Social engineering attacks are becoming an increasingly common way for malicious parties to get into business systems and siphon off critical data or disrupt business processes. What makes them so dangerous is that businesses and employees typically do not realise that they have unwittingly become the entry point for such an attack.
Let's take a closer look at how these attacks work and how to prevent them.
What is Social Engineering?
Social Engineering is the process of hackers manipulating human psychology rather than utilising technical hacking tools to breach your organization’s data and systems. Hackers psychologically manipulate employees to perform certain actions for them or divulge confidential information.
For example: instead of exploiting a vulnerability in an organization’s system to gain access to data, a hacker may pose as a technician trying to help, but instead is trying to trick a target into divulging his or her confidential data, such as login credentials.
Hackers often prefer social engineering tactics like the one described above to actually breaking into systems to obtain such data. Criminals do this because it is easier to manipulate a person's trusting nature than to successfully compromise an organization's software. The approach was popularized by well-known practitioners such as Kevin Mitnick, Frank Abagnale Jr, Susan Headly and James Linton, to name a few.
How does Social Engineering work?
Let's take a look at the two fundamental theories that hackers draw on when forming a social engineering attack strategy.
Cognitive Biases
All social engineering techniques are built on the cognitive biases of human decision making. A cognitive bias is a flaw in your reasoning that leads you to misinterpret information from the world around you and to come to an inaccurate conclusion. These cognitive biases can inform a hacker’s attack strategy.
Below are a few examples of how attackers take advantage of particular cognitive biases to carry out their social engineering tactics:
#1. The Halo Effect: The halo effect is the tendency to let one specific trait, or our overall impression of a person, company or product, positively influence our judgment of their other, related traits. This bias has led many individuals into social engineering traps set by malicious actors. For instance, emails or pop-ups claiming that you have won an iPhone or a large sum of money rely on you missing glaring red flags because you are focusing on the big positive of winning something valuable.
#2. Recency Bias: Recency bias is a cognitive bias that favors recent events over historic ones. It is a memory bias that gives "greater importance to the most recent event". Attackers exploit it by tying their lures to whatever is currently in the news, for example by using information about COVID-19 vaccinations in the subject lines of phishing emails.
#3. Authority Bias: Authority bias is based on people's tendency to obey the instructions of an authority figure. An attacker exploiting authority bias may impersonate a senior manager or even the CEO and email an employee requesting payment of an illegitimate invoice. The employee may disregard major red flags because the request appears to come from an authoritative figure.
Cialdini’s 6 Principles of Influence
Social engineering is also heavily based on Robert Cialdini's principles of influence. In 1984, Robert Cialdini published his book 'Influence: The Psychology of Persuasion', in which he explored the factors that shape an individual's decision making. The six factors are reciprocity, commitment and consistency, social proof, authority, liking and scarcity.
Hackers have learned to make use of the six principles of persuasion described in his book to inform their social engineering tactics.
Below are a few examples of how these principles are applied by hackers in their social engineering tactics:
#1. Authority: Authority is one of Cialdini's principles of influence. It refers to how individuals are more likely to obey figures who give an impression of authority, regardless of whether that authority is genuine or faked. Hackers frequently use this principle to trick employees into divulging confidential information. For instance, a hacker may phone an employee of your organization and act like a supervisor requesting sensitive information; the employee is unlikely to object if enough signs suggest that the caller holds some authority at their company.
#2. Scarcity: Scarcity is another of Cialdini's principles of influence. It refers to the perception that products are more attractive when their availability is limited, which is why most pop-ups or phishing emails that claim a prize is up for grabs are accompanied by a countdown or a claim that availability is scarce.
#3. Reciprocity: Reciprocity is the first principle of influence stated by Cialdini. It refers to how individuals are more likely to do a favour for you if they receive something in return. A malicious actor may pose as technical support and call employees claiming to be returning a call, in the hope that a desperate employee really was looking to solve a technical problem. Under the pretense of helping, the actor then convinces the employee to type commands into their device that give the actor access to the organization's systems.
The Four Vectors of Social Engineering
#1. Phishing: Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
#2. Impersonation: Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.
#3. Vishing: Vishing is the voice-call equivalent of email phishing and uses automated voice messages to steal confidential information. Attackers commonly use IVR (interactive voice response) technology to convince victims.
#4. Smishing: Smishing is the use of SMS text messages to lure victims into a specific course of action.
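The psychological levers described above (authority, scarcity, the halo effect of a promised reward) and the phishing vector just listed leave recognisable traces in a message. The following Python script is an added example, not code from the article or from StickmanCyber: it scores constructed sample emails against those levers so that a defender can route suspicious messages for review. The internal domain, the executive names, the sample messages and the cue phrase lists are all placeholders made up for this illustration, and the weights are an assumption a real deployment would tune against its own mail.

```python
from dataclasses import dataclass, field

# Organisation data: constructed placeholders for this example, not real domains or people.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "CEO", "sam lee": "CFO"}

# Phrase lists mapped to the influence levers the article describes, each with a weight
# (assumed values; matching is plain substring matching on lower-cased subject + body).
CUES = {
    "scarcity/urgency": (["act now", "expires", "limited time", "within 24 hours",
                          "last chance", "urgent", "immediately"], 1),
    "reward (halo effect)": (["you have won", "winner", "prize", "claim your",
                              "free iphone"], 2),
    "authority language": (["ceo", "cfo", "director", "head office",
                            "compliance", "legal department"], 1),
    "requested action": (["wire transfer", "gift card", "invoice",
                          "verify your account", "reset your password", "click here"], 1),
}


@dataclass
class Email:
    from_name: str   # display name shown to the recipient
    from_addr: str   # actual sender address
    reply_to: str    # Reply-To header, empty if absent
    subject: str
    body: str


@dataclass
class Assessment:
    points: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.points += points
        self.reasons.append(f"+{points} {reason}")

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions for the example.
        if self.points >= 6:
            return "high"
        if self.points >= 3:
            return "review"
        return "low"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess(mail: Email) -> Assessment:
    a = Assessment()
    text = f"{mail.subject}\n{mail.body}".lower()
    sender_domain = domain_of(mail.from_addr)

    # Authority lever: an executive's display name on a message from outside the organisation.
    name = mail.from_name.strip().lower()
    if name in EXECUTIVES and sender_domain not in INTERNAL_DOMAINS:
        a.add(4, f"display name '{mail.from_name}' ({EXECUTIVES[name]}) "
                 f"sent from external domain {sender_domain}")

    # Replies silently diverted to a different domain than the visible sender.
    if mail.reply_to and domain_of(mail.reply_to) != sender_domain:
        a.add(2, f"Reply-To domain {domain_of(mail.reply_to)} differs from sender domain")

    # Wording cues, one weight per lever regardless of how many phrases matched.
    hit = {}
    for lever, (phrases, weight) in CUES.items():
        found = [p for p in phrases if p in text]
        if found:
            hit[lever] = found
            a.add(weight, f"{lever}: {', '.join(found)}")

    # The prize-plus-countdown pattern combines the halo effect with scarcity.
    if "reward (halo effect)" in hit and "scarcity/urgency" in hit:
        a.add(2, "reward paired with a deadline (prize-plus-countdown pattern)")
    return a


# Constructed sample messages for the demonstration.
SAMPLES = [
    Email("Jane Doe", "jane.doe@mail-example.test", "jd.private@other-example.test",
          "Urgent request",
          "I need you to buy gift cards immediately and send me the codes. I'm in a meeting."),
    Email("Promotions", "promo@prizes-example.test", "",
          "You have won a free iPhone!",
          "Claim your prize within 24 hours or it expires. Click here."),
    Email("Sam Lee", "sam.lee@example-corp.com", "",
          "Q3 invoice approvals",
          "Please review the attached invoice list before Friday's meeting."),
]


def triage(mails):
    """Return (subject, verdict) pairs so a mail pipeline can route each message."""
    return [(m.subject, assess(m).verdict) for m in mails]


if __name__ == "__main__":
    for m in SAMPLES:
        result = assess(m)
        print(f"[{result.verdict:6}] {result.points:2}  {m.subject}")
        for reason in result.reasons:
            print("        ", reason)
```

The first sample is flagged mainly by the structural checks (an executive's name on an external address, a diverted Reply-To), the second purely by its wording, and the legitimate internal invoice email stays low because an executive writing from the internal domain earns no authority penalty. Substring matching is deliberately simple; the point is that the cues named in the article are checkable signals, not that this list is complete.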
Stages of Social Engineering
- Reconnaissance - this is when the attacker gathers information on their victim, information like interests and personal details.
- Engagement - this stage consists of the attacker contacting the victim via email, phone, social media or even in person.
- Attack - this is when the attacker tries to collect the desired information from the victim.
- Escape - having retrieved the information or gained access to the employee's or organization's systems, the attacker quietly retreats without arousing suspicion.
Common countermeasures
- Training of employees - make sure employees are adequately trained to identify social engineering attempts.
- Establish frameworks - establish a shared understanding and level of trust amongst employees on the handling of sensitive information.
- Organizing information - classify information by sensitivity and ensure adequate security is in place to protect it according to that sensitivity.
- Security policies and protocols - establish security protocols, policies and procedures for handling sensitive information.
- Testing - beyond training employees to identify social engineering attempts, it is important that information security awareness is tested. A good way of ensuring no one in your organization falls prey to social engineering is to expose employees to simulated attempts designed to test their knowledge of security protocols and procedures when confronted with a social engineering tactic.
Social engineering attacks on businesses are on the rise because most employees are unaware of the methods and tactics hackers use and cannot tell when they are falling victim to them. StickmanCyber's team is equipped to help your employees recognise such attempts and prevent social engineering attacks.