Social engineering is a technique used by cybercriminals that relies on psychological manipulation to gain access to critical information or to obtain it directly from a user. What makes social engineering so dangerous is that cybercriminals use a variety of attack methods over a given period while maintaining close interactions with their victims in order to build relationships and trust. They lull their victims into a false sense of security so that they reveal sensitive information about themselves or their organisation. Because they rely on human error and pose as their victims, these cybercriminals are hard to detect and can hide their presence in plain sight.
Preparation before the Attack
These cybercriminals take their time with their victims, researching backgrounds before making contact so that they can best present themselves as an official source of some kind, sometimes even creating dedicated webpages, social media accounts, fake business addresses and client references to convince victims. The key to their technique is the time and dedication they put towards a victim: psychological manipulation that gives the person a false sense of security, presented as a personal service.
After the cybercriminal has done their research and gathered enough information about their victim's interests or needs, they use a variety of attack techniques to appeal to them. Much as search engines and social media platforms track browsing with cookies, these cybercriminals formulate emails, texts, phone calls and, in some cases, even physical deliveries that appeal to something the victim needs, or to a problem they have been tricked into thinking they have.
Main Methods of Attack
Social engineering uses multiple methods of attack in unison:
- Phishing: Dedicated texts and emails specifically designed for victims, usually including personal information about the victim to seem more official. People often don't realise how much of their personal information is publicly accessible. The email or text can be designed to send the victim to one of the cybercriminal's official-looking websites, where more sensitive information is requested; the cybercriminal could offer a phone call to obtain the information; or they could falsely tell the victim that they have suffered some sort of compromise (virus, identity theft, account compromise etc.).
- Pretexting: This is when a cybercriminal impersonates an existing, highly official source to obtain personal information from a victim. Such a source could be a law enforcement official, family member, friend or co-worker, financial institution, tax official etc. Using highly official sources or relationships the victim has already established can save cybercriminals time, or allows them to take a different angle with their phishing or baiting methods to scare, intimidate or force a victim into revealing particular sensitive information.
- Baiting: People often post their interests for public viewing on social media platforms, or something as simple as where they work, and a cybercriminal can formulate texts, emails and phone calls that stimulate curiosity using vague but relatable information. Cybercriminals can even take this to an extreme by using physical media, for example sending victims USB drives or conveniently leaving USB drives in areas within an organisation where an employee is likely to pick them up. The idea is that these victims, out of curiosity, insert the devices into their computers, which automatically installs malware onto their systems.
- Tailgating: Probably the most extreme method, this is when a cybercriminal physically follows a victim. Their intention is not to harm or capture the victim, but to follow them into restricted areas within an organisation. They do this by faking access passes, impersonating a victim's family member or friend, or posing as a delivery driver or an official source such as a police officer. Once inside these restricted areas, depending on their intentions, they either use devices to spread malware onto systems, use a victim's access codes to obtain certain information, or sabotage a victim for blackmail.
Prevention Methods
- Restrict personal information revealed to the public: For example, do not accept random invites on social media platforms from people you don't know or who seem suspicious. Use a public view of your profile to see how much information about you is visible on any given platform. This helps you understand just how easy it is to get information about yourself and whether that information could potentially compromise you.
- Query emails and texts: Check these emails and texts with the relevant party before interacting with them, and ask whether the communication is legitimate, whether that party is your organisation, the financial institution you are associated with, a trusted person etc.
- Too good to be true: These are texts and emails you receive that indicate you are entitled to something or have won something. Often these texts and emails concern things that interest you and ask for personal information from you. This is an immediate red flag, because a legitimate source would already have obtained this information from you beforehand. The same applies to texts and emails that say you have been compromised in some way.
- Ask questions: If an unknown person contacts you claiming to be an official source, you are within your rights to question the specific details of who they represent. Certain official sources should also already hold information about you, so if you are asked to re-enter that information, it could be an immediate indication of a scam.
- Investing in a cybersecurity partner: The prevention methods above can all be applied without a cybersecurity partner. However, a cybersecurity partner can support every one of them. Using MDR (managed detection and response) or MSS (managed security services), a cybersecurity partner is capable of tracking the techniques and methods cybercriminals use to socially engineer a victim. This means a victim can be made aware or given a warning before they even realise what is happening, and the threat from the cybercriminal can be completely nullified. At the other end of the spectrum, should a cybercriminal breach a system via social engineering, your cybersecurity partner will be able to mitigate or prevent that cybercriminal from doing damage that could potentially be terminal for an organisation.