
What is social engineering

Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation
to trick users into making security mistakes or giving away sensitive
information.

Social engineering attacks happen in one or more steps. A perpetrator first
investigates the intended victim to gather the background information needed
to proceed with the attack, such as potential points of entry and weak security
procedures. The attacker then works to gain the victim's trust and presents a
pretext that prompts actions which break security practice, such as revealing
sensitive information or granting access to critical resources.

Social engineering attack techniques

Social engineering attacks come in many different forms and can be
performed anywhere human interaction is involved. The following are
the five most common forms of digital social engineering attacks.

Baiting
As its name implies, baiting attacks use a false promise to pique a victim's
greed or curiosity. They lure users into a trap that steals their personal
information or infects their systems with malware.

The best-known form of baiting uses physical media to spread malware.
For example, attackers leave the bait, typically malware-infected flash
drives, in conspicuous places where potential victims are likely to find them
(e.g. bathrooms, elevators, the parking lot of a targeted company). The bait
has an authentic look to it, such as a label presenting it as the company's
payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home
computer. The malware then runs either because the victim opens a file on the
drive, because an old system still autoruns removable media, or because the
device is not a storage device at all but a programmable one that types
commands as if it were a keyboard (so-called BadUSB).

Baiting scams don’t necessarily have to be carried out in the physical world.
Online forms of baiting consist of enticing ads that lead to malicious sites or
that encourage users to download a malware-infected application.

Scareware
Scareware involves victims being bombarded with false alarms and fictitious
threats. Users are deceived to think their system is infected with malware,
prompting them to install software that has no real benefit (other than for the
perpetrator) or is malware itself. Scareware is also referred to as deception
software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking pop-up banner that
appears in your browser while surfing the web, displaying text such as
"Your computer may be infected with harmful spyware programs." It either
offers to install the tool (often malware-infected) for you, or directs you to a
malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings,
or makes offers for users to buy worthless/harmful services.

Pretexting
Here an attacker obtains information through a series of cleverly crafted lies.
The scam is often initiated by a perpetrator pretending to need sensitive
information from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by
impersonating co-workers, police, bank and tax officials, or other persons who
have right-to-know authority. The pretexter asks questions that are ostensibly
required to confirm the victim's identity, through which they gather important
personal data.

All sorts of pertinent information and records are gathered using this scam,
such as social security numbers, personal addresses and phone numbers,
phone records, staff vacation dates, bank records and even security
information about a physical plant.

Phishing
As one of the most popular social engineering attack types, phishing scams
are email and text message campaigns aimed at creating a sense of urgency,
curiosity or fear in victims, and then prodding them into revealing sensitive
information, clicking on links to malicious websites, or opening attachments
that contain malware.

An example is an email sent to users of an online service that alerts them to a
policy violation requiring immediate action on their part, such as a required
password change. It includes a link to an illegitimate website, nearly identical
in appearance to the legitimate one, prompting the unsuspecting user to
enter their current credentials and new password. When the form is submitted,
the information is sent to the attacker.

Since identical, or near-identical, messages are sent to all users in a
phishing campaign, detecting and blocking them is much easier for mail
servers that have access to threat-sharing platforms.

Spear phishing
This is a more targeted version of the phishing scam, in which an attacker
chooses specific individuals or enterprises and tailors the messages to the
characteristics, job positions and contacts of the victims to make the attack
less conspicuous. Spear phishing requires much more effort on the part of the
perpetrator and may take weeks or months to pull off. Such attacks are much
harder to detect and have better success rates when done skilfully.

A spear phishing scenario might involve an attacker who, impersonating an
organization's IT consultant, sends an email to one or more employees. It's
worded and signed exactly as the consultant normally does, thereby deceiving
recipients into thinking it's an authentic message. The message prompts
recipients to change their password and provides them with a link that
redirects them to a malicious page where the attacker captures their
credentials.

Social engineering prevention

Social engineers manipulate human feelings, such as curiosity or fear, to carry
out schemes and draw victims into their traps. Therefore, be wary whenever
you feel alarmed by an email, attracted to an offer displayed on a website, or
when you come across stray digital media lying about. Being alert can help
you protect yourself against most social engineering attacks taking place in
the digital realm.

Moreover, the following tips can help improve your vigilance in relation to
social engineering attacks.

 Don't open emails and attachments from suspicious sources – If you don't
know the sender in question, you don't need to answer the email. Even if you
do know them and are suspicious about their message, cross-check and
confirm the news through another channel, such as by telephone or directly on
the service provider's site. Remember that email addresses are spoofed all the
time; even an email purportedly coming from a trusted source may actually
have been initiated by an attacker.
 Use multifactor authentication – One of the most valuable pieces of
information attackers seek is user credentials. Multifactor authentication
helps protect your account in the event that a password is phished or
otherwise compromised; phishing-resistant methods (hardware security keys
using FIDO2/WebAuthn) are preferable to one-time codes, which can themselves
be relayed by a phishing page. Imperva Login Protect is an easy-to-deploy 2FA
solution that can increase account security for your applications.
 Be wary of tempting offers – If an offer sounds too enticing, think twice
before accepting it as fact. A quick web search on the topic can help you
determine whether you're dealing with a legitimate offer or a trap.
 Keep your antivirus/antimalware software updated – Make sure automatic
updates are enabled, or make it a habit to download the latest signatures first
thing each day. Periodically check that the updates have been applied, and
scan your system for possible infections.

Definition

Social engineering refers to all techniques aimed at talking a target into
revealing specific information or performing a specific action for
illegitimate reasons.

Social engineering in IT

Although this form of trickery has always existed, it has evolved
significantly with ICT technologies. In this new context, social engineering
techniques in IT can be looked at from two different angles:

 either psychological manipulation is used to get further access to an
IT system where the actual objective of the scammer resides, e.g.
impersonating an important client via a phone call to lure the target
into browsing a malicious website that infects the target's workstation;
 or IT technologies are used to support psychological manipulation
techniques to achieve an objective outside the IT realm, e.g. obtaining
banking credentials via a phishing attack to then steal the target's
money.

The increasing use of IT technologies has naturally led to an increase in the
use of such techniques, as well as to their combination, to such a point that
most cyber attacks nowadays include some form of social engineering.

Social engineering Techniques

This entry will cover some of the most common techniques: pretexting,
baiting, quid pro quo and tailgating. Phishing attacks also rely upon social
engineering; this topic has been covered in a previous
entry: Phishing/Spear phishing.

Pretexting

This technique relies on a pretext - a false justification for a specific
course of action - to gain trust and trick the victim.

 Example: the attacker claims to work for IT support and requests the
target's password for maintenance purposes.

Proper identification and authentication processes, policies and training
should be in place to counter such attacks; in particular, legitimate IT
support never needs a user's password.
Baiting

Baiting involves luring the victim into performing a specific task by
providing easy access to something the victim wants.

 Example: a USB flash drive infected with a keylogger and labelled "My
private pics" left on the victim's doorstep.

Security policies that block non-authorised hardware (in particular removable
USB storage) and non-authorised software will thwart most attempts; note that an
air gap on its own does not, since the victim carries the drive across it. Staff
should also be reminded not to trust unknown sources.

Quid pro quo

Quid pro quo, "something for something" in Latin, involves a request for
information in exchange for compensation.

 Example: the attacker asks for the victim's password, claiming to be a
researcher running an experiment, in exchange for money.

Quid pro quo attacks are relatively easy to detect because the value of what
is requested is wildly out of proportion to the compensation offered: the trade
is worth a great deal to the attacker and very little to the victim. In these
cases the best countermeasure remains the victim's integrity and ability to
identify, ignore and report the approach.

Tailgating

Tailgating is the act of following an authorised person into a restricted area
or system.

 Example: the attacker, dressed as an employee, carries a large box
and convinces the victim, who is an authorised employee entering at
the same time, to open the door of the data centre using the victim's
RFID pass.

Access to non-public areas should be controlled by access policies and/or
access control technologies, the more sensitive the area the stricter the
combination. The obligation to wear a badge, the presence of a guard and
actual anti-tailgating doors such as mantraps with RFID access control
should be sufficient to deter most attackers.
Recommendations

Any organisation should identify its critical assets and implement the
appropriate security policies and procedures. When necessary, these should
be reinforced through the use of technology.

Nevertheless, the single most effective countermeasure to social
engineering attacks remains common sense. In this light, ENISA
recommends the following:

 frequent awareness campaigns: posters, presentations, emails,
information notes;
 staff training and exercising;
 penetration tests to determine an organisation's susceptibility to
social engineering attacks, reporting and acting upon the results.

In a social engineering attack, an attacker uses human emotion (usually
fear and urgency) to trick the target into performing an action, such as
sending the attacker money, divulging sensitive customer information, or
disclosing authentication credentials.

 Social engineering is an illegal activity; industry surveys have reported
that some form of it features in as many as 98% of cyber-attacks.
 Social engineering is characterized by attackers coercing victims into
divulging sensitive information by pretending to be a known person or
legitimate entity.
 Identity theft through phishing attacks is the most common form of
social engineering.
 Industry reports also put the share of data breaches that start with
phishing or social engineering attacks at over 70%.
 You can employ several prevention strategies against social engineering,
from setting up multifactor authentication for your accounts to training
employees to identify suspicious behavior.

 Standards and approaches to cybersecurity are improving all around the
world, with organizations beginning to implement state-of-the-art
technical defenses for their networks and computer systems. Attackers
are responding by deciding that the effort and resources needed to get
through these defenses aren't worth it, and are instead targeting the
end user with increasingly effective social engineering attempts. The
Verizon 2020 Data Breach Investigations Report found that phishing, a
form of social engineering, was involved in 22% of the breaches analysed.
 From our previous blogs, you know what social engineering is and the
common types of social engineering attacks. We also looked at what
employees can do to prevent these attacks.
 However, how can organisations prevent social engineering attempts
like phishing from being successful?
 Below are eight key ways your organization can prevent social
engineering attempts from being successful:

 #1. Security Awareness Training

 One of the best ways to defend against social engineering attacks is
ensuring that the employees of your organization understand how
cybercriminals work. Because social engineering is designed around
exploiting flaws in human behaviour, a comprehensive security awareness
training program is crucial in defending your organization and its employees.
 For example: phishing is one of the most popular social engineering
tactics and usually takes the form of an email that encourages the
recipient to click on a link or download a file that gives the attacker
access to a computer or to network systems in the organization.
 A successful phishing campaign preys on a victim's inability to identify
certain red flags, such as a spoofed sender address, a display name that
does not match the address, or a hyperlink whose visible text differs from
its destination. Teaching employees these telltale signs helps them identify
and report social engineering threats like phishing.

 #2. Simulating Social Engineering


Attempts
 Great, your organization has implemented a thorough security
awareness training program, so what’s next? Instead of stopping at
educating employees on cybersecurity, it is vital that your organization
goes one step further and tests employees via social engineering
simulations.
 For example: Phishing simulations can be acquired by vendors and are
typically cloud based, hence these simulations can be run remotely by
your organization and tailored to it’s unique needs. These simulations
can teach you how effective an actual phishing campaign would be on
your organization.
 Simulation can help improve your organization’s training and awareness
procedures and policies. It can alert you to the areas that need to be
focused on and improved so that your employees successfully avoid
and detect social engineering attempts.

 #3. Increase Spam Filtering via Email


Gateways
 Cyber criminals love using email as a tool to carry out their social
engineering attempts, therefore it is vital that your organization
implements the right email gateways to flag these attempts as spam in
your employees' inbox. Spam makes up 45% of all emails, with a
majority of it being socially engineered to compromise computer
systems, networks and steal data, implementing a good email gateway
can prevent up to 99.9% of all spam.
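The following script, added here as an example and not part of the original page or any vendor's product, applies the red flags described under #1 and in the "Don't open emails and attachments from suspicious sources" tip above in the way an email gateway does: it reads the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in the Authentication-Results header, checks that the envelope sender (Return-Path) is aligned with the From domain, and compares the visible text of each link with where it actually points. The two messages, the domains example.com and example-com-secure.net, and every address in them are constructed for the demonstration.

```python
"""Phishing red-flag checks over a raw e-mail, the way a mail gateway sees it.

Added example, not from the original page. 'example.com' is the legitimate
organisation and 'example-com-secure.net' the attacker's look-alike domain;
both messages below are constructed for this demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing mail: spoofed From, DMARC failure recorded by our MX,
# and a look-alike link hidden behind legitimate-looking anchor text.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-blast.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Example IT Support" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password policy violation
Content-Type: text/html; charset=utf-8

<p>Your password no longer meets policy. Change it within 24 hours.</p>
<p><a href="https://example-com-secure.net/reset">https://sso.example.com/reset</a></p>
"""

# Constructed legitimate mail for comparison.
SAMPLE_LEGIT = b"""\
Return-Path: <noreply@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example IT" <noreply@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset=utf-8

<p>SSO will be unavailable Saturday 02:00-04:00. No action is needed.</p>
<p><a href="https://status.example.com/">https://status.example.com/</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST_RE = re.compile(r"https?://([^/\s<]+)", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if there is none)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def in_domain(host: str, org_domain: str) -> bool:
    """True if host is org_domain itself or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def auth_results(msg: EmailMessage) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results header our MX added."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def check_message(raw: bytes, org_domain: str) -> list:
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))

    # 1. Envelope sender not aligned with the From domain (DMARC-style alignment).
    if rp_domain and from_domain and not in_domain(rp_domain, from_domain):
        flags.append(f"Return-Path domain {rp_domain} is not aligned with From domain {from_domain}")

    # 2. The receiving server's DMARC verdict for the From domain.
    verdict = auth_results(msg).get("dmarc", "missing")
    if verdict != "pass":
        flags.append(f"dmarc={verdict} for {from_domain}")

    # 3. Links: visible URL text that differs from the real destination, and
    #    look-alike hosts that contain the organisation's name but are not its domain.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    org_label = org_domain.split(".")[0]
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = SHOWN_HOST_RE.search(text)
        if shown and shown.group(1).lower() != href_host:
            flags.append(f"link text shows {shown.group(1).lower()} but points to {href_host}")
        if org_label in href_host and not in_domain(href_host, org_domain):
            flags.append(f"look-alike domain in link: {href_host}")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw, "example.com"))
```

The script trusts the Authentication-Results header, so it only makes sense at or behind your own MX, which must strip any copy of that header that arrives from outside (RFC 8601 requires exactly this). Note that the spoofed message passes SPF, because SPF is evaluated for the attacker's own bulk-mail domain in the Return-Path; it is DMARC alignment with the visible From domain that fails, which is why gateways should enforce DMARC rather than SPF alone.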

 #4. Implement Policies Around Social


Media Usage
 Cyber criminals tend to collect intelligence on their victims via social
media, for example, spear phishing is a type of phishing that is targeted
and personalised to a specific individual. The degree to which these
attempts are successful is dependent on the amount of information the
attacker can gather on their victim. As oversharing can be an issue,
having a policy around how and what employees post on social media
can help reduce the chances of social engineering attempts from being
successful.

 #5. Implement Appropriate Policy For Key


Procedures
 Technological processes are limited in the amount they can help when it
comes to social engineering attempts. Social engineering is designed in
a way to trick human beings, so anti-malware, anti-virus, network
firewalls etc. fail to prevent social engineering from being successful.
Therefore implementing appropriate policies when dealing with
procedures like transfering money or making payments can help reduce
the success rate of cyber criminals.
 For example: CEO Fraud is a type of spear-phishing email attack in
which the attacker impersonates the CEO of your organization. Typically,
the attacker aims to trick employees into transferring money to a bank
account owned by the attacker. Implementing a strict policy around
money transfers e.g. face to face confirmation of transfers over a
certain amount, can easily eliminate social engineering attempts by
cyber criminals.

 #6. Multi-Factor Authentication


 Social Engineering schemes usually rely on increasing privilege levels to
gain access to an organization’s systems and networks. Implementing
multi-factor authentication such as two-factor authentication, which
needs another factor other than username and password to enable
access, can increase the chances of preventing social engineering
tactics before their completion.
 For example: attackers who gain access to login credentials from
employees will then need to jump through another loop to gain full
privileged access to an organization’s network and systems. Also
making sure only certain employees are authorized to access privileged
resources.
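As an added illustration of the difference between phishable and phishing-resistant factors, covering both this section and the "Use multifactor authentication" tip earlier on the page, and not part of the original post: the script below implements TOTP one-time codes (RFC 6238) and a deliberately simplified stand-in for a FIDO2/WebAuthn assertion, then plays the same real-time relay attack against both. The "authenticator" here uses an HMAC over the challenge and the page origin in place of the ECDSA signature over authenticator data and client data that a real security key produces; that simplification is mine, and all keys, hostnames and challenges are constructed.

```python
"""One-time codes can be phished and relayed; origin-bound assertions cannot.

Added example, not from the original post. The TOTP part follows RFC 6238
(HMAC-SHA1, 30-second step, 6 digits). The 'assertion' part is a simplified
stand-in for a FIDO2/WebAuthn authenticator: an HMAC over (challenge, origin)
replaces the real ECDSA signature over authenticator and client data, but keeps
the property that matters, that the origin of the page the user is actually on
is part of what gets signed. All keys, hosts and challenges are constructed.
"""
import hashlib
import hmac
import struct
import time

TOTP_SECRET = b"constructed-totp-seed-for-alice"        # constructed, not a real seed
FIDO_KEY = b"constructed-authenticator-key-for-alice"   # constructed stand-in for a key pair

REAL_ORIGIN = "https://sso.example.com"                 # where the user should log in
PHISH_ORIGIN = "https://sso.example-com-secure.net"     # attacker's look-alike, proxied to REAL_ORIGIN


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server side: accept the code for the current step and `skew` steps either side."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-skew, skew + 1))


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side. The browser, not the web page, supplies `origin`, so a
    phishing page cannot ask for a signature over the genuine site's origin."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def verify_assertion(key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """Relying-party side: recompute over the origin the genuine site expects."""
    return hmac.compare_digest(sign_assertion(key, challenge, expected_origin), assertion)


def totp_relay_attack(now: int) -> bool:
    """Adversary-in-the-middle: the victim types the code into the phishing page and the
    proxy forwards it to the real site a few seconds later, still inside the window."""
    captured = totp(TOTP_SECRET, now)                     # what the victim's app displayed
    return verify_totp(TOTP_SECRET, captured, now + 5)    # real site accepts it


def fido_relay_attack(challenge: bytes) -> bool:
    """Same relay against an origin-bound assertion: the victim's browser is on the
    look-alike origin, so that is what gets signed, and the real site rejects it."""
    relayed = sign_assertion(FIDO_KEY, challenge, PHISH_ORIGIN)
    return verify_assertion(FIDO_KEY, challenge, REAL_ORIGIN, relayed)


if __name__ == "__main__":
    now = int(time.time())
    print("relayed TOTP accepted by the real site:", totp_relay_attack(now))            # True
    print("relayed origin-bound assertion accepted:", fido_relay_attack(b"nonce-1"))     # False
```

The TOTP code is just a number with no notion of where it is being typed, so the relay works as long as the proxy forwards it within the validity window (30 seconds here, plus the one-step skew most servers allow). The assertion fails because the browser, not the page, fills in the origin; a real WebAuthn verifier checks the origin in clientDataJSON and the RP ID hash in authenticatorData in the same spirit.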

 #7. Monitor Critical Systems 24/7


 To increase the efficiency in identifying cyber threats, make sure your
critical systems that house sensitive information are monitored 24/7 by
your information security officer or team. Certain social engineering
tactics like Trojan attacks, manipulate users into running seemingly
innocent programs that hide malicious ulterior motives. Vulnerability
assessments can help scan internal and external systems of your
organization for vulnerabilities.

 #8. Utilise SSL Certification


 Encrypting data can help minimise the repercussions of hackers gaining
access to your organization’s communication systems. Encryption can
be achieved by obtaining SSL certification from authorities. An SSL
certificate is a type of digital certificate that provides authentication for
a website and enables an encrypted connection, a simple analogy is that
it acts like an envelope and seal for a letter.

 To conclude
 Social engineering is becoming an increasingly effective method for
cybercriminals to breach an organization's security measures. It is vital
that your organization implements appropriate defenses, which include but
are not limited to the eight precautions above, to prevent social
engineering attacks. StickmanCyber's team is equipped to help your
employees recognise such attempts and prevent social engineering
attacks.
