Jones IT | Managed IT Services, IT Support, IT Consulting


Complete Guide To Social Engineering

We have talked about social engineering in many of our previous phishing-related blog posts. Social engineering plays a critical role in a variety of cyberattacks. It is widely used in low-tech scams but can also be part of complex targeted cyberattacks such as ransomware and business email compromise.

In this blog post, we will discuss social engineering in greater detail, including the types, common methods, examples, and, more importantly, how to protect yourself against social engineering attacks. Along the way we answer the following questions about social engineering:

  1. What Is Social Engineering?

  2. What Is The Purpose Of Social Engineering?

  3. How Does Social Engineering Work?

  4. What Are Common Social Engineering Attack Vectors?

  5. What Are The Common Social Engineering Techniques?

  6. What Are The Principles Of Social Engineering?

  7. How To Protect Against Social Engineering?

What Is Social Engineering?

Social engineering is the technique of manipulating people into performing actions or divulging sensitive information. Social engineering exploits human emotions such as curiosity, fear, and an inclination to trust, and cognitive biases. By playing on emotions, inherent biases, and vulnerabilities, criminals try to prevent their victims from thinking rationally. They do this by creating a sense of urgency, using scare tactics, and emotional manipulation.

Cybercriminals commonly employ social engineering to manipulate victims into clicking malicious links, installing malware, or divulging sensitive information. Social engineering techniques can be used via different mediums including emails, phone calls, messaging, and even in-person.

Social engineering attacks come in various forms. They can range from simple phone calls, which try to elicit your personal information, to multistep attacks involving emails, text messages, robocalls, and social media messages for information gathering, before launching targeted cyberattacks.

Tricking people into giving up personal information is much easier than hacking passwords or deploying ransomware. This is the reason why social engineering attacks are much more common than hacking and password attacks.

What Is The Purpose Of Social Engineering?

The purpose of social engineering is to trick the victim into performing actions that they normally would not. Criminals use social engineering with one of the following goals in mind:

  • Gaining unauthorized access to accounts, devices, or networks

  • Obtaining personal information that can be used for identity theft or financial fraud

  • Deploying malware to spy, steal data, and cause harm or inconvenience.

Ultimately the social engineering attackers seek financial gains either by directly defrauding the victim or selling their data to other cybercriminals.

How Does Social Engineering Work?

Social engineering attacks usually begin with a contact initiated by the attacker. The pretext of such contacts is that the attacker either has the right to access the information or needs the information to help the victim. Typically the attackers masquerade as someone in authority such as the CEO of the company, representatives of financial institutions, law enforcement agencies, IT support, etc.

The social engineers fabricate stories to convince the victims that they are who they claim to be and exploit cognitive biases to lull them into a false sense of security. Scammers often use publicly available information found on social media to establish trust. Once the attackers establish trust, they glean information or manipulate the victim into performing actions such as downloading malware.

The most common social engineering attacks are spam emails or robocalls sent to hundreds or even thousands of people at a time. These kinds of social engineering attacks are easy to spot and avoid. However, there are also targeted attacks in which the victims are selected based on their affiliation with certain institutions, their relationships with businesses, etc. Targeted attacks are more difficult to spot because the messages are carefully crafted from extensive information gathered through various methods, including phishing, smishing, and vishing.

What Are Common Social Engineering Attack Vectors?

The following are the most common paths that cybercriminals take to launch social engineering attacks:


1. Phishing

Phishing is the most common form of social engineering attack. It uses email as its primary medium. The senders of such emails usually pose as legitimate individuals or representatives of well-known companies or government agencies and use various techniques to trick the victims into providing sensitive data such as personal information, passwords, banking details, credit card information, etc.


To help you identify and protect yourself from phishing scams, we have written the following guides:

2. Vishing

Vishing or “voice-based phishing” is a type of social engineering attack that uses voice calls as an attack vector. The goal of vishing is also to gather sensitive information that can be used either for committing financial fraud or for launching further attacks.


To help you learn more about vishing, we have written an exhaustive guide containing everything you need to know about vishing, its types, examples, how to protect yourself from it, and what to do if you get vished.


You can read the vishing guide here: What Is Vishing And How To Avoid Voice Scams


3. Smishing

Smishing or “SMS-based phishing” is a type of social engineering attack that uses text messages as an attack vector. Smishing is usually a relatively low-tech cyberattack that relies on the psychological manipulation of its victims. But it can also be part of an elaborate cyberattack assisted by malware or fraudulent websites.


To help you combat such text message-based phishing attacks, we have written a comprehensive guide that shares everything you need to know about smishing and how to protect yourself from it.


You can read the smishing guide here: What Is Smishing And How To Protect Yourself Against It

What Are The Common Social Engineering Techniques?

Here’s a list of 8 commonly utilized techniques in social engineering attacks:

  1. Pretexting

  2. Baiting

  3. Tailgating and Piggybacking

  4. Quid Pro Quo

  5. Scareware

  6. Dumpster Diving

  7. Honeytrap

  8. Watering Hole Attack

In the following sections, I describe each type of scam in detail.

Pretexting

Pretexting is a social engineering technique of creating made-up scenarios to engage a target and lure them into a vulnerable state or false sense of security so that they are easy to manipulate.

The made-up scenarios or “pretexts” are designed to instill trust, lower the perception of threat, and increase susceptibility to act in haste, fear, or excitement. Once engaged in the pretext, the victims are manipulated into divulging sensitive information or performing actions that they would not perform under normal circumstances.

For example, a threat actor may create a pretext of being an external IT auditor and convince an employee to divulge sensitive information about the IT infrastructure and security systems. Then they can use this information to find weaknesses and launch targeted attacks.

Baiting

Baiting is a social engineering technique that uses bait or a false promise to lure a victim into divulging information or performing actions they normally would not perform.


For example, attackers may leave malware-infected USB flash drives near office buildings. To pique the curiosity of the targets, the drives may carry labels saying “HR confidential: new salary structures”. Connecting such infected media would result in infection of the computer and in severe cases, compromise of the entire network.


Enticing ads that lead to malicious websites and free software that comes bundled with spyware or adware are also examples of baiting.

Tailgating and Piggybacking

Tailgating and piggybacking are social engineering techniques used in person with the aim of entering restricted locations. The goal of the attacker in such cases is to gain physical access to documents, desktops, or critical IT infrastructure such as servers, network switches, routers, etc.

Tailgating is the act of sneaking into a restricted space without the knowledge of the person providing access. An example of tailgating is an attacker sneaking in behind an employee after they swipe their access card.

Piggybacking is the act of gaining unauthorized access to a restricted location by tagging along with someone who has authorized access. The authorized individual is tricked into believing the piggybacker either has authorized access or has a legitimate business. An example of piggybacking is an attacker pretending to be a food delivery agent to gain access to an office space.

Quid Pro Quo

Quid pro quo is a social engineering technique in which an attacker offers a trade of service for information. This technique is different from pretexting and baiting because there are no elaborate made-up stories, preparations, or tools involved. There is simply an upfront promise of benefit or advantage in exchange for information.

Here’s an example of how a quid pro quo scenario plays out: an attacker calls a small business pretending to be their IT service provider and claims to be calling back to help an employee who is having a problem with their computer. And if the attacker reaches someone in the company having a legitimate issue with their device, they will “offer to solve the problem” in exchange for access to the device.

If a user is having a problem with their device and is expecting a call back from IT support, in such a scenario, it may seem logical to give an IT person access to your device to solve the issue you are facing. The attacker will then proceed to either ask for login credentials or install malware on the device.

Scareware

Scareware is malware that uses social engineering tactics to manipulate victims into believing that their device is infected with malware, that their accounts are compromised, or that they have done something illegal. These tactics usually include pop-up ads that display fake warnings or threats, such as virus infection messages, to instill fear that the attacker can exploit. The goal of the attacker using scareware is to sell useless tools or services, install malware, or gain access to sensitive information.


A common example of scareware is a fake pop-up warning of a virus infection. These pop-ups are usually displayed on compromised or malicious websites. They are designed to look like system-generated messages and ask the user to call a phone number for virus removal. The phone number connects to a fake call center where scammers instruct the victim to download a useless application and pretend to remove the non-existent virus. At the end of the call, the scammers demand payment for removing a virus that did not exist in the first place.

Dumpster Diving

In cybersecurity, dumpster diving is a social engineering technique of going through someone’s trash to find information that can be used to launch targeted attacks. While finding passwords written on sticky notes would be like finding gold, the scammers can use even apparently innocuous information such as phone or email lists, organizational charts, etc. to craft their attacks.

Scammers use the information retrieved from dumpster diving to create “pretexts” and contexts relevant to their target. This elaborate preparation helps establish trust and makes their messages more believable. Dumpster diving is often the first step in spear-phishing, business email compromise (BEC), and other targeted attacks on businesses.

Honeytrap

Honeytrap is a social engineering technique of luring someone into a fraudulent romantic relationship using a fake online profile. The term “honeytrap” comes from old spy tactics of using attractive women to target and entrap enemies.

Honeytrap attacks involve scammers creating an attractive online persona and befriending their targets on one or more social media platforms. The criminals then exploit the relationship to elicit the victim’s personal details, borrow money, or convince them to steal sensitive data from their workplace.

Watering Hole Attack

A watering hole attack is a complex cyberattack that combines social engineering with advanced hacking and other techniques. It involves hackers targeting a group of people or organizations that frequently visit a website. Watering hole attacks require extensive preparation, thorough planning, and meticulous execution.

The watering hole attack relies on the fact that when users are on a trustworthy website that they frequent, they let down their guard and are not as vigilant. The criminals use social engineering techniques to lure the targeted users into divulging information or visiting compromised websites.

In advanced watering hole attacks, hackers may find vulnerabilities in the website and use techniques such as cross-site scripting (XSS), SQL injection, DNS cache poisoning, etc. to launch devastating cyberattacks on individuals and organizations.

What Are The Principles Of Social Engineering?

Scammers use knowledge of common behavioral traits of humans to increase the effectiveness of their attacks. The following principles are commonly used by scammers to foster trust and persuade their victims:

  1. Authority

  2. Intimidation

  3. Consensus/Social Proof

  4. Scarcity

  5. Urgency

  6. Familiarity / Liking


1. Authority

Most people learn to respect authority as they grow up, and rarely think twice before complying with the requests of someone of authority. This is why social engineers impersonate someone in authority such as the company's CEO, law enforcement agencies, etc. The scammers count on this form of compliance with authority for the success of their attacks.


2. Intimidation

Intimidation is a common tactic used by scammers to force the victim into taking action. It is usually combined with the impersonation of someone in authority. Common intimidation themes used by scammers include job loss, legal action, suspension of bank accounts or credit cards, hacked emails, etc.


3. Consensus/Social Proof

Most people follow what others are doing without giving it much thought. If you find that difficult to believe, here’s one of many similar experiments demonstrating the power of consensus:

Scammers know this and try to actively use it by dropping names of colleagues. They use phrases like “Maria in accounting and Adam in HR sent me their passwords and now I need your password to finish the setup.”


4. Scarcity

Scarcity is a social engineering tactic that capitalizes on the natural inclination of people to act quickly to obtain something that is rare or limited. The rarity of an item makes it more desirable and accelerates the decision processing so as not to lose the opportunity. The scammers count on this haste of the victims to bypass common sense and logic.


To leverage this, scammers use phrases such as “act now while stocks last!”, “limited time offer”, etc. to entice the targets. This tactic is often combined with social proof to make the social engineering attack even more effective.


5. Urgency

Similar to scarcity, urgency is also used by scammers to hasten the decision-making process of their targets. Time-based psychological principles such as urgency and scarcity work well when combined with authority and intimidation.


Knowing the effectiveness of this principle, scammers abundantly use it in their messages. Urgent emails from the CEO or scareware with a countdown timer are much more likely to elicit a quick response.


6. Familiarity / Liking

People are more likely to comply with requests from those they know or like. Hackers know this and try to exploit it by spoofing the accounts of friends, colleagues, or family members.


The liking principle plays a big role, especially in honeytrap attacks. So the scammers make attractive personas and establish a rapport with the target before initiating their scam.

How To Protect Against Social Engineering?

Here are steps you can take to protect yourself and your organization against social engineering attacks:

  1. Train employees to identify social engineering attacks.

  2. Empower employees to always follow procedures, no matter who the request may be coming from.

  3. Empower employees to stop and think before handing out sensitive information.

  4. Use two-factor authentication (2FA) on all accounts.

  5. Use spam filters and firewalls to filter out suspicious emails, IP addresses, and malicious attachments.

  6. Configure company email to display a banner on emails coming from outside the organization.

  7. Establish robust social media and email usage policies.

  8. Establish a simple IT security reporting process.

  9. Conduct regular phishing and smishing simulations to test employee preparedness.

  10. Create policies for destroying sensitive documents and disposing of e-waste.
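As an added illustration of step 6 above (this is example code written for this edit, not configuration from the Jones IT post), here is how the external-sender banner is typically set up in Microsoft 365 / Exchange Online. It assumes the ExchangeOnlineManagement PowerShell module, an admin account (the UPN below is a placeholder), and a rule name and banner wording of our own choosing.

```powershell
# Added example: Exchange Online mail flow rule that prepends a warning banner to
# every message arriving from outside the organization, plus the native Outlook
# "External" tag. Assumptions: ExchangeOnlineManagement module installed, an
# account with Exchange admin rights, and the placeholder UPN admin@example.com.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder admin UPN

# Banner text users will see at the top of the message body. The wording ties the
# banner to the behaviours this guide warns about: links, attachments, and requests
# for credentials or payments that cannot be verified through a known channel.
$bannerHtml = @"
<div style="background:#fff4ce;border:1px solid #f0c000;padding:8px;font-family:sans-serif;">
  <strong>CAUTION:</strong> This email came from outside the organization.
  Do not click links, open attachments, or act on requests for passwords,
  payments, or gift cards until you have verified the sender through a channel
  you already trust (for example, a phone number on file, not one in the email).
</div>
"@

$ruleParams = @{
    Name                              = 'External sender banner'   # our chosen rule name
    FromScope                         = 'NotInOrganization'        # sender is outside our accepted domains
    SentToScope                       = 'InOrganization'           # recipient is one of our mailboxes
    ApplyHtmlDisclaimerLocation       = 'Prepend'                  # banner at the top, where it is read first
    ApplyHtmlDisclaimerText           = $bannerHtml
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'                     # if the body cannot be altered (e.g. signed/encrypted), wrap the original in a new message
    Priority                          = 0                          # evaluate before other rules
}
New-TransportRule @ruleParams

# Also enable the built-in "External" sender tag shown by Outlook clients, so the
# warning survives even where HTML disclaimers are stripped or not rendered.
Set-ExternalInOutlook -Enabled $true

# Verify the rule is enabled and scoped as intended.
Get-TransportRule -Identity 'External sender banner' |
    Format-List Name, State, FromScope, SentToScope, ApplyHtmlDisclaimerLocation, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

Banners reduce, but do not remove, the risk from spoofed internal addresses; pair the rule with sender authentication (SPF, DKIM, DMARC) and the reporting process in step 8 so that users have somewhere to send what the banner makes them suspicious of.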

Conclusion

Social engineering techniques are abundantly used in cyberattacks. Scammers rely on psychological techniques to coerce and deceive users into bypassing security measures. So, traditional security systems alone are ineffective at stopping all social engineering attacks.

An educated workforce will be able to spot social engineering techniques and stop most attacks dead in their tracks. And regular cybersecurity training combined with a layered defense can stop close to 100% of social engineering attacks.

Can you spot the red flags of social engineering attacks? Have you received cybersecurity training recently? If you would like to test your knowledge, try out the phishing test and smishing tests on our free IT resources page.

If you are a customer of Jones IT, feel free to reach out to your dedicated IT consultant to schedule a phishing simulation or cybersecurity training.


