What is Social Engineering?
Some cybercriminals are experts at discovering and exploiting technical vulnerabilities in applications and networks, skills they use to gain unauthorized access to restricted systems and steal money or sensitive personal information from their victims.
But there’s another sort of cybercriminal who specializes in exploiting one of the most significant security vulnerabilities of them all: humans. According to Kevin Mitnick, the world’s most famous hacker, humans are the weakest link in any security system – and the way to exploit that weakness is through social engineering.
Social engineering encompasses all deceptive techniques used by cybercriminals to gain access to sensitive data or restricted networks, or to steal money, by exploiting human psychology and behavior instead of technical vulnerabilities.
Social Engineering Attack Techniques
Social engineering attacks weaponize human psychology to trick victims into sending money or disclosing sensitive data. As a result, social engineering attacks can be as diverse as the human characteristics, emotions, and dispositions they tend to exploit.
We can analyze social engineering attack techniques in two ways: by looking at the aspects of human psychology that are being exploited and by looking at the actual methods used by cybercriminals to deploy the attack.
Let’s start with a look at some aspects of human psychology that cybercriminals can exploit:
- Conformity – Most people will do things they see others doing and conform to match those around them. Social engineers can use this fact to encourage a target to take an action by convincing them that their friends, colleagues, and associates are also doing it.
- Curiosity – Some people are easily made victims of their own curiosity. This type of social engineering is observed when cybercriminals send emails with malicious attachments. The attachment will often have a “clickbait” name that encourages the curious recipient to open it.
- Deference – Some people show a high level of deference to authority figures. As a result, they’re likely to follow directions from a perceived authority figure with minimal questioning or pushback.
- Familiarity – People are more easily persuaded by people they like or who seem familiar. Cybercriminals can exploit this by adopting a likeable personality, using a relatable tone of voice, or by impersonating a trusted colleague or friend of the target.
- Fear – People who are genuinely afraid simply cannot make good decisions. Cybercriminals exploit this by threatening the target with harm if they don’t comply, often while impersonating an authority figure (e.g., an executive at the target’s company or the IRS).
- Greed – Some people are greedy and will readily fall for scams that promise them something for nothing. The most famous example of exploiting human greed is the “Nigerian Prince” scam, where the target is asked to make a small deposit to receive a large sum of cash.
- Helpfulness – Some people will readily breach security protocols if they feel like they’re being helpful to someone they trust. Cybercriminals exploit this by impersonating trusted friends and colleagues of the target, then asking them for help.
- Urgency – Some people will take quick action and narrow their focus if they believe the situation is urgent. Social engineers will often craft stories about an urgent situation, pressuring their targets to act quickly in complying with their directions.
Next, we can highlight four of the most common social engineering attacks used by cybercriminals to prey on these human vulnerabilities:
- Phishing and Spear Phishing – Phishing attacks are deceptive emails, voicemails or text messages used to trick a victim into disclosing sensitive information, sending money or downloading malware. Spear phishing is the targeted form, tailored to a specific individual or organization.
- Pretexting – Pretexting is when a cybercriminal invents a fictitious scenario to convince their target to disclose information or send money. Cybercriminals may try to increase the success rate of a pretexting attack by impersonating a friend, colleague, or associate of the target.
- Scareware – Scareware is just one example of how cybercriminals exploit fear in their victims by using fictitious threats or false alarms that spur the victim into action. In a scareware attack, the criminal convinces the victim (via telephone, email, or even a digital advertisement) that their computer is infected with a malicious program. The target’s fear of the program is used to trick them into sending money or disclosing sensitive data. A cybercriminal may impersonate authorities like the police, the IRS, the FBI, or the target’s boss to threaten them with consequences for not following directions.
- Baiting – Baiting weaponizes a victim’s greed or curiosity to trick them into compromising their data, downloading harmful files, or sending money to cybercriminals. The bait could be a digital file with an enticing name or a malware-filled USB stick left in the elevator at the target organization’s office building.
How to Prevent Social Engineering Attacks
Preventing social engineering attacks is a big challenge for IT security teams in 2021. Below, we list five steps that your team can take to help prevent social engineering attacks from negatively impacting your organization.
Deliver Cybersecurity Awareness Training
Employees need to be trained on the nature of social engineering attacks, how to recognize and report an attack, and how to avoid falling victim. Cybersecurity awareness training should teach employees the basics of verifying the sender of an email and why it’s important to avoid opening attachments or clicking links from untrusted sources.
Deploy Phishing Simulations
Some IT security teams regularly test their employees by sending fake phishing emails to their inboxes. If the employee fails the test by clicking on a suspicious link or attachment, they may be directed to complete further cybersecurity awareness training.
Block Spam Mail
IT security teams can use firewalls and email gateways to filter phishing emails before they reach employee inboxes, reducing the chances of employees falling victim.
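The sender-verification basics from the awareness-training step and the gateway filtering described here both come down to a few checks on an incoming message. The following is an added example (not code from the original article or from ZeroFOX) showing how such checks might look in a gateway rule or a triage script: it parses a raw message with Python's standard email library and flags display-name spoofing, lookalike sender domains, a Reply-To that redirects replies elsewhere, urgency and payment cues, and failed SPF/DKIM results. The trusted domain, the cue list, the similarity threshold and both sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic checks for likely social-engineering email (added example).

Assumptions: the organization owns example.com; the cue words and the
0.8 lookalike threshold are illustrative; both messages are constructed.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domain
URGENCY_CUES = ("urgent", "immediately", "asap", "wire", "gift card", "overdue")
LOOKALIKE_THRESHOLD = 0.8  # assumption: tune against real traffic


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this one closely resembles (e.g. examp1e.com)."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and difflib.SequenceMatcher(
            None, domain, trusted
        ).ratio() >= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def body_text(msg) -> str:
    """Extract the plain-text (or HTML) body of an EmailMessage."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def check_message(raw: str) -> list:
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Display name invokes the trusted domain while the address is external.
    for trusted in TRUSTED_DOMAINS:
        if trusted in from_name.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(("DISPLAY_NAME_SPOOF",
                             f"name mentions {trusted}, address is @{from_domain}"))

    # Sender domain is a near-miss of a trusted domain (typo-squat).
    target = lookalike_of(from_domain)
    if target:
        findings.append(("LOOKALIKE_DOMAIN", f"{from_domain} resembles {target}"))

    # Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("REPLY_TO_MISMATCH",
                         f"Reply-To @{domain_of(reply_addr)} vs From @{from_domain}"))

    # Pressure language typical of pretexting and BEC-style requests.
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    hits = [cue for cue in URGENCY_CUES if cue in text]
    if hits:
        findings.append(("URGENCY_CUES", ", ".join(hits)))

    # The receiving MTA already recorded a failed sender authentication.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append(("AUTH_FAIL", auth.strip()))

    return findings


# Constructed sample: an impersonation attempt with an urgent wire request.
SUSPICIOUS = """\
From: "Jane Doe (example.com CEO)" <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.invalid
To: bob@example.com
Subject: URGENT wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Bob, I'm in a meeting and can't talk. Please wire the vendor immediately and send me the confirmation.
"""

# Constructed sample: routine internal mail that should pass cleanly.
BENIGN = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: bob@example.com
Subject: Monthly newsletter
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/plain; charset="utf-8"

Hi Bob, the newsletter is available in the portal. No action required.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, check_message(raw))
```

Each finding on its own is weak evidence; a gateway would typically score them and quarantine or tag the message above a threshold, and the same codes make useful fields for the report-a-phish workflow that the training step asks employees to use.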
Educate on Social Media Privacy
Social engineering attacks often use the victim’s own personal data against them, and that data can often be found on social media. People need to be reminded that any information they publish on social media is publicly available and can be used by cybercriminals in a social engineering attack.
Secure Your Public Attack Surface
As organizations increase their reliance on publicly available platforms (social media, websites, collaboration tools, etc.) for daily operations, cybercriminals benefit from an expanded attack surface that creates more opportunities to implement social engineering attacks. ZeroFOX uses advanced AI to monitor and secure the public attack surface and effectively detect and disrupt digital threats.