What Is Social Engineering?
Essentially, social engineering uses psychology to manipulate a person into taking an action. This could be anything from revealing sensitive data to clicking on a malicious attachment.
The social engineering process often involves multiple steps. It starts with identifying potential targets before gathering intelligence to learn as much as possible about the intended victim. Using that intelligence, threat actors then determine the best way to make an interaction with the would-be victim relevant and effective. This can be done by gaining trust, showing authority, or some other means.
Evolution of Social Engineering
The art of social engineering is thousands of years old, but the proliferation of digital tools in the modern era has elevated social engineering to a whole new level. Social engineers prey on human emotions, such as fear, and on human curiosity.
The technique is popular with cybercriminals because exploiting people’s trust and emotions is sadly often more effective than trying to hack a network. Another plus: It doesn’t require a lot of technical savvy.
Oftentimes, social engineers don’t strategically target their victims but instead take the approach of someone walking through a parking lot and jiggling door handles to see which car is unlocked. If you’ve ever received a robocall or a generic phishing email that you identified as a scam, this is the beginning of a social engineering effort. They are robocalling or phishing thousands and thousands of people and businesses to find that one ‘unlocked door’: the one person who answers so they can launch into their well-rehearsed story and begin the deception.
Social engineering can occur at any stage in an attack, and is, in fact, typically used at a few steps along the way in a multi-phase attack.
How Does Social Engineering Work?
In a typical phishing scenario, the social engineer sends targets email in bulk that looks legitimate, commonly impersonating a company or an authority figure. Often, the goal is to get recipients to click on a link or attachment with the purpose of credential harvesting or instigating financial fraud.
The Types of Social Engineering
Variations on Phishing—Smishing (via text messaging) and Vishing (via phone)
Around April, the IRS phone scam crops up frequently. Social engineers call people and essentially say they’re with the IRS and if they don’t pay the money they owe now, they’ll call the police. The combination of urgency, bullying tactics, and power of authority creates a compelling message.
Unlike phishing, which is part of a mass campaign, spear phishing is personalised and targets specific individuals or categories of employees (such as specific departments). This requires the social engineer to do the additional legwork of uncovering organisational email lists, team structure, and if they want to be extra convincing, additional details about the organisation’s inner workings, such as the types of software being used or internal processes.
Social engineers will frequently pose as the CEO of a company and use specialised information they gathered, along with a spoofed email address, to target the accounting team with a request for a wire transfer. Many times the accounting team will comply, either because they believe it to be a unique situation, or because the request follows their exact process with one tiny detail swapped out, such as an account number, which goes unnoticed until well after the scam is complete.
This type of scam makes criminals a lot of money; between June 2016 and July 2019 CEO fraud cost organisations over $26 billion.
Pretexting (or Faked Scenarios)
In a conversation, typically over the phone, an attacker will try to gather sensitive information through a series of lies. This type of social engineering is often effective because the social engineer will have crafted a convincing story, they will know what they’re going to say, the questions they will ask you, and how to answer and react to any of your questions all in a way that maintains their credibility.
For example, someone may get a call from a bad actor pretending to be from their bank. They tell the potential victim there’s suspicious activity in their account. Using this faked scenario, and enough details to sound convincing, the caller asks them to verify some charges—which, of course, they didn’t make—and in the process asks them for authentication information like a social security number or bank account number.
Three Reasons Social Engineering Works
Social engineering works for numerous reasons, but we’ll cover just three to give you an idea of how psychology comes into play.
1. Expert Influence
Why would someone divulge account information when a caller claims to be from our bank?
In short: We trust the bank to take care of our money and if the bank says there’s a problem, we’ll do anything to fix it.
We are so focused on the problem presented and the desire to fix it that we don’t take the time to determine if the person calling is really who they say they are and we immediately want to begin the recommended steps to fix the perceived problem.
This is an example of what psychologists call informational social influence—meaning, if we are not sure what to do in a situation, we are far more likely to trust other people for help.
Social engineers use this completely natural problem-solving strategy to their advantage. They present the victim with a situation that deceptively influences the person to use the social engineer as a source of information.
Psychologists have found that some people have become especially reliant on others for information in situations of ambiguity and/or crisis.
In ambiguity, many people are trying to figure out what the right thing to do would be or the next step they must take. When faced with this uncertainty, people are far more open to being influenced by others. Enter the well-rehearsed social engineer and they can make stealing information from you seem like they’re actually doing you a favor by helping you through the ‘next steps’ that you had no clue how to navigate.
In crisis, when you may be feeling fearful or vulnerable, you’re also more likely to look to others for direction. Social engineers intentionally use fear and often urgency to manipulate people. If you’re worried that you’ll lose money, have your identity stolen, or go to jail, you won’t appropriately consider what information you’re divulging. Furthermore, social engineers often convey a sense of urgency to support the illusion that you’re in the midst of a crisis.
We’re naturally inclined to follow the counsel of those who appear more knowledgeable about a situation than we are; add ambiguity and fear to the situation and people will flock to and follow the instructions of the nearest expert to regain control and safety.
2. Attention to Authority
We are taught from an early age to give special attention to those in positions of authority. In an inbox full of email, we will open, read, and respond to a message from our organisation’s CEO before we take a look at any messages from our co-workers. In most cases, there is added pressure to react quickly and perform the task flawlessly if we receive a request from our boss or someone else in authority.
This is why social engineering schemes like CEO fraud and the IRS scam work. Criminals posing as CEOs take advantage of our natural trust in reaction to authority. We see an email that appears to be from our CEO and because of our natural reaction to feel under pressure to act quickly, we won’t take the time to determine if they are really who they say they are.
The social engineer knows, from a psychology perspective, they can rely on the authority the CEO title carries to prevent people from wanting to disappoint the authority figure.
Social engineers don’t just rely on bullying and threats to get the information they need. They also use charm, friendliness, humor, appreciation, and flattery. These characteristics are disarming and create a sense of trust.
Further, a social engineer’s goal is to get in and out without being remembered. This is because a pleasant interaction is far less memorable than an unpleasant one. This makes it easier for social engineers to slip under the radar and cover their tracks without raising any red flags.
How to Prevent Social Engineering
From an organisational standpoint, security awareness and policies are both critical in preventing social engineering attacks.
On the policy side, you need to ensure your procedures take social engineering into account.
Do your employees follow a process to accurately verify customers or employees before giving them access to privileged information? Could a social engineer easily gain access to the information you use to verify their identity or right to access? Identify what parts of your processes can be exploited and update your procedures accordingly.
Here are two good practices to teach your employees:
- No matter who someone claims to be, always verify. It may seem awkward at first, but verifying that someone is who they say they are should become second nature.
- Don’t break procedure for “important” people. If a given request usually goes through a certain channel or requires some sort of documentation, then those rules always apply equally to everyone. Procedures aren’t there to slow things down—procedures are put in place to prevent fraud and mistakes.
In addition, make sure lines of communication are clear and consistent, and that they effectively communicate information like:
- This type of request will always come from this location.
- A request above a certain threshold requires face-to-face approval.
- This group should be verified in this way.
- This group is privy only to specific pieces of information.
Additionally, to protect your customers, make them aware of what the normal procedures are for correspondence and interaction with your organisation, and what information your company representatives would and would not ask them for. If you teach people to recognise social engineering tricks, you can beat criminals at their own game.
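As an added example (not part of the original article), the following Python check turns the practices above into a gate for wire-transfer requests: it flags the spoofed-sender and swapped-account-number patterns of CEO fraud described earlier, and enforces the threshold rule for face-to-face approval. The organisation domain, threshold, executive directory and payee records are constructed placeholders.

```python
# Added example: a policy gate for inbound wire-transfer requests. It encodes
# "always verify", "requests come from an expected channel" and "amounts above
# a threshold need face-to-face approval". All values below are constructed.
from dataclasses import dataclass
from typing import List

ORG_DOMAIN = "example.com"                          # assumed internal mail domain
IN_PERSON_THRESHOLD = 10_000                        # assumed approval threshold
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # constructed directory entry
PAYEES_ON_FILE = {"Acme Supplies": "12345678"}      # constructed account on file


@dataclass
class TransferRequest:
    display_name: str      # name shown in the mail client
    from_addr: str         # actual sender address
    reply_to: str          # Reply-To header, empty if absent
    payee: str
    account_number: str
    amount: float


def check_request(req: TransferRequest) -> List[str]:
    """Return the reasons this request must be verified out of band before any
    money moves. An empty list means no policy flag fired; the article's
    'always verify' rule still applies to the request itself."""
    flags = []
    sender_domain = req.from_addr.rsplit("@", 1)[-1].lower()
    # Executive display name on a message from a different address: the CEO-fraud spoof.
    if req.display_name in EXECUTIVES and req.from_addr.lower() != EXECUTIVES[req.display_name]:
        flags.append("executive name with unexpected sender address")
    # Internal requests should only ever come from the internal domain.
    if sender_domain != ORG_DOMAIN:
        flags.append("request did not come from the expected internal domain")
    # Replies silently routed to another mailbox are a classic diversion.
    if req.reply_to and req.reply_to.lower() != req.from_addr.lower():
        flags.append("reply-to differs from sender")
    # The 'one tiny detail' swap: account number differs from the record on file.
    known = PAYEES_ON_FILE.get(req.payee)
    if known is None:
        flags.append("unknown payee: verify via established channel")
    elif known != req.account_number:
        flags.append("account number differs from the one on file")
    if req.amount >= IN_PERSON_THRESHOLD:
        flags.append("amount at or above threshold: face-to-face approval required")
    return flags


if __name__ == "__main__":
    # Constructed sample: a spoofed 'CEO' asking accounting to pay a changed account.
    suspicious = TransferRequest("Jane Doe", "jane.doe@example-mail.net",
                                 "ceo.jane@webmail.example", "Acme Supplies", "87654321", 25_000)
    for reason in check_request(suspicious):
        print("VERIFY:", reason)
```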
Protecting your organisation from social engineering attacks is not just about having the right policies—social engineering is also a people problem. This is where social engineers can use likability, obedience to authority, and expert influence to their advantage. Even with strong policies in place, if employees are not keeping these dangers and what to do about them top of mind, social engineers will be able to convince an employee to bend the rules and gain access to sensitive data.
To solve the people problem, you must have a strong culture of security in your organisation. Your employees need to know what kinds of attacks to look out for, and understand what to do to prevent them. Keeping this information top of mind will encourage them not to break from procedure, no matter how convincing the social engineer is.
Increase Awareness About Social Engineering
Creating a stronger, smarter workforce that is ready to spot social engineering attacks is the most effective way to defend against social engineering attacks. An effective security awareness program can help create a culture of security-minded employees by preparing them to recognise and neutralise social engineering attacks and avoid human error.