What is Social Engineering?
In our ever-evolving digital landscape, educating and training your employees to recognise and identify cyber threats has never been more vital. A recent report from Verizon revealed that in 2023, 74% of breaches involved the human element, which includes social engineering attacks, errors or misuse, and that 50% of all social engineering attacks used pretexting. This is hardly surprising when Forbes Advisor also revealed that 12.7% of full-time employees work from home, while 28.2% work a hybrid model. With people more likely to let their guard down in a home environment, this only increases the risk.
So, what is social engineering and why is it so important?
Social engineering is a term used to refer to an attack strategy used by hackers. The attack relies primarily on human interaction and manipulation, eventually causing the target to break standard security practices or reveal sensitive information.
Social engineering relies on the exploitation and deception of individuals rather than trying to find technical vulnerabilities within a network – if your workforce is not sufficiently trained, it’s the easiest way for cybercriminals to gain access to your organisation.
Threat actors will often disguise themselves as a trusted entity or information source (like payroll or a supplier) in order to gain the trust of an individual. As a result, the victim is more willing to reveal confidential information, click on a malicious link, or grant access to an account.
How does social engineering work?
In the majority of social engineering attacks, fraudsters will begin by investigating the chosen target and further gather background information. This potential victim could be an individual or an entire enterprise – if it is the latter, the perpetrator might begin by researching the employee structure, internal processes, potential weaknesses or any other relevant information needed to proceed with the attack.
A common tactic of hackers is to examine the social media accounts of employees to study their behaviour and subsequently design a personalised and targeted attack. Once this information is gathered, any potential weaknesses are ready to be exploited.
Common methods of social engineering
There are various different types of social engineering attacks, the most notorious undoubtedly being phishing campaigns. If you want more information on how to spot this common form of attack, have a look at our annotation of a real scam email received and spotted by one of our staff.
Whilst phishing is the most popular form of social engineering attack, occurring when a hacker makes fraudulent contact with the victim via email or texts, there are multiple other types of social engineering methods you might not have heard as much about…
Spear phishing is (not surprisingly) an advanced form of phishing attack. Whilst phishing campaigns are often formed of identical scam emails sent to thousands of individuals in the hope that one lands, spear phishing is much more targeted. A spear phishing attack is specific to the victim, using personal information to gain trust and appear valid. Unsurprisingly, the personal nature of this tactic means it tends to have a much higher success rate in deceiving victims than regular phishing emails.
Baiting is when a cyber-criminal leaves a malware-infected device (or ‘bait’) somewhere that is likely to be found. This device would typically be a USB flash drive or CD, often marked with company information for added authenticity. The success of this method is based on the expectation that whoever finds the bait will load it into their computer out of curiosity (particularly if it is marked with something enticing that plays on the prying nature of humans), and subsequently install the malware.
Pretexting
In this tactic, the attacker obtains confidential information by lying to the victim and creating false circumstances in which to gain the access or data. An example of this could be the perpetrator impersonating co-workers or official authorities and pretending to need personal information in order to confirm the victim’s identity.
Through pretexting, the scammer can gather information such as login credentials, financial details, access to networks and more. This is particularly effective when the scammer impersonates an authoritative figure, as it often plays on the victim’s fear and intimidation.
Tailgating is a physical social engineering method, whereby an unauthorised individual gains entry into a secure location by following behind an authorised user. This could happen by asking somebody to hold a door open for them, or even to borrow their phone to call a friend, while the attacker installs malware or steals information without the victim knowing. This technique is also sometimes known as piggybacking and targets trusting individuals.
Quid pro quo
This attack method occurs when a cybercriminal requests sensitive information from the victim in exchange for a service or some sort of compensation. An example of this could be requesting personal credentials in order to receive a free gift, or pretending to assist with IT support. This method can be particularly effective around holidays – playing on those happy to hear about Christmas offers and discounts!
Scareware
This technique involves victims receiving false alarms and threats to scare the user into purchasing or installing fake antivirus protection – this would then install the attacker’s malware. Common forms of scareware include pop-up banners in your browser, but it can also be circulated through emails.
The list of social engineering tactics is extensive, but through awareness and education it’s easy to spot the most common methods when they are used.