What is Social Engineering?
Also known as “human hacking,” social engineering attacks use psychologically manipulative tactics to influence a user’s behavior. By understanding what needs to be done to drive a user’s actions, a threat actor can apply deceptive tactics to incite a heightened emotional response (fear, anger, excitement, curiosity, empathy, love, guilt, sadness, etc.) or exploit a user's lack of knowledge. In so doing, the attacker induces the user to perform ill-advised actions, such as:
- Clicking a malware infected link
- Granting access to an asset (bypassing MFA)
- Divulging confidential information, like their credentials, to compromise their digital security.
The attacker then exploits the mistake to gain inappropriate access to private information, assets, or other valuable resources. Via a social engineer attack, the threat actor may get a user to unwittingly play into their scheme by:
- Redirecting the user to a fraudulent website form meant to collect their personal data or secrets.
- Clicking a malicious or infected link or attachment they receive in a fraudulent communication (email, instant message, SMS, etc.).
- Using email, voice, or text messages to coerce the victim to disclose sensitive, personal, or financial data under the guise of trust.
This blog will explore the risks posed to an organization when an employee is targeted by a social engineering attack, the top social engineering schemes to look out for, and the best ways to fend off a social engineering attacker when they do make contact.
Why are social engineering attacks a high risk to organizations?
Social engineering attacks are more prevalent and threatening than ever. According to Verizon’s 2022 Data Breach Investigations Report (DBIR), social engineering attacks have maintained their position among the top three attack patterns affecting DBIR participants since 2017.
From Verizon’s 2022 study, 2,249 social engineering incidents were reported, and 1,063 of these involved confirmed data disclosure (63% of these involved credentials). 100% of these incidents were incited by external threat actors, with motives including financial incentive (89%) and espionage (11%).
Social engineering attacks often act as a gateway for other attacks and breaches.
While software misconfigurations and poor network hygiene are predominant entry points for a breach, one of the reasons social engineering attacks are seen as such as high risk (and are seen to have such a high success rate) is because they target human beings. The human element was found to be a persistent key driver of 82% of breaches in the DBIR, and is widely recognized as cybersecurity weak link—if not its weakest.
What are the “human elements” threat actors are targeting?
- Humans are driven by emotions – like fear, curiosity, and anger. These emotions can be manipulated and leveraged to the attacker’s gain. These emails, texts and posts elicit an emotional response in you. Humans don’t always act rationally when in a heightened emotional state. Threat actors count on this and will make use of timely and socially relevant content to exploit those emotions. The best security advice here is to remain calm and think through the request. Threat actors are cunning con artists.
- Trust – Humans tend to trust the authority of familiar organizations. Assuming the legitimacy of a notification based on the apparent authority of the entity, or even the likelihood they could be reaching out to you, can leave you vulnerable to fraudulent activity. Just because you bank with Bank of America does not mean the communication coming from them is legitimate. Verification of the source is crucial. Remember to trust, but verify, before acting.
- Lack of knowledge – many social engineering tactics sit on the leading edge of threat innovation, which often means users are unaware of what to look for to avoid being targeted or attacked. This requires everyone to stay vigilant and keep educating themselves on the latest tactics.
- Misconception – often users are guided by misconceptions like thinking they aren’t significant enough to be targeted by a threat actor. Victims erroneously believe threat actors wouldn’t spend time learning how to personalize an attack against them, or build a rapport with them by holding regular conversations to harvest information. End users should never underestimate the importance of their personal information.
- Assumptions – Assuming social engineering threats only involve the computer and not the telephone, text messages, or even postal mail can be a liability to victims. End users should never assume threat actors are unaware of existing conversation threads (like email conversations held with colleagues), accounts you may have, or companies you conduct business with as a part of their social engineering campaigns. This is especially true when that information may have been disclosed during a breach of an organization or other person.
Types of Social Engineering Attacks
#1 Phishing Attacks (email)
Phishing refers to a type of social engineering attack where an attacker disguises as a trusted entity to trick an unsuspecting user into opening a fraudulent email containing a malicious link, file attachment, or some form of embedded code. Once clicked, opened, or executed, the contents can exploit the asset or install a wide variety of malware (or ransomware) to attempt to steal user data, credentials, create a beachhead, or hold assets hostage. Employees are considered a primary phishing target because they have external-facing tools, like email and social media, that could potentially allow the attacker to gain a foothold and execute lateral movement through the corporate network, once they’ve infiltrated the employee’s asset and identity.
#2 Spear Phishing
Spear phishing is a specific variant of phishing targeting specific individuals or groups within an organization using emails (often an email and attachment), social media, instant messaging, etc. The purpose is to induce the targeted user to divulge personal information or perform an action to compromise the network, or cause a loss of data or finances. Spear phishing attacks often involve prior research of the targets. Spear phishers may use high levels of personalization to encourage the target to carry out the required action. These attacks are designed to create the perception that the source is trusted by using information only the target would potentially know or recognize as legitimate.
#3 Whaling Attacks
Whaling attacks are a sophisticated form of spear phishing attacks that target senior executives and C-level personnel. The goal is to bring in the “whale” (aka executive) of an organization. These attacks feature fraudulent, but well-crafted, emails using business language and tone, while conveying a sense of urgency to encourage the user to perform a secondary action, such as initiating a wire transfer. Financial institutions, cloud storage sites, file hosting sites, and e-commerce sites are some of the most targeted since their executives are easily identifiable on the Internet. Whaling attacks tend to get large returns for the threat actors and pose some of the biggest risks to businesses because the targets potentially have the capability to execute the scam by giving orders to their subordinates to the threat actor’s benefit.
#4 Smishing and Vishing
Similar to email phishing, smishing is a fraudulent text message containing a link to a form designed to steal the user’s information or exploit a vulnerability. Clicking the link may also download malware, such as viruses, ransomware, spyware, or adware, onto the user’s device. These often take the form of urgent requests from a delivery service, bank, or even a superior at work. The threat actor leverages the link as a means of taking “quick action” to solve an urgent problem or gain an end users trust as the first step in a more sophisticated attack.
Vishing involves fraudulent calls or voicemails that pose as legitimate companies to solicit personal information, such as your name, address, driver’s license number, social security number, and credit card information. These attacks may also record your voice and use this recording to authorize charges or access to your financial accounts. Phone calls are typically more trusted communications than the written word in an email or text message. These can be more difficult to identify if the threat actor is posing as a company or person you already have a trusted relationship with, like an electric company, insurance carrier, or even an employee who might be traveling abroad and has lost access.
This is a highly manipulative social engineering technique that “baits” users with tempting offers (i.e. movie or music downloads, discounts, and prizes) or even malware-infected devices (i.e. USB drives left on the floor, parking lot, conference room, etc.) to infect a user’s system with malware or steal their sensitive information. The vehicle for malicious “clickbaiting” can be anything listed above, and end users should follow the philosophy, "if it sounds too good to be true, it probably is fraudulent," and never connect a device found in the wild (or randomly in your office) to your computer.
#6 Business Email Compromise (BEC)
An email cybercrime specifically targeting businesses with the goal of defrauding the company. A common associated scam is an Email Account Compromise (EAC) based on a legitimate email account being inappropriately accessed by a threat actor. Both are difficult to detect and prevent, and both have increased as cloud-based infrastructures have become more common and extensive. BEC scams have exposed organizations to billions in potential losses when threat actors pose as legitimate employees or companies to interact with workflows or create exceptions to divert funds or information to a malicious entity. A simple example is a fake invoice submitted for payment that defrauds the company, once paid.
#7 Tech Support, Rebate, or Legal Scams
These types of fraud involve a scammer masquerading as a legitimate technical support service or legal entity attempting to convince you that their services are required, based on your emotional response. These attacks commonly feature popups with malicious links via a web browser, phishing, smishing, or vishing. (i.e. a fake error notification that links to a fake help line or website). These attempt to convince the user of a problem or opportunity and may prompt for payment through gift cards or other untraceable means. The end goal can be either financial or to infect the asset with additional malware (like free anti-virus software) under the guise of trying to help the victim.
#8 Romantic Scams
Romance-based social engineering scams are when a criminal or con artist adopts a fake online identity to gain their victim’s trust and affection, and then manipulates them for financial gain. These threat actors can be present on dating and social media sites. They often claim to be out of the country looking for help, and usually end up asking for money for a medical or legal emergency. Some gain access to the victim’s bank account information and use this to carry out other theft and fraud schemes. Victims fall for this type of attack via sensitivity based on the portrayal of emotions by the threat actor and the victim’s willingness to help.
#9 Scareware and Personal Threats
These tactics intentionally scare people into visiting a fraudulent and infected website or into downloading malicious software (malware). These threats often appear as pop-up ads or spam emails warning about an immediate threat or another issue that needs to be fixed immediately by clicking a link. Once clicked, rather than helping the user fix a problem, the malware is deployed to conduct some other nefarious activity. This is related to technical support scams; however, the messaging is based on fear, urgency, and the potential threat of incarceration. This attack vector commonly invokes emotions based on the fear of being investigated by the government or losing services, like insurance or electricity.
#10 Watering Hole Attacks
By either infecting existing websites, cloning them with similar URLs, or performing Advisory in the Middle attacks (AitM), threat actors use watering hole attacks to capture credentials and other personally identifiable information for identity-based scams. Threat actors use a variety of techniques to lure users towards the malicious website and hope the victim cannot identify the attack. The threat actor’s goal is to capture credentials or other personal information. One example involves leveraging fraudulent email ads to encourage the target to unsubscribe by clicking a malicious “unsubscribe” link or filling in a fraudulent “unsubscribe” form. Ultimately, a watering hole attack is designed to capture information you would normally enter on a legitimate site. It gets its name from wild animals being drawn to a pool of water due to thirst, but as a consequence, being attacked by a predator lurking below the muck.
How do you Prevent a Social Engineering Attack?
Now that you know the top threats to stay vigilant for, here are the top strategies to help protect you when a threat actor tries to make contact.
- Verify the communication is legitimate by checking it is from a trusted source. Check that the email address is correct, there are no spelling, foreign characters, or odd grammar mistakes, and make sure your name is correct. Do not be afraid to phone the company to confirm they did reach out to you by email in order to validate the identity of the sender.
- Verify any links are for real domains—watch for questionable URL endings, like “.ru.” or plus signs (+) in lieu of the letter t using a similar font. Copying the link and opening it in notepad is a simple way to verify its contents.
- Update your operating system and applications regularly to stay up to date with security patches. Known and unpatched vulnerabilities are commonly exploited targets.
- Make sure your antivirus software is properly licensed, updated regularly, and scanning your system regularly. Also maintain your SPAM filters and firewalls to stop malicious emails before they hit your inbox. If the cost is a concern, check if your internet service provider provides it at a discounted cost or even for free. Many of them do in order to lower their own technical support costs.
- Be wary of volunteering personal information. Don’t underestimate the power this can give a threat actor. Even basic information can leave you vulnerable or allow them to learn more about you.
- Don’t underestimate your value to the threat actor. Just because you aren’t the CEO of the company doesn’t mean you aren’t a target. A threat actor will look for any point of entry into a network and move laterally until they find what they are looking for, and you can be a target just because you have access.
- Implement the principle of least privilege to make sure you are operating with the proper amount of privileges. Avoid interacting with your computer as an administrator for daily activities. By removing local admin rights for basic user accounts, and by restricting those users who do require privileges (i.e. IT admins) from accessing the web or checking email, you can protect your network from malware that needs administrative privileges to execute.
- Don’t use old, outdated, or EOL operating systems. If it isn’t getting security patches anymore, it is full of known vulnerabilities and exploits that will be targeted by threat actors. These systems should never be used to surf the Internet or receive email.
- Be aware of your emotions. Consider your negative, fearful, or curious response as a red flag that someone may be trying to get you to click on a link or open a file without taking all the appropriate steps and considerations to verify the sender and contents.
- Perform pen tests on your infrastructure and employees. One of the best ways to protect your network from social engineering attacks is to incorporate social engineering tactics into your pen test methodology. Performing permissible pen tests, including Phishing, Vishing, SMishing, social media, and remote access pen tests, can help you identify where you need to mitigate social engineering vulnerabilities (i.e. via security solutions, employee training, changing workflows or processes, etc.).
Next steps for protecting yourself from a Social Engineering Attack
Social engineering schemes are a devious form of attack—but they aren’t impossible to detect and prevent. By knowing what to look for, the preventative steps you can take, and the tools that can help, you can pose a significant obstacle to the threat actor who is attempting to break into your network. Read our blog on “When Clickbait Goes Bad” to learn more tips and tricks that can help you steer clear of phishing clickbait.
BeyondTrust can help you dramatically improve your cybersecurity hygiene by eliminating local admin rights, applying application control, and more to minimize your attack surface and protect your organization from social engineering attacks. Learn more by checking out our leading Endpoint Privilege Management (EPM) solution.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.