What is Social Engineering?

Social engineering attacks employ a wide range of tactics to manipulate targets into disclosing sensitive information or granting unauthorized access. We can categorize these attacks based on the methods used, the channels through which they are delivered, and the targeted groups or individuals.

Phishing is a common social engineering technique that involves sending fraudulent emails, text messages (SMS phishing or smishing), or instant messages to trick recipients into revealing sensitive information, clicking on malicious links, or downloading malware-laden attachments. Phishing attacks can be further classified into:

• Spear phishing is a phishing attack that targets specific individuals or organizations.

• Whaling is a phishing attack targeting a high-profile executive, senior official, wealthy individual, etc.

• Angler phishing is when attackers impersonate customer support accounts on social media to trick customers into divulging personal information.

• Vishing (voice phishing) is when attackers use phone calls to deceive targets into revealing sensitive information or granting access to systems.

   

   

Impersonation involves attackers pretending to be trusted individuals or entities, both in digital and physical contexts, to gain access to information or systems. This can include scenarios where attackers pose as colleagues, authority figures, or well-known organizations. Examples include:

• Pretexting is creating a fabricated scenario to convince the target to disclose sensitive information.

• Business Email Compromise (BEC) takes place when attackers gain access to business email accounts to conduct unauthorized transactions or gather sensitive data.

• Deepfake attacks involve using the AI-generated likeness of another person in video or audio format to deceive individuals that they are interacting with a trusted person.

   

Physical impersonation involves attackers physically following authorized personnel into restricted areas (tailgating) or posing as delivery persons or technicians.

• Baiting entices victims with appealing offers, such as free downloads, gift cards, or exclusive content, to trick them into providing personal information or installing malware. 

• Quid pro quo attacks are similar, with the attacker promising a benefit in exchange for information or access. These attacks can occur online or through physical media, such as malware-infected USB drives left in public spaces.

• Honey trap is the term used for cases when attackers lure victims into revealing information through romantic or sexual relationships, often targeting specific individuals. 

• Disinformation campaign attacks are politically motivated attacks that use some type of impersonation designed to mislead the public on social or political issues, often employing technology like deepfake or voice cloning.

   

   

• Scareware tricks victims into believing their device is infected with malware, prompting them to install fake security software or pay for unnecessary repairs.

• Tech support scams operate similarly, with attackers impersonating I.T. support personnel and offering to resolve fabricated issues in exchange for access to the target's device or sensitive information.

   

   

These are targeted website attacks that involve compromising websites frequently visited by a targeted group or organization. The goal is to infect visitors' devices with malware or trick them into divulging sensitive information.

In the early days of the internet, social engineering attacks were relatively simplistic, often relying on generic phishing emails that were easily identifiable. Technology progressed, and so did the attackers' tactics. Today, the impact of these threats is growing at an alarming rate.

The 2013 Target data breach served as a wake-up call, exposing the vulnerability of third-party vendors and resulting in the theft of 40 million credit and debit card accounts. This incident proved that attackers could successfully exploit the expanded attack surface created by digital communication, taking advantage of the inherent trust and reduced face-to-face interactions.

As social media platforms proliferated and people shared more personal information online, attackers gained access to a wealth of data about their targets' interests, relationships, and professional activities. This enabled them to craft highly convincing and contextually relevant scams, such as the 2016 Democratic National Committee (DNC) email leak, which also revealed the consequences of inadequate email security.

Attackers constantly adapt to emerging technologies and societal trends, such as the rise of cryptocurrency, as seen in the 2020 Twitter Bitcoin scam, where they accessed high-profile accounts to promote fraudulent schemes.

In more recent years, the wide adoption of artificial intelligence (A.I.) has taken social engineering attacks to new heights. In 2024, scammers used deepfake technology to impersonate executives during a video call, tricking an employee into transferring over $25 million to fraudulent accounts.

The financial and reputational impact of social engineering attacks has grown exponentially and is impossible to accurately quantify. What everyone agrees on is that businesses are losing tens of billions of U.S. dollars annually to business email compromise (BEC) scams, data breaches, and ransomware attacks. This has prompted organizations to invest more in employee training, multi-factor authentication, and advanced threat detection technologies.

Social engineering attacks in cybersecurity typically use a logical process that involves several key stages. Note that these stages may not always occur in a linear fashion, and attackers may need to repeat or adapt certain stages based on the target's responses and defenses.

Gathering as much information as possible about the target individual or organization may include researching publicly available information - social media profiles, company websites, news articles, etc. Attackers may also use more advanced techniques, such as searching through discarded documents (a.k.a. “dumpster diving”), observing someone’s screen or keyboard input (“shoulder surfing”), or monitoring the target’s physical activities and behaviors to obtain sensitive information that can be used in later stages of the attack.

The trust-building stage involves establishing a rapport with the target, often by impersonating a trusted authority figure, colleague, or service provider. Attackers may use the information gathered in the previous stage to create a convincing pretext, such as referencing a shared interest or recent event, to make their approach seem more credible.

This stage may involve manipulating the target into revealing sensitive information (login credentials, confidential business data, and so on) or convincing them to perform an action that compromises security, like clicking on a malicious link or granting unauthorized access to systems.

In the final stage, the attacker executes their ultimate objective, which may include stealing data, installing malware, or gaining persistent access to the target's systems. This stage often involves leveraging the information or access obtained during the exploitation stage to carry out further attacks or maintain a foothold in the target's environment.

Social engineering attacks come in many forms, but there are common examples that have emerged over the years, basically, templates of attack. Let’s examine some real-world scenarios, how these attacks unfold, and learn to recognize the signs of potential threats.

• Phishing Email Scam: In this classic social engineering example, an attacker sends an email posing to be from a legitimate company or organization, such as a bank or a social media platform. The email might claim that there is an issue with the recipient's account and urge them to click on a link to resolve the problem. The link is to a fake login page that steals the user's credentials. Sometimes, the email might contain an attachment that, when opened, installs malware on the user's device. 

• CEO Fraud: Also known as Business Email Compromise (BEC), this attack is based on impersonating a high-level executive within an organization. The attacker sends an email to an employee, typically in the finance department, requesting an urgent wire transfer or payment. The employee, believing that the request is legitimate, complies and transfers the funds to the attacker's account. As tedious as internal financial procedures can be, not implementing them can lead to millions in losses.

• Romance Scam: It all begins with an attacker creating a fake online dating profile. After striking up a relationship with their target, over time, the attacker gains the victim's trust and begins to request money, often claiming to need help with an emergency or to fund a visit. The victim, emotionally invested in the relationship, sends the money, only to discover later that their supposed partner was a scammer. 

• Tech Support Scam: This scam involves an attacker posing as a technical support representative from a well-known company, such as Microsoft or Apple. The attacker contacts the victim, claiming that their device is infected with malware or that there is a technical issue. The attacker then convinces the victim to grant remote access to their device or to make a payment for unnecessary software or services, which may actually install malware or compromise the victim's system.

• Baiting: In a baiting attack, the attacker offers something enticing to the victim, such as a free download, a gift card, or exclusive content. However, to claim the reward, the victim must provide personal information or download software that is actually malware. A common example is an attacker leaving a malware-infected USB drive in a public place, labeled with an enticing name like "Company Salary Info," hoping that an employee will find it and plug it into their work computer.

   

   

A skilled social engineer is typically a master of manipulation and persuasion. They are often charming, confident, and able to quickly befriend their targets. They are also highly adaptable and able to think on their feet, adjusting their approach based on the target's reactions and responses. They are patient and often invest significant time and effort into building trust and credibility with their targets before launching an attack.

However, a successful social engineer does not need all the above skills, as long as the threat actor is well aware of fundamental aspects of human psychology, relying on the most powerful, tested persuasion techniques. These techniques are well-documented in Robert Cialdini's work on influence and persuasion. Social engineers take these principles to the next level, using them to craft their deceptive strategies and manipulate their targets. Below is a list of the most often used psychological vulnerabilities that scammers employ in their attacks.

• Trust and Authority. There is an innate human tendency to trust authority figures. People are more likely to comply with requests from someone they think has authority or expertise, even if they don't know the person. Social engineers often impersonate authority figures like I.T. support personnel, executives, or government officials to take advantage of this trust.

• Social Proof and Conformity. Another important psychological factor is social proof, a concept that refers to the fact that people tend to look to others for cues on how to behave in a given situation. Social engineers may use this principle by creating a sense of urgency or suggesting that others have already complied with their request, making the target feel pressured to conform.

• Reciprocity and Obligation. The principle of reciprocity suggests that people feel obligated to repay favors or kind gestures. Social engineers may exploit this by offering something of value to the target, such as a free gift or assistance with a problem. This creates a sense of obligation that can be used to extract sensitive information or convince the victim to comply with a malicious request.

• Scarcity and Fear of Missing Out (FOMO). People tend to place a higher value on things that are scarce or difficult to obtain. Social engineers may create a false sense of scarcity or exclusivity to pressure targets into taking action. They might claim that an offer is only available for a limited time or that the target has been specially selected for an opportunity.

• Emotions and Stress. Social engineers often try to manipulate their targets' emotions, particularly by creating a sense of fear, anxiety, or excitement. When people are in a heightened emotional state, they may be less likely to think critically and more likely to make impulsive decisions. Social engineers may use tactics like claiming there is a security breach or a time-sensitive emergency to create a sense of panic and urgency.

   

   

Protecting yourself and your organization from social engineering attacks is a complex process that requires a combination of prevention and recovery methods – from technical safeguards to security awareness training and sticking to agreed best practices. One can significantly reduce the risk of falling victim to these increasingly sophisticated attacks by adhering to the key strategies below. Remember that social engineering techniques constantly evolve; therefore, it is essential to stay one step ahead and invest in keeping yourself up to date.

• Strengthen Cyber Hygiene - This is one of the most effective ways to protect against social engineering. Basic cyber security measures include always using strong and unique passwords for each account, updating software and operating systems on a regular basis, and using anti-malware software. On the human level, it's essential to always be wary when clicking on links or downloading attachments, particularly from unknown sources.

• Implement Multi-Factor Authentication - Multi-factor authentication (MFA) is an extra layer of security because it requires users to provide additional proof of identity beyond just a password. This can include a fingerprint, facial recognition, or a code sent to a mobile device. By implementing MFA, organizations can make it much harder for social engineers to gain unauthorized access to accounts and systems, even if they manage to obtain a user's password.

• Provide Security Awareness Training - Educating employees about social engineering and how to recognize and respond to potential threats is no longer optional. Regular security awareness training should cover topics like identifying phishing emails, verifying the identity of callers or emailers, and handling sensitive information securely. Training should be engaging, relevant, and regularly updated to keep pace with evolving threats.

• Establish Clear Policies and Procedures - Organizations must establish clear policies and procedures for how to handle sensitive information, respond to unsolicited requests, and report suspected security incidents. These policies should be communicated to all employees and regularly reinforced through training and reminders.

• Verify Identity and Legitimacy - One of the best countermeasures against social engineering is to always verify the identity and legitimacy of anyone requesting sensitive information or access. This can include calling the person back using a verified phone number, checking their email address against the company directory, or asking for additional proof of identity.

• Be Cautious in Urgency and High-Pressure Situations - Social engineers often try to create a sense of urgency or use high-pressure tactics to get their targets to act quickly without thinking. Be cautious of any unsolicited request that demands immediate action or threatens negative consequences for non-compliance.

• Keep Software and Systems Up to Date - Regularly updating software, operating systems, and security tools can prevent attackers from exploiting known vulnerabilities. Also, enable automatic updates when possible, ensuring that all systems and devices are running the latest security patches.

• Limit Access and Permissions - Implementing the principle of least privilege, which gives users only the access and permissions they need to do their jobs, can help limit the potential damage of a successful social engineering attack. Regularly review and update access controls and promptly revoke access for employees who leave the organization.

   

   

While social engineering is typically viewed as a malicious activity, it also has legitimate applications in the realm of cybersecurity. For instance, there are certain ethical and legal considerations that arise when using social engineering techniques for security testing. Legal implications are related to the methods that an organization employ to defend from social engineering. Organizations must carefully navigate the fine line between implementing effective security measures and respecting privacy and ethical standards.

One context in which social engineering techniques are used for legitimate purposes is in security testing programs, which use ethical hacking for penetration testing or red teaming, among others. However, even in ethical hacking, important considerations must be kept in mind. While these techniques are justified in the name of security, they are inherently deceptive, raising ethical questions about manipulation and trust. That is why security testers must obtain formal permission from the organization before conducting any tests and carefully document their activities to ensure transparency and accountability. They must also minimize any potential harm or disruption to the organization's operations during the testing process.

As organizations implement security measures to protect against social engineering attacks, they must also be mindful of privacy concerns. Some security measures, such as monitoring employee communications or requiring extensive background checks, can be seen as intrusive and may violate employees' privacy rights. Organizations must strike a careful balance between protecting their assets and respecting the privacy of their employees and customers. This may involve implementing clear policies and procedures around data collection, storage, and use, as well as providing transparency around any monitoring or surveillance activities.

Industry standards and regulations play a role in how organizations can fight against social engineering or use it defensively. Standards such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. mandate stringent data protection measures and hold organizations accountable for breaches. Organizations must stay up to date on these standards and ensure compliance to mitigate legal risks and uphold ethical standards.

In many jurisdictions, attacks that result in the theft of sensitive information or financial losses can be prosecuted under various laws, including those related to fraud, identity theft, and computer crimes. Organizations that do not take reasonable steps to protect against social engineering attacks may also face legal liability. This can include lawsuits from customers or employees whose personal information was compromised, as well as fines and penalties for not complying with data protection laws.