How to Identify and Defend Against Social Engineering Attacks

Social engineering attacks always happen, but they pick up during the holidays.

These cyber assaults are one of the biggest threats to your business because they take advantage of your greatest asset: your employees.

If you’re trying to hack a business, you hack its employees first.

It’s much easier to manipulate an individual than to break through a firewall or guess a password.

Cybercriminals know that. That’s why social engineering attacks are so effective.

Let’s examine social engineering attacks, review examples, and discuss how you can best defend your business.

What is a Social Engineering Attack?

A social engineering attack is the psychological manipulation of people into performing actions or divulging confidential information.

Attackers focus on obtaining personally identifiable information (PII) or financial information via email, social media, the telephone, or even physical means.

According to Barracuda, the average organization faces 700+ attempted social engineering attacks a year. Proofpoint reports 83% of American businesses have fallen victim to a social engineering attack.

Why are social engineering attacks so dangerous?

Your personally identifiable information is on the line:

  • Your full name
  • Your current address or address history
  • Your birthday
  • Your social security number
  • Your email address
  • Your pet names
  • The names of your children

Your financial information can be compromised:

  • Your bank account numbers (checking, savings, etc.)
  • Your credit card numbers
  • PINs
  • Anything that allows them to gain leverage over your financials

Why Social Engineering Attacks Work: Cognitive Bias and the Theory of Influence

Human beings are imperfect creatures. Complex but imperfect. Despite how smart or evolved we think we are, there are times when we fall into these simply constructed traps.

Cognitive Biases

“A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment.”

– The Handbook of Evolutionary Psychology

People create personal realities that dictate behavior. A cognitive bias can distort perception and cause irrational decision-making. Simply put, cognitive biases are bugs in our biological hardware.

Attackers, especially those well versed in manipulation, know how to exploit “human hardware” bugs just as well as they know how to exploit hardware and software bugs on servers and workstations.

Putting all that knowledge together can lead to a perfect storm of misery and dismay for those impacted.

Robert Cialdini, a psychologist and marketing professor at Arizona State University, determined that a social engineering attack relies on six fundamental principles to properly manipulate an individual (and their cognitive bias). Cialdini calls this the Theory of Influence.

The Theory of Influence: Six Principles

#1 – Authority: In social engineering, the attacker may pose as authority to increase the likelihood of adherence from the victim.

#2 – Intimidation: The attacker (potentially disguised) informs or implies that there will be negative consequences if the target refuses to perform specific actions. Threats include phrases such as “I’ll tell your manager” and much worse.

#3 – Consensus: People will do things they see others doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up to see what they were missing. This experiment was aborted at one point, as so many people looked up that they stopped traffic.

#4 – Scarcity: Perceived scarcity will generate demand. The standard advertising phrase “while supplies last” capitalizes on a sense of scarcity.

#5 – Urgency: Linked to scarcity, attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a “limited time only” encourages sales through a sense of urgency.

#6 – Familiarity: People trust people they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing. People were more likely to buy if they liked the salesperson. Biases also favor more attractive people.

Like the line in “Hotel California” by the Eagles, when it comes to cognitive biases and the theory of influence, we are “programmed to receive.”

Let’s take a break from the psychology behind a social engineering attack. It’s time to start looking at the work that goes into a social engineering attack and its lifecycle.

The Lifecycle of a Social Engineering Attack

There are four critical stages in the life cycle of a social engineering attack:

Step #1 – Information Gathering

Information gathering is critical. The attack’s success depends on how much information the attacker can gather. The attacker collects information to:

  • Determine the attack vector
  • Probe potential passwords
  • Become familiar with the target
  • Identify possible security response questions
  • Even worse, this cycle often repeats automatically

Step #2 – Establishing Relationships

People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or fake a relationship with their target to accomplish their goals (i.e., exploitation, the next step in the life cycle).

Building a relationship can include actions like:

  • Connecting over the telephone
  • Sharing family photos
  • Creating fake social media or dating profiles
  • Leveraging existing relationships through impersonation

Step #3 – Exploitation

This step is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built in the previous stages to enact their plan.

Exploitation can include:

  • Convincing the target to let the attacker into the facility
  • Obtaining the target’s username, password, or both over the phone
  • Sending the target an email with a malicious link or infected email attachment

Step #4 – Execution

This typically happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’re compromised until it’s too late. Attackers usually:

  • Tie up loose ends
  • Clean up their digital footprint
  • Exfiltrate information and sensitive data

There are too many variations to list when it comes to itemizing all the different things an attacker can do to complete a lifecycle stage. Still, we hope this gives you a better understanding of what might happen.

Social Engineering Attacks Take Many Forms

#1 – Phishing: a type of Social Engineering Attack where individuals are targeted by email (or, in some cases, text messages). The attacker masquerades as someone else (a co-worker, manager, or individual from an outside organization) to manipulate their target.

The attacker’s goal might be to steal sensitive information such as:

  • Log-in credentials
  • Credit card numbers
  • Bank routing numbers
  • Checking account numbers

The attacker might also try to get their target to install malware on their end-point to compromise an organization’s network for monetary or other disruptive reasons.

Things to Watch Out for in a Phishing Attack:

  • Check the Sender – Hover over who sent the email to you. Often, a phishing email will spoof a sender’s address. If you hover or click on the name, you’ll see the actual address where the message originated. If you don’t recognize the address, it’s phishing.
  • Links – Links are designed for clicking, and social engineering attackers know this. People blindly click links. Don’t do that. Most email clients let you see where a link leads by hovering over it with your cursor (that doesn’t mean click). Don’t click if the address isn’t familiar or looks suspicious.
  • Be Wary of Attachments – It’s easy to hide malicious files in attachments. If an already suspicious email has attachments, it’s a sure thing there’s something nasty hidden in it. Don’t try to download or open it.

#2 – Spear phishing/whaling: attempts directed at specific individuals or companies.

Spear phishing targets employees at organizations, typically executives or those that work in financial departments with direct access to financial data.

The previously cited phishing safeguards apply here as well.

#3 – Vishing (or Voice Phishing): a social engineering attack where an attacker uses the telephone to manipulate a person into handing over private personal and financial information so the attacker can steal money.

The attacker might pretend to be from:

  • Microsoft Tech Support
  • Your Bank
  • Your Doctor’s Office
  • The IRS
  • The Social Security Administration

#4 – Baiting: when an attacker leaves a malware-infected external storage device (ex: a thumb drive) in a place where other people can easily find it.

The attacker hopes an employee at their targeted organization will pick up the device, plug it into their computer, and compromise the entire network with malware.

#5 – Tailgating: a social engineering attack where an attacker tries to trick an employee into helping them gain physical, unauthorized access to their targeted organization.

#6 – Scareware: a form of malware that uses social engineering to cause shock, anxiety, or the perception of a threat to manipulate users into buying unwanted software.

Scareware is part of a class of malicious software that includes rogue security software, ransomware, and other scam software. It tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.

Usually, the virus is fictional, and the software is non-functional.

How to Spot and Stop a Social Engineering Attack

It’s difficult to spot a social engineering attack when you’re in the middle of one, and there are too many variations to list here. However, if you suspect an attack, try these steps:

Slow Down and Control Your Emotions

Remember, the attacker is trying to manipulate your emotions into making a quick decision. The more time you take to think about the situation, the more likely you’ll start to realize something’s not right.

We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.

Think About What You’re Reading, Seeing, or Hearing

The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.

Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).

You’re more astute than you think. If something seems off, it probably is.

Check to See Who Sent the Message

Email masking is an essential part of a social engineering attack. Most email clients display only the sender’s name instead of the name together with the full email address, which makes it harder to discern where a message actually came from.

If you’ve got the feeling the message you’re reading isn’t on the level, check to see who sent it. If the name is familiar, but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.

Don’t Follow Blind Links

Links are easy to hide, just like email addresses. Don’t click on a link if you can’t discern where a link will send you.

Always hover or right-click on an email link to see where it might send you.
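The two tells described in the last two sections can be checked mechanically. The following is an added example (not code from the article or from Integris): it parses a constructed sample message and flags a display name sitting on an address outside the organization’s own domains, plus any link whose visible URL names a different host than the one its href points to. TRUSTED_DOMAINS and every domain in the sample are assumptions.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; every domain is a placeholder.
SAMPLE = """\
From: "Acme Payroll" <hr-notice@acme-payroll-alerts.example>
Content-Type: text/html

<p>Please verify your details at <a href="https://acme.example.evil-login.example/verify">https://acme.example/hr</a>.</p>
"""

TRUSTED_DOMAINS = {"acme.example"}  # assumed: the organization's own domains


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw):
    """Return the sender tell and the list of links whose shown URL and real URL disagree."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))  # real address behind the display name
    domain = addr.rsplit("@", 1)[-1].lower()
    sender_mismatch = bool(name) and domain not in TRUSTED_DOMAINS
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    mismatches = []
    for text, href in collector.links:
        # Only link text that itself looks like a URL can lie about its destination.
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown != urlparse(href).hostname:
            mismatches.append((text, href))
    return {"sender_mismatch": sender_mismatch, "link_mismatches": mismatches}
```

The lookalike href in the sample (`acme.example.evil-login.example`) is caught because hostnames are compared whole, not by prefix.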

Be Wary of Attachments

If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from strangers.

Sometimes downloading attachments from anyone, even friends, is a bad idea. Be on the lookout for email attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.

Schedule a free consultation if you have any questions about protecting your business from social engineering attacks.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
