Social engineering is the process of manipulating people so that they part with confidential or sensitive information, or to encourage them to act against their own interests. Social engineering existed long before the internet, and despite widespread awareness of its methods, it is still going strong today.
When the first email was sent in 1971, a new method of social engineering was born, and one that people still fall victim to all these years later.
Social engineering is done for a variety of reasons, and the motive is not always financial. If information is of value and can be used for the attacker's gain, then it is a prime target for social engineering.
What is the Goal of Social Engineering Attacks?
Gather Sensitive Information
The goal here is to trick targets into handing over personal or sensitive information: a username and password, a bank card PIN, credit card details, and so on. The attacker wants whatever information is necessary to access the target's private accounts.
Install Malware
The goal here is to encourage a target to click a link or open a document that downloads malicious software onto their computer. Once the malware has infected the computer it performs nefarious tasks such as locking the user's files and demanding a bitcoin payment (known as ransomware) or logging keystrokes. Ransomware is the most common form of malware distributed in social engineering scams; in 2017 it was estimated to account for 93% of malware attachments.
Different Types of Social Engineering Attacks
Phishing
Phishing scams are the most common form of social engineering attack conducted by bad actors. So, what is a phishing scam? Phishing attacks are usually broad attacks aimed at a large number of targets in the hope that some will fall for the scam, even if most don't. Like all social engineering scams, the goal of a phishing attack is to obtain private information such as login credentials or financial details. Phishing emails usually have the following traits:
- Urgency – The email will try to instill a sense of fear or urgency in the target to compel them to act quickly rather than thinking over their decision to act.
- Emotion – The message will try to elicit a specific emotion in the target. This emotion could be fear, for example threatening the target with their account being canceled or a financial or legal penalty if they don't act. Other times the emotion may be a happy one, such as "You have won X, click here to claim your reward." The third emotion used is confusion, where the attacker encourages the target to act out of confusion, for example "Your order has been approved" or "Your payment has been processed" for a company you don't recognize.
- Vagueness – They are most often not addressed to the target directly but will instead say “Dear Customer” or some other variation.
- Grammatical errors – spelling and grammar mistakes are common.
- Trusted Companies – phishing emails are usually pretending to be from big-name companies that are trusted and well known such as Amazon, eBay, PayPal, Apple, Microsoft and so on. Most people will have used these sites or services before and had emails from them in the past so the target’s guard will be down.
- Shortened links – the email may use a shortened link that hides a suspicious URL.
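The traits listed above are exactly the kind of signals a mail filter or a security team's triage script can check for mechanically. The following is an added example, not code from the original article: a small heuristic scorer that looks for urgency and emotion phrasing, a generic greeting, a trusted brand name mentioned while the sender domain is not that brand's, and links whose visible host is a URL shortener. The word lists, brand list and shortener list are illustrative assumptions, and the two sample emails are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Illustrative phrase and domain lists (assumptions for this example, not a
# vendor feed). A real filter would tune these on its own mail traffic.
URGENCY_WORDS = ["immediately", "urgent", "within 24 hours", "act now",
                 "suspended", "final notice", "verify now"]
EMOTION_WORDS = ["you have won", "claim your reward", "legal action",
                 "account will be closed", "penalty", "warrant"]
GENERIC_GREETINGS = ["dear customer", "dear user", "dear member",
                     "dear account holder", "valued customer"]
TRUSTED_BRANDS = ["amazon", "ebay", "paypal", "apple", "microsoft"]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def score_email(sender: str, subject: str, body: str) -> dict:
    """Return which phishing traits were found and a simple count-based score."""
    text = f"{subject}\n{body}".lower()
    traits = {}

    # Urgency and emotional pressure: fixed phrases that push the reader to act now.
    traits["urgency"] = any(w in text for w in URGENCY_WORDS)
    traits["emotion"] = any(w in text for w in EMOTION_WORDS)

    # Vagueness: the mail is not addressed to a named person.
    traits["generic_greeting"] = any(g in text for g in GENERIC_GREETINGS)

    # Trusted company named in the text while the sender domain is not that brand's domain.
    sender_domain = sender.split("@")[-1].lower()
    traits["brand_mismatch"] = any(
        b in text and not sender_domain.endswith(b + ".com") for b in TRUSTED_BRANDS
    )

    # Shortened links: the visible host is a shortener, so the real destination is hidden.
    link_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    traits["shortened_link"] = any(h in SHORTENERS for h in link_hosts)

    score = sum(traits.values())
    return {"traits": traits, "score": score, "suspicious": score >= 3}


# Constructed sample messages for demonstration only.
PHISHING_SAMPLE = dict(
    sender="security-alert@paypa1-support.net",
    subject="URGENT: Your PayPal account will be closed",
    body="Dear Customer,\n\nWe detected unusual activity. Verify now within 24 hours "
         "or your account will be closed: http://bit.ly/3xAmpl3\n",
)
LEGIT_SAMPLE = dict(
    sender="no-reply@amazon.com",
    subject="Your order has shipped",
    body="Hi Jane,\n\nYour order #12345 has shipped. Track it at "
         "https://www.amazon.com/orders\n",
)

if __name__ == "__main__":
    for name, sample in [("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)]:
        print(name, score_email(**sample))
```

The scorer is deliberately crude: each trait counts one point and three or more marks the mail as suspicious. The value for a defender is in seeing which traits fired, since a single hit (an urgent but genuine security notice, say) is normal, while urgency, a generic greeting, a brand mismatch and a shortened link together are the pattern the article describes.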
Spear Phishing
Spear phishing is a tailored phishing email in which the target's identifiers, such as their name or other personal details, are used by the attacker to gain trust. Spear phishing attacks require more effort from the attacker than ordinary phishing attacks, which rely on vagueness and casting a wide net. They often have the following characteristics:
- Appeal to authenticity – spear phishing emails will often look authentic due to the use of company logos and an email address or URL that on first glance looks legitimate. They will also try to emulate the style of a particular company so that it meets your expectations of what an email from that company looks like. Another way they may try to appear authentic is by pretending to be an important figure, such as the CEO of the company you work for or a company your employer does business with.
- Identifiers – Unlike a phishing email, a spear phishing email will address you by your name and may even include other personal information. This is one of the major reasons spear phishing is so successful and why it can be so difficult to recognize the email as malicious. This narrow focus leads people to believe the email must be legitimate. Attackers often buy data from online databases in order to gather this information.
- Business emails – spear phishing emails will often masquerade as important business emails such as invoice or payment notifications. These emails are routine for office employees, and combined with the urgency techniques described above, an employee may think the email is legitimate and take action.
Whaling
Whale phishing, or whaling, is a form of spear phishing directed at senior employees, or "big fish". These high-value targets could be CEOs or directors within a company and usually have a high degree of autonomy and control over business decisions, which makes them attractive targets. The goal here would likely be to encourage the high-value target to unknowingly download malware, probably a keylogger, through which the attackers can gather highly sensitive information.
Spear phishing can be very lucrative for attackers, which incentivizes the continuation of the practice and the sharpening of its techniques.
A 2016 white paper by cybersecurity firm FireEye said:
Spear phishing is on the rise because it works. Traditional security defenses simply do not detect and stop it. From a cyber criminal’s point of view, spear phishing is the perfect vehicle for a broad array of damaging exploits. For example, threat actors are increasingly targeting executives and other high-level employees, tricking them into activating malware that gives criminals access into their companies’ environments.
The targeted executives are usually key leaders with titles such as chief financial officer, head of finance, senior vice president and director. Spear phishing emails are created with enough detail to fool even experienced security professionals.
Vishing
Vishing is a social engineering voice scam that uses phone calls to get targets to give up valuable information. In these scenarios the attacker calls a target pretending to be from a well-known legitimate company, bank, or government organization.
A common vishing scam involves the attacker pretending to be a manager at your bank and claiming that someone has committed fraud on your account. They will create a sense of urgency and encourage you to give your bank account details so they can sort out the problem.
Another common vishing scam is where the attacker pretends to be from your government's tax office and claims that you owe tax and there is a warrant out for your arrest, but don't worry: you can pay that money right now and the warrant will be dropped.
A third common vishing scam is the computer repair scam, where the attacker claims to be from an IT helpdesk and tells you that your computer has a virus. They will usually ask the victim to download "anti-virus" software that is actually malware, or demand payment for their time.
The attackers try to frighten you into acting quickly and parting with your information. Sometimes these scams don't appear particularly convincing and other times they are highly sophisticated. The elderly are particularly vulnerable to these scams and many have lost their life savings to these attackers.
To prevent falling victim to these types of attacks you should never give up sensitive credentials to someone who has called you. If your bank is legitimately calling you, or the tax office, or anywhere else, you can hang up and find their customer services number online and ring them back. This way you can be confident you are speaking to the right people.
Baiting
Baiting is a real-world Trojan horse: it relies on the excitement and curiosity of the victim in order to work. A common baiting technique is distributing malware-infected flash drives in areas of high foot traffic and hoping people pick them up.
This scenario relies on curiosity: the attackers are hoping that you'll see a flash drive, be too curious about what is on it, and take it home and plug it into your computer.
Other baiting attacks are conducted entirely online where the target is enticed into visiting a malicious site.
Pretexting
In a pretexting attack, the attacker presents themselves as a trusted party and encourages the target to give up information as part of a fabricated scenario. A common example of pretexting is when the attacker pretends they need certain information from you in order to verify your identity.
Pretexting attacks rely on authority, trust, and a plausible scenario that the target will believe. You’ve probably seen plenty of pretexting attacks in movies. Every time you see someone impersonate a police officer, a security guard, or a maintenance worker to get into a building they shouldn’t be in, that’s pretexting.
Scareware
Scareware is a type of malware that infects a victim's computer and attempts to threaten and scare them into a detrimental action. You may have heard of "anti-virus" software that is actually a virus itself and asks the victim for payment to remove the viruses it claims to have found; that is scareware.
Tips to Avoid Falling Victim to Social Engineering Scams
- Remain calm – We know, it’s easier said than done. The best advice here is to delay any action. Attackers rely on creating emotional responses and encouraging you to act urgently, knowing that people are poor decision makers when they are emotional and don’t have time to process. Take some time to look over what you’re reading. If you’re at work, you should notify the IT department if you receive an email you’re unsure about. If you’re on a phone call, tell the attacker you will call the company back on their customer service line.
- Never give out login credentials in emails or over the phone. A company will never ask for this information.
- Examine links carefully before you click them.
- Look for signs that something isn’t right.
- Use added security measures where possible, for example, two-factor authentication.
- Use strong passwords and don't reuse passwords across accounts. This protects your other accounts if your details are compromised by a social engineering scam. If an attacker gains access to one of your accounts, that's a problem, but it can usually be fixed relatively painlessly; if they gain access to all of your accounts, that's a huge problem.
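"Examine links carefully before you click them" is good advice, but it helps to know what to examine. The following is an added example, not code from the original article, showing the checks a person (or a mail-filtering script) can apply to each link in an HTML email: whether the text shown to the reader names a different domain than the link actually goes to, whether a trusted brand name or a digit-for-letter lookalike of it appears in a hostname that is not the brand's real domain, and whether the hostname uses punycode, which can disguise lookalike letters. The brand allow-list and homoglyph table are illustrative assumptions, and the sample HTML is constructed for this example using reserved `.example` domains.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of the legitimate domain for each trusted brand. This is an
# illustrative assumption for the example, not an authoritative list.
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "microsoft": "microsoft.com",
}

# Digits commonly substituted for letters in lookalike hostnames (assumed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
DOMAIN_TEXT_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (good enough for .com-style domains)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_link(href: str, display_text: str) -> list:
    """Return the reasons this link deserves a second look (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parsed.scheme}'")
    if "xn--" in host:
        reasons.append("punycode hostname can disguise lookalike letters")

    # 1. The text shows one domain but the href goes somewhere else.
    shown = DOMAIN_TEXT_RE.search(display_text)
    if shown and host and registrable_domain(shown.group(0)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(0)} but link goes to {host}")

    # 2. A trusted brand (or a digit-for-letter lookalike of it) appears in the
    #    hostname, yet the registrable domain is not the brand's real domain.
    normalised = host.translate(HOMOGLYPHS)
    for brand, real in BRAND_DOMAINS.items():
        if brand in normalised and registrable_domain(host) != real:
            reasons.append(f"'{brand}' or a lookalike in hostname, but domain is "
                           f"{registrable_domain(host)}, not {real}")
    return reasons


def inspect_html(html: str) -> dict:
    """Map each href in an HTML email body to the reasons it was flagged."""
    return {href: inspect_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in ANCHOR_RE.findall(html)}


# Constructed sample email body for demonstration only.
SAMPLE_HTML = """
<p>Dear Customer, please <a href="http://paypal.com.account-verify.example/login">log in at https://www.paypal.com</a> now.</p>
<p>Or use <a href="https://www.amazon.com/orders">your Amazon orders page</a>.</p>
<p>Download the <a href="http://www.micros0ft-update.example/fix.exe">security update</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_html(SAMPLE_HTML).items():
        print(href, "->", reasons or "no issues found")
```

The first sample link illustrates the two most common tricks at once: the visible text says paypal.com while the real destination is a subdomain of an unrelated domain, and the brand name is placed at the front of the hostname where a reader scanning left to right will see it. The third link shows why the homoglyph normalisation matters; without it, "micros0ft" would not match the brand name at all.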