Social engineering attacks can be very convincing and, potentially, very costly for victims. Social engineers will use a variety of techniques to harvest sensitive information from victims for their own commercial, or other, benefit.
Here we explore what social engineers do, and highlight six common strategies they employ.
What is cyber social engineering?
Social engineering, in case you're unaware, is the use of various psychological techniques to defraud or gather sensitive information from an individual or organization.
In the context of this article, the term social engineering is used in reference to information security rather than to centrally planned strategies used to encourage, or more usually force, social change in order to regulate future development and behavior in a society.
"[The] use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes." - Lexico.com.
It is a very broad term and includes a range of malicious activities that use human interaction to obtain data for commercial or other benefit to the attacker.
What are some examples of social engineering attacks?
Here are six examples of common social engineering attacks. The following examples are in no particular order and are far from exhaustive.
1. Phishing is a very common strategy
Phishing is one of, if not the, most common form of social engineering cyber attack. According to sites like lifewire.com, it actually accounts for a substantial amount of all spam email people receive on a daily basis.
But it can also be attempted through SMS, IM, and other forms of social media interaction.
These messages attempt to trick you into divulging sensitive information like passwords, card details, etc., either directly or by visiting a fraudulent URL that harvests similar information.
The most advanced types of this form of social engineering attack attempt to mimic a reputable and trusted institution like your bank etc. They will also attempt to instill a sense of urgency in you to act, usually to avoid some form of unwanted action (fine, etc.).
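The three cues this section describes (an impersonated institution, urgency language, and a link whose visible text does not match its real destination) can be checked mechanically. The following is an added illustration, not code from the original article; the sample email body is constructed, and the two-label domain extraction is a simplifying assumption that stands in for a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes: an impersonated bank,
# a deadline, and anchor text that shows one URL while linking to another.
SAMPLE_EMAIL = """\
<p>Dear customer, your account will be suspended within 24 hours
unless you verify your details immediately.</p>
<a href="http://secure-login.example-bank.co.xyz/verify">https://www.example-bank.com/login</a>
"""

URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "urgent", "final notice")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url):
    """Assumption: the last two labels of the hostname stand in for a public-suffix lookup."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def phishing_indicators(html):
    """Return the names of the cues found in an email body; a heuristic, not a verdict."""
    cues = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if any(term in text for term in URGENCY_TERMS):
        cues.append("urgency_language")
    parser = LinkExtractor()
    parser.feed(html)
    for href, visible in parser.links:
        # Visible text that looks like a URL but points somewhere else is the classic tell.
        if visible.startswith(("http://", "https://", "www.")) and registrable_domain(href) != registrable_domain(visible):
            cues.append("link_text_mismatch")
        if urlparse(href).scheme == "http":
            cues.append("plain_http_link")
    return cues
```

A mail gateway or user-reporting workflow would combine such cues with sender authentication results rather than act on any one of them alone.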
2. Watering hole attacks are a common form of cyber-espionage
Watering hole attacks consist of nefarious individuals injecting malicious code into public websites to attack regular users.
"In this attack, the attacker guesses or observes which websites [a target] group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected," according to Wikipedia.
When users visit the site, the compromised website opens a backdoor trojan on the user's computer. The watering hole method of attack is very common in cyber-espionage operations and state-sponsored attacks.
3. Tailgating can be a real problem
Tailgating, as the name suggests, is a form of social engineering attack that is used to give a malicious individual physical access to an area without proper authorization. In its most basic form, an attacker will wait for an authorized person to use their access card or biometric credentials to open an electronic access door.
They will then simply pass through the door before it closes.
More advanced versions involve playing on someone's generosity. For example, the attacker may load themselves up with heavy objects and wait at the access door.
When an authorized employee approaches, they will claim they cannot reach their own access card and ask them to open the door for them.
4. Pretexting can be very convincing
Pretexting, as opposed to phishing, attempts to extract sensitive information by building trust over time. The attacker will create a believable but completely fabricated pretext to lay some groundwork and break down a victim's defenses over time.
For example, they call a target and pretend to require certain information in order to activate a new system account or verify their identity. The more sophisticated versions will build up a relationship over days or weeks, and they may take on the identity of an actual employee in their victim's IT department.
This kind of tactic is used to gain the victim's trust and increase the likelihood that they will divulge requested information without hesitation.
5. Whaling attacks tend to target upper management staff
Whaling is a more sophisticated form of phishing that uses more advanced social engineering techniques to harvest sensitive information. It tends to focus on information that has higher economic and commercial value to the attacker.
"What distinguishes this category of phishing from others is the choice of targets: relevant executives of private business and government agencies. The word whaling is used, indicating that the target is a big fish to capture." - infosecinstitute.com.
Emails from whaling attacks tend to take on the pretense of critical business emails that are sent by legitimate authorities or other important organizations. Message content also tends to be aimed at higher management and will often include fake information concerning company-wide issues or other confidential issues.
6. Baiting and Quid Pro Quo attacks
Baiting is another nefarious social engineering attack that attempts to play on a victim's curiosity. A classic example makes use of malicious files disguised as something else, like a software update or other generic software.
It can also be disseminated through the use of infected USB devices deposited in the real world - for example, a "lost" USB stick in a parking lot. The malware used will compromise a PC's security and provide a back door for attackers to gain access to sensitive information.
A similar, yet subtly different attack is called a Quid Pro Quo attack. This form of attack attempts to install malicious software through a process of doing something "good" for the victim.
In this kind of attack scenario, the hacker offers a service or benefit in exchange for information or access. Hackers will tend to impersonate IT staffers in an organization and contact employees to gain access to install or upgrade system software.
What are three examples of techniques used in social engineering attacks?
We have already covered six of the most common forms of social engineering cyber attack above, but there are others.
- Vishing - Otherwise known as voice phishing, this is a form of social engineering attack that primarily focuses on gathering information via telephone. It can also be used by attackers for reconnaissance purposes to gain access to more critical individuals in an organization.
- Smishing - "The act of using SMS text messaging to lure victims into a specific course of action. Like Phishing, it can be clicking on a malicious link or divulging information," Wikipedia notes.
- Spear phishing - This is a form of phishing that tends to make use of highly customized emails sent to a limited number of potential victims.
What does a social engineer do?
Social engineers are people who conduct a range of malicious activities to deceive human victims into disclosing personal or other sensitive information, or to gain access to said information. This can be either through digital means (like email) or physically in the real world.
With reference to the latter, they would traditionally be termed "con-men" or "confidence tricksters."
Whatever the case, social engineers will attempt to employ a range of psychological manipulation techniques to trick victims into making security mistakes or giving away information freely.
Social engineers will tend to identify and attack victims following a few key steps:
1. Investigation - Find potential victims, gather some background information, and select a means of attack.
2. Attempt to hook them - Using the techniques previously mentioned.
3. Play - Attempt to gather more and more information over time.
4. Exit - Close their interaction with the victim. They will also attempt to remove all trace of any malware used, etc., and generally bring their charade to a conclusion.