What is social engineering?
06 May 2016
We’ve talked about phishing a lot recently on our #clickclever content hub, and how you can spot the tell-tale signs of a potential phishing attack. It’s now time to take a step back and focus on social engineering, and why it’s such an effective method of stealing information or dropping malware on unassuming individuals. It’s because of social engineering that spear phishing and similar attacks work, so it’s important to explore.
Social engineering relies on abusing human nature
Social engineering isn’t a term unique to the world of cybercrime. The goal of social engineering is to trick somebody into fulfilling a certain action or request, often with malicious intent. This may involve persuading the victim to do something that would normally be out of the individual’s comfort zone. Alternatively, the victim is kept completely in the dark that they are even a victim of a social engineering attack – until it’s too late, of course.
A common method social engineers use to exploit individuals is to abuse basic human nature – curiosity, trust and even concern are all traits that can make a social engineering attack succeed. The three examples below are all examples of email phishing, each relying on a different trait:
An individual receives an email with an attachment purportedly containing company financial information or payroll data. Technically, the information isn’t relevant to the individual, but curiosity gets the better of him, and the attachment is opened, potentially executing a piece of malware within the attached “file”.
A financial controller receives an email from their CEO asking them to send over sensitive employee information, and the controller gladly obliges. However, the email wasn’t from the CEO – it was actually a whale phishing attack using a spoofed email address. This is a common way that data is stolen from businesses – this exact scenario happened at Snapchat earlier this year.
A social engineer could also threaten an individual using a well-crafted email, stating that “something will happen” unless something is provided, e.g. a bank account will be frozen unless the email address and password are confirmed. If done correctly, and the email looks legitimate, an individual worried that their bank account will be frozen will of course do whatever is needed to prevent this from happening – in this example, handing our social engineer their login details…
Spear phishing: How it works
The above cases are all genuine examples of phishing that use social engineering tactics. The “trust” example above requires knowledge of the victim (e.g. job title, seniority, access to data etc.) and also knowledge of the CEO (e.g. email address for spoofing, signature, maybe even style of writing). This personalised method of attack is known as spear phishing, as it’s targeted at a specific individual or group (compared to normal phishing, which casts a wide net in the hope that one person falls for the bait).
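As an added illustration of the spoofed-CEO case (this is not code from the original post or from clickclever), the Python below runs three simple checks over a constructed email: whether an executive’s display name is paired with an address outside the company domain, whether Reply-To points to a different domain, and whether the receiving mail server’s Authentication-Results header recorded a failed or absent SPF/DKIM check. The company domain, executive names and message content are all placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample message (placeholder domains, not real addresses): a "CEO"
# request whose From address is outside the company domain and whose Reply-To
# points somewhere else again.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.com>
Reply-To: jane.doe@mail-example.net
To: finance.controller@example-corp.com
Subject: Urgent: employee payroll export needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp-mail.com; dkim=none
Content-Type: text/plain

Can you send me the payroll export for all staff? Needed before my 3pm call.
"""

COMPANY_DOMAIN = "example-corp.com"   # assumed internal domain (placeholder)
EXECUTIVES = {"jane doe"}             # assumed names likely to be impersonated


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return human-readable findings that suggest display-name spoofing."""
    msg = email.message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An executive's name shown on an address outside the company domain.
    if any(e in name.lower() for e in EXECUTIVES) and from_domain != company_domain:
        findings.append(f"display name '{name}' used with external address {from_addr}")

    # 2. Replies silently redirected to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. The receiving server recorded failed or missing sender authentication.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        for verdict in ("fail", "softfail", "none"):
            if f"{mech}={verdict}" in auth:
                findings.append(f"{mech} result was {verdict}")
    return findings


if __name__ == "__main__":
    for finding in assess_message(SAMPLE_EML):
        print("WARNING:", finding)
```

None of these checks proves an email is malicious on its own; they flag the message for a second look, which is exactly the habit the financial controller in the example lacked.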
Spear phishing can be ruthless in its approach, and when done well, can be extremely difficult to spot. Information easily available online on social media and corporate sites can be enough to learn about an individual’s interests, occupation and experience, meaning that an email can be tailored to fit.
Within the world of cybercrime, social engineering tactics are often carried out without any hacking taking place – this means this style of attack can get past your firewalls and security systems by exploiting human error rather than technical weaknesses. The sad truth is that no business or industry is safe from potentially being the target of a phishing attack, and it’s because of this that awareness is so key.
The only way to avoid becoming a victim of a social engineering attack through email is to become savvy and aware that any email you receive may be malicious in intent. Being #clickclever and aware of malicious links and attachments within emails and across the internet is an invaluable trait to have in today’s digital age. Worried you might be phish-prone? Teach yourself to be #clickclever by reading the resources available on www.clickclever.co.uk.