Social engineering awareness is your best tool in combating these types of surreptitious attacks. This article will explore some common social engineering attack strategies and ways to recognize social engineering while suggesting some proactive defense measures that you can implement today.
What Is Social Engineering?
Social engineering is a sophisticated type of cyberattack, although the term itself is not exclusive to cybersecurity.
Social engineering is used in many fields; marketing is one industry that relies heavily on it. Essentially, it is the use of human psychology to tell a convincing story.
In the best-case scenario, the seller may convince you to buy a product or onboard their services. However, the dark side of social engineering involves manipulation, lies, and impersonation.
Unfortunately, few people can spot it while it is happening. In the following section, we define some common social engineering techniques so that they are easier to recognize.
Common Types Of Social Engineering
Social engineering is broader than a handful of techniques; the extent of an attack is limited only by the attacker's imagination. However, there are some widely used social engineering attacks that your organization should educate everyone on, which we will examine now.
One thing to keep in mind about social engineering attacks is that there is always a sense of urgency attached to the “message.” If you ever feel like unsolicited correspondence is rushing you to take action, you should always be suspicious.
Phishing
Phishing is by far the most common type of social engineering out there. As the name suggests, the attackers try to "bait" or "lure" victims into giving up sensitive information.
There are different phishing types within the broad category of phishing; most of them involve the attacker impersonating another person or entity (such as upper management or a trusted organization).
- Email phishing: this type of phishing uses email as the primary means of contact with the victim. Attackers send emails to the victim pretending to be someone else. For example, a typical phishing email comes from a fake "PayPal" domain and asks users to give up their login credentials so that money can be stolen from their accounts.
- Smishing: This phishing type is almost identical to email phishing but uses SMS text messages to establish more personal contact with the victim. It is also often used as a gateway to get the victim to call the attacker, who then continues the conversation over the phone for scamming purposes.
- Vishing: When the victim is on the phone with an attacker, this is vishing (voice phishing). At this stage, the victim is in real danger; unlike the other two phishing types, emotion plays a much larger role in the attack. While on a voice call, the attacker can read the victim's emotional state, and psychological manipulation becomes central to the attack.
Unfortunately, vishing is becoming much more common, and attackers target society’s more vulnerable members, namely the elderly. But organizations are a prime target for these types of attacks too.
Dumpster Diving
Although not strictly part of the attack itself, dumpster diving is a common preparatory step in a social engineering attack. The anatomy of a social engineering attack is very complex, and a sophisticated attack may have been months in the making.
Attackers might spend days rummaging through information about the target before they carry out the attack. One of these steps involves analyzing discarded documents.
Attackers will take advantage of any vulnerability, and often one overlooked aspect of security is physical security. Some organizations will have a paper shredder in the office, but many will just throw paper in a bin without giving it a second thought.
Attackers will look through these discarded documents to look for anything that will give them an upper hand.
They may find things like memos with sensitive business information that they can then exploit. In other cases, they may discover discarded login credentials that give them system access (you would be surprised how many people have their passwords on a sticky note attached to the screen).
Pretexting
Pretexting is similar to phishing but does not involve a written medium. Unlike phishing, there is no effort to craft a fake domain with legitimate-looking logos; instead, the attacker might make direct contact with the victim or organization pretending to be someone they are not.
For example, the attacker may walk right up to the reception desk pretending to be a technician hired to fix something. If they get past the first line of defense, they will make their way to the target destination, possibly a server room, and steal sensitive information.
They will often "look the part," dressing in uniform, with a "company" van to match. This type of attack is quite advanced and will usually have a lot of thought put into it. With pretexting, the attacker will employ dumpster diving techniques (discussed previously) to work out if and when the organization has scheduled any appointments that they could "intercept."
These attacks are pretty rare, as they involve a lot of upfront effort and are high-risk, high-reward. However, you should always remain prepared; effective internal communication and security awareness are an excellent way to combat this type of attack.
Watering Hole Attacks
Much like the water cooler chat you may have in the office, a watering hole attack exploits a common space shared by your organization's members. However, this type of attack is carried out in cyberspace.
An attacker will find a familiar website visited by a large portion of your organization. For example, if your organization services the financial industry, employees likely visit financial news websites.
Knowing this, attackers might set up a fake website that mimics a widely visited financial webpage, like the Financial Times. The victims will then input data into the web portal, thinking it’s the same website they’ve always seen.
Between clicking links and inputting data, the victim gives the attacker the opportunity to set up backdoors on their system, which the attacker can exploit later.
One example of this attack is the 2019 Holy Water campaign, which targeted Asian religious and charity groups. Attackers hijacked legitimate websites linked to these groups and then managed to get victims to download a fake Adobe Flash update that infected their devices.
Victims were comfortable downloading an update on a familiar website. The attackers' motives remain unclear.
Tailgating
Have you ever been at the train station or subway and seen someone go through the ticket gate, while the person right behind them slips through at lightning speed just before the gate locks?
This is a tactic called tailgating, which social engineers will often use to access restricted areas. They will follow a legitimate group, say employees, and use crowd mentality to meld into the environment. They may even dress like them to make the ruse more believable.
Doing this will allow them to slip through physical security measures and gain access to restricted areas.
Whaling Attacks
Whaling attacks are a form of phishing, namely spear phishing. Spear phishing is a specialized, more targeted type of phishing attack. Attackers pick a victim based on their access and dupe them into giving up sensitive information or direct entry.
Whaling is a specific kind of spear phishing that targets executive-level individuals, usually CEOs or CFOs. These individuals generally have high access levels within an information system.
Tricking these individuals will boost the access level of the hacker, as executive-level accounts have access to more sensitive information than lower privilege accounts.
The trends of whaling attacks are growing, and there is pressure on CEOs and executives to manage this threat. Some countries are also considering holding CEOs and executives personally accountable for cyberattacks of this nature.
CEO Fraud
On occasion, attackers will impersonate executive-level personnel to trick staff of lower authority into giving up sensitive information.
Imagine working late at night in the office, and your boss messages you with a sense of urgency to pay a client invoice. If the attackers play their cards right, they can use that authority position and fool you into paying an invoice to them.
How To Defend Your Organization Against Social Engineering
Knowing the types of attacks you can encounter is excellent, but defending against them is better. This section will examine some ways your organization can protect itself against social engineering attacks.
Remember that cybersecurity is an organizational issue. Never rely on just the IT or Infosec team to take care of security; involving everyone always yields better results.
Training, Training, and More Training
Having a robust security infrastructure is only going to take you so far. Without the right people behind it, vulnerabilities are easily found and exploited.
To avoid these issues, ensure that your staff is always as sharp as they can be. Social engineering is exclusively a people problem; if an attacker finds that your encryption, firewall, and anti-virus software are too strong, they will often exploit your organization's people instead.
Carry out staff security awareness training regularly. We recommend holding it at least annually. This regularity ensures that new social engineering threats are mixed into the training so your staff remains on top of the threat landscape.
Anti-Spam Filters and Anti-Virus
Although social engineering is primarily a people issue, software tools can help with any problem. These tools won’t eliminate the problem but will significantly reduce the impact.
Anti-spam filters are the worst enemy of phishing emails. Most modern email platforms come with a built-in anti-spam filter; depending on your organization's needs, you may want to consider a customizable one.
The filters do a decent job of catching the lower-tier phishing emails, but occasionally a more sophisticated one will slip through. In those cases, you want to have an anti-virus installed to catch any payloads attached to the emails (if your employees click on a link or download a file).
Security Information and Event Management (SIEM) Software
SIEM software is an excellent tool in combating a wide range of cyber threats. You can read about SIEM systems right here on our blog. SIEM systems log data on your information system and create an “organizational profile.” When the SIEM system has gathered sufficient data, it can alert you of potential breaches.
In the case of social engineering, it can help you by flagging suspicious behavior. A simple example is logging the hours at which each employee accesses the system (e.g., 9 am to 5 pm). Any access that falls outside that employee's "standard" window can suggest unauthorized access. Another thing to check is the time of day emails arrive in the inbox. Emails sent during unorthodox working hours might indicate a phishing attempt (possibly from another time zone).
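The two checks just described, expressed as a toy detection rule. This is an added example, not code from the original article or from any SIEM product: it learns each employee's usual login window from a week of constructed log lines, then flags later logins outside that window and inbound mail that arrives outside the organization's working hours. All usernames, timestamps and addresses are constructed for illustration.

```python
"""Toy SIEM rule (added example): off-hours logins and off-hours inbound mail.

Every log line, user and address below is constructed; nothing is real data.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts kind user detail")
LINE_RE = re.compile(r"^(\S+)\s+(LOGIN|MAIL_IN)\s+(\S+)\s*(.*)$")

# Constructed baseline: a few days of ordinary logins used to learn each user's hours.
BASELINE_LOG = """
2024-03-04T08:55:12 LOGIN alice workstation-12
2024-03-04T09:02:41 LOGIN bob workstation-07
2024-03-05T08:58:03 LOGIN alice workstation-12
2024-03-05T09:10:19 LOGIN bob workstation-07
2024-03-06T09:01:55 LOGIN alice workstation-12
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """
2024-03-07T02:48:31 MAIL_IN bob from=ceo@extern-mail.example subject="URGENT wire transfer"
2024-03-07T03:14:27 LOGIN alice vpn-gateway
2024-03-07T09:03:10 LOGIN alice workstation-12
2024-03-07T10:12:00 MAIL_IN bob from=vendor@example-supplier.test subject="Invoice 4471"
"""


def parse(log):
    """Turn the text log into Event records; lines that do not match are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, user, detail = m.groups()
            events.append(Event(datetime.fromisoformat(ts), kind, user, detail))
    return events


def fractional_hour(ts):
    """Time of day as a float, e.g. 09:30 -> 9.5."""
    return ts.hour + ts.minute / 60 + ts.second / 3600


def build_baseline(events, margin=1.0):
    """Per-user login window: earliest and latest observed hour, widened by a margin."""
    seen = defaultdict(list)
    for ev in events:
        if ev.kind == "LOGIN":
            seen[ev.user].append(fractional_hour(ev.ts))
    return {user: (max(0.0, min(h) - margin), min(24.0, max(h) + margin))
            for user, h in seen.items()}


def detect(events, baseline, business_hours=(8.0, 18.0)):
    """Return (rule, user, timestamp, detail) findings for off-hours activity."""
    findings = []
    for ev in events:
        hour = fractional_hour(ev.ts)
        if ev.kind == "LOGIN":
            # A user with no learned window falls back to the organization-wide hours.
            lo, hi = baseline.get(ev.user, business_hours)
            if not lo <= hour <= hi:
                findings.append(("OFF_HOURS_LOGIN", ev.user, ev.ts.isoformat(), ev.detail))
        elif ev.kind == "MAIL_IN":
            lo, hi = business_hours
            if not lo <= hour <= hi:
                sender = re.search(r"from=(\S+)", ev.detail)
                findings.append(("OFF_HOURS_MAIL", ev.user, ev.ts.isoformat(),
                                 sender.group(1) if sender else ev.detail))
    return findings


if __name__ == "__main__":
    learned = build_baseline(parse(BASELINE_LOG))
    for finding in detect(parse(NEW_LOG), learned):
        print(*finding)
```

Run as-is, the rule reports the 02:48 "URGENT wire transfer" message and the 03:14 VPN login for alice, while the 09:03 login and the 10:12 invoice mail pass. In a real deployment the baseline would be learned over a longer window and per weekday, and the findings would feed a ticket or alert rather than standard output.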
Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is a handy tool in combating social engineering, especially in payment processing. Whether your office has one person or many people handling invoices, you should consider 2FA.
2FA will add an extra layer of security between the payer and the payee. It is a way to ensure that the money paid is to a genuine contractor, third-party, or business partner. A simple way to implement this is by giving the payee a phrase during the invoicing process that only they would know.
Added security levels using a secret phrase mean any invoice requested that does not contain this phrase should be considered suspect.
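The shared-phrase check described above, written out as an added example that is not part of the original article. The vendor registry, the `verify_invoice` function and the invoice records are assumptions made for illustration: the registry stores a salted hash of each payee's phrase rather than the phrase itself, compares it in constant time, and, as an extension of the article's check, also confirms that the account on the invoice is the one registered for that payee.

```python
"""Invoice second factor (added example): a per-payee secret phrase.

The registry, invoice format and all sample values are constructed for this
example; they are not from any real invoicing system.
"""
import hashlib
import hmac
import secrets


def _hash_phrase(phrase, salt):
    """Salted PBKDF2 digest so the phrase itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, 100_000)


class VendorRegistry:
    """Holds, per payee, the hashed phrase agreed during onboarding and the payout account."""

    def __init__(self):
        self._vendors = {}

    def register(self, vendor_id, phrase, payee_account):
        salt = secrets.token_bytes(16)
        self._vendors[vendor_id] = {
            "salt": salt,
            "digest": _hash_phrase(phrase, salt),
            "account": payee_account,
        }

    def verify_invoice(self, invoice):
        """Return (approved, reasons). Any reason means the invoice needs a human call-back."""
        reasons = []
        record = self._vendors.get(invoice.get("vendor_id"))
        if record is None:
            return False, ["unknown vendor"]
        phrase = invoice.get("phrase") or ""
        if not phrase:
            reasons.append("missing shared phrase")
        elif not hmac.compare_digest(_hash_phrase(phrase, record["salt"]), record["digest"]):
            reasons.append("shared phrase mismatch")
        # Extension beyond the article's phrase check: the payout account must be the one on file.
        if invoice.get("payee_account") != record["account"]:
            reasons.append("payee account differs from the one on file")
        return (not reasons), reasons


def demo():
    """Constructed walk-through: one genuine invoice, one that should be held."""
    registry = VendorRegistry()
    registry.register("acme-ltd", "blue heron 42", "GB00-0000-1111")
    genuine = {"vendor_id": "acme-ltd", "phrase": "blue heron 42",
               "payee_account": "GB00-0000-1111"}
    suspect = {"vendor_id": "acme-ltd", "phrase": "",
               "payee_account": "GB99-9999-9999"}
    return registry.verify_invoice(genuine), registry.verify_invoice(suspect)


if __name__ == "__main__":
    for approved, reasons in demo():
        print("approved" if approved else "HOLD", reasons)
```

The phrase is only useful if it travels on a different channel from the invoice request (agreed by phone or in person at onboarding), so an attacker who has read the mailbox still cannot supply it; the account check catches the common variant where the request is otherwise plausible but the payout details have changed.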
Recap and Closing Remarks
Social engineering tactics can cripple your business if you are not prepared. Attacks are becoming more sophisticated and can trick even the most prominent companies out of 100 million dollars, which happened to Google and Facebook.
The first step to combating social engineering is to know its many faces. This article discussed some standard techniques:
- Dumpster Diving
- Watering Hole
- Whaling attacks (spear phishing)
- CEO Fraud
Keeping your staff up to date and maintaining a general degree of social engineering awareness will do wonders for your organization’s security culture development.
But even in those cases, advanced attackers can still make their way through. Having a dedicated security partner can help you sharpen your security infrastructure.
Contact RSI Security today and see what a Managed Security Service Provider (MSSP) can do for you. Schedule a consultation here.