When a ransomware group launched twin cyber attacks on casino giants MGM and Caesars, they only needed the accidental participation of the organizations’ outsourced IT help desk to get started. It was social engineering — in this case impersonation over the phone, or vishing — that gave the hackers the information they needed to launch a ransomware attack that cost both casinos millions.
According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches last year involved the human element, including “error, privilege misuse, use of stolen credentials, or social engineering.” In addition, Arctic Wolf’s own research showed user action as the root point of compromise for 28% of incidents in 2022.
It’s clear that social engineering is a favorite in threat actors’ toolkits, and it’s not going away any time soon.
What Is Social Engineering?
Social engineering is a ploy used by threat actors to obtain access or data from unsuspecting human victims. It can involve multiple mediums, including email, phone, or even the spoofing of once-trusted websites, and can have multiple goals such as credential theft or financial gain. For an individual user, a social engineering attack can look like a fraudulent email with a malicious link. For an organization, it can look like a ransomware group convincing an IT help desk to hand over access to internal systems.
Social engineering preys on human emotions, from fear to urgency to sympathy, and is consistently used because it is consistently effective. Humans are fallible.
While social engineering attacks can target a single individual with a single end goal such as sending one person a misleading text message in hopes they hand over banking information, more frequently they are becoming just one phase in a larger, more complex attack. The social engineering attack on MGM’s IT help desk gave the threat actors the access they needed to then launch a massive ransomware attack, shutting down systems for days. The technique can also be used in the middle of an attack to gain privileged access, or as more of a side quest to gain data or financial information while a larger attack is ongoing. Multiple kinds of social engineering attacks can be used at once, too. For example, business email compromise (BEC) attacks are a kind of phishing attack, a vishing attack can lead to a mobile payment app attack, and a social engineer can use baiting within a phishing attack. All these techniques work together to add sophistication and help ensure success.
The Social Engineering Attack Cycle
While every social engineering attack may look different in terms of techniques and goals, each follows the same cycle consisting of four parts:
- Information gathering. This is when a threat actor does research on the target to find what weakness and medium will work best for the attack.
- Establishing a relationship. This is when the threat actor lays out the plan of attack. It could involve choosing to target a specific department with a phishing email or impersonating an assistant to the CEO with a business email compromise (BEC) attack.
- Exploitation. This is the attack itself. It’s the threat actor calling MGM’s IT help desk and launching the ploy.
- Execution. This is when success is achieved.
This cycle can be repeated multiple times, and individual stages can recur as well. For example, if a threat actor is mass emailing an entire department of an organization with a spam phishing technique, parts two and three may repeat until execution is achieved.
Why is Social Engineering Effective?
Users are a major part of the attack surface, often have access to various endpoints, assets, and more, and are often untrained on how to spot or respond to a social engineering attack. For threat actors launching a multi-phase attack, it’s more efficient to simply trick a user into giving up a password than it is to use sophisticated technical means.
In addition, BEC attacks, one of the more popular kinds of social engineering attacks, have proven to be a quick payday for threat actors. According to Arctic Wolf data, the attack vector increased 29% YoY from 2021 to 2022 and caused over $2.7 billion in losses last year.
And that’s just one kind of social engineering attack.
Different Types of Social Engineering Attacks
- Phishing
The most common kind of social engineering attack, a phishing attack occurs when a hacker impersonates an entity known to the target and sends the target an email asking for access or data. According to the 2023 Verizon Data Breach Investigations Report, 44% of all social engineering attacks are phishing attacks. While the mind may turn to seniors getting scammed or long-lost relatives emailing and asking for money, phishing has become quite sophisticated. Attackers may mirror known email addresses, messaging accounts, or even links. For example, a victim could receive a phishing attempt in the form of a message that looks like it’s from HR asking them to click on a link and confirm their holiday schedule. While phishing refers to email phishing specifically, the term has become synonymous with any impersonation message, and has spawned a series of sub-tactics that can be just as difficult to detect. Types of phishing attacks include:
- Spam (or mass) phishing: a generalized attack aimed at multiple users that prioritizes quantity over quality.
- Spear phishing: a targeted, personalized attack aimed at a specific individual that appears to come from someone that individual trusts.
- Whaling: a form of spear phishing aimed at high-profile, high-value targets like celebrities, public or private companies’ executives and board members, and government officials.
- Vishing: also known as voice phishing, vishing uses a phone call in place of email to launch the attack.
- Smishing: also known as SMS phishing, this attack uses text messaging in place of email or telephone.
- Angler phishing: this kind of phishing attack is instigated by the victim and targets social media accounts. The attacker creates a fake account (impersonating a company or a customer service representative) and responds to the victim’s social media post or complaint.
- URL phishing: a threat actor creates a fake website that tricks users into handing over credentials or other information.
- In-session phishing: a threat actor launches a pop-up window during an active web browsing session, tricking the user into thinking the pop-up came from the legitimate site.
- Quid pro quo phishing: a threat actor uses emotional manipulation to convince the user that by handing over information they are doing someone a favor, or that they will get something (for example, IT help) in return.
- Mobile payment app phishing: a threat actor asks for payment through a mobile payment application.
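The sender-mirroring and link-mirroring tricks described above are what an inbound email filter tries to catch before a user ever sees the message. The following is an added example, not code from the original post or from Arctic Wolf, showing the kind of heuristic checks such a filter applies: a lookalike sender domain (digit-for-letter and "rn"-for-"m" substitutions), a Reply-To that points somewhere other than the sender, a display name that borrows the organization’s name, a link whose hostname only starts with the trusted domain, and urgency wording. The trusted domain, the two sample messages and the score weights are constructed for illustration.

```python
"""Heuristic phishing checks of the kind an inbound email filter applies.

Added example; not code from the original post or from Arctic Wolf.
The trusted domain, sample messages, weights and thresholds are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the organization's real domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
WEIGHTS = {  # constructed weights; anything >= 40 is quarantined
    "lookalike_sender_domain": 40,
    "suspicious_link_domain": 40,
    "display_name_impersonation": 25,
    "reply_to_mismatch": 20,
    "urgency_language": 10,
}


def normalize(domain: str) -> str:
    """Fold common mimicry: digits for letters, 'rn' for 'm', and extra hyphens."""
    d = domain.lower().strip().rstrip(".")
    d = d.replace("rn", "m")
    d = d.translate(str.maketrans("0135", "oles"))
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels (assumption: no public-suffix list, so co.uk-style TLDs are not handled)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_lookalike(domain: str) -> bool:
    """True when the domain is untrusted but within one edit of a trusted domain after normalizing."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(normalize(reg), normalize(t)) <= 1 for t in TRUSTED_DOMAINS)


def trusted_name_in_subdomain(host: str) -> bool:
    """True for hosts like example-corp.com.evil.net, where the trusted name is only a prefix."""
    return any(t in host.lower() and registrable(host) != t for t in TRUSTED_DOMAINS)


def analyze(raw: str) -> dict:
    """Return the findings, a score and a verdict for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = set()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]

    if is_lookalike(from_domain):
        findings.add("lookalike_sender_domain")
    if reply_domain and registrable(reply_domain) != registrable(from_domain):
        findings.add("reply_to_mismatch")
    brands = {t.split(".")[0].replace("-", " ") for t in TRUSTED_DOMAINS}
    if registrable(from_domain) not in TRUSTED_DOMAINS and any(b in from_name.lower() for b in brands):
        findings.add("display_name_impersonation")

    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host) or trusted_name_in_subdomain(host):
            findings.add("suspicious_link_domain")
    if any(w in (msg.get("Subject", "") + " " + body).lower() for w in URGENCY_WORDS):
        findings.add("urgency_language")

    score = sum(WEIGHTS[f] for f in findings)
    verdict = "quarantine" if score >= 40 else "flag" if score else "deliver"
    return {"findings": sorted(findings), "score": score, "verdict": verdict}


# Constructed sample messages: one impersonating HR, one genuine.
PHISH_SAMPLE = """From: "Example Corp HR" <hr@examp1e-corp.com>
Reply-To: payroll.desk@mail-relay.net
To: alice@example-corp.com
Subject: Urgent: confirm your holiday schedule

Please confirm your schedule within 24 hours at
https://example-corp.com.schedule-portal.net/login or your account will be suspended.
"""
LEGIT_SAMPLE = """From: "Example Corp HR" <hr@example-corp.com>
To: alice@example-corp.com
Subject: Holiday schedule posted

The schedule is on the intranet: https://intranet.example-corp.com/holidays
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(raw))
```

Scores and thresholds like these are a starting point for tuning against an organization’s own mail flow; the value of the example is the set of signals, each of which maps to one of the impersonation techniques listed above.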
- Business Email Compromise (BEC)
A BEC attack occurs when a user’s email account has been compromised and is then used to obtain financial information, access, or payments from other users. Traditionally, after gaining access, the threat actor will send out fake emails requesting the transfer of funds. As mentioned above, BEC attacks are both increasing in volume and costing organizations. According to Arctic Wolf’s data analysis, manufacturing is the top targeted industry, seeing 63% more BEC investigations than any other industry. BEC attacks, like phishing, are a low-effort, high-value, volume-based strategy that can result in massive financial gain.
- Baiting
Baiting uses a false promise (an online ad for a free game, deeply discounted software, etc.) to trick the victim into revealing sensitive personal and financial information or infecting their system with malware or ransomware.
- Scareware
Scareware attacks use pop-up ads to frighten a user into thinking their system is infected with a computer virus, and that they need to purchase the offered antivirus software to protect themselves. Instead, the software itself is malicious, infecting the user’s system with the very viruses they were trying to prevent.
- Tailgating
Tailgating is an attempt to gain unauthorized physical access to secure spaces on company premises through coercion or deception.
- Shoulder Surfing
Shoulder surfing and eavesdropping involve the surveillance of sensitive data in public spaces like airports, coffee shops, or even an unlocked, unattended laptop in the office.
- DNS Spoofing
With DNS spoofing attacks, a threat actor learns the sites a user visits and, using that information, injects fake DNS entries into a resolver’s cache — the stored mapping of domain names to IP addresses that resolvers keep — allowing them to redirect the user from sites they visit often onto spoofed versions of those sites. Once on the spoofed page, the user reveals sensitive information, believing the site to be trustworthy. The spoofing is often achieved through DNS cache poisoning.
How to Prevent Social Engineering Attacks
Fighting social engineering attacks is a multi-front war. From preventing credential theft to employing email filters and email security to making sure users are properly trained, a strong strategy within this field of cybersecurity is one that employs multiple methods simultaneously.
Let’s look at the target — the human element — first.
Security Awareness Training
Because users are the main target in social engineering attacks, organizations need to work to turn their employees into a major line of defense. Being able to detect and stop a social engineering attack before it turns into an incident can make all the difference, and every user has a role to play.
Strong security awareness training will include:
- Up-to-date, relevant content
- Empowering language that treats users as an asset, not a weak link
- Phishing simulations to track progress and test skills
- Microlearning for better retention and understanding
- Education that builds an organization-wide culture of security
While users serve a vital role in stopping social engineering, they are not the only tool organizations can deploy.
Combatting Social Engineering with Technology
There are multiple tools that can help an organization detect a social engineering attack, stop it before a user falls for the potential exploitation, or even shut down the incident after initial execution.
- Multi-factor authentication (MFA). This access control adds a layer of security on top of credentials, which can stop a BEC attack before it occurs or stop a threat actor from moving laterally if they have gained credentials during a social engineering attack.
- Identity and access management (IAM) tools that follow a Zero Trust framework, which prevents privileged access without verification.
- Managed Detection and Response (MDR). An MDR solution can detect and respond to unusual account activity, suspicious logins, or suspicious user behavior.
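The "suspicious logins" and "unusual account activity" that an MDR or SIEM rule watches for after a credential has been phished are concrete patterns in authentication logs. The following is an added example, not code from the original post or from Arctic Wolf’s MDR product, that runs three such detections over constructed sign-in events: a successful login from a country outside the user’s baseline, two successful logins from different countries within too short a window (a simplified impossible-travel check that uses a country change rather than geographic speed, which is an assumption), and a burst of failures followed by a success. The event format, per-user baseline, thresholds and log lines are all constructed.

```python
"""Suspicious-login detections of the kind an MDR analyst or SIEM rule applies.

Added example; not code from the original post or from Arctic Wolf's MDR product.
The event format, baseline, thresholds and sample log are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}
TRAVEL_WINDOW = timedelta(hours=1)   # assumption: a country change faster than this is "impossible travel"
FAIL_THRESHOLD = 5                   # assumption: failures before a success that warrant an alert
FAIL_WINDOW = timedelta(minutes=10)  # assumption: how far back failures count toward the threshold

# Constructed sign-in events, one JSON object per line (documentation IP ranges).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "result": "success"}
{"ts": "2024-03-01T09:20:00Z", "user": "alice", "ip": "203.0.113.7", "country": "RO", "result": "success"}
{"ts": "2024-03-01T10:00:00Z", "user": "bob", "ip": "203.0.113.20", "country": "CA", "result": "success"}
{"ts": "2024-03-01T11:00:00Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "failure"}
{"ts": "2024-03-01T11:00:30Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "failure"}
{"ts": "2024-03-01T11:01:00Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "failure"}
{"ts": "2024-03-01T11:01:30Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "failure"}
{"ts": "2024-03-01T11:02:00Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "failure"}
{"ts": "2024-03-01T11:04:00Z", "user": "bob", "ip": "192.0.2.5", "country": "CA", "result": "success"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with real datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Run the three detections over time-ordered events and return alert dicts."""
    alerts = []
    last_success = {}                   # user -> most recent successful event
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success
    for e in events:
        user = e["user"]
        if e["result"] != "success":
            recent_failures[user].append(e["ts"])
            continue

        # Failures inside the window immediately preceding this success.
        fails = [t for t in recent_failures[user] if e["ts"] - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append({"rule": "failures_then_success", "user": user,
                           "ts": e["ts"], "ip": e["ip"], "count": len(fails)})
        recent_failures[user] = []

        # Success from a country the user has never signed in from.
        if e["country"] not in BASELINE.get(user, set()):
            alerts.append({"rule": "login_from_new_country", "user": user,
                           "ts": e["ts"], "ip": e["ip"], "country": e["country"]})

        # Two successes from different countries closer together than TRAVEL_WINDOW.
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                           "from": prev["country"], "to": e["country"],
                           "minutes_apart": int((e["ts"] - prev["ts"]).total_seconds() // 60)})
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Each alert carries the user, time and source IP so an analyst can pivot into the rest of that session; in practice the baseline would be learned from history rather than hard-coded, and the travel check would use distance between geolocated IPs.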