The term “Social Engineering” is today synonymous with the world of cybercrime, internet-based fraud and (not by accident) sits at the core of the vast majority of cyber-attacks.
Research consistently confirms that 80-90% of successful cyberattacks originate with a social engineering activity, usually a phishing email. Proofpoint research in 2022 suggested that:
- Social engineering is responsible for as many as 98% of cyber attacks
- In 2020, 75% of companies reported being victims of phishing
- Over 70% of data breaches begin with phishing or other modes of social engineering attacks
- Google recorded over 2 million phishing websites in 2021
- Approximately 43% of phishing emails impersonated well-known, large brands and organisations
- 60% of companies reported a data loss as a result of successful phishing attacks
- 18% (almost 2 in every 10) of targeted users fall victim to phishing attacks
However, the term itself is not specific to cybercrime.
In fact, social engineering is a practice that humans have deployed for as long as humans have existed. Wherever a person or organisation wishes to keep information safe and secure, there will always be many others who want to steal and/or exploit it. In most instances, social engineering is the means used to achieve their nefarious objectives.
Where does the term “social engineering” originate?
The phrase was first used by the Dutch industrialist J.C. Van Marken in 1894, when suggesting that “specialists” were needed to attend to human challenges – in addition to technical ones.
Then in 1911, Edward L. Earp wrote his book “Social Engineer” as a way to encourage people to handle social relations in the same way they approach machinery.
Today, social engineering is almost always used as a reference for deceiving people to obtain valuable information – usually as part of a cyberattack.
How and Why does it work?
Carnegie Mellon University explains social engineering as follows:
“Social engineering is the tactic of manipulating, influencing or deceiving a victim in order to gain control over a computer system or to steal personal and financial information.
It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
However, this definition does not mention the one core ingredient that all social engineering attempts rely on to succeed: Trust.
Humanity's inherent, instinctive desire to “trust” others, combined with that other key human “flaw”: our inability to focus completely and constantly, and to exercise 100% diligence at all times.
There’s a reason for this. We are not machines.
And cybercriminals know it. In fact, they rely on it – investing in well-paid experts in the human sciences to increase their chances of success.
Social engineering takes full advantage of some of the following human behaviour traits:
- Our desire to be helpful
- Our tendency to trust
- Appealing to our ego and pride
- Reacting to authority
- Being part of the majority and following the crowd
- Fear of missing out
- Fear of shame and embarrassment
- Laziness and the temptation of shortcuts to success
- The tendency to avoid commitment
In short, social engineering means influencing and manipulating people into making decisions or acting in a way they usually would (or should) not.
Types of Social Engineering Attacks
While phishing is the most common (and well-known) of social engineering attacks, there is a wide variety of other methods – all of which deploy the basic social engineering logic to do harm:
- Phishing: scammers use communication (usually emails) to “fish” for information. The messages often look identical to ones from trusted sources that you might expect to be contacted by
- Spear phishing: attacks occur when hackers target a specific individual or organisation – with 60% of IT decision-makers believing that targeted phishing attacks are their highest security threat
- Whaling: phishing attacks that target a specific, high-profile person. Usually, these might target your MD, CEO or a senior manager
- Smishing and vishing: phishing via the use of SMS text messages or by voice – usually done over the phone
- Baiting: luring victims into providing valuable or sensitive information by promising them something valuable in return – such as pop-up ads that offer free games, music, or downloads
- Piggybacking / Tailgating: a type of attack in which a person allows an unauthorised person physical access to a restricted area
- Pretexting: when a person (usually an employee) creates a fake persona or abuses their role – the most common method of “insider threat” and breaches from the inside
- Business Email Compromise (BEC): a type of email scam where an attacker targets a business to defraud them. A business email compromise is a common, significant and growing challenge – targeting organisations of all sizes
- Quid Pro Quo: a quid pro quo attack is when a social engineer offers a service, usually “tech support,” in exchange for access to secure information
- Honeytraps: global romance fraud cost individuals nearly $1 billion in 2021, the third-highest internet crime loss. Honeytraps work by people being duped into sending money to criminals, who go to extensive lengths to gain their trust and convince them that they are in a genuine relationship. The fraud process can take many months, or even years, to be uncovered, and the emotional and financial impact is significant
- Scareware: malicious software that tricks users into visiting malware-infested websites. It is also known as deception software, rogue scanner software, or fraudware
- Watering Hole: a computer attack strategy in which an attacker guesses or observes which websites an organisation often uses and infects one or more of them with malware
How can you fight back against social engineering?
The following steps will help you to reduce the chances of a social engineering attack on your organisation, but the key is diligence and consistency. As soon as one member of your team lets their guard down, is distracted, tired or stressed – the risks increase immediately.
- Build your Human Firewall: a positive, supportive business culture that has privacy and security in its foundations
- Training and Awareness: help staff to be able to identify signs or triggers that may suggest what they have received (email, text or voice-based) might not be what it says it is
- Be conscious of your weak spots and seasonality – such as days of the week when you or your team are under the most pressure or fatigued, or during periods of lower staffing levels due to annual leave etc. These times, especially in sectors such as education and finance, are specifically targeted, as they present the attacker with a higher likelihood of success
- Test and Measure: carry out simulated phishing attacks to measure how good your team is at recognising a possible attack – but do so in a positive, supportive way. You are trying to develop trust – not fear
- Strong Technical Controls: ensure that you have robust technical (IT) controls in place and that they are up to date and “patched”. These include, for example, firewalls, antivirus and anti-malware, patch management, external/internal penetration testing, and strong and consistent access management policies
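As an added illustration of the “Training and Awareness” and “Strong Technical Controls” points above (example code written for this edit, not part of the original Insight or of any product it mentions), the following Python script scores an e-mail message against the impersonation cues the article describes: a display name that borrows a well-known brand, a look-alike sender domain, a Reply-To that routes answers elsewhere, pressure language, and a link whose visible text disagrees with where it really points. The brand allow-list, the review threshold and the three sample messages are all constructed for the example; a real mail gateway would maintain its own list and tune the threshold to its own traffic.

```python
"""Heuristic phishing-indicator scoring (added example; constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

# Constructed allow-list: brands the organisation expects mail from and their genuine
# sending domains. Hypothetical values for this example only.
TRUSTED_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "examplebank": {"examplebank.com"},
}
ALL_LEGIT = set().union(*TRUSTED_BRANDS.values())

# Pressure phrases that play on the "fear" and "authority" levers discussed above.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|will be suspended|verify now|final notice)\b", re.I)

# <a href="X">Y</a>: captures the real target X and the visible text Y.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>\s*([^<]+?)\s*</a>', re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an e-mail address or URL, without a leading 'www.' ('' if none)."""
    addr = addr.strip()
    if "@" in addr:
        dom = addr.rsplit("@", 1)[1].lower()
    else:
        m = re.match(r"https?://([^/:?#]+)", addr, re.I)
        dom = m.group(1).lower() if m else ""
    return dom[4:] if dom.startswith("www.") else dom


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when `domain` imitates a trusted domain (paypa1.com, paypal.com.evil.net) but is not one."""
    if not domain or domain in ALL_LEGIT:
        return False
    # Distance <= 2 is deliberately loose; short legitimate domains may need a tighter bound.
    return any(edit_distance(domain, legit) <= 2 or domain.startswith(legit + ".")
               for legit in ALL_LEGIT)


def phishing_indicators(raw: str) -> List[str]:
    """Return the list of indicator names found in one RFC 822 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    found = []

    # 1. Display name borrows a trusted brand, but the address is not one of that brand's domains.
    name = display.lower().replace(" ", "")
    if any(brand in name and sender_dom not in legit for brand, legit in TRUSTED_BRANDS.items()):
        found.append("brand_impersonation")

    # 2. Sender domain is a near-miss of a trusted domain.
    if is_lookalike(sender_dom):
        found.append("lookalike_domain")

    # 3. Replies are silently routed somewhere other than the claimed sender.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != sender_dom:
        found.append("reply_to_mismatch")

    # 4. Pressure language in the subject line or body.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", errors="replace")
    if URGENCY.search(msg.get("Subject", "") + "\n" + text):
        found.append("urgency_language")

    # 5. Visible link text shows one domain while the href goes to another.
    if any(domain_of(shown) and domain_of(shown) != domain_of(href)
           for href, shown in ANCHOR.findall(text)):
        found.append("link_mismatch")
    return found


def triage(raw: str, threshold: int = 2) -> Tuple[str, List[str]]:
    """'review' when at least `threshold` indicators fire; a single one is common in real mail."""
    inds = phishing_indicators(raw)
    return ("review" if len(inds) >= threshold else "ok"), inds


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "PayPal Support" <security@paypa1.com>
Reply-To: helpdesk@mail-recovery.example
Subject: Urgent: your account will be suspended within 24 hours
Content-Type: text/html

<p>Verify now: <a href="http://paypa1.com/login">https://www.paypal.com/signin</a></p>
"""
LEGITIMATE = """\
From: "Example Bank" <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for last month is available in online banking.
"""
INTERNAL = """\
From: "Facilities" <facilities@examplebank.com>
Subject: Please book your desk immediately for next week
Content-Type: text/plain

Desk booking closes on Friday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE), ("internal", INTERNAL)):
        print(label, triage(sample))
```

The point of the threshold is the one the article makes about trust: a single cue such as “immediately” appears in plenty of genuine internal mail, so flagging on it alone trains people to ignore the warning, whereas several cues together (borrowed brand, near-miss domain, diverted replies, pressure, disguised link) are exactly the pattern staff awareness training asks them to recognise.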
Social engineering is both a terrifying and fascinating subject, not least because it shines a light on the frailties of the human species – and highlights that cyber criminals probably understand more about us than we do ourselves.
The key to reducing social engineering risk is two-fold: Technical and Human defence.
As essential as it is to invest in strong, robust IT and technical controls – the employee remains a constant risk, and it only takes a second to make the wrong choice.
We will end this week's Insight with a quote by Kevin Mitnick.
Kevin is an American computer security consultant, author, and convicted hacker. He is best known for his high-profile 1995 arrest and spending five years in prison for various computer and communications-related crimes. He now runs the security firm Mitnick Security Consulting and is also the Chief Hacking Officer and part owner of the security awareness training company KnowBe4.
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.” – Kevin Mitnick