What is Social Engineering? – June 2022 Newsletter

What is Social Engineering?

According to a study by Proofpoint in 2019, 98% of cyberattacks use social engineering tactics to achieve their goals.  98%.  Understanding social engineering and the tools attackers use to gain your trust is key to effectively mitigating the risk of a cyberattack on you or your business.

Fortinet defines social engineering as “a wide range of attacks that leverage human interaction and emotions to manipulate the target.”  The victim is tricked into providing compromising information which usually involves several steps. 

1. The cyberattacker will study the behavior of the intended target.  They use this research to execute the attack by learning the likes or dislikes, businesses they engage with or don’t, etc, and their role in bypassing security protocols.
2. As humans, we naturally are attracted to those we trust, whether it be a friend, spouse, or business.  Social engineers know this and will try to facilitate a feeling of trust and common interests.  They will use the information gained in their research to acquire the target’s trust.
3. Once they have gained your trust, they begin manipulating the target to get sensitive information or violate security policies.

5 Human Characteristics Social Engineers Exploit

All humans have similar characteristics that social engineers know of and use to exploit their target.  According to Fortinet, they are:

Liking – we tend to trust those we like.  An email from a trusted vendor or customer, or even coworkers or bosses, is more likely to be opened and the requests fulfilled than one from an unknown source.  

Spoofing an email identity is simple. All an attacker would need to search your websites or social media profiles, and they can easily create a false identity from someone you trust.

Reciprocity – Who isn’t compelled to take a free item if one were offered to them?  Social engineers know this and will often use tactics such as providing free advice, exclusive or personalized, to make the victim feel as if they owe the attacker something in return. 

Commitment – Most of us feel a strong need to follow through with something if we promise to do it.  Social Engineers know this and urge the victim to agree to small things before going for the primary goal.  They also may get them to agree to do something before the victim realizes the risk.  

Social Proof – People are more willing to buy into something if they think their friends have.  With research, the hacker can quickly gain information on who our friends our to name drop and make us feel like they are a trusted source since they also know our “friend.”

Authority – Who would you be more likely to believe about a supposed health product to solve all your problems?  A doctor or some random email claiming to know it all?  Should that email come from a “Dr.” you will probably give it more authority than another unexpected voice.  Hackers exploit this by claiming “according to experts” or “science proves” to gain your trust and convince you to agree to something.

8 Techniques of Social Engineering Attackers

While there may be more techniques, these are the most common ones you are likely to come across if a social engineering attacker targets you.  They are:

1. Baiting – uses our sense of curiosity, or even greed, to draw you in.  This usually results in you installing, or clicking on, something that will download malware onto your system.
2. Water Holing – casts a broader net.  The attacker will target a group of specific individuals by infecting sites they regularly visit and trust, knowing they feel safe on those pages.
3. Scareware – If we feel under attack, our fight or flight response is triggered.  Taxes are overdue, foreclosure notices or the threat of disconnected utilities have been known to trigger an immediate response to protect yourself.  Scareware uses this to get you to react to protect yourself, and no surprise, but they have the solution to take care of it then and there.  
4. Quid Pro Quo – attacks generally involve the attacker offering something to the victim in exchange for a password or specific action.  Such as a caller claiming to be from IT who then asks you to download a particular program to your computer, which is most likely to be malware.
5. Pretexting – is where an attacker pretends to be someone they aren’t (your boss, grandchild, long lost cousin) and tricks you into giving them sensitive information.
6. Honey Trap – With online dating opening up more expansive pools of potential romantic partners, cyberattackers have also tapped into this area to take advantage of human emotions.  A honey trap is where the attacker poses as a love interest, then tries to gain information or money due to their growing relationship.
7. Tailgating – We’ve all seen it happen.  You enter a secure building with your credentials, and someone pops up right behind you.  General courtesy says to hold the door open, which is exactly what the attacker is looking for.
8. Phishing, Spear Phishing, and Vishing – Like baiting, the attacker uses your sense of urgency or natural curiosity to encourage you to click a link or give out private information.  Spear phishing attacks gather a bit more information on you before launching their attack, and vishing uses the same strategies as phishing and spear phishing but is over the phone and using voice communications. 

Basic Security Habits to Keep You Safe

There are many tools and processes that you can use to keep yourself and your business safe, but below are the big 4. 

1. Don’t click!  Just don’t do it.  If you receive an email or text from an unknown source telling you to click here now, your account is in jeopardy, or whatever you do, don’t click that link.  If you are concerned, navigate directly to the account through your typical methods of accessing, such as a web browser or a mobile app.
2. Password managers.  Just use them.  Google and Apple have robust password management systems you can tap into that can follow you from device to device.  
3. Multi-factor authentication.  As annoying as they are, two factor authentication processes are critical in keeping you safe online.  Any attempt to log into your account requires you to respond to a text or phone call or email you can be warned immediately of a potential breach and act accordingly.
4. Be careful of online friends.  Yes, the internet and social media can be significant in helping you to form new relationships or maintain old ones.  But take a good look at friends who refuse to talk on the phone or meet in person – they may not be real.