What is social engineering?
Social engineering is a broad term for tactics that manipulate people in the course of human interaction in order to obtain sensitive information or access from the victim. These scams usually aim to lure users into revealing data, spreading malware, or giving access to restricted systems. Attacks can take place online, in person, and through other interactions.
Social engineering scams are built around how people think and act, which is what makes them so effective at manipulating user behavior. Once an attacker understands what drives a user's actions, they can deceive and manipulate that user effectively.
In addition, hackers take advantage of users' lack of knowledge. Given the speed at which technology is developing, many users and employees are not aware of the dangers lurking on the network. Social networks have made sharing personal details common practice, and users often upload photos that contain sensitive information such as driver's licenses, social security numbers, car and phone numbers, residential addresses, and so on.
How does social engineering work?
Most social engineering attacks rely on some degree of interaction between the attacker and the victim. Carrying them out requires advance planning: collecting background information about the victim, whether a private individual or an organization. The attackers initiate an interaction and, after exploiting the victim, quickly disappear.
This process can take place in a single email or over months of conversations.
A popular social engineering method against organizations is impersonating IT support personnel. Through correspondence or phone calls, the attackers gain the victims' trust and obtain personal details such as passwords, and sometimes remote access to devices. From there it's a fairly simple step to introduce malicious code under the pretext of a software update.
Common social engineering techniques
The term is used loosely in the news, but what is phishing exactly?
Phishing is an attempt to steal sensitive information through impersonation. It is a method of deception that aims to make the user act, usually by clicking an attached link, in a way that will endanger their device. Phishing is the most popular social engineering method because of the great diversity of phishing types, which allow for anything from a simple, easy attack to a carefully prepared, targeted one, according to the impostors' preference. SlashNext's annual State of Phishing report shows a 61% increase in the rate of phishing attacks compared to 2021, accounting for more than 255 million attacks in 2022.
Types of Phishing attacks
- Email phishing – emails that look like they came from a reliable source such as an organization, institution, or service provider, but were actually sent by hackers. These emails use corporate language, the company logo, and even the original typography to increase their credibility. According to SlashNext, the most impersonated global brands are Microsoft, Google, Adobe, and Dropbox.
- Spear phishing – manipulation tailor-made for the target. In a corporate environment, the attacker collects information about employees in a particular department and impersonates a known entity, for example a service provider.
- Whaling – within the spear phishing category, whaling is phishing aimed at senior executives at the management level.
- Vishing – using social engineering tactics over the phone, by pretending to be an authorized person such as a technical maintenance worker or a credit card company representative.
- Search engine phishing – an attempt to place fake, malicious sites at the top of the search results shown in the browser, whether through ads or through sites ranked in the organic results.
- MITM – the man-in-the-middle attack is perhaps the most difficult method for a non-expert to detect. It occurs when a hacker places themselves between the user and the service provider, either to "listen in" on the communication between them or to impersonate one of the parties. The purpose of the attack is to steal personal information (credit card details, passwords, and account information), and it usually occurs in communication between users and financial companies, SaaS providers, online stores, and websites that require an account login.
The baiting method
This method takes advantage of natural human curiosity and our love for anything "free". Attackers offer products or services at no cost: a USB flash drive left in a cafe, or an email about free antivirus software to download.
Physical social engineering
This method requires attackers to physically reach the victim in order to gain access to restricted areas. These attacks are very popular against private, public, and governmental organizations, with the attackers often impersonating technical support personnel. The risk to the attacker is high, so they carry out this kind of attack only when the profit potential is great.
Tailgating also falls into this category: an attacker follows a staff member inside the organization and tries to follow them into restricted areas, sometimes by exploiting the basic human courtesy of holding doors for others.
Examples of social engineering attacks
Studies paint an alarming picture: about 75% of all organizations in the world fell victim to a social engineering attack during 2020. Moreover, of all the global cyber attacks that have occurred so far in 2022, hackers used social engineering techniques in 98% of cases.
Despite these statistics, only 27% of companies provide their employees with awareness training. These statistics are not just theoretical: in 2020, dozens of high-profile accounts with millions of Twitter followers were hacked and used to fraudulently distribute Bitcoin. Those affected included former President Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kim Kardashian, and Kanye West, as well as giant companies like Apple, which boasts that privacy and information security are a top value for it. Twitter quickly realized that the attackers had used social engineering techniques against one or more of the company's employees in order to exploit its internal management tools.
Targeted manipulations require prior knowledge of the victim. The level of preparation is striking in the deepfake attack on a British energy company in March 2019, when the CEO of the energy supplier received a phone call from someone who sounded like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a "Hungarian supplier", a bank account that actually belonged to the fraudster.
The damage from these attacks can be enormous. The biggest social engineering attack was carried out by a Lithuanian citizen against two of the biggest companies in the world: Google and Facebook. The attacker and his team set up a fake company posing as a computer manufacturer that worked with Google and Facebook, and even opened bank accounts in the company's name.
They then sent emails to Google and Facebook employees presenting invoices for goods and services the manufacturer had supposedly provided, directing them to deposit the money into the fraudulent accounts. Between 2013 and 2015, the team cheated the two technology giants out of more than 100 million dollars.
Aircraft parts maker FACC also lost nearly $60 million when attackers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC spent even more money trying to sue its CEO and CFO, alleging that they had failed to implement adequate internal security controls.
Identifying social engineering attacks
There are some simple questions we can ask ourselves whenever something raises our suspicion:
- Are my emotions heightened?
- Did this message come from a legitimate sender?
- Did my friend really send me this message?
- Does the site I’m on have any strange details?
- Is this offer too good to be true?
- Are there any suspicious attachments or links?
- Can this person prove their identity?
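Several of the questions above can be checked mechanically against an email's headers and body. The following is an added example, not part of the original article: it scores one raw message against the sender, authentication, urgency and link questions, using two constructed sample messages (the brand list, domain names and regular expressions are assumptions for the demo).

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample messages for this demo (not real mail traffic).
SUSPICIOUS = """\
From: "Microsoft Account Team" <security@rnicrosoft-support.example>
Reply-To: collect@mailbox.example
Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html

<p>Sign in at <a href="http://login.rnicrosoft-support.example/verify">https://login.microsoft.com</a></p>
"""
CLEAN = """\
From: "Microsoft Account Team" <no-reply@accounts.microsoft.com>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
Subject: Your monthly statement is ready

<p>See it at <a href="https://account.microsoft.com/billing">https://account.microsoft.com</a></p>
"""
BRAND_DOMAINS = {"microsoft": "microsoft.com", "google": "google.com"}  # impersonated brands
def host_of(s):  # host part of a URL or mail address, lowercased
    return re.sub(r"^https?://", "", str(s).strip()).rpartition("@")[2].split("/")[0].lower()
def phishing_indicators(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_name, from_addr = parseaddr(str(msg["From"]))
    from_dom = host_of(from_addr)
    # "Did this message come from a legitimate sender?": brand in display name, other domain.
    for brand, dom in BRAND_DOMAINS.items():
        if brand in from_name.lower() and from_dom != dom and not from_dom.endswith("." + dom):
            found.append(f"display name claims {brand} but address domain is {from_dom}")
    if msg["Reply-To"] and host_of(parseaddr(str(msg["Reply-To"]))[1]) != from_dom:
        found.append("Reply-To domain differs from From domain")
    # Receiving server's SPF/DKIM/DMARC verdicts, as recorded in Authentication-Results.
    auth = str(msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1) != "pass":
            found.append(f"{check} result is {m.group(1)}")
    # "Are my emotions heightened?": pressure language in the subject line.
    if re.search(r"urgent|suspend|immediately|24 hours", str(msg["Subject"] or ""), re.I):
        found.append("subject uses urgency pressure")
    # "Suspicious links?": visible link text naming a different host than the real href.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if "." in host_of(text) and host_of(text) != host_of(href):
            found.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return found
```

`phishing_indicators(SUSPICIOUS)` returns seven findings, while the clean message returns none; a mail gateway would feed real headers in the same way.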
Preventing social engineering attacks
Safe communication habits and account management
- Do not click on links in emails or messages; always type the URL manually.
- Use multi-step verification. When more than just a password protects an online account, the chances of it being hacked are small. Multi-step verification adds further layers that verify the identity of the account holder at login. These "factors" can include biometrics such as fingerprint or facial recognition, or a temporary passcode sent via text message.
- Use strong passwords (and a password manager). Each password should be unique and complex. Aim to use a variety of character types, including letters, numbers, and symbols.
- Avoid sharing personal details such as the schools you attended, your pets, your place of birth, or similar details.
- Be very careful about building online-only friendships.
Safe online usage habits
- Compromised networks are another weakness that can be exploited for background research. Never allow strangers to connect to the main Wi-Fi network; at home or in the workplace, give guests access through a separate wireless network.
- Use a VPN. If someone on the main network (wired, wireless, or even cellular) finds a way to intercept communications, as in a MITM attack, a virtual private network (VPN) can keep them out. VPNs are services that provide a private, encrypted "tunnel" over any internet connection.
- Keep every device and service connected to the network secure. Many people are aware of Internet security practices for both portable and traditional computing devices, but the security of the network itself, along with all smart devices and cloud services, is just as important. Be sure to protect commonly used devices such as car infotainment systems and home network routers.
Phishing tests for organizations
Phishing has become a hacker favorite, with daily attacks that can lead to losses of millions and irreversible damage. Phishing tests train employees to take precautions and stay alert for any sign of foul play. Management benefits from these tests as well, gaining a deeper understanding of the company's security defenses and vulnerabilities.
A phishing test is performed by a professional team that specializes in identifying these attacks.
The goal is to simulate a real phishing attack, so that employees are put to the test: will they hand over data or not?
The team will usually purchase a domain and an SSL certificate, which increases credibility and lowers suspicion. A message is then sent to the company's employees (using one of the phishing methods listed above) from an address that appears to be known. The message is usually accompanied by a link and a request to enter personal information (password, username, account information, etc.).
Once employees’ awareness of this issue increases through phishing tests, caution will increase and thus
Small businesses are at greater risk of a social engineering attack than others. A 2019 Verizon report stated that 43% of all cyberattacks were directed at small businesses. This figure is even more alarming when you consider that these breaches can be devastating: the NSA estimates that 60% of small businesses go out of business within six months of a cyberattack. Read about all the cyber security threats to small businesses in our full article.