Social Engineering Attacks
Learn what a Social Engineering Attack is, how to spot one,
and how to defend yourself.
Free Download
FREE Security Awareness Training Email Campaign
Help educate your end-users with a fully developed internal email campaign focused on Social Engineering Attack topics.
If You're Trying to Hack a Business, Hack Their Employees First...
Social Engineering Attacks are one of the biggest threats to your business because they take advantage of the greatest asset you have: your employees.
It's much easier for an attacker to manipulate an individual than it is to break through a firewall or guess a password. Cybercriminals know that. It's why Social Engineering Attacks are so highly effective.
Let's look at what a Social Engineering Attack is, what the different examples of a Social Engineering Attack can be, and how you can stop one!
What is a Social Engineering Attack?
A Social Engineering Attack is:
“The psychological manipulation of people into performing actions or divulging confidential information.”
That information can be extracted over e-mail, social media, the telephone, or even in person. Attackers are after a variety of things, but they mostly focus on obtaining personally identifiable information (PII) or financial information.
According to a report from Barracuda, the average organization faces 700+ attempted Social Engineering Attacks a year. According to a report from Proofpoint, 83% of American businesses have fallen victim to a Social Engineering Attack.
2022 By the Numbers
Think You're Immune to Social Engineering Attacks? Think Again. Last year there were (per the Barracuda and Proofpoint figures cited above):
- 700+ attempted Social Engineering Attacks on the average business per year
- 83% of American businesses impacted negatively by a Social Engineering Attack
But why are Social Engineering Attacks so dangerous? Why are attackers so successful? Let's find out together below...
ADDITIONAL FAQS
What is Personally Identifiable Information?
- Your full name
- Your current address or address history
- Your birthday
- Your social security number
- Your email address
- The names of your pets (often reused in passwords and security questions)
- The names of your children
- Etc.
What is considered Financial Information?
- Your bank account numbers (checking, savings, etc.)
- Your credit card numbers
- PINs
- Anything that allows an attacker to gain leverage over your finances
WHY SOCIAL ENGINEERING ATTACKS WORK: COGNITIVE BIAS AND THE THEORY OF INFLUENCE...
Human beings are imperfect creatures. Complex, but imperfect. Despite how smart or evolved we think we are, there are times when we fall into simply constructed traps.
Why?
Blame "cognitive biases."
If you're not familiar with the term "cognitive bias," we understand. Here's a definition:
A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment.
- The Handbook of Evolutionary Psychology
The general gist is: People create their own version of reality and that can dictate behavior. A cognitive bias can distort perception, cause irrational decision-making, etc. Simply put, cognitive biases are bugs in our biological hardware.
Attackers, especially those well versed in manipulation, know how to exploit these human hardware bugs just as well as they know how to exploit the software and hardware bugs on our end-points.
Putting all that knowledge together can lead to a perfect storm of misery and dismay for those impacted by it.
Robert Cialdini, a psychologist and marketing professor at Arizona State University, identified six key principles of persuasion in his book Influence (reciprocity, commitment and consistency, social proof, authority, liking, and scarcity). Security-awareness training commonly adapts that list into the six principles below, keeping authority, scarcity, social proof (consensus) and liking (familiarity) and adding intimidation and urgency; together they describe how an attacker manipulates an individual (and their cognitive biases).
The Theory of Influence: Six Principles
Authority
In social engineering, the attacker may pose as an authority figure (an executive, IT support, law enforcement) to increase the likelihood that the victim complies.
Intimidation
The attacker (potentially disguised) informs or implies that there will be negative consequences if certain actions are not performed. Consequences could range from subtle phrases such as "I'll tell your manager" to much worse.
Consensus
People will do things that they see other people doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were missing. At one point this experiment was aborted, as so many people were looking up that they stopped traffic.
Scarcity
Perceived scarcity will generate demand. The common advertising phrase "while supplies last" capitalizes on a sense of scarcity.
Urgency
Linked to scarcity, attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a "limited time only" encourages sales through a sense of urgency.
Familiarity
People are easily persuaded by people they like. Cialdini cites the marketing of Tupperware, in what might now be called viral marketing: people were more likely to buy if they liked the person selling it to them. The same bias favors people who seem attractive, similar to us, or already known to us, which is why attackers invest in building rapport before they ask for anything.
Essentially, like the line in Hotel California by the Eagles, when it comes to cognitive biases and the theory of influence, we are "programmed to receive."
Let's take a break from the psychology behind a social engineering attack. It's time to start looking at the work that goes into a Social Engineering Attack and its lifecycle.
The Lifecycle of a Social Engineering Attack
There are 4 key stages in the life cycle of a social engineering attack:
Step 1. Information Gathering
Information gathering is key. The attack’s success is dependent on how much information the attacker can gather. The attacker collects information to:
- Determine the attack vector
- Probe potential passwords
- Become familiar with the target
- Identify possible security response questions
What’s important to remember is that once the cycle is completed, it often starts over again, with the information gained in one attack feeding the next.
Step 2. Establishing Relationship(s)
People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or feign a relationship with their target to accomplish their goals (i.e. exploitation, the next step in the life cycle).
Building a relationship can include things like:
- Connecting over the telephone
- Sharing family photos
- Creating fake social media or dating profiles
- Leveraging existing relationships through impersonation
Step 3. Exploitation
This is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built up in the previous stages to enact their plan.
Exploitation can include:
- Convincing the target to let the attacker into the facility
- Obtaining the target’s username and/or password over the phone
- Sending the target an email with a malicious link or infected email attachment
Step 4. Execution
Typically this happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’ve been compromised until it’s too late. This is where the attacker usually does things like:
- Tie up loose ends
- Clean up their digital footprint
- Exfiltrate information and sensitive data
There are too many variations to list when it comes to itemizing all of the different things an attacker can do to complete a lifecycle stage, but we hope this gives you a better understanding of what might happen.
Learn about the different Social Engineering Attack types...
What is Phishing?
Phishing is a type of Social Engineering Attack where individuals are targeted by email (or in some cases text messages). The attacker masquerades as someone else (a co-worker, manager, or individual from an outside organization) to manipulate their target.
The attacker's goal might be to steal sensitive information such as:
- Log-in Credentials
- Credit Card Numbers
- Bank Routing Numbers
- Checking Account Numbers
- Etc.
The attacker might also try to get their target to install malware on their end-point in order to compromise an organization's network for monetary or disruptive reasons.
Things to watch out for in a Phishing Attack:
- Check the Sender - Most email clients show only the sender's display name, and the attacker chooses that name freely. Hover over or click the name to see the actual address the message came from. If the name is familiar but the address is not, or the domain is a near-miss of the real one (a swapped letter, an extra word, a different top-level domain), you're being phished. Keep in mind that the address itself can be forged when the receiving mail system does not enforce SPF, DKIM and DMARC, so a plausible address is not proof of legitimacy.
- Links - Links are meant to be clicked, and social engineering attackers know this. People blindly click links. Don't do that. Most email clients allow you to see where a link leads by hovering over it with your cursor (hovering, not clicking). The visible text of a link can say one thing while the underlying address goes somewhere else entirely. If the address isn't something familiar or looks suspicious, don't click it.
- Be Wary of Attachments - It's easy to hide malicious files in attachments. If an already suspicious email has an attachment, assume there's something nasty hidden in it. Don't download or open it.
What is Spear Phishing/Whaling?
Phishing attempts directed at specific individuals or companies are known as spear phishing. When the target is a senior executive, the attack is often called whaling.
Within organizations, spear phishing targets employees who have something the attacker wants, typically executives or those in financial departments with direct access to financial data or the ability to approve payments.
The things we mentioned to look out for in the Phishing example apply here as well, with one difference: a spear phishing message is crafted from the information gathered in the first stage of the lifecycle, so it will reference real names, projects and vendors, and read far more convincingly than a generic phishing email.
What is Vishing?
Vishing (or Voice Phishing) is a form of social engineering attack where an attacker uses the telephone to manipulate a person into handing over private personal and financial information, usually for the purpose of stealing money. Caller ID can be spoofed, so the number displayed on your phone is not evidence of who is really calling.
The attacker might pretend to be from:
- Microsoft Tech Support
- Your Bank
- Your Doctor’s Office
- The IRS
- Social Security
- Etc.
What is Baiting?
Baiting is when an attacker leaves a malware-infected external storage device (ex: a thumb drive) in a place where other people can easily find it, such as a parking lot, lobby, or break room.
The attacker hopes an employee at the targeted organization will pick up the device, plug it into their computer, and so compromise the network with malware.
What is Tailgating?
A Tailgating attack is a social engineering attack where an attacker tricks an employee into helping them gain unauthorized physical access to the targeted organization, for example by following the employee through a badge-controlled door while carrying boxes or claiming to have forgotten their badge.
What is Scareware?
Scareware is a form of malware that uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software.
Scareware is part of a class of malicious software that includes rogue security software, ransomware, and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.
Usually, the virus is fictional and the software is non-functional.
How to Spot and Stop a Social Engineering Attack:
It's difficult to spot a Social Engineering Attack when you're in the middle of one, and there are too many variations to list here.
However, if you think you're being attacked here's what you should do:
Slow Down and Control Your Emotions
Remember the attacker is trying to manipulate your emotions into making a quick decision. The more time you take to think about the situation the more likely you’ll start to realize something’s not right.
We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
Think About What You're Reading, Seeing, or Hearing
The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.
Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).
You’re more astute than you might give yourself credit for. If something seems off, it probably is.
Check to See Who Sent the Message
Display-name spoofing is an important part of a social engineering attack. Most email clients format the sender so that it’s easier to read, showing just a name and not an email address, and the attacker controls what that name says.
Attackers leverage this.
If you’ve got the feeling the message you’re reading isn’t on the level check to see who sent it. If the name is familiar, but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.
Don't Follow Blind Links
Links are easy to hide, just like email addresses. If you can’t discern where a link is going to send you don’t click on it.
Always make sure to hover or right-click on an email link (whatever your email client is set up for) to see where it might send you.
Be Wary of Attachments
If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from people you don’t know.
Sometimes it’s a bad idea to download attachments from people that you do know, since a compromised or impersonated contact sends the same malicious file a stranger would. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files, especially macro-enabled ones (.docm, .xlsm), and for files that aren’t documents at all (.exe, .js, .hta, .lnk, or an archive hiding one of these). They might contain pretty nasty surprises.
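The sender, link and attachment checks described above (here and in the Phishing section) can be automated for triage. The script below is an added example written for this page, not code from the original article or from any vendor: it parses a constructed sample message with Python's standard library and reports the same warning signs a careful reader would look for. The sample message, the trusted domain examplebank.com, the lookalike domain examp1e-bank.com and the other addresses in it are all made up for the example, and the registrable-domain helper is a simplification (last two DNS labels) rather than a Public Suffix List lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Executable or macro-capable file types; extend to taste.
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "lnk", "iso",
                    "bat", "cmd", "ps1", "docm", "xlsm", "pptm"}

# Constructed sample phish (not a real message): display name claims the bank, the
# address is a lookalike domain, Reply-To goes elsewhere again, the first link's
# visible text disagrees with its href, and a macro-enabled Word file is attached.
SAMPLE_EML = b"""From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-verify-center.net
To: jane.doe@victim.example
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please confirm at
<a href="https://login.examp1e-bank.com/verify">https://www.examplebank.com/login</a>
or your account will be locked.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Statement.docm"
Content-Disposition: attachment; filename="Statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two DNS labels (login.examp1e-bank.com -> examp1e-bank.com); a
    production tool would consult the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def triage(raw: bytes, trusted_domain: str) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: the display name is free text, so compare the real address domain.
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_dom = registrable(sender.rpartition("@")[2])
    if sender_dom != trusted_domain:
        note = f"sender {sender} is not on {trusted_domain}"
        if trusted_domain.split(".")[0] in name.lower().replace(" ", ""):
            note += f" but the display name {name!r} claims the brand"
        findings.append(note)
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and registrable(reply_to.rpartition("@")[2]) != sender_dom:
        findings.append(f"Reply-To {reply_to} goes to a different domain than the sender")

    # 2. Links: URL-looking anchor text that disagrees with the href, and off-brand hrefs.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable(urlparse(href).hostname or "")
            if text.lower().startswith(("http://", "https://")):
                text_dom = registrable(urlparse(text).hostname or "")
                if text_dom != href_dom:
                    findings.append(f"link text shows {text_dom} but points to {href_dom}")
            if href_dom != trusted_domain:
                findings.append(f"link {href} leaves {trusted_domain}")

    # 3. Attachments: executable or macro-enabled file types.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = filename.rpartition(".")[2].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {filename} is a risky file type (.{ext})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML, "examplebank.com"):
        print("WARNING:", finding)
```

Run as-is it prints five warnings for the sample: the lookalike sender domain paired with a brand-name display name, the mismatched Reply-To, the link whose visible text and destination disagree, that same link leaving the trusted domain, and the .docm attachment. The second link, which really does point at the trusted domain, produces no warning. Note what the script cannot tell you: a From address that is on the right domain is still only trustworthy if the receiving mail system enforces SPF, DKIM and DMARC, which is why the sender check compares domains rather than trying to prove authenticity.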