Social engineering attacks are often the first step threat actors take as part of a more sophisticated campaign. For example, social engineering can be used as a way to deploy ransomware or as part of a credential theft attack. At the same time, social engineering attacks are some of the most difficult to prevent and detect because they target people, not technology. The first step to mitigating these risks is understanding social engineering and the types of attacks associated with it.
What is social engineering?
Social engineering is the process of manipulating people’s interactions and emotions in a way that gets them to take adverse action, doing things that are against a company’s or their own best interests.
Social engineering focuses on psychology, using techniques like:
- Authority: pretending to be someone in a position of power to intimidate a victim
- Likeability: building trust by appearing credible or easygoing
- Social proof: establishing trust by pretending close friends or acquaintances endorse an activity
- Reciprocity: offering value to create a sense of obligation
- Urgency/commitment: establishing a short time frame for a response as a way to get the victim to ignore risk
- Scarcity: generating demand by pretending something will run out of supply
These techniques are nothing new and not only related to cyber attacks. A good way to think about social engineering is the idea of a con artist trying to steal money from someone.
Types of Social Engineering Attacks
Social engineering cyber attacks use these methodologies by applying them to the anonymity and speed of the internet. Without visual and social cues, people are likely to be more susceptible to these methods.
Possibly the most prevalent form of online social engineering, phishing attacks start with a fake email that appears to be legitimate. Within the text of the email, the attacker suggests that the recipient take action, usually downloading a document or clicking a link. This is how the cybercriminal delivers the payload.
In addition to traditional phishing, cybercriminals also use newer techniques and technologies. Some of these variants include:
- Vishing: Delivering the attack through phone calls instead of emails
- Smishing: Delivering the attack through text messages instead of emails
- Spear Phishing: Customizing fake emails that address the victim directly, usually leveraging publicly available information like social media posts
- Whaling: Targeting high-profile victims within an organization, like senior leadership, with messages that appear to come from someone else inside the company
- QRishing: Encoding a malicious link in a QR code to redirect people to a malicious website
Pretexting can be done physically or digitally. A malicious actor engages in research, creates a realistic story, then pretends to be someone the victim would view as legitimate.
Cybercriminals might try to impersonate:
- Customer service representatives
- IT Staff
- Survey takers
- Physical security staff
Pretexting can be used as part of tailgating, which is where someone acts like they belong in a physical location to follow someone else into a building or secure area. The criminal may wear a uniform associated with the company or act like they forgot a security keycard.
Tailgating can be especially useful to carry out a baiting attack. In these attacks, the cybercriminal uses a physical object, like a USB drive, and leaves it somewhere visible. People are naturally curious and want to help others. In an attempt to return the drive to its owner, they may insert it into a device to look for identifying information. The malware then installs and executes on the device.
Scareware is when the criminal creates a sense of urgency by telling someone that if they take an action, they will avoid harm. It may be used as part of another social engineering attack type, like whaling.
Social Engineering Examples
Whether the social engineering is digital or physical, it is also important to understand what an attack might look like.
In August 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert that malicious actors were using a phishing campaign to send recipients to a spoofed COVID-19 loan relief website. This is an example of using people’s fears to get them to react without thinking. With many people losing their jobs as a result of global lockdowns, they were quick to react in a way that would protect their families.
Spear Phishing Example
In May 2021, CISA published an alert about a sophisticated spear phishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). The threat actors used a legitimate email marketing software company to send emails to more than 7,000 accounts. The emails contained links that redirected to a malicious URL.
In January 2022, the Federal Bureau of Investigation (FBI) issued a warning that cybercriminals were tampering with QR codes to redirect victims to malicious sites. The alert explained that they could tamper with digital or physical QR codes, which could then steal login, financial, or location information.
How to Prevent Social Engineering
Although social engineering attacks use technology, they really target people. This means that organizations need to make sure that they have the people, processes, and technologies in place that help reduce the likelihood of a successful attack.
Cybersecurity Awareness Education
Having the right social engineering training in place can help mitigate many of the risks associated with these attacks. An effective training should teach users to:
- Review sources: Sender email address, email headers, and any URLs
- Check text in body: Images being used to evade spam filters or specifics intending to seem legitimate
- Review emotional language: Anything hinting at urgency or that seems “too good to be true”
- Independently validate requests: Contact the company directly using contact details that do not come from the email
- Never click: Links and downloads are how malicious code is delivered
- Never respond: A reply hands over data and confirms the address is active
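The first checklist items (sources, body text, emotional language) can be applied mechanically before a message ever reaches a person. The following is an added example, not code from the original article or from Alert Logic: it parses a raw email with Python's standard library and reports a Reply-To domain that differs from the From domain, link text that shows a different domain than the real link target, links that point away from the sender's domain, and urgency wording. The sample message, the domains in it and the phrase list are constructed for illustration.

```python
"""Mechanical phishing checks for the training checklist (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgency phrases; a real deployment would tune this.
URGENCY_PHRASES = ("immediately", "within 24 hours",
                   "account will be suspended", "urgent", "act now")

# Constructed sample: the display name claims a bank, the address and Reply-To
# belong to unrelated placeholder domains, and the link text hides its target.
SAMPLE_EMAIL = b"""From: "Example Bank Security" <alerts@mail-example-bank.co>
Reply-To: support@example-collector.net
To: jane@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://login.example-collector.net/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_email(raw):
    """Return a list of (finding, detail) tuples for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Source review: does a reply go back to the same domain the mail claims to be from?
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    reply_dom = registrable_domain(reply_addr.rpartition("@")[2]) if reply_addr else from_dom
    if reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))

    # Body review: compare what a link shows with where it really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        if text.lower().startswith(("http://", "https://")):
            text_dom = registrable_domain(urlparse(text).hostname or "")
            if text_dom != href_dom:
                findings.append(("link-mismatch", f"text shows {text_dom}, target is {href_dom}"))
        if href_dom and href_dom != from_dom:
            findings.append(("link-offdomain", f"link to {href_dom} from sender {from_dom}"))

    # Emotional language: urgency phrases in subject or (tag-stripped) body.
    haystack = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for finding, detail in check_email(SAMPLE_EMAIL):
        print(f"{finding:20s} {detail}")
```

None of these checks proves a message is malicious on its own; they are the same signals the training list asks a person to look for, and a message that trips several of them is the one worth routing to independent validation rather than a click.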
Preventive technologies add a layer of protection that can help reduce the success of a social engineering attack. Some technologies to consider include:
- Strong spam settings
- Anti-virus software on endpoints
- Security patch deployment automation
- Multi-factor authentication (MFA) to limit the damage from compromised credentials
- Device attestation prior to connecting to networks
Detection and Response
Although prevention is important, a defense-in-depth approach that incorporates robust monitoring, detection, and response can reduce the impact a social engineering attack can have. Continuous monitoring should include:
- Alerts for abnormal user and device activity
- Monitoring networks for abnormal traffic
- Testing and validating incident response capabilities
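The first item on that list, alerts for abnormal user activity, is what catches a phish after the credentials have already been handed over. The following is an added example, not code from the original article or from Alert Logic's platform: it runs two simple rules over constructed authentication log lines, a successful login from a country or device that is not in the user's baseline, and a success that follows a burst of failed attempts. The log format, field names, user names, IP addresses and the baseline itself are all invented for illustration.

```python
"""Baseline-based alerting over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline of what "normal" looks like; in practice this
# would be learned from weeks of history rather than hard-coded.
BASELINE = {
    "jane": {"countries": {"US"}, "devices": {"laptop-jane"}},
    "raj": {"countries": {"US", "IN"}, "devices": {"laptop-raj", "phone-raj"}},
}

# Constructed log lines: ISO-8601 timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-04T09:01:00Z user=raj result=success src=198.51.100.7 country=IN device=phone-raj
2024-03-04T09:02:10Z user=jane result=fail src=203.0.113.5 country=RO device=unknown
2024-03-04T09:02:14Z user=jane result=fail src=203.0.113.5 country=RO device=unknown
2024-03-04T09:02:19Z user=jane result=fail src=203.0.113.5 country=RO device=unknown
2024-03-04T09:02:40Z user=jane result=success src=203.0.113.5 country=RO device=unknown
2024-03-04T13:30:00Z user=jane result=success src=192.0.2.10 country=US device=laptop-jane
"""

FAIL_THRESHOLD = 3          # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, baseline=BASELINE):
    """Return a list of (user, rule, detail) alerts for the given log text."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["result"] == "fail":
            recent_fails[user].append(ev["ts"])
            continue

        # Rule 1: a success right after a burst of failures looks like guessing
        # or replay of stolen credentials rather than a typo.
        window_start = ev["ts"] - FAIL_WINDOW
        fails = [t for t in recent_fails[user] if t >= window_start]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((user, "success-after-fail-burst",
                           f"{len(fails)} failures in the last {FAIL_WINDOW}"))
        recent_fails[user] = []

        # Rule 2: a success from a country or device the user has never used.
        profile = baseline.get(user, {"countries": set(), "devices": set()})
        if ev["country"] not in profile["countries"]:
            alerts.append((user, "new-country", ev["country"]))
        if ev["device"] not in profile["devices"]:
            alerts.append((user, "new-device", ev["device"]))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_LOG):
        print(f"{user:8s} {rule:26s} {detail}")
```

Each rule alone is noisy (travel triggers new-country, a new phone triggers new-device), so the useful alert is the user who trips several at once, as jane does here; that correlation is what a monitoring pipeline adds over the raw login stream.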
Managed Detection and Response (MDR) to Protect Against Social Engineering Attacks
Continuous monitoring, detection, and response is challenging enough when looking at just the technology side of cybersecurity. When companies need to validate their people and processes as well, it can be overwhelming.
With MDR, organizations get the resources they need to protect themselves from social engineering attacks. Alert Logic’s MDR platform provides global visibility for all threat activity across users, devices, and environments. With our MDR platform, customers gain machine learning detection along with fully automated and human-guided response capabilities, so that your organization can respond quickly if an incident does occur and minimize its impact on your IT environment. MDR provides the most comprehensive coverage for consistent security outcomes, regardless of attack type.