What is Social Engineering?
In Cybersecurity, Social Engineering is known to be an attack vector using the human factor. In other words, social engineering techniques exploit human errors and behaviors in order to gain access to credentials, physical locations, access code, etc. Thus, social engineering, unlike cyberattacks appeal to human vulnerabilities. It is considered as the most effective mean to obtain access to the abovementioned elements, without having to conduct a cyber attack. The term was popularized by the notorious hacker Kevin Mitnick, who commonly used social engineering techniques to support his actions.
In the area of Identity Fraud, Social Engineering occurs often as a fraudulent pattern with money transferring involved usually passes off with fraudsters tricking innocent people into registering for a service using their valid ID. The victims' account is then overtaken by the fraudster and used to generate value by withdrawing money or making online transfers.
What is a Social Engineering attack?
Social Engineering attacks are conducted by social engineers specialized in psychology, deception and manipulation techniques. Social Engineers can use different tactics in order to perform an attack, depending on their victims, means at their disposal, and the objective of the attack. Social engineering attacks are therefore a powerful enabler of cyber malicious acts. A social engineering attack is usually perpetrated in four steps:
- Information gathering and investigation: The attackers start by identifying their victim(s) and collect elements using open source intelligence techniques (OSINT), that will help them make their approach more credible, as well as select the method they will use to conduct their attack.
- Approaching the target: Once the gathering phase has been conducted, it is time for the attackers to leverage information obtained in order to reach the victim successfully and pose as a trustworthy figure. Different means may be used to make an approach such as emails, telephone, or even directly by meeting the victim;
- Exploitation: When the relationship or contact has been established through information obtained, this is the time where the attacker will achieve his goal. As an example, he will either obtain credentials, expose trade secrets, infect a company network through a USB flash drive, or get physical access to a company location;
- Exit: The attack ends when the attacker has obtained what he was looking for. At this point, the attacker generally makes a swift exit before the victim starts to be aware of what happened, questions the actions of the attacker. Depending on the technique used, the attacker will cover his tracks by erasing digital footprints and artifacts through dedicated tools, leaving no information behind, remaining undetected and keeping his identity safe.
Let’s illustrate these four steps by taking the example of a spear-phishing/pretexting attack targeted at employees from a strategic company.
First, the attackers will try to collect as much information as possible regarding the company and its latest developments, as well as its partners, suppliers and clients, so it will be able to impersonate one of the latter.
Then, it will create an email, using the identity and template of the impersonated entity. The attacker will contact the target under a false pretext, such as an unpaid invoice to a supplier, and include malicious link.
In this scenario, employees from the accounting department are likely to be the victims of such a campaign. Coming from a known source, the email is sent during the appropriate billing period and is related to an ongoing project so that accountants are likely to click on the hypertext link inside.
The final objective may depend, but it may well be to gain access to the company’s networks to steal trade secrets or install ransomware to earn an important financial compensation.
What are different forms of a Social Engineering attack?
Although social engineering attacks are often associated with phishing, other forms of attacks are encompassed in its realm:
- Baiting: Using false promises to draw the victim’s attention, a baiting attack tries to leverage greed or curiosity from an individual. By offering something out of the ordinary, the attacker will try to lure the victim to click on a link, in order to win an important prize, such as a smartphone or even money. Another baiting technique that is used is to disperse USB sticks in front of a company’s building, with the hopes that a far-too-curious employee will plug that stick on his professional computer to check its content, and consequently infecting his firm’s network;
- Pretexting: Pretexting is one form of social engineering attack, aiming at manipulating the victim into providing information or completing an action. Usually conducted by impersonating a trusted figure with an authoritative voice such as co-workers, police, or administrative officials, the attacker will pretend to need sensitive information in the frame of his missions, or the victim to conduct specific actions. Trust is the main driver of this technique, as the attacker will try to establish a relation through a false narrative with his victim before acting;
- Phishing and spear-phishing: Phishing is the process of attempting to gather personal information such as credentials or payment information, or get a user to click on a malicious link or attachment. While phishing is aiming at masses by emailing, texting or calling hundreds to thousands of people, spear phishing is the action of targeting specific individuals or companies, to achieve a predetermined goal. Therefore, only few victims will be selected in order to craft a customized email that will be appealing to the person receiving it;
- Scareware: Although using technology, scareware is software designed to trick users into believing they need to download an antivirus or software to prevent cyberattacks, while in fact downloading a malicious payload, such as ransomware. Usually appearing as a popup, scareware aims to frighten, so the victim will act as quickly as possible without questioning the veracity of the demand.
How to prevent Social Engineering attacks?
Given the fact that the success of a Social Engineering attack relies largely upon the vulnerabilities of human actors involved, training and education are the most efficient ways to prevent those threats. Indeed, one of the best defense is to educate personnel to detect and raise an alert in case of suspicions.
Few tips to detect a Social Engineering attack:
- You receive an email, phone call or text message from a known person or company, but the email seems off and strange;
- There is a sense of urgency in the message you receive;
- You receive an offer that seems too good to be true (e.g., a job offer way above your grade, a prize);
- Someone calls you under a false pretext and ask you for information that may be sensible (clients’ or suppliers’ information, future company developments, financial elements, etc.);
- The identity of the sender is not verified and the email may appear as suspicious.
Thus, good reflexes should be disseminated among employees and be part of the company’s culture. The following best practices may help to deter Social Engineering attacks:
- The “click reflex” is a malpractice that should be erased in order to avoid launching unwanted downloads or malicious websites;
- When an email seems off, suspicious or contains grammatical mistakes, the receiver should always check the identity of the sender, to confirm the genuineness of the demand;
- Raise an alert to the relevant person when receiving a suspicious email, phone call or having any other suspicious contacts;
- Improve technical defenses, by setting multi-factor authentication, spam filters, password policy, and conducting social engineering awareness campaign.
What is the difference in between "Social Engineering" and "Money Mules"?
As opposed to Money Mules, victims of Social Engineering are not aware that their actions may have legal consequences. In fact, their collaboration with the fraudster is not as apparent as they get involved through psychological manipulation. They are being tricked into opening accounts, for example, through job advertisements, which looks like the actual work arrangement at first glance. Other examples involve applying for a loan. The users are then convinced that the credit can be only issued under specific conditions, which usually contains opening an account with a financial institution and later passing the credentials to the fraudsters.
As a result of Social Engineering, the criminal gains access to the freshly created bank account, which may result in further financial malversations in the victim’s name. The scammer will therefore remain undetected, and the whole liability will be passed to the unaware person.
More info in our latest blog article: Understanding ‘Money Mules’ – an interview with IDnow fraud specialists