Social engineering is one of the most widely used techniques in both criminal and ethical hacking. What exactly is it, and how does it work?
Recently, the CEO of a British company transferred $243,000 to a Hungarian supplier after being asked to do so by the CEO of the parent company. On its own this is a routine business scenario. Unfortunately, the parent company CEO on the call was not who he seemed to be. The British CEO had been scammed using a deepfake: an AI-generated imitation of his boss's voice, a fraud that is both clever and subtle.
Deepfakes and similar modern scams all rely on the same principles of social engineering to achieve their ends.
According to TechTarget, “social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain”.
⇒Indeed, social engineering is nothing new.
The use of psychological pressure to trick a person into doing something is as old as human society. One of the earliest recorded frauds dates from around 300 BC in Greece: the merchant Hegestratos took out a loan secured on his ship and its cargo, intending to sink the empty ship and keep the money. The scam was discovered by the crew, and Hegestratos drowned while trying to escape.
The modern version of social engineering is often centered on financial fraud, identity theft and general theft of data.
⇒Modern social engineering uses a toolbox of tricks.
These tricks turn our natural human behavior against us to nudge us into an action, such as clicking a link in a phishing email or moving a large sum of money to a fraudster's bank account. Modern social engineering is usually a mix of human interaction and technology.
⇒Social engineering is a highly successful form of cyber-attack.
It is often far easier to trick someone into doing something they do every day than to break into an account from the outside. If a cybercriminal wants a password, persuading its owner to hand it over is usually cheaper than attacking the system that protects it.
In ethical hacking, social engineering has become a popular (and very effective) strategy for testing how vulnerable an organization's staff really is.
Used ethically, social engineering lets you find weaknesses before a real attacker does and address your staff-related security issues. A further objective of a social engineering engagement is to propose measures that raise the overall level of confidentiality, integrity and availability of your corporate data.
Social engineering works because it uses our own natural behavior against us. Examples can help to point out the tricks of the social engineering trade.
The recipient receives an email that appears to come from their bank. In reality it is a phishing email designed to steal login credentials and other personal data. The fraudster behind it exploits predictable human behavior, above all trust in a familiar brand and a sense of urgency, to make the scam work.
The story at the beginning of this article is a good example of technology being used to augment social engineering. Deepfakes use the same psychological tricks as other frauds but add artificial intelligence to the mix.
The CEO in the deepfake scam was tricked over a phone call. The caller seemed to be his boss, but the voice was the fraudster's, altered with AI to match the boss's. It sounded in every way like the expected voice, so the CEO made the transfer. Once again, trust and urgency were used to force an outcome in the fraudster's favor.
Here are the typical steps a fraudster takes to steal your personal data, login credentials, money, or all three.
Fraudsters often carry out reconnaissance on an individual and/or an organization. This can take many forms, including calling employees and building up a relationship over time, effectively grooming the individual. The intelligence gathered is used to tailor the scam and make it convincing.
Next comes the manipulation itself. Psychological tricks, such as impersonating someone the target trusts and applying time pressure, are the mechanism that makes social engineering work.
Finally, the scam is executed, and this takes many forms. In the case of Business Email Compromise (BEC) it may be a direct transfer of money to a fraudster's bank account; in the case of a phishing email it may be the collection of login credentials through a spoof website.
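The bank phishing email and the BEC transfer request described above leave traces that a mail filter or analyst can score. As an added example (our code, not from the original article), the Python script below checks constructed messages for the indicators behind both: a sender domain that imitates or borrows the name of a trusted one, an executive's name on an address outside the organization, a Reply-To that diverges from From, urgency language, a request for money or credentials, and a link whose visible text names a trusted site while its real target does not. The organization domain acme-corp.example, the bank domain bank.example, the executive name and the three sample messages are all assumptions made for the demonstration.

```python
"""Added example, not from the original article: score e-mails for the indicators
behind bank-themed phishing and CEO-style BEC. Domains, names and messages are
constructed assumptions, not real data."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "acme-corp.example"                # assumed: the protected organization
TRUSTED_DOMAINS = {OUR_DOMAIN, "bank.example"}  # assumed: employer plus its bank
EXEC_NAMES = {"jane doe"}                       # assumed: executives worth impersonating

URGENCY_RE = re.compile(r"\b(urgent|immediately|today|within 24 hours|suspended|confidential)\b", re.I)
ASK_RE = re.compile(r"\b(wire|transfer|password|verify your account|login credentials)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance; catches one-character swaps such as c0rp for corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if is_trusted_host(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2 or brand in domain.split(".")[0]:
            return trusted
    return None


def analyse(raw_message):
    """Return score, fired indicator tags and a verdict for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_dom
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)

    indicators = []
    if lookalike_of(from_dom):
        indicators.append("lookalike-sender")
    if any(name in from_name.lower() for name in EXEC_NAMES) and from_dom != OUR_DOMAIN:
        indicators.append("exec-impersonation")
    if reply_dom != from_dom:
        indicators.append("reply-to-mismatch")      # replies silently diverted elsewhere
    if URGENCY_RE.search(text):
        indicators.append("urgency")
    if ASK_RE.search(text):
        indicators.append("money-or-credential-request")
    for href, link_text in ANCHOR_RE.findall(body):
        host = urlparse(href).hostname or ""
        names_trusted = any(d in link_text.lower() for d in TRUSTED_DOMAINS)
        if (names_trusted and not is_trusted_host(host)) or lookalike_of(host):
            indicators.append("link-mismatch")      # visible text and real target disagree
            break
    score = len(indicators)
    verdict = "likely-malicious" if score >= 3 else "suspicious" if score else "clean"
    return {"score": score, "indicators": indicators, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Bank Security Team" <alerts@bank-secure-login.example>
Reply-To: alerts@bank-secure-login.example
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>We detected unusual activity. Please verify your account immediately:</p>
<a href="http://bank.example.login-verify.example/signin">https://bank.example/login</a>
"""
SAMPLE_BEC = """\
From: "Jane Doe, CEO" <jane.doe@acme-c0rp.example>
Subject: Supplier payment

I need you to wire $243,000 to our Hungarian supplier today. I am in meetings
all day, so keep this confidential and do not call me back.
"""
SAMPLE_CLEAN = """\
From: IT Helpdesk <helpdesk@acme-corp.example>
Subject: Security awareness training now open
Content-Type: text/html

<p>The quarterly security awareness module is available here:</p>
<a href="https://training.acme-corp.example/q3">https://training.acme-corp.example/q3</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("bec", SAMPLE_BEC), ("clean", SAMPLE_CLEAN)):
        print(label, analyse(sample))
```

Running the script scores the bank phish and the BEC message at four indicators each and the helpdesk mail at zero. The brand-substring rule in lookalike_of is deliberately crude (a domain such as bankrupt-consulting.example would also trip it), which is why the output is a score for a human or a downstream policy to act on rather than an automatic block.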
Social engineering is a very successful way to exploit human behavior and carry out a cyber-attack, and industry statistics consistently bear this out.
Social engineering and confidence tricks have been part of human society since antiquity. The tricks have been updated with technology to augment the scam, but the principle remains the same: manipulating natural human behavior is easier than forcing your way in.
The modern enterprise has to counter this clever use of our own behavior with equally smart security. The best way to fight back against phishing, BEC scams and deepfakes is a similar mix of socio-technical measures: security awareness training, combined with robust technical controls such as two-factor authentication (ideally phishing-resistant, since one-time codes can themselves be phished) and anti-malware endpoint protection. It also requires that the business becomes security-aware and puts checks and balances in place, for example a process that verifies any large or unusual money transfer by calling back on a number already on record, never on one supplied in the request, and that requires a second approver. No single measure stops social engineering outright, but together they make most attempts fail and limit the damage of those that get through.
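To show what such checks and balances look like when written down as a rule rather than left to judgement under pressure, here is an added example (our code, not from the article): a policy check for outgoing transfers. It assumes a vendor master record holding the verified beneficiary account and a verified phone number, a callback threshold, and a two-person approval rule; the vendor data, threshold, account numbers and requests are all constructed for the demonstration.

```python
"""Added example, not from the original article: the 'double-check large transfers'
control as a policy check that a persuasive phone call cannot override.
Vendor record, threshold, account numbers and requests are constructed assumptions."""
from dataclasses import dataclass

CALLBACK_THRESHOLD = 10_000   # assumed: transfers at or above this need voice verification

# Constructed vendor master record: the only source of truth for where money goes
# and which number to call. A number quoted in the request itself is never used.
VENDOR_MASTER = {
    "V-1001": {"name": "Budapest Supplier Kft", "iban": "HU42117730161111101800000000",
               "verified_phone": "+36 1 555 0100"},
}


@dataclass(frozen=True)
class TransferRequest:
    requester: str          # user who entered the payment
    vendor_id: str
    beneficiary_iban: str
    amount: float
    origin: str             # "erp" for the normal invoice workflow, "email"/"phone" for ad hoc instructions
    callback_in_request: str = ""   # a number the requester was told to call, if any


def evaluate(req, approvers, callback_made_to=""):
    """Return (release, findings). `approvers` are the users who approved the payment;
    `callback_made_to` is the number actually dialled to confirm it ("" if no call was made)."""
    findings = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown-vendor"]
    if req.beneficiary_iban != vendor["iban"]:
        findings.append("beneficiary-mismatch")       # classic account-change fraud
    needs_callback = req.amount >= CALLBACK_THRESHOLD or req.origin != "erp"
    if needs_callback and callback_made_to != vendor["verified_phone"]:
        # Only the vendor-master number counts; req.callback_in_request is ignored on purpose.
        findings.append("callback-missing-or-wrong-number")
    independent = set(approvers) - {req.requester}    # the requester cannot approve their own payment
    if len(independent) < 2:
        findings.append("insufficient-independent-approvers")
    return not findings, findings


# Constructed requests. SCAM mirrors the article's scenario: an urgent phone
# instruction, an account that differs from the record, and a callback number
# supplied by the caller. GENUINE is the same amount through the normal workflow.
SCAM = TransferRequest("cfo", "V-1001", "HU99000000000000000000000001", 243_000, "phone",
                       callback_in_request="+44 20 7946 0000")
GENUINE = TransferRequest("ap-clerk", "V-1001", VENDOR_MASTER["V-1001"]["iban"], 243_000, "erp")

if __name__ == "__main__":
    print(evaluate(SCAM, ["cfo", "controller"], callback_made_to=SCAM.callback_in_request))
    print(evaluate(GENUINE, ["controller", "cfo"], callback_made_to="+36 1 555 0100"))
```

The decisive design point is that the callback number comes from the vendor record, never from the request: a fraudster who can imitate the boss's voice can just as easily supply a phone number that reaches the fraudster. The scam request fails all three rules at once, which is typical; BEC usually needs the victim to bypass several controls, not one, and a written policy makes each bypass visible.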