Social engineering attacks always happen, but they pick up during the holidays.
These cyber assaults are one of the biggest threats to your business because they take advantage of your greatest asset: your employees.
If you’re trying to hack a business, you hack its employees first.
It’s much easier to manipulate an individual than to break through a firewall or guess a password.
Cybercriminals know that. That’s why social engineering attacks are so effective.
Let’s examine social engineering attacks, review examples, and discuss how you can best defend your business.
What is a Social Engineering Attack?
A social engineering attack is the psychological manipulation of people into performing actions or divulging confidential information.
Attackers focus on obtaining personally identifiable information (PII) or financial information via email, social media, the telephone, or even physical means.
According to Barracuda, the average organization faces 700+ attempted social engineering attacks a year. Proofpoint reports 83% of American businesses have fallen victim to a social engineering attack.
Why are social engineering attacks so dangerous?
Your personally identifiable information is on the line:
- Your full name
- Your current address or address history
- Your birthday
- Your social security number
- Your email address
- Your pet names
- The names of your children
Your financial information can be compromised:
- Your bank account numbers (checking, savings, etc.)
- Your credit card numbers
- PINs
- Anything that allows them to gain leverage over your financials
Why Social Engineering Attacks Work: Cognitive Bias and the Theory of Influence
Human beings are imperfect creatures. Complex but imperfect. Despite how smart or evolved we think we are, there are times when we fall into these simply constructed traps.
Cognitive Biases
“A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment.”
– The Handbook of Evolutionary Psychology
People create personal realities that dictate behavior. A cognitive bias can distort perception and cause irrational decision-making. Simply put, cognitive biases are bugs in our biological hardware.
Attackers, especially those well versed in manipulation, know how to exploit “human hardware” bugs just as well as they know how to exploit hardware and software bugs on servers and workstations.
Putting all that knowledge together can lead to a perfect storm of misery and dismay for those impacted.
Robert Cialdini, a psychologist and marketing professor at Arizona State University, determined that a social engineering attack relies on six fundamental principles to properly manipulate an individual (and their cognitive bias). Cialdini calls this the Theory of Influence.
The Theory of Influence: Six Principles
#1 – Authority: In social engineering, the attacker may pose as authority to increase the likelihood of adherence from the victim.
#2 – Intimidation: The attacker (potentially disguised) informs or implies that there will be negative consequences if the target refuses to perform specific actions. Threats include phrases such as “I’ll tell your manager” and much worse.
#3 – Consensus: People will do things they see others doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up to see what they were missing. This experiment was aborted at one point, as so many people looked up that they stopped traffic.
#4 – Scarcity: Perceived scarcity will generate demand. The standard advertising phrase “while supplies last” capitalizes on a sense of scarcity.
#5 – Urgency: Linked to scarcity, attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a “limited time only” encourages sales through a sense of urgency.
#6 – Familiarity: People trust people they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing. People were more likely to buy if they liked the salesperson. Biases also favor more attractive people.
Like the line in “Hotel California” by the Eagles, when it comes to cognitive biases and the theory of influence, we are “programmed to receive.”
Let’s take a break from the psychology behind a social engineering attack. It’s time to start looking at the work that goes into a social engineering attack and its lifecycle.
The Lifecycle of a Social Engineering Attack
There are four critical stages in the life cycle of a social engineering attack:
Step #1 – Information Gathering
Information gathering is critical. The attack’s success depends on how much information the attacker can gather. The attacker collects information to:
- Determine the attack vector
- Probe potential passwords
- Become familiar with the target
- Identify possible security response questions
- Even worse, this cycle often repeats automatically
Step #2 – Establishing Relationships
People are more likely to do things for someone they feel connected to. Attackers know this. The attacker will either build or fake a relationship with their target to accomplish their goals (i.e., exploitation, the next step in the life cycle).
Building a relationship can include actions like:
- Connecting over the telephone
- Sharing family photos
- Creating fake social media or dating profiles
- Leveraging existing relationships through impersonation
Step #3 – Exploitation
This step is where things get set into motion. The attacker has to increase pressure without raising the target’s suspicion. The attacker uses the leverage they’ve built in the previous stages to enact their plan.
Exploitation can include:
- Convincing the target to let the attacker into the facility
- Obtaining the target’s username, password, or both over the phone
- Sending the target an email with a malicious link or infected email attachment
Step #4 – Execution
This typically happens right under the target’s nose. If the attacker is successful, the target doesn’t even know they’re compromised until it’s too late. Attackers usually:
- Tie up loose ends
- Clean up their digital footprint
- Exfiltrate information and sensitive data
There are too many variations to list when it comes to itemizing all the different things an attacker can do to complete a lifecycle stage. Still, we hope this gives you a better understanding of what might happen.
Social Engineering Attacks Take Many Forms
#1 – Phishing: a type of social engineering attack where individuals are targeted by email (or, in some cases, text messages). The attacker masquerades as someone else (a co-worker, manager, or individual from an outside organization) to manipulate their target.
The attacker’s goal might be to steal sensitive information such as:
- Log-in credentials
- Credit card numbers
- Bank routing numbers
- Checking account numbers
The attacker might also try to get their target to install malware on their end-point to compromise an organization’s network for monetary or other disruptive reasons.
Things to Watch Out for in a Phishing Attack:
- Check the Sender – Hover over who sent the email to you. Often, a phishing email will spoof a sender’s address. If you hover or click on the name, you’ll see the actual address where the message originated. If you don’t recognize the address, it’s phishing.
- Links – Links are designed for clicking. And social engineering attackers know this. People blindly click links. Don’t do that. Most email clients allow you to see where a link leads by hovering over it with your cursor (that doesn’t mean click). Don’t click if the address isn’t familiar or looks suspicious.
- Be Wary of Attachments – It’s easy to hide malicious files in attachments. If an already suspicious email has attachments, it’s a sure thing there’s something nasty hidden in it. Don’t try to download or open it.
#2 – Spear phishing/whaling: attempts directed at specific individuals or companies.
Spear phishing targets employees at organizations, typically executives or those who work in financial departments with direct access to financial data.
The previously cited phishing safeguards apply here as well.
#3 – Vishing (or Voice Phishing): a social engineering attack where an attacker uses the telephone to manipulate a person into giving up private personal and financial information, which the attacker then uses to steal money.
The attacker might pretend to be from:
- Microsoft Tech Support
- Your Bank
- Your Doctor’s Office
- The IRS
- The Social Security Administration
#4 – Baiting: when an attacker leaves a malware-infected external storage device (e.g., a thumb drive) in a place where other people can easily find it.
The attacker hopes an employee at their targeted organization will pick up the device, plug it into their computer, and compromise the entire network with malware.
#5 – Tailgating: a social engineering attack where an attacker tries to trick an employee into helping them gain physical, unauthorized access to their targeted organization.
#6 – Scareware: a form of malware that uses social engineering to cause shock, anxiety, or the perception of a threat to manipulate users into buying unwanted software.
Scareware is part of a class of malicious software that includes rogue security software, ransomware, and other scam software. It tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.
Usually, the virus is fictional, and the software is non-functional.
How to Spot and Stop a Social Engineering Attack
It’s difficult to spot a social engineering attack when you’re in the middle of one, and there are too many variations to list here. However, if you suspect an attack, try these steps:
Slow Down and Control Your Emotions
Remember, the attacker is trying to manipulate your emotions into making a quick decision. The more time you take to think about the situation, the more likely you’ll start to realize something’s not right.
We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
Think About What You’re Reading, Seeing, or Hearing
The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.
Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).
You’re more astute than you think. If something seems off, it probably is.
Check to See Who Sent the Message
Email masking is an essential part of a social engineering attack. Most email clients display only the sender’s name instead of the name and the full email address, which makes it harder to discern where a message actually came from.
If you’ve got the feeling the message you’re reading isn’t on the level, check to see who sent it. If the name is familiar, but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.
Don’t Follow Blind Links
Links are easy to hide, just like email addresses. Don’t click on a link if you can’t discern where a link will send you.
Always hover or right-click on an email link to see where it might send you.
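The two checks above (the sender’s display name versus the real address, and a link’s visible text versus where it actually points) can be automated. The following is an added example, not code from the original article; the message, addresses, and domains are constructed for illustration.

```python
"""Flag two phishing tells: a display name that claims a different domain than
the real sender address, and link text whose domain differs from the href.
Added example; the sample message and domains below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical addresses and domains).
SAMPLE = """From: "Payroll - payroll@example-corp.com" <billing@mail-example.net>
To: employee@example-corp.com
Subject: Action required: update your direct deposit
Content-Type: text/html

<p>Sign in at <a href="http://example-corp.com.login-verify.net/">example-corp.com</a>
before 5pm today or your account will be locked.</p>
<p>Help: <a href="https://example-corp.com/help">example-corp.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_sender(raw):
    """Return (display_name, real_address, mismatch) from the From header."""
    name, addr = parseaddr(message_from_string(raw)["From"])
    real_domain = addr.rsplit("@", 1)[-1].lower()
    # Domains the display name claims, e.g. an address embedded in the name.
    claimed = {d.lower() for d in re.findall(r"@([\w.-]+)", name)}
    return name, addr, bool(claimed) and real_domain not in claimed

def _registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # crude: last two labels

def suspicious_links(raw):
    """Return hrefs whose host does not match the domain shown in the link text."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw).get_payload())
    bad = []
    for text, href in parser.links:
        shown = re.search(r"([\w-]+\.[\w.-]+)", text)
        if shown and _registrable(urlparse(href).hostname or "") != _registrable(shown.group(1)):
            bad.append(href)
    return bad
```

Run against `SAMPLE`, `check_sender` reports the display name claims example-corp.com while the real address is on mail-example.net, and `suspicious_links` returns only the look-alike login URL, not the genuine help link.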
Be Wary of Attachments
If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from strangers.
Sometimes downloading attachments from anyone, even friends, is a bad idea. Be on the lookout for email attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.
Schedule a free consultation if you have any questions about protecting your business from social engineering attacks.