Social engineering attacks are common tactics that hackers use to manipulate, influence, or deceive a victim in order to gain control over a computer system or steal sensitive information. Unlike traditional hacking, which relies on exploiting software vulnerabilities, social engineering uses psychological manipulation to exploit human weaknesses. In this article, we explore different types of social engineering attacks and how to prevent them.
What are Social Engineering Attacks?
Social engineering attacks are the most prevalent cybersecurity threat, leveraging human psychology rather than technical expertise, and even unsophisticated attackers can succeed with them. With a staggering 98% of cyberattacks incorporating some form of social engineering, and businesses facing an average of over 700 such attacks annually, as reported by Splunk, it is clear that human vulnerability is a cybercriminal's primary target.
Types of Social Engineering Attacks
There are many types of social engineering attacks that hackers use to manipulate individuals. The most common examples are described below.
Voice Phishing and SMS Phishing
Phishing is a common cyberattack in which scammers impersonate trusted entities to steal personal information. Voice phishing (vishing) is a frequently used variant in social engineering attacks: it relies on fraudulent phone calls designed to create a sense of urgency or panic, tricking victims into revealing sensitive data.
SMS phishing (smishing) is a text-based phishing scam. Cybercriminals impersonate friends, family, or businesses to create a false sense of urgency, often claiming to have a package ready for delivery or requesting immediate financial assistance. For instance, scammers frequently pose as UPS to lure victims into clicking on malicious links. To combat this threat, UPS has issued warnings about common scam text messages and how to identify them.
Pretexting
Pretexting is a social engineering tactic employed by hackers to create fabricated scenarios while impersonating someone else, often a person with authority from a company or an IT department. They adopt a specific persona and use their assumed authority to gain the victim's trust. By cultivating trust, they increase the likelihood of the victim divulging sensitive information.
Baiting
Baiting is a social engineering attack that lures victims into revealing personal information or installing malware. Scammers use exciting offers, such as free downloads or prizes, to trick users into clicking malicious links. This technique can be executed both digitally and physically.
Online baiting often involves tempting advertisements or promotions that require victims to click on a link to claim the offer. This action can lead to malware installation or data theft.
Physical baiting involves leaving infected USB drives in public places, hoping that unsuspecting individuals will insert them into their devices, which can automatically install malware onto the victim's system. A notable example is the successful infiltration of a company office by Paula Januszkiewicz, CEO of CQURE Inc. Januszkiewicz set out to test the security of a financial house. She managed to enter the office undetected, posing as a staff member, and when a trader left his desk she inserted a USB drive and downloaded the company's information. Had this been an actual attack, it could have ended badly for the company.
Quid Pro Quo
Quid pro quo is a social engineering tactic where a scammer offers something in exchange for information or other benefits. In an interview, Rachel Tobac, CEO of SocialProof Security, described it as a "tit for tat" situation, similar to bribery. For example, a hacker might promise a target money in exchange for their company's administrative passwords, aiming to steal sensitive information.
These are just a few of the techniques hackers use when planning social engineering attacks. As Tobac explained, such attacks can be executed through various channels, including phone calls, text messages, in-person interactions, and social media. Hackers can impersonate anyone, making it increasingly difficult to distinguish legitimate communications from fraudulent ones. With the advancement of AI, it is crucial to stay vigilant and critically evaluate every unknown message, call, and link.
The Human Element: Why We're Vulnerable
As previously mentioned, social engineering attacks primarily exploit human vulnerability; without this element, most social engineering attempts would fail. Tobac described the persuasive tactics employed by cybercriminals, emphasizing the principle of urgency: "the amygdala is our brain's emotional center and it reacts strongly to emotions, even when we're unaware of them." This phenomenon is known as amygdala hijacking, and it is a common social engineering tactic.
Another persuasive principle highlighted by Tobac is authority. Humans naturally trust and listen to authority figures without question. Social engineering attacks capitalize on this by impersonating individuals of authority to quickly gain the victim's trust and obtain personal information.
In her RSA Conference 2023 presentation, Rachel Tubbs, IoT Village Organizer at Independent Security Evaluators, emphasized that a single influence method can exploit multiple human vulnerabilities, such as trust, fear, or urgency. Scareware, a particularly emotionally driven attack, uses fear to manipulate victims into installing malicious software. A common scareware tactic displays a pop-up message claiming the user has been hacked, prompting them to click on it and unknowingly compromise their system.
Humans often think, feel, and act on emotions without conscious awareness. While we cannot completely eliminate this tendency, we can become more mindful of it to reduce our vulnerability to cyberattacks.
Real-Life Examples of Social Engineering Attacks
Tobac highlighted two real-life examples of social engineering attacks. They are outlined below:
The 2020 Twitter Social Engineering Hack:
In 2020, a group of hackers infiltrated Twitter's systems by targeting employees through phone phishing. They spoofed caller IDs to appear as IT support and urged employees to update their passwords. The attackers directed victims to a malicious website where they entered their credentials, which were then stolen. Using this access, the hackers took control of high-profile Twitter accounts, including those of Barack Obama, Elon Musk, and Kanye West, and used them to promote a cryptocurrency scam, netting $120,000 in a few hours.
The 2023 Las Vegas Ransomware Attack:
Attackers called the help desk of casinos and resorts in Las Vegas, posing as an employee who had been locked out and needed a password reset. By tricking the help desk staff, the attackers gained access to employee accounts and installed ransomware. The attack cost MGM Resorts approximately $100 million.
If you want to see how criminals can spoof and impersonate someone, watch this video in which Tobac demonstrates spoofing by hacking a CNN Tech reporter. To hear stories from real victims, watch this segment by 60 Minutes.
Tobac emphasizes the importance of double-checking who you are talking to. As she says, "be politely paranoid." If you receive a request for a sensitive action (giving out your password, sending data or money, or clicking on a URL), verify that the requester is who they claim to be through a second channel.
Mitigating Social Engineering Risks
To mitigate social engineering risks, users and organizations can take several prevention steps. Tobac's advice is to "be politely paranoid": if you receive a request for a sensitive action (such as giving out a password, downloading something, or visiting a URL) from someone like a boss, colleague, or family member, verify their identity using a second method. For example, if they called you, text them; if they texted you, call them. This confirms that the person is who they claim to be.
Additional best practices for mitigating and preventing social engineering risks are listed below:
- Verify identity: Always verify the sender's identity before providing information, clicking links, or downloading anything.
- Implement spam filtering: Use spam filters to block suspicious emails, messages, or calls.
- Identify red flags: Be aware of tactics like urgency, poor grammar, unfamiliar contacts, and unusual requests.
- Be cautious on social media: Avoid sharing excessive personal information online. In their 2021 RSAC 365 podcast, Tobac and Camille Stewart Gloster, former Deputy National Cyber Director for Technology & Ecosystem Security at The White House, discussed mitigating social engineering risks. Gloster advised being critical about what you put online: "you're leaving breadcrumbs that is leaving a trail that hackers can use to then build a profile and gain access to your account."
- MFA and strong passwords: Enable multi-factor authentication for added security, use unique, complex passwords, and store them securely.
- Education: Stay informed about social engineering tactics to protect yourself.
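The red flags above (urgency, a request for a sensitive action, an unfamiliar contact) and Tobac's "verify on a second channel" rule can be turned into a simple triage helper. The following is an added example, not code from the article or from any of the people quoted in it; the phrase lists, the sample messages and the channel mapping are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Cues drawn from the article's red-flag list. These lists are illustrative, not exhaustive.
URGENCY_PHRASES = (
    "immediately", "urgent", "right now", "within 24 hours", "act now",
    "account will be suspended", "final notice", "asap",
)
# Sensitive actions named in the article: credentials, money, and links.
SENSITIVE_ACTIONS = {
    "credential": re.compile(r"\b(password|passcode|one[- ]time code|mfa code|reset)\b", re.I),
    "payment": re.compile(r"\b(wire|gift card|transfer|pay(ment)?|send (me )?money)\b", re.I),
    "link": re.compile(r"https?://\S+|\bclick (here|the link)\b", re.I),
}
# "If they texted you, call them; if they called you, text them": verify on a different channel.
SECOND_CHANNEL = {"sms": "phone call", "call": "text message", "email": "phone call"}


@dataclass
class Triage:
    score: int
    flags: list = field(default_factory=list)
    verify_via: str = "none"


def triage_message(channel: str, sender_known: bool, text: str) -> Triage:
    """Score one inbound message against the article's red flags and pick a verification channel."""
    flags = []
    lowered = text.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        flags.append("urgency")
    for name, pattern in SENSITIVE_ACTIONS.items():
        if pattern.search(text):
            flags.append(f"sensitive_action:{name}")
    if not sender_known:
        flags.append("unfamiliar_contact")
    # Any flag at all means the request should be confirmed out of band before acting on it.
    verify_via = SECOND_CHANNEL.get(channel, "in person") if flags else "none"
    return Triage(len(flags), flags, verify_via)


# Constructed sample messages modelled on the smishing and vishing scenarios in the article.
SAMPLES = [
    ("sms", False, "UPS: your package is ready for delivery but we need you to confirm "
                   "your address within 24 hours: http://example.invalid/track"),
    ("call", True, "Hi, this is IT support, we need you to reset your password right now "
                   "or your account will be suspended."),
    ("sms", True, "Running 10 min late, see you at the cafe."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_message(*sample))
```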
Social engineering remains a persistent and evolving threat. By understanding its tactics, recognizing red flags, and implementing the mitigation strategies listed above, individuals and organizations can significantly reduce their vulnerability to these attacks. Staying informed and proactive is the best defense against the ever-changing landscape of social engineering.