Social engineering is an effective tactic that gives threat actors a way inside your organization. While security technology is constantly improving and becomes more challenging to circumvent, human nature doesn't change. Therefore, cybercriminals know that it's much easier to trick people than machines—and they use social engineering schemes to accomplish this.
Defining Social Engineering
Social engineers prey on human emotions, such as fear, and on human curiosity. The art of social engineering is thousands of years old, but the proliferation of digital tools in the modern era has elevated social engineering to a whole new level.
The technique is popular with cybercriminals because exploiting people’s trust and emotions is sadly often more effective than trying to hack a network. Another plus: It doesn't require a lot of technical savvy. Essentially, social engineering uses psychology to manipulate a person into taking an action. This could be anything from revealing sensitive data to clicking on a malicious attachment.
The social engineering process often involves multiple steps. It starts with identifying potential targets before gathering intelligence to learn as much as possible about the intended victim. Using that intelligence, threat actors then determine the best way to make an interaction with the would-be victim relevant and effective. This can be done by gaining trust, showing authority, or some other means.
Oftentimes, social engineers don't strategically target their victims but instead take the approach of someone walking through a parking lot and jiggling door handles to see which car is unlocked. If you've ever received a robocall or a generic phishing email that you identified as a scam, you have seen the beginning of a social engineering effort. They are robocalling or phishing thousands and thousands of people and businesses to find that one "unlocked door": the one person who answers, so they can launch into their well-rehearsed story and begin the deception.
Social engineering can occur at any stage in an attack, and is, in fact, typically used at a few steps along the way in a multi-phase attack.
How Does Social Engineering Work?
In a typical phishing scenario, the social engineer sends bulk email to targets that looks legitimate, commonly impersonating a company or an authority figure. Often, the goal is to get recipients to click on a link or open an attachment in order to harvest credentials or instigate financial fraud.
The Types of Social Engineering
Variations on Phishing—Smishing (via text messaging) and Vishing (via phone)
Around April, the IRS phone scam crops up frequently. Social engineers call people and essentially say, "I'm with the IRS and if you don't pay us the money you owe right now, we're going to call the police." (It's usually a little more elaborate than that, but you get the idea.) The combination of urgency, bullying tactics, and the power of authority creates a compelling message.
Unlike phishing, which is part of a mass campaign, spear phishing is personalized and targets specific individuals or categories of employees (such as specific departments). This requires the social engineer to do the additional legwork of uncovering organizational email lists, team structure, and if they want to be extra convincing, additional details about the organization’s inner workings, such as the types of software being used or internal processes.
Social engineers will frequently pose as the CEO of a company and use specialized information they gathered, along with a spoofed email address, to target the accounting team with a wire transfer request. Many times the accounting team will comply, either because they believe it to be a unique situation, or because the request follows their exact process but swaps out one tiny detail, such as an account number, that goes unnoticed until well after the scam is complete.
This type of scam makes criminals a lot of money; between June 2016 and July 2019, CEO fraud cost organizations over $26 billion.
Pretexting (or Faked Scenarios)
In a conversation, typically over the phone, an attacker will try to gather sensitive information through a series of lies. This type of social engineering is often effective because the social engineer has crafted a convincing story: they know what they are going to say, the questions they will ask you, and how to answer and react to any of your questions, all in a way that maintains their credibility.
For example, you may get a call from someone pretending to be from your bank and telling you there's suspicious activity in your account. Using this faked scenario, and enough details to sound convincing, the caller asks you to verify some charges—which, of course, you didn't make—and in the process, asks you for authentication information like your social security number or bank account number.
Three Reasons Social Engineering Works
Social engineering works for numerous reasons, but we'll cover just three to give you an idea of how psychology comes into play.
1. Expert Influence
Why would we divulge account information when a caller claims to be from our bank?
In short: We trust the bank to take care of our money and if the bank says there's a problem, we'll do anything to fix it.
We are so focused on the problem presented, and on our desire to fix it, that we don't take the time to determine whether the caller is really who they say they are; we immediately want to begin the recommended steps to fix the perceived problem.
This is an example of what psychologists call informational social influence—meaning, if we are not sure what to do in a situation, we are far more likely to trust other people for help.
Social engineers use this completely natural problem-solving strategy to their advantage. They present the victim with a situation that deceptively influences the person to use the social engineer as a source of information.
Psychologists have found that some people have become especially reliant on others for information in situations of ambiguity and/or crisis.
In ambiguity, many people are trying to figure out what the right thing to do would be, or the next step they must take. When faced with this uncertainty, people are far more open to being influenced by others. Enter the well-rehearsed social engineer, who can make stealing information from you seem like a favor: they are "helping" you through the next steps you had no clue how to navigate.
In crisis, when you may be feeling fearful or vulnerable, you're also more likely to look to others for direction. Social engineers intentionally use fear and often urgency to manipulate people. If you're worried that you’ll lose money, have your identity stolen, or go to jail, you won't appropriately consider what information you're divulging. Furthermore, social engineers often convey a sense of urgency to support the illusion that you're in the midst of a crisis.
We're naturally inclined to follow the counsel of those who appear more knowledgeable about a situation than we are; add ambiguity and fear to the situation and people will flock to and follow the instructions of the nearest expert to regain control and safety.
2. Attention to Authority
We are taught from an early age to give special attention to those in positions of authority. In an inbox full of email, we will open, read, and respond to a message from our organization’s CEO before we take a look at any messages from our co-workers. In most cases, there is added pressure to react quickly and perform the task flawlessly if we receive a request from our boss or someone else in authority.
This is why social engineering schemes like CEO fraud and the IRS scam work. Criminals posing as CEOs take advantage of our natural trust in reaction to authority. We see an email that appears to be from our CEO and because of our natural reaction to feel under pressure to act quickly, we won’t take the time to determine if they are really who they say they are.
The social engineer knows, from a psychology perspective, they can rely on the authority the CEO title carries to prevent people from wanting to disappoint the authority figure.
Social engineers don't just rely on bullying and threats to get the information they need. They also use charm, friendliness, humor, appreciation, and flattery. These characteristics are disarming and create a sense of trust.
Further, a social engineer's goal is to get in and out without being remembered. Think about it: What kind of customer interactions do you remember and talk to your co-workers about? Do you talk about the customers who politely answer all your questions, or do you talk about the crazy customers who screamed and cursed at you?
A pleasant interaction is far less memorable than an unpleasant one. This makes it easier for social engineers to slip under the radar and cover their tracks without raising any red flags.
How to Prevent Social Engineering
From an organizational standpoint, security awareness and policies are both critical in preventing social engineering attacks.
On the policy side, you need to ensure your procedures take social engineering into account. Do your employees follow a process to accurately verify customers or employees before giving them access to privileged information? Could a social engineer easily gain access to the information you use to verify their identity or right to access? Identify what parts of your processes can be exploited and update your procedures accordingly.
Here are two good practices to teach your employees:
No matter who someone claims to be, always verify. It may seem awkward at first, but verifying that someone is who they say they are should become second nature.
Don't break procedure for “important" people. If a given request usually goes through a certain channel or requires some sort of documentation, then those rules always apply equally to everyone. Procedures aren't there to slow things down—procedures are put in place to prevent fraud and mistakes.
In addition, make sure lines of communication are clear and consistent, and that they effectively communicate information like:
- This type of request will always come from this location.
- A request above a certain threshold requires face-to-face approval.
- This group should be verified in this way.
- This group is privy only to specific pieces of information.
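The rules above, together with the CEO-fraud pattern described earlier (a spoofed sender, a wire request, and a swapped account number), can be encoded as a mechanical screen that holds a payment request for verification before a human acts on it. The following is an added example, not code from the article or from Arctic Wolf; the domain `example.com`, the $10,000 threshold, the executive directory, the vendor account on file and the two sample requests are all constructed for illustration.

```python
"""Rule-based screen for emailed payment requests (added example, constructed data).

Encodes the article's practices: always verify the sender regardless of who
they claim to be, never bend procedure for "important" people, require
face-to-face approval above a threshold, expect a request type to arrive via a
fixed channel, and catch a changed account number before money moves.
"""
from dataclasses import dataclass
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
OUT_OF_BAND_THRESHOLD = 10_000           # assumption: above this, face-to-face approval is required
REQUIRED_CHANNEL = "procurement portal"  # assumption: wire requests never arrive as plain email

# Constructed executive directory: display name -> the only address that name may use.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Constructed vendor master: vendor -> account number on file.
VENDOR_ACCOUNTS = {"Acme Supplies": "DE89370400440532013000"}


@dataclass
class PaymentRequest:
    from_header: str            # raw From: header, e.g. 'Jane Doe <jane.doe@example.com>'
    reply_to: str               # raw Reply-To: header, or "" if absent
    vendor: str
    account: str                # account number the request asks to pay
    amount: float
    received_via: str = "email"
    approved_in_person: bool = False


def screen_request(req: PaymentRequest) -> list[str]:
    """Return the list of policy violations found; an empty list means no flags."""
    flags = []
    display, addr = parseaddr(req.from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # Rule: verify the sender no matter who they claim to be.
    # A familiar executive name on an address the directory does not list is impersonation.
    if display in EXECUTIVES and addr != EXECUTIVES[display].lower():
        flags.append("display-name impersonation")

    # A Reply-To that differs from From sends the conversation somewhere else.
    if req.reply_to:
        _, reply_addr = parseaddr(req.reply_to)
        if reply_addr and reply_addr.lower() != addr:
            flags.append("reply-to mismatch")

    # Rule: this type of request always comes from this location.
    if req.received_via != REQUIRED_CHANNEL:
        flags.append("unexpected channel")
    if domain != INTERNAL_DOMAIN:
        flags.append("external sender")

    # Rule: a swapped account number must not go unnoticed.
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is None:
        flags.append("unknown vendor")
    elif on_file != req.account:
        flags.append("account number changed")

    # Rule: above the threshold, the procedure applies to everyone.
    if req.amount > OUT_OF_BAND_THRESHOLD and not req.approved_in_person:
        flags.append("above threshold without face-to-face approval")

    return flags


def decision(req: PaymentRequest) -> str:
    """Any flag holds the request; the procedure is the same for every requester."""
    return "proceed" if not screen_request(req) else "hold for verification"


# Constructed samples: a request that follows procedure, and one shaped like CEO fraud.
LEGIT = PaymentRequest(
    from_header="Jane Doe <jane.doe@example.com>", reply_to="",
    vendor="Acme Supplies", account="DE89370400440532013000",
    amount=2_500, received_via="procurement portal",
)
FRAUD = PaymentRequest(
    from_header="Jane Doe <jane.doe@examp1e-corp.com>",   # lookalike domain, constructed
    reply_to="jane.doe.ceo@mail-example.net",             # constructed
    vendor="Acme Supplies", account="DE89370400440532013099",
    amount=48_000,
)

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("fraud", FRAUD)):
        print(name, decision(req), screen_request(req))
```

The screen is deliberately dumb: it does not try to judge how convincing the story is, it only asks whether the request matches the channel, sender, account and approval rules the organization already wrote down. That is the point of the article's advice that procedures apply equally to everyone; a check that a human can be talked out of is not a check.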
Additionally, to protect your customers, make them aware of the normal procedures for correspondence and interaction with your organization, and of what information your company representatives would and would not ask them for. If you teach people to recognize social engineering tricks, you can beat criminals at their own game.
Protecting your organization from social engineering attacks is not just about having the right policies—social engineering is also a people problem. This is where social engineers use likability, obedience to authority, and expert influence to their advantage. Even with strong policies in place, if employees are not keeping these dangers, and what to do about them, top of mind, a social engineer will be able to convince an employee to bend the rules and gain access to sensitive data.
To solve the people problem, you must have a strong culture of security in your organization. Your employees need to know what kinds of attacks to look out for and understand what to do to prevent them. Keeping this information top of mind will encourage them not to break from procedure, no matter how convincing the social engineer is.
Increase Awareness About Social Engineering
Creating a stronger, smarter workforce that is ready to spot social engineering attacks is the most effective way to defend against social engineering attacks. Arctic Wolf® Managed Security Awareness® can help create a culture of security-minded employees by preparing them to recognize and neutralize social engineering attacks and avoid human error.
Arctic Wolf Managed Security Awareness is the only employee-centric security awareness training solution delivered as a concierge service. We can help you prevent cyber risk at your organization and empower your employees to identify cyber risks and report mistakes that could expose sensitive data and result in noncompliance issues.