Social engineering is a technique used by malicious hackers to obtain information, data, or access from the victim. Social engineering attacks are also referred to as "human hacking". The hacker will often use a variety of techniques to get the victim to provide them with this information, such as authority level, fear, greed, or friendship. This allows them to implant malware or other malicious files on the computer, which they can then exploit to gain access to more private and sensitive data!
How does social engineering work?
A hacker will often use various techniques in order to gather information from their victim. These techniques range from hacking into a company's email system to socially engineering their way into the office of a high-level manager. A hacker might pose as an employee within the company and then gain access to systems such as payroll or even personnel files, which could have information on where employees are currently located or who they are living with! This type of information can then be used to send out well-crafted phishing attacks with malicious software attached. Once the target opens the attachment, their computer is infected and becomes vulnerable to remote access.
A hacker might also physically break into an office building or other establishment using similar techniques. They could do this by posing as a janitor, repairman, or lunch delivery man. For example, a hacker posing as a repairman could make their way to the server room and gain access to all the data stored in that room!
The 5 Principles of Persuasion
A study published in the proceedings of the Third International Conference on Human Aspects of Information Security, Privacy and Trust defined five key principles of persuasion used in social engineering: authority; social proof; liking, similarity, and deception (LSD); commitment, reciprocation, and consistency (CRC); and distraction.
We are conditioned—throughout our upbringing—to avoid questioning authority. Question a teacher’s orders and you’re liable to wind up in detention. Question the judgment of your supervisor and paint a target on your back on the battlefield of office politics. It’s no wonder, then, that phishing schemes in which hackers impersonated a CEO grew 100% over a 14-month period from 2018 to 2019 and cost over $26 billion between June of 2016 and July of 2019.
People tend to let their guard down when conforming to the behavior of a larger group. Group behaviors are often perceived as carrying less risk (as the burden of any consequences is more widely dispersed).
Liking, Similarity, and Deception
It’s easier to let down your guard or comply with the requests of someone you like or to whom you feel similar. This could be a coworker, family member, supervisor, close friend, etc.
Commitment, Reciprocation, and Consistency
The desire to appear consistent can increase one’s tendency to commit to and follow through on an action. Agreeing to do someone a favor often has some expectation of reciprocity. Social engineering almost always involves an “ask” of some sort.
If you suspect an email may be a phishing attempt, it can help to identify the “ask” before considering whether the remaining four principles of persuasion seem fishy, as if they lend themselves to a quick read and a near-thoughtless response. Hackers don’t want you spending too much time admiring their handiwork; the more time you spend, the more likely you are to get suspicious.
As it’s defined within the five principles of persuasion, a “distraction” is akin to a sales tactic used to create a false sense of urgency or heightened stakes. That urgency often stems from scarcity (of time, supply, etc.). Hackers heighten the stakes of a social engineering attack by presenting an opportunity, which—whether lost, gained, or unclaimed—makes you want to act fast.
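The triage order described above (find the "ask" first, then look for the other principles around it) can be sketched in code. This is an added example, not part of the original article; the cue patterns, the two-principle threshold, and the sample messages are constructed assumptions for illustration.

```python
import re

# Cue patterns are constructed for illustration, not an exhaustive ruleset.
ASK = re.compile(
    r"\b(click|open|download|wire|transfer|pay|send|reply|verify|confirm|"
    r"log ?in|sign ?in|provide|buy)\b", re.I)

PRINCIPLES = {
    "authority": re.compile(
        r"\b(ceo|cfo|director|manager|supervisor|irs|police|bank)\b", re.I),
    "social_proof": re.compile(
        r"\b(everyone|all (other )?(employees|staff|colleagues)|"
        r"already (done|completed|signed))\b", re.I),
    "liking_similarity_deception": re.compile(
        r"\b(friend|fellow|like you|just like us|old colleague)\b", re.I),
    "commitment_reciprocation_consistency": re.compile(
        r"\b(as (you )?(promised|agreed)|in return|favou?r|you owe)\b", re.I),
    "distraction": re.compile(
        r"\b(urgent|immediately|right away|asap|today only|last chance|"
        r"expires?|within \d+ (hours?|minutes?)|only \d+ left)\b", re.I),
}

def sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def triage(text):
    """Find the ask first, then record which persuasion cues surround it."""
    asks = [s for s in sentences(text) if ASK.search(s)]
    cues = {}
    for name, pattern in PRINCIPLES.items():
        found = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if found:
            cues[name] = found
    # An ask backed by two or more principles deserves a slow second read.
    return {"asks": asks, "principles": cues,
            "review": bool(asks) and len(cues) >= 2}

# Constructed sample messages (not real mail).
SUSPECT = ("Hi Dana, this is Mark, the CFO. I need you to wire $48,200 to the "
           "vendor below immediately. Everyone else in finance has already "
           "completed their transfers. Please keep this between us.")
BENIGN = ("The quarterly report is attached for the meeting on Thursday. "
          "Let me know if the numbers look off.")

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(msg))
```

Keyword cues like these only prompt a slower read; they do not replace verifying the request through a separate channel.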
Social Engineering Attack Examples
Some common social engineering scams include:
An email informing you that you have been chosen as a winner in a competition or giveaway. This usually contains a link to click on, which will then install malware or spyware onto your computer. This allows the hacker to gain access to private information and leak it online if they wish!
The Accidental Wire
An email informing you that you have been sent some money from someone who doesn't know how to use a bank account. The person will ask you to send back their money, and the email will contain a link to click on which installs malware or spyware onto your computer.
The Group Chat
Group chats, such as Discord servers, are a great tool for staying in touch with friends or organising important events. However, they can sometimes be diverted for malicious purposes by people who have hacked into them! These people may set a trap to obtain your personal information, such as asking you for a copy of a photo ID or address.
The Access Request
If someone is pretending to be from a company and 'needs' access to your online account in order to fix some problems with it, then this could be the start of a social engineering scam! The person will ask you to provide them with your login details for social media or email, and once they have gained access they can change these altogether. This means that you won't be able to regain access to the account without starting through another company!
Social Engineering Techniques
Pretexting is a social engineering tactic in which the attacker engages the victim under a fabricated pretext. This technique may be used to compromise computer networks or individual systems by obtaining information, such as passwords, from an unsuspecting victim. There are many methods and techniques employed in this type of activity and it is difficult to detect when a person has been targeted.
A hacker can use pretexting to dupe their way into a company's secure network by posing as an employee. In more extreme cases, the hacker could even pose as an employee of the printing company that 'printed' the documents and get access to your office.
It is important for employees to stay vigilant so they are not victimized by this or any other type of social engineering tactic.
Phishing is a very common type of social engineering. It is the act of obtaining someone's personal data or sensitive information by sending them a message, usually via email, that looks as if it comes from a legitimate site, business or organization. The victim will then be tricked by the sender to divulge sensitive information (e.g. passwords).
Tailgating is when someone enters a lot, building, or other facilities without authorization by following closely behind an authorized person. Tailgating can end up being a problem in parking lots because the tailgater may follow the victim all the way to their car—and if they've obtained driver's license information like registration or license plate, it's possible that they'll steal your car!
In addition to hacking computers and infiltrating networks, social engineers may also insert themselves into social media networks with the goal of gaining information from users. They could pose as a friend or someone you know in order to shut down your account or get control over it. Social engineers could dupe you into giving them your login credentials to Facebook, Twitter, or other accounts that use text messages and emails as a validation process.
This is extra problematic because many people don't think about their social media profiles in the same way they think about their email or banking information. You should be careful whom you friend on Facebook and other social media websites, as well as your location and the information you post about yourself.
Scareware is a type of social engineering attack that targets your sense of fear with the goal to trick you into purchasing fake antivirus software or downloading other malicious files. This type of malware typically comes up as popups and warnings that are designed to make the user believe their computer or operating system has a serious problem.
Spear phishing is a specific type of phishing attack that involves an attacker sending emails to specific targets with the goal to steal data or lure the recipient into clicking a link that will provide the attacker access to your computer.
This can happen when, for example, someone receives an email from a relative or friend who says they were in an accident and need help. This is designed to make you feel guilty that your loved one was hurt and will scare you into spending money on whatever the scammer is selling—in this case, it's fake medical treatment or other products.
Spear phishing is very effective because it targets a specific person or group of people. Attackers typically learn as much about the target as possible to make their messages sound believable and personal.
Baiting is a social engineering tactic that uses curiosity, greed or a false promise to "bait" someone into, say, clicking a link that will allow the hacker to gain access to their computer. For example, in the phishing email example, the hacker would send an email that says they are in an accident and need help. They may say something like "This is supposed to be my last resort" or "I'm not sure what else I can do".
The attacker wants you to get a sense of guilt so that you don't think about what will happen if you don't help them.
Why Does Social Engineering Work?
You might be wondering how cybercriminals are able to get away with so much by using social engineering to manipulate victims.
First, social engineers usually have a reasonable idea of their potential victim's background and interests. They can then use this knowledge to play to the victim's individual needs so that the victim provides what they're after.
Secondly, it is often much easier for people to speak freely on the phone or in-person than if they were typing or writing something out online somewhere like chat message boards.
Lastly, humans are trusting creatures by nature; we often believe that others will act as they should and choose not to let down their guard when information is being exchanged openly over the phone or even through email correspondence with someone we've never met before.
Many times, we get more comfortable speaking with someone and end up revealing information about our personal lives or even passwords to accounts we don't really want anyone else getting their hands on!
If you think about it, social engineering is simply the art of manipulation, and it is extremely effective in allowing cybercriminals to get what they want over the phone, in person, or with emails.
How to Stop Most Social Engineering Attacks Before They Start
Social engineering is hard to notice in the moment. But if you use these tips, you may be able to realize when you're being socially engineered:
Be aware of your surroundings. The person you're talking to might be a social engineer looking to use fear or authority level to get what they want!
Never open attachments that you aren't expecting from someone you don't know. It's easy for a hacker to gain access to your computer if you do this!
Keep your passwords private. Social engineers can break into your account that way, which can lead to hackers getting all of the information stored on it. This includes if they've taken over your email and social media accounts. ALWAYS change your default passwords. If you don't know what the default is, look in the back of your instruction manual for your device.
Never use public computers for ANY banking or shopping-related activities. Have a private browser and private profile that you only use on personal accounts.
NEVER give out your personal or financial information to ANYONE, even if they claim it's a legitimate request from the IRS, police, etc.
And finally, be wary of those around you. Really try to get a feel for whether or not someone is looking to take advantage of you! One tell-tale sign that someone might be attempting to social engineer you is if they repeatedly ask you for information you've already told them!
Social Engineering in the News
Social engineering attacks have been in the news recently, with numerous stories of people falling for this hack! Here are a couple of examples:
A woman pretending to be an IRS agent managed to scam more than $300,000 from victims over the phone by pretending they owed taxes and saying that if their card or bank account wasn't immediately verified, they would face arrest. In the same way, a hacker could send you emails or calls, pretending to be from your bank or government and asking for your bank account information over the phone so they can "verify it".
In another case, a woman pretended to be an employee at a hospital in Michigan when she called security guards about an incident in the hospital. She used this opportunity to gain a lot of sensitive information about the facility and its employees, including names, email addresses, social security numbers, and other personal data.
In each of these cases, people were able to gain a lot of sensitive data and use it for criminal activity. Social engineering is an extremely powerful way for hackers to get access to your private data. So, next time you get an email or call from someone claiming to be from your bank or a government office, think twice before giving them any information!
Social Engineering in the Movies
What are some examples of social engineering attacks in movies? If you've watched a lot of action-packed Hollywood films, I bet you've seen at least one movie that has a lot of social engineering in it!
In the 1995 film, "Hackers", an evil computer genius called The Plague was able to obtain sensitive information from unsuspecting victims by using his laptop's built-in microphone and speakers. This allowed him to hear everything going on inside their homes, say while they might be talking with their family members or friends in another room, and then he would use that information to manipulate them into giving him exactly what he wanted.
In "Antitrust," based on a famous novel by Michael Crichton, the main character, an antitrust lawyer named Nick Brady (played by Tim Robbins) was able to extract evidence of one computer corporation's crime by using a sophisticated computer chip installed in his brain. This gave him the ability to read other people's emails and listen to their phone calls without them knowing about it.
There are many more examples of movies that include social engineering as part of the plot, such as "Nightcrawler", which stars Jake Gyllenhaal as a self-centered, sociopathic news cameraman who steals videos and photographs from an unsuspecting public in order to sell them to his employer. In "Bad Company," the main character has been framed for murder. He then attempts to gather information from his one-time enemies in order to clear his name and get revenge on the guys who set him up!
If you're a fan of the Ocean's 11 series or any heist movies, these films are PACKED with social engineering. Once you think about it, there are many subtle ways that social engineering is shown in movies and TV.
5 Tips to Protect Yourself from Social Engineering Attacks:
1.) Verify the claim of who is contacting you. Before you respond to a request for personal data, you should verify who is making this request. You can do this by using Google to look up an email address or phone number that corresponds with the person you are chatting with. If it looks out of place or uses disparate formatting, you may have been targeted by a hacker!
2.) Never share personal information over the phone or in an email. While it may be tempting to provide your bank account information or social security number over the phone, you could fall victim to a scam! If someone is contacting you and claiming to be from a financial institution, like your bank, they should never ask for this information on the telephone or via email.
3.) Be wary of clicking links. If you receive an email with a link that takes you to a different website, try going directly to the website before entering any sensitive information or logging in. Even if the email looks legitimate, there may be some sort of malware attached to the link that will allow a hacker to view your activity on the internet!
4.) Be wary of people seeking personal information from you. While it may seem polite, or even necessary to provide your social security number or other private information to a caller, don't do it! If someone is trying to gain this type of access to your identity, they could be using it for nefarious purposes. Do not trust them!
5.) Be careful when sharing details on your social media accounts. While it can be tempting to share pictures, videos, and other personal content with your friends and followers online, you should really consider how much of this you put out there for the world to see. If someone is able to gain access to an online account that contains confidential information, they can use it in a way similar to other forms of social engineering. It is best for security purposes to only share on social media what you are comfortable showing the world!
How to Educate Your Employees on Social Engineering:
Social engineering attacks are often hard to detect, and a lot of people think they won't fall for it because they are smart. But anyone can be targeted by social engineering! And educating your employees about the dangers can help them understand how to spot them.
Most of the time a social engineering attack starts off with someone asking for information, whether that's your password or simply where you work! And if the people around you are educated with security awareness training, they can help you spot when that happens.
Implement a Security Policy
One effective way to prevent social engineering is to have a firm security policy in place regarding how employees should handle unexpected requests for information. And it's important not only what to do with requests, but also who handles them. Entrusted people are the ones who have contact with outsiders, such as a receptionist or secretary.
The policy should include:
- Who employees can talk to about requests for information.
- How they're expected to send those requests back up the chain of command without revealing them to others during that time (for example, using text messages).
- How to verify requests are legitimate before acting on them. And if the request seems odd, they should immediately stop and contact their supervisor or another figurehead for verification. This way, a hacker can't trick multiple employees into doing what they want!
If you have an IT department that handles requests from employees about computers, then you should include how they are expected to handle requests for information from them as well. This could be with a phone call or text message, depending on what your policy says works best for you.
If you can, consider implementing a secure method of gaining access to your company's network, maybe using an extra step like entering a code sent to your phone. This way, even if someone does manage to get an employee's login information, they can't use it to access the network.
Provide Security Awareness Training to your employees
By training your employees in security awareness, you are empowering them with the knowledge they need to spot social engineering attempts and protect themselves from malicious hackers that want access to their private information!
It's best to target all employees with security awareness training, but you should make an effort to further engage with the most "at-risk" employees, such as those who work in customer service or a financial capacity.
Some things you can cover:
- What social engineering is and how it works
- Methods hackers use for obtaining information
- What their role should be in spotting attempts
- Understand that they could be targeted by malicious hackers
This training doesn't have to be overly complicated or take up a ton of time. It just needs to cover the basics and make your employees aware of how important it is for them to do their part!
It's important to educate yourself and your employees about social engineering because they are often the ones who will be targeted. Learning what types of information hackers want and how they go about getting it can help your company stay safer from malicious attacks!