That information can be leaked via e-mail, social media, the telephone, or even physical means. Attackers are often after a variety of things, but they mostly focus on obtaining personally identifiable information (PII) or financial information.

According to a report from Barracuda, the average organization faces 700+ attempted Social Engineering Attacks a year. According to a report from Proofpoint, 83% of American businesses have fallen victim to a Social Engineering Attack.

2022 By the Numbers

Think You're Immune to Social Engineering Attacks? Think Again. Last year there were:

700+ attempted Social Engineering Attacks on a business per year

83% of American businesses were impacted negatively by a Social Engineering Attack

But why are Social Engineering Attacks so dangerous? Why are attackers so successful? Let's find out together below...


WHY SOCIAL ENGINEERING ATTACKS WORK: COGNITIVE BIAS AND THE THEORY OF INFLUENCE...


Human beings are imperfect creatures. Complex, but imperfect. Despite how smart or evolved we think we are, there are times when we fall into these simply constructed traps.

Why?

Blame "cognitive biases."

If you're not familiar with the term "cognitive bias," we understand. Here's a definition:

A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment.

- The Handbook of Evolutionary Psychology

The general gist is: People create their own version of reality and that can dictate behavior. A cognitive bias can distort perception, cause irrational decision-making, etc. Simply put, cognitive biases are bugs in our biological hardware.

Attackers, especially those well versed in manipulation, know how to exploit these human hardware bugs just as well as they know how to exploit the software and hardware bugs on our endpoints.

Putting all that knowledge together can lead to a perfect storm of misery and dismay for those impacted by it.

Robert Cialdini, a psychologist and marketing professor at Arizona State University, determined that a social engineering attack needs to rely on six key principles to properly manipulate an individual (and their cognitive biases). Cialdini calls this the Theory of Influence.


The Theory of Influence: Six Principles

Essentially, like the line in Hotel California by the Eagles, when it comes to cognitive biases and the theory of influence, we are "programmed to receive."

Let's take a break from the psychology behind a social engineering attack. It's time to start looking at the work that goes into a Social Engineering Attack and its lifecycle.


The Lifecycle of a Social Engineering Attack


There are four key stages in the life cycle of a social engineering attack:

Step 1. Information Gathering

Information gathering is key. The attack’s success is dependent on how much information the attacker can gather. The attacker collects information to:

  • Determine the attack vector
  • Probe potential passwords
  • Become familiar with the target
  • Identify possible security response questions

What’s important to remember is that once completed, the cycle often starts over again.

Step 2. Establishing Relationship(s)

People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or feign a relationship with their target to accomplish their goals (i.e. exploitation, the next step in the life cycle).

Building a relationship can include things like:

  • Connecting over the telephone
  • Sharing family photos
  • Creating fake social media or dating profiles
  • Leveraging existing relationships through impersonation

Step 3. Exploitation

This is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built up in the previous stages to enact their plan.

Exploitation can include:

  • Convincing the target to let the attacker into the facility
  • Obtaining the target’s username and/or password over the phone
  • Sending the target an email with a malicious link or infected email attachment

Step 4. Execution

Typically this happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’ve been compromised until it’s too late. This is where the attacker usually does things like:

  • Tie up loose ends
  • Clean up their digital footprint
  • Exfiltrate information and sensitive data

There are too many variations to list when it comes to itemizing all of the different things an attacker can do to complete a lifecycle stage, but we hope this gives you a better understanding of what might happen.


How to Spot and Stop a Social Engineering Attack:

It's difficult to spot a Social Engineering Attack when you're in the middle of one, and there are too many variations to list here.

However, if you think you're being attacked here's what you should do:

Slow Down and Control Your Emotions

Remember the attacker is trying to manipulate your emotions into making a quick decision. The more time you take to think about the situation the more likely you’ll start to realize something’s not right.

We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.

Think About What You're Reading, Seeing, or Hearing

The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.

Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).

You’re more astute than you might give yourself credit for. If something seems off, it probably is.

Check to See Who Sent the Message

Email masking is an important part of a social engineering attack. Most email clients format the sender's address so that it’s easier to discern who it’s from by showing just a name, and not an email address.

Attackers leverage this.

If you’ve got the feeling the message you’re reading isn’t on the level, check to see who sent it. If the name is familiar but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.

Don't Follow Blind Links

Links are easy to hide, just like email addresses. If you can’t discern where a link is going to send you, don’t click on it.

Always make sure to hover or right-click on an email link (whatever your email client is set up for) to see where it might send you.
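The two checks just described (does the familiar display name really sit on the address you know for that person, and does a link's visible text match where its href actually goes) can be automated. This is an added example, not code from the original article; the address book, From header and HTML body are constructed sample data.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed data: an address book of people the user actually corresponds
# with, a From header using a familiar name on an unfamiliar address, and a
# body whose link text names a different host than its href points to.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com"}
SAMPLE_FROM = "Jane Doe <jane.doe@example-mail.net>"
SAMPLE_BODY = ('<p>Review at <a href="http://login.example-bank.net/verify">'
               'https://www.example-bank.com/account</a> today.</p>')

def sender_mismatch(from_header):
    """Warn when the display name is a known contact but the real address
    is not the one on file for that contact (the 'name looks right' trap)."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected.lower():
        return f"'{name}' is known as {expected}, but this came from {addr}"
    return None

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def misleading_links(html):
    """Return (text, href) pairs where the visible text looks like a URL on
    one host while the href (what hovering reveals) points at another."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        if "://" not in text and not text.startswith("www."):
            continue  # plain-word link text makes no host claim to check
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and urlparse(href).hostname not in (None, shown):
            flagged.append((text, href))
    return flagged
```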

Be Wary of Attachments

If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from people you don’t know.

Sometimes it’s a bad idea to download attachments from people that you do know, too. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.
