Why Social Engineering is So Effective
You may have heard of social engineering before. It is an IT administrator's and cybersecurity professional's worst nightmare. Why? Social engineering is the one attack vector that IT professionals cannot safeguard against.
Social engineering is not just an IT problem anymore, though. During the past five years, the entire world has witnessed large-scale social engineering attacks taking place publicly on social media. Experts are sounding the alarm, yet this is a problem with no easy solution. Security awareness training, and even technical cybersecurity courses, can help somewhat, but it is still a big problem.
Let's talk about social engineering, what social engineering is, and why social engineering is so effective.
What is Social Engineering?
Social engineering is manipulating a person or a group of people into performing a desired action.
That is a very sanitary definition of social engineering. So, what does that mean?
Let's say that you and a group of friends want to go out to dinner. All your friends want to go to an Italian restaurant, but you do not like Italian food. You are a witty person, though, so you convince your friends to go to a gastropub for burgers instead.
While that is a tame example of social engineering, the point remains the same. You convinced your adversaries (friends in this case) to perform an action they did not want to perform.
Social engineering is not a new concept. Historians have found examples of social engineering attacks dating back thousands of years. Despite that, social engineering has become a major issue today.
Why is that?
Social engineering attacks are typically highly targeted. Attackers launch campaigns against specific individuals who can either act to benefit the attacker in some way or who hold information the attacker needs. With the advent of large-scale digital communication and social media, however, social engineering has also evolved into a broad-scale attack vector.
This is why social engineering is both much more dangerous and effective than it once was. Social engineers can launch campaigns against large groups of people or even entire countries today.
An Overview of Social Engineering [VIDEO]
In this video, Keith Barker covers some of the social engineering techniques and tactics that hostile actors use. Social engineering isn't simply about stealing data or money; the same techniques can also be deployed to influence the thinking of a group of people. If an attacker or group could shape the minds and thoughts of tens or hundreds of millions of people, the consequences could be monumental.
What is Social Engineering Used For?
Social engineering is used to either convince a person to perform an action they might otherwise not perform or gain information that social engineering attackers need. That is an overly broad definition, but that is what social engineering is used for.
IT professionals hate social engineering because it is the one vector in IT that administrators cannot control. A system is only as strong as its weakest link. In many cases, the weakest link in computer systems is the people running those systems.
Many of the hacks that you hear about in the media were launched with social engineering attacks. One of the largest crypto-malware attacks against a steel company in 2019 began as a social engineering attack. In that hack, attackers sent a malicious payload hidden inside an Excel sheet to a specific person within that steel company. We've all been told not to click on links or open files in emails that are sent to us, but what if that Excel document comes from a business contact at a vendor your company works with, you recently spoke to that contact, and you were expecting that Excel document in your email? You would probably open it, and that is exactly what happened.
In another example, Kevin Mitnick, a well-known hacker, once called a television station in the '80s posing as an IT technician. Mr. Mitnick wanted to watch a certain movie. Through social engineering, he was able to convince employees at that television station to give him the information he needed to telnet into that television station's IT network and gain control of it.
By now you probably have a good idea of what social engineering is, why it is so dangerous, and what it is used for. In most cases, it is easier to exploit humans than to hack computers. Hackers understand this, too. So, most hacking campaigns targeting businesses start with some form of social engineering attack.
Social engineering has evolved beyond attacking businesses, though. Groups of people are now launching large-scale social engineering attacks against individuals, too.
The most common example of this is the phishing emails you receive. Those phishing emails are crafted to impersonate another business, such as Facebook or Amazon, to convince someone to give the attackers sensitive information like login credentials.
These kinds of social engineering attacks are a numbers game, but they work. Sending email in bulk is extremely cheap. Even accounting for the low percentage of people who will be convinced by these phishing emails, and for the spam filters that block many of those malicious messages, it has proven worthwhile for attackers to keep pursuing these kinds of phishing campaigns.
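The impersonation described above leaves a trace that defenders can check mechanically: the display name or domain of the sender claims to be a brand, but the mail does not come from a domain that brand actually uses. The following is an added example, not code from the original article, of a small triage check a mail administrator could run over the From: header of incoming messages. The brand-to-domain table, the homoglyph substitutions, and the sample headers are constructed for the example, and the registered-domain extraction is a deliberate simplification (a real deployment would consult a public-suffix list).

```python
from email.utils import parseaddr

# Constructed for this example: brands that phishers commonly impersonate and
# the domains those brands send mail from. This is an assumption for the
# example, not an authoritative list.
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Digits that lookalike domains often swap in for letters (0 for o, 1 for l, 3 for e).
_HOMOGLYPHS = str.maketrans("013", "ole")


def split_sender(from_header):
    """Return (display_name, sender_domain) from a From: header, lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.lower(), domain.lower()


def registered_domain(domain):
    """Crude registered-domain extraction: keep the last two labels.

    Simplification for the example; real code should use a public-suffix list
    so that e.g. 'amazon.co.uk' is handled correctly in general.
    """
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def impersonation_findings(from_header):
    """List the ways a From: header appears to impersonate a known brand.

    An empty list means no brand-impersonation indicator was found.
    """
    name, domain = split_sender(from_header)
    base = registered_domain(domain)
    # Undo the digit-for-letter trick before looking for brand names.
    name_norm = name.translate(_HOMOGLYPHS)
    domain_norm = domain.translate(_HOMOGLYPHS)
    findings = []
    for brand, legit_domains in KNOWN_BRANDS.items():
        if base in legit_domains:
            continue  # mail really comes from this brand; nothing to flag
        if brand in name_norm:
            findings.append(
                f"display name '{name}' claims {brand} but sender domain is '{domain}'")
        if brand in domain_norm:
            findings.append(
                f"sender domain '{domain}' mimics {brand} but is not a known {brand} domain")
    return findings


# Constructed sample headers, from benign to impersonating.
SAMPLE_HEADERS = [
    "Amazon <no-reply@amazon.com>",
    "Facebook <notification@facebookmail.com>",
    "Bob <bob@example.org>",
    "Amazon Customer Service <security@amazon-account-verify.net>",
    "Support <help@amaz0n-support.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        findings = impersonation_findings(header)
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{verdict:10} {header}")
        for finding in findings:
            print(f"           - {finding}")
```

The check is intentionally narrow: it only tests whether the claimed brand matches the sending domain. Mail from a genuinely compromised vendor account, like the Excel example earlier in the article, passes this test, which is exactly why technical filters alone do not solve the problem the article describes.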
Social engineering attacks have evolved even further, though. With the advent of social media networks like Facebook and Twitter, social engineering attacks can be performed on a much larger scale. This is the controversy behind the 2016 United States presidential election. Many security researchers have claimed that Russia launched a large-scale social engineering campaign against United States citizens with the hope of assisting Donald Trump to win that election.
The United States is not the only country that security researchers claim that Russia has attacked in this manner, though. Security researchers believe the same types of attacks have been used against the United Kingdom, Australia, France, and other countries as well.
As technology advances, social engineering will only become a more powerful attack tool. Things like social media make social engineering attacks possible on a broad scale. Though social engineering may lean more towards psychology than information technology, IT administrators and security researchers need to stay informed about new forms of social engineering attacks so they can be better prepared.
Social Engineering Tactics
Social engineering attacks come in many forms. No two social engineering attacks are the same. That is because social engineering attacks need to be carefully crafted for their target to work effectively. This is true even for large-scale attacks utilizing tools like social media that are capable of targeting millions of people. Nonetheless, all social engineering attacks have similarities that exploit the human condition. Let's discuss those six different commonalities.
Using authority for Social Engineering
One common trait of social engineering attacks is the use of authority. In other words, the attacker performing the social engineering attack imitates a person of authority.
Think about it. If a person walked up to you dressed and acting like a police officer, and that person asked you for your phone number, claiming they might need to contact you later about a recent incident in the area, you would probably be more likely to give that person your phone number. On the other hand, if someone wearing tattered jeans and a t-shirt asked you for the same information, you would not trust them.
By nature, people trust others in a position of authority. It's not uncommon for a social engineering attacker to pose as something like a manager of a company or someone that works in an IT department because people will give a lot of weight to requests made by those kinds of people.
Using Intimidation for Social Engineering
Another common trait of social engineering attacks is intimidation. One of the more common social engineering attacks circulating currently is an IRS scam. This attack involves people posing as IRS agents stating that they will charge their victims with a crime if they do not comply with the attacker's demands.
Though that scam may sound laughable, it does work. Intimidation is a social engineering tactic that works very well. By nature, most people do not enjoy confrontation. People want frictionless interaction. Having to push back against a social engineer using intimidation goes against many people's natural state of interaction. Social engineers understand that trait about people and commonly exploit it.
Using Consensus for Social Engineering
Consensus is a common social engineering trait, too. After all, if everyone else is doing something, it must be right. Correct?
I'm sure your parents asked you when you were younger, if your friends jumped off a bridge, would you jump off of it, too?
Consensus leans closer to peer pressure. It works, though. No one wants to be the odd person out. Working against the grain of society is not natural to humans. We prefer to flow with our tribe. So, social engineers use some form of consensus to convince people to do things.
Using Scarcity for Social Engineering
Social engineering is used for more than attacking businesses. Would you believe that salespeople use social engineering to convince people to buy things?
How many times have you seen a commercial telling you to act quickly because there is only a limited quantity of a product left to buy, or because a sale only lasts for so long? This is a common way to exploit people.
Scarcity can also be called FOMO or fear of missing out. It's human nature to want to be included. So, if you tell someone that there is a very limited chance to be included in something, they will most likely act on it.
Using Familiarity or Trust for Social Engineering
Familiarity and trust are the unicorns of social engineering attacks. That's because if an attacker can gain your trust, there is a good chance they can get you to do just about anything. Trust does not come easily, though. Trust takes a lot of time to develop and nurture. So, trust is exceedingly difficult to exploit.
There are different levels of trust. As an example, if a friend tells you that a restaurant is good, you most likely wouldn't question their opinion. You would put a lot of trust in your friend and visit that restaurant. If a stranger told you the same thing, though, there's a good chance you would look for reviews about that restaurant before visiting it.
Let's rewind for a second. What if that stranger took the time to get to know you? For a couple of months, you and that stranger had multiple conversations and became friends. Now, you may not give that person the same level of trust as your best friend of 20 years, but if they gave you that same restaurant recommendation at that point, you likely wouldn't question it.
This is why using familiarity and trust is so difficult for a social engineering attack. It takes time to develop, but if a social engineer can gain that level of trust, their attacks are almost sure to be effective.
Using Urgency for Social Engineering
Last, but not least, another common trait of social engineering attacks is urgency. Urgency isn't the same thing as scarcity, though both might look similar. Using urgency is about creating a situation in which a victim does not have time to react normally.
For instance, if you received a phone call from someone claiming to be the assistant of the CEO for the company you work for, and that person is claiming the CEO needs your TPS report in the next 20 minutes for a meeting, you might be inclined to help that person out.
In that scenario, the attacker is creating a sense of urgency for you to respond to. After all, if the CEO doesn't have your TPS report, they are going to look like a fool in their meeting. That might have serious repercussions for you, too. So, you give in and comply.
That example might be a little over-the-top, but the effect is the same. By using a sense of urgency, social engineering attackers exploit the human condition just enough to make you comply with their requests.
We have covered a lot of information in this article, but let's do a quick recap.
Social engineering is a form of manipulation with the goal of getting a person or group of people to perform an action or release information they might not otherwise.
Though social engineering has existed in one form or another for thousands of years, recent technological advancements, like social media, have made social engineering attacks much more powerful. That's because social engineering attacks can now target millions of people, or even entire countries, for little to no cost.
All social engineering attacks are different but do utilize at least one of six common traits — though multiple traits are typically used in conjunction with each other.