Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More
Table of contents
Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack.
Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon’s 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.
In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.
What is social engineering?
A dictionary definition of social engineering (in the context of cybersecurity) is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.
At the most basic, this includes the mass-market spamming of individual email accounts with a phishing attempt such as an offer for a free gift certificate from a well-known retailer. Consumers who click a link to a malicious website or open an infected file attachment and enter personal information may open themselves up to criminal exploitation.
For higher-value, enterprise targets, the technique can become quite a bit more elaborate — or remain stunningly simple.
Roger Grimes, data-driven defense evangelist at security awareness training vendor KnowBe4, calls it for what it is: a con, a scam. “It’s someone pretending to be a brand, company or person you would … trust more than if you know the message was being sent by a complete stranger trying to trick you into doing something that will impact you or your organization’s own interests,” he explained. “The desired actions are often to launch a malicious program, provide logon passwords, or to provide confidential content (e.g., social security number, banking information, etc.).”
The criminal uses psychological manipulation to trick the user into performing actions or divulging confidential information. Seven means of persuasive appeal, as outlined by Robert Cialini in Influence: The Psychology of Persuasion, are commonly cited in explaining why people are vulnerable to their application in social engineering:
Many social engineering attempts come via email, but that is not the only channel. Social engineering is also accomplished via SMS messages, websites, social media, phone calls or even in person.
As Manos Gavriil, head of content at hacking training firm Hack The Box, points out, “Social engineering is considered the number one threat in cybersecurity, as it exploits individual human error, which makes it very hard to stop, and even the simplest forms of attack can have a devastating impact.”
Types of social engineering techniques and methods
Social engineering is accomplished in a variety of ways:
- Pretexting: This involves the false presentation of identity or context to make a target believe they should share sensitive data or take a compromising action, and it is an element in most social engineering.
- Baiting: The adversary usually offers a fake promise of something to deceive the victim, steal sensitive information or infect the organization with malware.
- Phishing: The attacker sends out large volumes of emails, without a specific target in mind, in the hope that a malicious link or attachment will be clicked to give the attacker access to sensitive information.
- Spear phishing: Masquerading as a known or trusted sender to a specific victim, the attacker sends a targeted, and usually personally crafted, phishing message.
- Whale phishing: This is spear phishing for a high-value target, such as a senior executive or key financial staffer. It is likely predicated on detailed information that the attacker has first gathered about the target and organization in order to present a credible pretext involving access to sensitive information or the initiation of a financial action.
- Vishing or smishing: This is a phishing attempt made via a voice call or SMS text, as opposed to an email message.
- Business email compromise (BEC): The cybercriminal compromises a business email account and impersonates the owner to deceive someone in the business circle into sending money or sensitive data to the attacker’s account.
- Pharming: Code is placed on a computer or server to divert or trick the user into visiting a harmful website.
- Tailgating or piggybacking: A malicious actor gains physical access to an organization’s secured facility by closely following an employee or other authorized entrant who has used a credential to pass through security.
- Dumpster diving: As it sounds, this is another attack at a physical location, whereby the criminal sifts through an organization’s trash to find information that they can use to initiate an attack.
These types of attack are often combined or tweaked to incorporate new wrinkles:
- Cybercriminals often pretend they are from a trusted organization, such as the target’s energy supplier, bank or IT department. They use logos from these institutions and email addresses that are similar to official ones. Once they gain trust, they request sensitive information such as logins or account details to penetrate networks or steal funds.
- A common approach is a false scenario with a warning that if an action isn’t taken very soon there will be some unwanted negative consequence, such as having an account permanently locked, a fine or a visit from law enforcement. The usual goal is to get the person to click on a rogue URL link that takes the victim to a fake login page where they enter their login credentials for a legitimate service.
- Another variant is the BazarCall campaign. It begins with a phishing email. But instead of duping the user into clicking on a malicious link or attachment, the email prompts the user to call a phone number to cancel a subscription. Urgency is injected with the threat that they are about to be automatically charged. Fake call centers then direct users to a website to download a cancellation form that installs BazarCall malware.
- For spear-phishing, the attacker may glean valuable data from LinkedIn, Facebook and other platforms in order to appear more genuine. If the target is out of the country, for example, and is known to use an Amex card, a call or email may claim to be from American Express, seeking to verify identity to approve transactions in the country in which the user is traveling. The person hands over account information, credit card numbers, pins and security codes — and the attacker goes on an online buying spree.
- Because whaling focuses on high-value targets, sophisticated techniques are increasingly used. If a merger is ongoing or a big government grant is about to go through, attackers may pose as someone involved in the deal and inject enough urgency to get money diverted to the account of a criminal group. Deepfake technology may be used to make a financial employee believe that their boss or another authority figure is requesting the action.
- LinkedIn requests from bad actors are growing in prevalence. Con artists charm unsuspecting jobseekers into opening malicious PDFs, videos, QR codes and voicemail messages.
- Push notification spamming is when a threat actor continuously bombards a user for approval via a multi-factor authentication (MFA) app. A user can panic or get annoyed by the number of notifications coming their way and give approval to the threat actor to enter the network.
- Cashing in on a current crisis, a social engineering attack plays on current headlines or people’s fears around personal finances. Whether it is text messages offering fake energy bills and tax rebates or an increase in online banking scams, people become more vulnerable to exploitation from opportunistic bad actors as budgets tighten.
However, social engineering doesn’t have to be sophisticated to be successful. Physical social engineering usually involves attackers posing as trusted employees, delivery and support personnel, or government officials such as firefighters or police. Another effective ploy is to leave a USB stick somewhere labeled “bitcoin wallet” or even, in a company parking lot or building toward the end of the year, “annual raises.”
As Igor Volovich, vice president of compliance for Qmulos, shares, “Recently, a pair of social media figures set out to prove that they could get into concerts by simply carrying a ladder and ‘acting official.’ They succeeded multiple times.”
10 top best practices to detect and prevent social engineering attacks in 2022
Follow these best practices to thwart social engineering attempts within an organization:
1. Security awareness training may be the most fundamental practice for preventing damage from social engineering.
- Training should be multifaceted. Engaging but short videos, user alerts about potentially dangerous online activity, and random phishing simulation emails all play their part.
- Training must be done at regular intervals and must educate users on what to look for and how to spot social engineering.
- One-size-fits-all training should be avoided. According to Gartner, one-size-fits-all training misses the mark. Content needs to be highly varied to reach all types of people. It should be of different lengths — from 20 minutes to one- to two-minute microlearning lessons. It should be interactive and perhaps even consist of episode-based shows. Various styles should be deployed, ranging from formal and corporate to edgy and humorous. Customization of content should address distinct types of users, such as those in IT, finance or other roles and for those with differing levels of knowledge.
- Gamification can be used in a variety of ways. Training can include games where the user spots different threat indicators or solves social engineering mysteries. Games can also be introduced to play one department’s security scores against another’s with rewards offered at the end of a training period.
2. Employees should be tested regularly for their response to threats — both online and in person.
- Before beginning security awareness training, baseline testing can determine the percentage of users who fall victim to simulated attacks. Testing again after training gauges how successful the educational campaign has been. As Forrester Research notes, metrics such as completion rates and quiz performance don’t represent real-world behavior.
- To get a fair measure of user awareness, simulations or campaigns should not be announced in advance. Vary timing and style. If fake phishing emails go out every Monday morning at 10 and always look similar, the employee grapevine will go into action. Workers will warn each other. Some will stand up in the cubicle and announce a phishing campaign email to the whole room. Be unpredictable on timing. Styles, too, should be changed up. One week try using a corporate logo from a bank; the next week make it an alert from IT about a security threat. Akin to using “secret shoppers,” deploying realistic simulations of tailgaters and unauthorized lurkers or positioning tempting USBs at a facility can test in-person awareness. In working with a security awareness provider, Forrester analyst Jinan Budge recommends that organizations “choose vendors that can help measure your employees’ human risk score.” Budge notes, “Once you know the risk profile of an individual or department, you can adjust your training and gain valuable insights about where to improve your security program.”
3. Foster a pervasive culture of awareness.
According to Grimes, “If you create the right culture, you end up with a human firewall that guards the organization against attack.” Well-executed training and testing can help to create a culture of healthy skepticism, where everyone is taught to recognize a social engineering attack.
4. It should be easy to report attempts and breaches.
Systems should make it easy for personnel to report potential phishing emails and other scams to the help desk, IT or security. Such systems should also make life easy for IT by categorizing and summarizing reports. A phishing alert button can be placed directly into the company email program.
5. Multifactor authentication (MFA) is important.
Social engineering is often intended to trick users into compromising their enterprise email and system access credentials. Requiring multiple identity verification credentials is one means of keeping such first-stage attacks from going further. With MFA, users might receive a text message on their phone, enter a code in an authenticator app, or otherwise verify their identity via multiple means.
6. Keep a tight handle on administrative and privileged access accounts.
Once a malicious actor gains access to a network, the next step is often to seek an administrative or privileged access account to compromise, because that provides entry to other accounts and significantly more sensitive information. Therefore it is especially important that such accounts are given only on an “as needs” basis and are watched more carefully for abuse.
7. Deploy user and entity behavior analytics (UEBA) for authentication.
Along with MFA, additional authentication technology should be used to stop initial credential breaches from escalating to larger network intrusions. UEBA can recognize anomalous locations, login times and the like. If a new device is used to access an account, alerts should be triggered, and additional verification steps initiated.
8. Secure email gateways are another important tool.
Although not nearly perfect, secure email gateways cut down on the number of phishing attempts and malicious attachments that reach users.
9. Keep antimalware releases, software patches and upgrades current.
Keeping current on releases, patches and upgrades cuts down on both the malicious social engineering attempts that reach users and the damage that occurs when users fall for a deception or otherwise make an erroneous click.
10. Finally, the only way to 100% guarantee freedom from cyberattack is to remove all users from the web, stop using email, and never communicate with the outside world.
Short of that extreme, security personnel can become so paranoid that they institute a burdensome tangle of safeguards that slow down every process in the organization. A good example is the inefficient TSA checkpoints at every airport. The process has negatively impacted public perception about air travel. Similarly, in cybersecurity a balance between security and productivity must be maintained.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.