What are some of the most common social engineering examples and attack techniques that individuals and organizations need to know?
Social engineering is arguably the most successful technique used by fraudsters, both today and throughout history. Indeed, the rush of data breaches that have hit the headlines in recent years has invariably involved social engineering at some point during the attack. The International Association of Privacy Professionals (IAPP) wrote an article last year which sums the situation up; it is entitled: “Human error prevailing cause of breaches.”
To analyze the situation, we need to reduce attack techniques down to basics and look at the underlying techniques used in what can often be multi-part, highly sophisticated cyber-attacks.
In this blog article, we outline the most common social engineering examples and attack techniques. Understanding the ‘how’ can help in choosing the right countermeasures to mitigate socially engineered cyber-attacks.
Below are five of the most prevalent and successful cyber-attacks that have a social engineering element as their basis. This gives you a flavor of the complexity and success rate of such attacks.
BEC is also sometimes called ‘CEO fraud’ or ‘Whaling’. Whaling emails are a form of spear phishing email that usually involves someone masquerading as a senior-level executive like a CEO, CSO or COO asking another employee, in the finance department for example, to transfer money to a vendor, partner or outside third-party entity.
The objective of this scam is to trick a company into moving large sums of money to a fraudster’s bank account. BEC cost 20,373 individual U.S. businesses around $1.2 billion in 2018, according to the FBI's Internet Crime Report (ICR). The typical sub-components of the scam involve surveillance on a target company/employee(s), by
BEC may or may not involve using hacking techniques such as email account compromise.
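The whaling pattern described above (an executive's name on an external address, a Reply-To that diverts the conversation, and an urgent payment request) can be screened for at the mail gateway. The following is an added illustration, not code from the original article; the executive list, domain and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives likely to be impersonated (hypothetical data).
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}
INTERNAL_DOMAIN = "example.com"
PAYMENT_TERMS = ("wire", "transfer", "urgent", "invoice", "payment")


def score_bec_indicators(raw_message: str) -> dict:
    """Return the whaling/BEC indicators present in a raw RFC 5322 message.

    Three classic tells are checked:
      - the display name matches an executive but the address is not that executive's
      - Reply-To points somewhere other than the From address
      - an external sender asks for money with urgency
    Two or more indicators mark the message as suspicious for manual review.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()

    indicators = []
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        indicators.append("exec_display_name_external_address")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        indicators.append("reply_to_mismatch")
    if from_domain != INTERNAL_DOMAIN and any(t in text for t in PAYMENT_TERMS):
        indicators.append("external_payment_request")
    return {"from": from_addr, "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample: a whaling attempt using the CEO's name on a webmail address.
SAMPLE_WHALING = """From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: ceo.office@mailbox.example
Subject: Urgent wire transfer needed today

Hi Bob, please process a wire transfer of $48,500 to the vendor below before 5pm. I'm in meetings, email only.
"""

# Constructed sample: a legitimate internal message from the real executive address.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 budget review

Can you send me the latest deck before Thursday?
"""
```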
According to Proofpoint’s State of the Phish Report 2019, 83% of companies in 2018 were targeted by a phishing campaign. The targeted form of phishing, spear phishing, was experienced by 64% of companies.
Watering hole attacks are the ultimate attack based on surveillance of the target company.
The attack’s ultimate goal is to either steal privileged user login credentials or infect a network with malware. The cybercriminal(s) behind the attack learn which websites the targets visit most often, then search those sites for vulnerabilities. If one is found, they exploit the flaw to set a trap and wait for the target to visit the site. Once a target does, malicious code is delivered into the target’s network and the malware infection is carried out.
This form of social engineering relies on creating trust and a relationship.
For example, a fraudster pretends to be from human resources. They call asking for your details to update the company records. Pretexting and faking often use social media platforms to carry out the scam.
Tailgating is usually a low-tech form of social engineering. Typically, you may see this expressed as a fraudster tricking their way into a corporate building by pretending to be a delivery person or similar. A famous example of this was Colin Greenless, a security consultant at Siemens Enterprise Communications, who showed how easy it was to gain unauthorized entry to a building.
Social engineering scams may combine one or more of the above, creating multi-faceted socially engineered attacks that make it hard for organizations to protect their cybersecurity posture.
The most common attack techniques behind social engineering scams include:
Surveillance is social engineering 101. Social engineering attacks such as Business Email Compromise (BEC) and spear-phishing are heavily reliant on good intelligence about the target. This allows the cybercriminal(s) to create highly tailored attacks.
For example, in the crime of BEC, the fraudster may spend months intercepting emails to find out which suppliers receive regular payments. They will then change the details of an invoice as part of the scam to elicit payment to a fraudster’s bank account.
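The invoice-manipulation step above is the point where a finance process can catch the fraud: an invoice whose payee bank details differ from the vendor master, or which arrives from a domain other than the vendor’s, should be held for out-of-band verification. The following is an added illustration, not code from the original article; the vendor master record, IBAN and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    iban: str            # bank details already on file (constructed sample value)
    contact_domain: str  # domain the vendor's billing emails normally come from


# Constructed vendor master data (hypothetical).
VENDOR_MASTER = {
    "acme supplies": VendorRecord("Acme Supplies", "GB29NWBK60161331926819", "acme-supplies.example"),
}


def _norm_iban(iban: str) -> str:
    """Strip spaces and case so formatting differences do not mask a real change."""
    return iban.replace(" ", "").upper()


def review_invoice(vendor_name: str, invoice_iban: str, sender_email: str) -> tuple:
    """Return ('release', []) or ('hold', reasons).

    'hold' means payment must not be made until the change is confirmed with the
    vendor through a channel already on file (e.g. a phone number from the master
    record, never one printed on the suspect invoice).
    """
    rec = VENDOR_MASTER.get(vendor_name.strip().lower())
    reasons = []
    if rec is None:
        reasons.append("unknown_vendor")
    else:
        if _norm_iban(invoice_iban) != _norm_iban(rec.iban):
            reasons.append("bank_details_changed")
        domain = sender_email.rsplit("@", 1)[-1].lower()
        if domain != rec.contact_domain:
            reasons.append("sender_domain_mismatch")
    return ("hold" if reasons else "release", reasons)
```

A routine invoice with the bank details on file is released; one carrying a new IBAN from a look-alike domain is held with both reasons recorded.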
Social grooming is often an integral part of a socially engineered attack. Building trusted relationships and creating empathy with targeted staff can help ensure a scam is successful.
Grooming is often intrinsically linked with the surveillance carried out as part of the attack. Fraudsters will prepare for the end game by building a rapport with any employees that are integral to executing the attack, e.g. someone in the finance department.
According to CSO Online, “deepfakes are fake videos or audio recordings that look and sound just like the real thing”.
Cybercriminals, like the rest of the business world, are always looking to optimize processes. Deepfakes are one form of automating cybercrime, and they are beginning to bear fruit for the cybercriminals. Deepfakes use Artificial Intelligence (AI) techniques to trick people into thinking they are looking at or listening to someone other than the fraudster.
In a recent example, a CEO was tricked into thinking he was talking to his parent company’s head using a deepfake voice call. The CEO moved $243,000 into the scammer’s account thinking it was a legitimate request.
The psychology of social engineering is low-tech in its ethos but may use high-tech means to execute the sting.
Social engineering is built upon the manipulation of natural human traits like trust, empathy, the need to do a good job, and urgency. Simple deep-rooted behavior such as reciprocity, i.e., the process of “you pat my back and I’ll pat yours”, can go a long way in executing a successful cybercrime.
Fraudsters are masters of manipulation, and creating a ruse that will result in a financial gain is their area of expertise. They will use every trick in the book to get you to click on a malicious link, download an infected attachment or move money from the company account to their spoofed vendor account.
Social engineering is here to stay. As we have seen in the common social engineering examples listed above, it is a highly successful tactic in the execution of a cyber-attack. By combining intelligence gathered through surveillance with manipulation techniques that take advantage of human behavior, a cybercriminal can execute a cybercrime.
It is successful because technology alone cannot prevent social engineering from being used to extract information or initiate an event. Instead, we must turn to our own staff to help us build defenses against social engineering-based cyber-threats. Making sure that employees understand how cybercriminals operate and manipulate behavior is a fundamental step in preventing these attacks from being successful. While cybercriminals continue to exploit our natural instincts, like trust and urgency, we must fight back with knowledge: security awareness training for staff and a clear view of our current cybersecurity posture.