Social engineering remains one of the most reached-for techniques in the average hacker’s toolbox. Its effectiveness (and the fact that many hackers view it as a fun and exciting game) has made the method a common strategy over the last decade. Yet, despite its prevalence, many users couldn’t answer the question: social engineering is the art of what three things?
Social Engineering at a Glance
Motivated cybercriminals have plenty of tools at their disposal. But one of their most cunning and effective strategies, social engineering, is an art form that still exists in the shadows.
This guide sheds some light on social engineering through the lens of three primary questions:
- Social engineering is the art of what three things?
- What is the most common social engineering lifecycle?
- What are common social engineering examples and scenarios?
Throughout, we’ll provide useful tips for identifying and preventing social engineering attacks.
Social Engineering is the Art of What Three Things?
Almost all modern social engineering relies on a handful of common tricks, strategies, and cons. Namely, social engineering categorically involves these three fundamental elements:
- Manipulation – Most social engineering attempts try to manipulate potential victims into a state of emotional distress or urgency.
- Influence – Social engineering attempts to persuade potential victims to assist with their goal (e.g., click on an attachment, send account credentials).
- Deception – Social engineering attempts adopt an appearance of legitimacy to deceive potential victims into believing their authenticity.
To bolster their chances, cybercriminals combine these three elements with one of the following:
- Authority – Hackers often play the role of an authority figure, such as a supervisor at the target’s company or law enforcement, to easily persuade their intended victims.
- Intimidation – Some social engineers use intimidation, including threats of physical violence or other consequences, to scare their potential victims into complying with the scheme.
- Social evidence – By using facts, statistics, or real-world examples from the victims’ lives or current events, hackers can often trick their potential victims into acting in specific ways.
- Scarcity – Hackers often try to create a sense of scarcity when offering fraudulent products or services, invoking security threats or phrases like “while supplies last.”
- Urgency – Social engineers always act with a sense of urgency. They want to pull off their tactics as quickly as possible and will encourage their potential victims to operate in similar haste.
- Familiarity – Hackers and social engineers often try to create a sense of familiarity or likeability with their potential victims, befriending them to manipulate a sense of natural trust.
Being aware of these red flags is the first step toward preventing a phishing attack; the next steps involve active resilience, resisting the temptation to open or answer the messages.
The Social Engineering Life Cycle
While no social engineering attacks are exactly the same, most social engineering examples share similar lifecycles. The most common social engineering lifecycle comprises four steps:
- Intelligence gathering and collection – Although some attacks require more intelligence gathering than others, every attack begins with reconnaissance, such as gathering the names, contact details, and other professional or personal information of the intended targets.
- Initial interaction with the intended victim – Social engineers don’t hesitate when it’s time to contact their potential victims; after learning what they need, they often initiate contact with a seemingly benign message—quick and concise to minimize exposure.
- Launching the attack – An attack can only be launched once the victim’s trust is gained; it consists of the actual email or other message through which the attacker directly solicits information from, or gains access through, the victim. Note, however, that some attacks combine manipulation, influence, deception, and the path to the hacker’s desired outcome in a single message.
- Ending the attack and covering their tracks – The final step for attackers involves disengaging from contact with the victim and executing forensic countermeasures to obscure or eliminate any evidence of the attack. Attackers may also potentially frame the victim.
Preventing social engineering attacks, or minimizing their damage, requires recognizing and responding to them as early in the process as possible. In addition, personnel need to practice vigilance and accountability by refusing to engage with and reporting all suspicious emails received.
Common Social Engineering Scenarios
Modern social engineering takes many forms. While the art used to be limited to one or two proven methods, today’s cybercriminals have access to better technology and greater knowledge that makes attacks more innovative than ever before. The most common are:
Phishing (a play on “fishing”) is the most traditional form of social engineering. Cybercriminals send out fraudulent emails, often en masse, casting a wide net and hoping for targets to take some action. Generally, attackers attempt to convince potential victims to open the message (and allow malware to be installed) or to engage with the attacker and directly provide sensitive information (e.g., credit card or account numbers).
These emails are disguised as legitimate communications, often from an organization or senior-level employee. But because many users are now becoming familiar with common phishing techniques, savvy hackers and social engineers have upgraded their schemes. “Spear phishing,” for example, modifies the original strategy by targeting specific individuals rather than larger, blanket campaigns. Another variation is “whaling.” As a further subtype of spear phishing, whaling targets specific, high-value individuals such as CEOs or other executives who can be leveraged for greater gain.
In all cases, phishing is best addressed with strict vigilance and disengagement. Training should emphasize specific ways to quickly identify an email as official (e.g., watermarks, names).
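The pressure cues listed under the three elements above (authority, intimidation, scarcity, urgency, familiarity) and the sender checks recommended for phishing email can be turned into a simple triage score. The following Python is an added example, not code from the original post or from RSI Security: the cue phrases, their weights, the trusted domain and both sample messages are constructed assumptions, chosen to show how several individually weak signals (a title in the display name, a look-alike sender domain, a Reply-To that points elsewhere, urgency and intimidation wording) stack into a flag that a mail gateway or SOC playbook could act on.

```python
"""Heuristic red-flag scorer for the pressure tactics described above.

Added example (not code from the original post or from RSI Security).
The cue phrases, weights, trusted domain and both sample messages are
constructed for illustration; a real mail filter would use a larger,
tuned phrase set and the full headers of the delivered message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phrase lists, one per pressure tactic named in the post.
CUES = {
    "authority": [r"\bceo\b", r"\bdirector\b", r"\blaw enforcement\b",
                  r"\bon behalf of\b"],
    "intimidation": [r"\blegal action\b", r"\bsuspend(ed)?\b",
                     r"\bterminat(e|ed|ion)\b", r"\bconsequences\b"],
    "urgency": [r"\bimmediately\b", r"\bwithin \d+ (hours?|minutes?)\b",
                r"\burgent\b", r"\bright away\b", r"\basap\b"],
    "scarcity": [r"\bwhile supplies last\b", r"\blimited time\b",
                 r"\bonly \d+ left\b", r"\bexpires?\b"],
    "familiarity": [r"\bas we discussed\b", r"\blong time no see\b",
                    r"\bmy friend\b", r"\bremember me\b"],
}

# Constructed: domains the organisation genuinely sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}
IDENTITY_WEIGHT = 2   # a spoofed identity counts more than any single phrase


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain):
    """True for an untrusted domain that embeds a trusted brand label,
    e.g. mail-example-corp.co when example-corp.com is trusted."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(d.split(".")[0] in domain for d in TRUSTED_DOMAINS)


def score_message(raw):
    """Return (score, hits). hits maps each triggered check to the
    matched text, so an analyst can see why a message was flagged."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    body = msg.get_payload() if not msg.is_multipart() else ""
    # The display name is part of the con (e.g. "Jane Doe, CEO"), so scan it too.
    text = f"{msg.get('From', '')}\n{msg.get('Subject', '')}\n{body}".lower()

    hits = {}
    for tactic, patterns in CUES.items():
        found = [m.group(0) for p in patterns if (m := re.search(p, text))]
        if found:
            hits[tactic] = found
    score = sum(len(v) for v in hits.values())

    if _domain(reply_addr) != _domain(from_addr):
        hits["reply_to_mismatch"] = [f"{from_addr} -> {reply_addr}"]
        score += IDENTITY_WEIGHT
    if lookalike_domain(_domain(from_addr)):
        hits["lookalike_domain"] = [_domain(from_addr)]
        score += IDENTITY_WEIGHT
    return score, hits


def is_suspicious(raw, threshold=4):
    """Flag a message once enough independent cues stack up."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (RFC 822 text, not real mail).
PHISH = """From: "Jane Doe, CEO" <jane.doe@mail-example-corp.co>
Reply-To: finance-desk@example-mailer.net
To: staff@example-corp.com
Subject: URGENT: wire approval needed immediately

As we discussed, I need you to approve the attached wire within 2 hours.
Legal action will follow if the vendor is not paid today.
"""

BENIGN = """From: "Help Desk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Scheduled maintenance on Saturday

The file server will be offline from 02:00 to 04:00 for patching.
No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        score, hits = score_message(sample)
        print(f"{label}: score={score} suspicious={is_suspicious(sample)}")
        for check, matched in hits.items():
            print(f"  {check}: {matched}")
```

Run it directly to see both samples scored. The per-check matches are returned alongside the total so an analyst, or a user-facing warning banner, can explain why a message was held rather than just that it was.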
Vishing (voice phishing) is another form of phishing. Instead of email, the hacker uses an interactive voice response (IVR) system to impersonate a bank or other organization; the victim is prompted to call a toll-free number that leads directly to the hacker’s line.
Another, newer form of phishing, known as smishing, is a direct threat to smartphone users. Smishing attacks use SMS-based messaging to deceive their victims. These attacks often include hyperlinks for the user to click, which leads to a cleverly disguised website containing malicious code.
Again, vigilance is critical to avoiding these attacks: personnel need to know not to answer nor engage with suspicious calls, SMS, or other messages on their personal (or work) phones.
One of the newest social engineering examples, “water holing,” involves attackers injecting malicious code into a legitimate website. Often, this is a website (or page) that potential victims can reasonably be expected to visit, perhaps at specific times. When the victim visits the infected site, their personal computer is infected or compromised, such as with malware.
Water holing requires preparation from the attackers. First, they need to find a website that their target regularly visits. Then, they have to breach that website’s security and modify the code with their malicious scripts. Finally, they need to wait for the victim to visit the infected website one last time before the trap is finally sprung.
Because of this and the technique’s newness, water holing is rarely used today. Instead, most social engineers opt for other, easier strategies. Regardless, potential victims must only visit approved webpages and official versions thereof for pre-defined and authorized purposes.
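The step above where attackers modify a legitimate site’s code is the one a site owner can detect directly. This Python is an added example, not code from the original post or from RSI Security; it assumes the owner keeps a baseline of the scripts on a known-good copy of the page and re-checks a freshly fetched copy against it. The HTML, the injected script URL and the baseline are constructed.

```python
"""Script-integrity check for the website-tampering step of a watering-hole attack.

Added example (not code from the original post or from RSI Security).
It models a site owner who records a baseline of every <script> element on
a page, then re-fetches the page periodically and reports anything added,
removed or altered. The HTML snippets and the "tampered" variant are
constructed; a real deployment would fetch the live page over HTTPS.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def fingerprint(html):
    """Identity of every script on the page: 'src:<url>' for external
    scripts, 'inline:<sha256>' for inline bodies. Hashing the inline body
    means a one-character change shows up as a removed + added entry."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    ids = {f"src:{u}" for u in p.external}
    ids |= {"inline:" + hashlib.sha256(b.encode()).hexdigest() for b in p.inline}
    return ids


def diff_against_baseline(baseline, current_html):
    """Return (added, removed): script identities present now but not in the
    baseline, and baseline entries that are no longer on the page."""
    now = fingerprint(current_html)
    return sorted(now - baseline), sorted(baseline - now)


# Constructed page: what the site owner recorded when it was known-good.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.net/app.js"></script>
<script>window.appConfig = {theme: "light"};</script>
</head><body><h1>Intranet portal</h1></body></html>"""

# Constructed tampered variant: one foreign script tag injected and the
# inline config edited, the two kinds of change a page compromise leaves behind.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '{theme: "light"};', '{theme: "light"}; /* altered */'
).replace(
    "</head>", '<script src="https://cdn-mirror.example.invalid/t.js"></script></head>'
)

if __name__ == "__main__":
    baseline = fingerprint(CLEAN_PAGE)
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        added, removed = diff_against_baseline(baseline, page)
        print(f"{label}: added={added} removed={removed}")
```

Inline bodies are identified by hash, so an edited config block shows up as one removed and one added entry; external scripts are identified by URL, which catches a newly injected tag but not a change to the file behind an existing URL. Subresource Integrity hashes on the script tag are the usual complement for that second case.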
Tailgating, sometimes known as piggybacking, is a social engineering tactic that specifically targets an organization’s physical security. By following closely behind an individual accessing a restricted area, an attacker can easily trail them through a locked door without presenting a key or badge. In many cases, the unsuspecting victim will even hold the door for the hacker to make their entrance.
Physical and proximal security measures, such as barriers, cameras, and strict identification and authentication requirements, significantly reduce the chance of this type of attack succeeding.
Avoiding the Pitfalls of Social Engineering
Have you ever asked yourself the question: social engineering is the art of what three things? If so, or if you want to learn more about social engineering, contact RSI Security today.
Our expert team will assist you in avoiding the pitfalls of social engineering, minimizing the dangers posed by modern cybercriminals, and thriving in the fast-paced and diversified IT industry.