The most devastating cybercrimes don't originate from complex code and clever algorithms. Their foundation is human thinking and behavior. Through social engineering, attackers learn which of your (metaphorical) buttons to push to mislead you into risky behavior. The results of the deception range from a single malware infection to a large-scale security breach.
Since social engineering relies on human psychology and motivations, it's a particularly insidious cybercrime. The more you understand it, the better you can combat it. This article covers:
- What is social engineering and how it works
- Types of social engineering attacks
- How to identify threats and protect yourself against attacks
Understanding Social Engineering
Definition of social engineering
Social engineering is a manipulation technique that exploits human error to gain access to private information and resources. Scams trick users into exposing data or systems, or into spreading malware. Social engineering crimes are also known as "human hacking" because they rely on human thinking and actions rather than on technical flaws.
A social engineering attacker typically has two goals: to cause disruption and damage, and to steal valuable assets such as information, money, or access. The defining characteristic of this type of attack is that it misleads you into helping the attacker commit the crime.
Firewall Times reports that over 98% of cyber attacks involve some form of social engineering. Additionally, the average organization is a target for at least 700 social engineering attacks per year.
Common social engineering techniques
Attackers exploit how humans think and behave, and where they lack knowledge. For example, a user might not realize how giving out a phone number leaves them vulnerable. The efficacy of a social engineering attack depends on the attacker's powers of persuasion: the more convincing they are, the more likely you are to do something you wouldn't ordinarily do.
One trait of social engineering attacks is emotional manipulation. The attacker may spark emotions that drive your risky behavior. Some emotions they exploit are:
- Fear
- Excitement
- Curiosity
- Anger
- Guilt
Another is urgency. For example, you may get an email or text that requires you to visit a website immediately, or an offer that is only available until midnight. When the attacker creates false urgency, you act less carefully, such as by filling out a form you would normally ignore.
Trust is the foundation of social engineering. The attacker has done enough research on you to know exactly how to connect with you and earn your trust. For example, in a CEO fraud attack someone convincingly impersonates your CEO. They have done their homework on your CEO and company and may deceive you into handing over confidential HR information.
How social engineering works
To reduce risk, organizations must understand what social engineering is at its core. It is not about launching a virus that shuts down a network. Instead of forcibly wresting away your technology and private information, the attacker persuades you to hand them over.
A typical social engineering attack cycle starts with gathering information about you, your background, and the groups you belong to. After this preparation, the attacker approaches you through interactions that seem trustworthy. Once they have your trust and are past your defenses, they carry out the attack and disengage as soon as you have done what they wanted.
Types of Social Engineering Attacks
Phishing attacks
Phishing is when an attacker pretends to be a trustworthy person or organization in order to gain access or get you to expose your private information. Two types of phishing scams are spam phishing and spear phishing. Spam phishing is a widespread, non-personalized attack. Spear phishing uses personalized information to attack specific users, particularly high-value targets like executives, senior government officials, and celebrities.
One recent example of a widespread spam phishing attack, delivered by text message (smishing), was the "UPS text" scam. The message claimed to be from UPS and said the recipient had missed a package delivery. The link led the user to a page that harvested sensitive information, infected the device with malware, or demanded a bogus redelivery fee.
Baiting and tailgating
Baiting manipulates you into exposing personal data or running something malicious. The "bait" is usually a fake free or exclusive reward, and the usual result is a malware infection on your computer.
One standard baiting method is an email attachment advertising a free offer or fraudulent free software. Another is a USB drive left in a public place such as a library or a parking lot, in the hope that someone will pick it up and plug it into a work computer. Tailgating is the physical counterpart: the attacker follows an authorized person through a secured door, often by carrying something or asking them to hold it open, to reach equipment and documents that are out of reach remotely.
Pretexting
Pretexting is when an attacker uses a false identity and a fabricated scenario (the pretext) to deceive the user into trusting them. This may mean impersonating an employee or vendor so that the attacker can lure you into direct interaction. After they trick you, they may do anything from launching malware to extracting confidential information.
Protecting Against Social Engineering
Importance of strong passwords
Too often, people use one easy-to-remember password, like their pet's name, for multiple accounts and leave it unchanged for years. Cisco suggests creating policies for the type of passwords employees should use.
For example, the guidelines should specify a minimum length and the types of characters allowed. The policies should also state when employees must change their passwords. Note that current guidance such as NIST SP 800-63B recommends forcing a change only when a password is suspected to be compromised rather than on a fixed schedule, because scheduled rotation tends to produce weak, predictable variations of the old password. A simple rule such as urging employees never to share their passwords protects confidential data.
Where you store your passwords matters as much as what they are. A password manager helps you create, protect, fill in, and update your passwords. Consider one that syncs across your devices for greater convenience.
Two-factor authentication
High-risk network services like VPNs and modem pools should use multi-factor authentication as another layer of security. For example, an employee confirms a desktop login with a code or prompt on their mobile phone. An attacker may be able to guess or phish a password, but they cannot complete the login without the second factor, which only the employee holds.
Two-factor authentication methods include one-time passcodes, biometric authentication like a fingerprint scan, SMS codes, and push notifications. They do not resist social engineering equally: an SMS or app-generated code can be phished and relayed in real time, and a push prompt can be approved by a user worn down by repeated requests, so where they are available, phishing-resistant methods such as FIDO2/WebAuthn security keys are the strongest choice.
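As an added example (it is not code from this article or from LastPass), the following Python script implements the one-time passcode method listed above as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP), using only the standard library. The secret "12345678901234567890" is the test value from those RFCs; the one-step acceptance window on either side of the current time, the set of already-used counters for replay protection, and the "ExampleCorp" issuer are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided into 30-second steps."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, used_counters: set,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step or one within
    +/- `window` steps (clock skew), and refuses any counter that was already
    accepted, so a code that has been used once cannot be replayed (assumption:
    the caller keeps `used_counters` per user)."""
    now_counter = int(at_time // step)
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter in used_counters:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            used_counters.add(counter)
            return True
    return False


def provisioning_uri(label: str, secret: bytes, issuer: str) -> str:
    """The otpauth:// URI an authenticator app reads from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{label}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key
    print(provisioning_uri("alice@example.com", secret, "ExampleCorp"))
    print("code right now:", totp(secret, time.time()))
    used = set()
    code = totp(secret, 59)  # RFC 6238 test time, counter 1 -> "287082"
    print("first use accepted:", verify_totp(secret, code, 70, used))
    print("replay accepted:", verify_totp(secret, code, 70, used))
```

A password alone gets an attacker nowhere here, and a code that has already been accepted is rejected on reuse. What verify_totp cannot tell is whether the code it received was typed by the employee or relayed by an attacker who phished it seconds earlier, which is the limitation behind the recommendation for phishing-resistant factors above.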
Employee awareness training
Tossing a 50-page cybersecurity manual at an employee is ineffective for learning and reinforcement. They will most likely consult the document only when they have a problem, if they can understand it at all. Instead, embedding cybersecurity into your organization's culture and operations is critical to getting the most out of your technical protections. Your employees should be able to confidently answer the question, "What is social engineering?"
Reduce the risk of attacks through awareness training. Make the training engaging and interactive, so you are not simply talking at your employees. For example, some organizations onboard new employees with online modules followed by quizzes that reinforce what they learned. Discuss recent attacks on similar organizations and any past security incidents your own organization has had.
Be creative with your cybersecurity training. Many organizations run simulated phishing campaigns against their own staff using their existing tooling, or even stage a real-time drill, and use the results to target follow-up training.
Recognizing Social Engineering Indicators
Red flags to watch out for
Some indicators Webroot suggests are:
- Emails from a seemingly trusted source asking for your help. For example, it could be an email from your "coworker" asking you for information about a company credit card.
- Messages posing as a legitimate organization, like a bank, to extract information.
- A message about an action you are sure you never took. The UPS example draws your attention to a waiting package you never ordered.
Suspicious online requests
A few examples of questionable requests include:
- Asking you to donate to a charity or other cause. These attackers will use whatever the current hot-button societal issue is to tempt you.
- Notifications that you're a 'winner.' To receive your winnings, you must fill out a form or provide your address or bank details.
- A response to a question you never asked. An attacker may pose as your bank or another institution, knowing that an email from them will spark your curiosity more than one from a completely unknown organization. They might ask you to authenticate yourself or to give them access to your organization.
Unusual phone calls or emails
Concerning phone calls and emails overlap with the other indicators above, and sometimes they are easier to spot. For example, if a criminal posing as your bank texts you from a number with odd formatting, such as large spaces between the digits, that should make you suspicious.
A sneaky type of email presents a problem and asks you to verify something, usually by clicking a link or filling out a form. The email and the form may accurately mimic a familiar company's logo and style, so you may believe it really is them. These phishing scams often warn that you must act soon or face consequences, which makes you anxious to comply. Before you click, compare the link's real destination (hover over it on a desktop, or long-press it on a phone) with the company's genuine domain, and when in doubt, go to the site by typing its address yourself rather than following the link.
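The red flags in this and the previous two sections can be checked mechanically. The following Python script is an added example, not part of the original article or of any LastPass product: it parses a raw email and reports a spoofed brand, a Reply-To that diverts replies elsewhere, link text that hides a different destination, lookalike domains, and urgency or verification language. The two sample messages, the brand allow list (BRAND_DOMAINS) and the phrase lists are constructed for the demo, and registrable() approximates a public-suffix lookup with the last two labels of a hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed heuristics: phrases that signal manufactured urgency or a verification request.
URGENCY_PHRASES = ("immediately", "within 24 hours", "act now", "will be suspended", "final notice", "urgent")
VERIFY_PHRASES = ("verify your account", "confirm your password", "update your payment", "log in to confirm")
# Hypothetical allow list: brands attackers like to impersonate and the domains they genuinely send from.
BRAND_DOMAINS = {"ups": {"ups.com"}, "paypal": {"paypal.com"}}


def registrable(host: str) -> str:
    """Last two labels of a hostname; a crude stand-in for the public suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_targets(html: str):
    """Yield (visible text, href) for every anchor in an HTML body."""
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        yield re.sub(r"<[^>]+>", "", m.group(2)).strip(), m.group(1)


def analyze(raw_message: str) -> dict:
    """Score an RFC 822 message against the red flags described in the article."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.split("@")[-1]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable(reply_addr.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To goes to {reply_addr}, not the From domain {from_dom}")

    subject = msg.get("Subject", "")
    claimed = f"{from_name} {subject}".lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in claimed and from_dom not in real_domains:
            findings.append(f"Claims to be {brand.upper()} but was sent from {from_dom}")

    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )

    for text, href in link_targets(body):
        host = urlsplit(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())  # a domain shown in the link text
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(f"Link text shows {shown.group(0)} but points to {host}")
        labels = re.split(r"[^a-z0-9]+", host.lower())
        for brand, real_domains in BRAND_DOMAINS.items():
            if brand in labels and registrable(host) not in real_domains:
                findings.append(f"Lookalike domain {host} mimics {brand.upper()}")

    lowered = f"{subject}\n{body}".lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    if urgency:
        findings.append("Urgency language: " + ", ".join(urgency))
    verify = [p for p in VERIFY_PHRASES if p in lowered]
    if verify:
        findings.append("Asks you to verify or update something: " + ", ".join(verify))

    score = len(findings)
    verdict = "likely phishing" if score >= 3 else "suspicious" if score else "no red flags found"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages for the demo; neither is real mail.
PHISH = """From: "UPS Delivery" <notify@ups-redelivery.com>
Reply-To: claims@mail-ups-center.net
Subject: Final notice: package on hold
Content-Type: text/html

<p>We could not deliver your package. Pay the redelivery fee within 24 hours or it will be returned.</p>
<p><a href="http://ups-redelivery.com/pay">https://www.ups.com/track</a></p>
"""

LEGIT = """From: "UPS" <no-reply@ups.com>
Subject: Your package has shipped
Content-Type: text/html

<p>Track it at <a href="https://www.ups.com/track?id=1Z999">www.ups.com/track</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyze(raw)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The link check is the one users most often skip: the visible text says www.ups.com while the href goes to a domain the attacker registered, which is exactly what hovering over the link reveals by hand. Keyword hits alone should only raise suspicion; the domain-level findings are the ones worth acting on.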
Best Practices for Social Engineering Prevention
Regular software updates
Don't take your computer's auto-update capability for granted or assume that updates always happen without you. Out-of-date software is easier for attackers to exploit. Check periodically that auto-updates are actually being installed.
Securing sensitive information
Enforce multiple layers of data protection. One option is a solution with features specifically designed to protect large volumes of sensitive data. Be judicious, though, when deciding to partner with a vendor such as a data service provider, because the vendor may be able to access your information.
Implementing access controls
Low-maintenance steps include password management and multi-factor authentication. Other controls, such as adaptive authentication, verify a user's identity based on contextual factors like location, device, time of day, and behavioral analytics, and require a stronger challenge, or block the attempt, when the context looks unusual.
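To show what "contextual factors" means in practice, here is an added example (not the article's or LastPass's code) of an adaptive-authentication risk score in Python. It compares a login attempt with the user's successful history: an unrecognized device, a first login from a new country, impossible travel (great-circle distance over elapsed time above 900 km/h), an unusual hour, and a burst of recent failures, and then allows the login, steps up to a second factor, or denies it. The login history, coordinates, point values and thresholds are all constructed assumptions for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    user: str
    when: datetime          # timezone-aware UTC
    country: str
    lat: float
    lon: float
    device_id: str
    success: bool = True


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


MAX_PLAUSIBLE_KMH = 900  # faster than this between two logins is "impossible travel" (assumption)


def risk_score(history: list[LoginEvent], attempt: LoginEvent) -> tuple[int, list[str]]:
    """Score one attempt against the user's earlier events; higher means riskier."""
    score, reasons = 0, []
    prior = [e for e in history if e.user == attempt.user and e.when <= attempt.when]
    succ = [e for e in prior if e.success]

    if attempt.device_id not in {e.device_id for e in succ}:
        score += 30
        reasons.append(f"unrecognized device {attempt.device_id}")
    if attempt.country not in {e.country for e in succ}:
        score += 40
        reasons.append(f"first login from {attempt.country}")
    if succ:
        last = max(succ, key=lambda e: e.when)
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.when - last.when).total_seconds() / 3600
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h since last login")
    usual_hours = {e.when.hour for e in succ}
    if usual_hours and all(abs(attempt.when.hour - h) > 2 for h in usual_hours):
        score += 10
        reasons.append(f"unusual hour {attempt.when.hour:02d}:00 UTC")
    recent_failures = sum(
        1 for e in prior if not e.success and (attempt.when - e.when).total_seconds() <= 3600
    )
    if recent_failures >= 3:
        score += 20
        reasons.append(f"{recent_failures} failed attempts in the last hour")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to the adaptive response (thresholds are assumptions)."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"  # require a second factor before granting access
    return "allow"


def ts(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)


NEW_YORK = ("US", 40.71, -74.01)
LAGOS = ("NG", 6.52, 3.38)

# Constructed history: alice signs in from her laptop in New York at 09:00 and 14:00 UTC
# on three days; then three failed attempts arrive from an unknown device in Lagos.
HISTORY = [
    LoginEvent("alice", ts(d, h), *NEW_YORK, "laptop-1") for d in (4, 5, 6) for h in (9, 14)
] + [
    LoginEvent("alice", ts(6, 14, m), *LAGOS, "unknown-device", success=False) for m in (20, 25, 30)
]

ATTEMPT_TRUSTED = LoginEvent("alice", ts(7, 10), *NEW_YORK, "laptop-1")
ATTEMPT_NEW_DEVICE = LoginEvent("alice", ts(7, 10), *NEW_YORK, "phone-7")
ATTEMPT_TAKEOVER = LoginEvent("alice", ts(6, 15), *LAGOS, "unknown-device")

if __name__ == "__main__":
    for name, attempt in (("trusted", ATTEMPT_TRUSTED), ("new device", ATTEMPT_NEW_DEVICE),
                          ("takeover", ATTEMPT_TAKEOVER)):
        score, reasons = risk_score(HISTORY, attempt)
        print(f"{name}: score={score} -> {decide(score)}; " + "; ".join(reasons))
```

The point for social engineering is the middle case: a phished password entered from a device the user has never used gets a step-up challenge rather than silent access, while the trusted laptop at its usual hour is not nagged. Scores like these only add friction when the context is wrong, which keeps users from learning to approve every prompt.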
Additional Resources
LastPass security features
One key differentiator between LastPass and other password managers is its zero-knowledge encryption. Only you can access your data and master password, through a unique key derived on your device. This keeps your unencrypted data off our servers and protects the confidentiality of your data.
Securing personal and business accounts
While your business accounts may already have more security, consider leveling up the protection of your personal information, too. A simple step is adding multi-factor authentication to your email account and your bank login. A password manager or authenticator removes the hassle of forgotten passwords and reduces the worry of a breach.
Hackers are using social engineering to deliver increasingly clever attacks. However, now that you understand what social engineering is, you can spot and stop attempts to manipulate you into risking your security. When you encounter something suspicious, ask yourself questions like:
- Am I feeling more emotional than I normally would? (For example, are you suddenly scared, curious, anxious, rushed, etc.)
- Did this message come from a legitimate person or organization?
- Are there suspicious links or attachments?
- Does this seem too good to be true?
Remember, the basis of "human hacking" is exploiting your emotions and behaviors. Slow down, trust your instincts, and be judicious in your internet use and security practices to avoid social engineering schemes.
Keep a pulse on social engineering. Start your LastPass trial today.
FAQ
What is the difference between phishing and social engineering?
The difference between phishing and social engineering lies in scope.
Phishing is a type of social engineering attack that leverages email communications to manipulate victims into divulging proprietary or sensitive information.
Meanwhile, social engineering encompasses a wide range of attacks such as vishing, smishing, pretexting, baiting, tailgating, spear phishing, and whaling.
What is the difference between social engineering and identity theft?
The difference between social engineering and identity theft lies in purpose.
Social engineering involves manipulative tactics that trick you into revealing sensitive data, while identity theft is the acquisition and use of your data to commit illegal acts.
For example, attackers use different social engineering tactics to discover your login credentials, home address, phone number, birth date, or banking information.
Once they have this data, they can access your accounts and perform actions like:
- Making unapproved money transfers or draining your accounts of cash
- Opening new credit lines or completing loan applications
- Filing tax returns in your name
- Carrying out social engineering attacks on people you know
What is the best defense against social engineering?
The best defense against social engineering involves a combined approach, such as:
- Creating strong passwords and storing them in a password manager
- Implementing 2FA or adaptive MFA for strong access controls to protect your accounts from unauthorized access
- Conducting regular awareness training to educate employees about the latest social engineering attacks
- Regularly updating software to prevent hackers from exploiting vulnerabilities in outdated software