Tactics, examples, and preventative measures to protect your organization
In the labyrinth landscape of the digital world, the most cunning and deceptive threats often wear the disguise of familiarity. Social engineering exploits the one weakness found in every organization: human psychology. These techniques, as innocuous as they may seem, are powerful tools in the hands of cybercriminals who can use them to manipulate individuals into revealing sensitive information or carrying out actions that compromise personal or organizational security.
This article explores the insidious realm of social engineering tactics, illustrating how these strategies are employed and offering insight into safeguarding yourself and your organization.
What are social engineering tactics?
Social engineering tactics refer to the psychological manipulation techniques cybercriminals use to deceive individuals into giving away sensitive information, such as personal data, banking details, or confidential business information. These tactics exploit human behavior and weaknesses rather than technology vulnerabilities. They can be deployed in various ways, often leveraging trust and creating scenarios that cause confusion, fear, or a sense of urgency.
The most common social engineering tactics
Phishing
Phishing is the act of sending fraudulent communications that appear to come from a reputable source, usually through email. The aim is to steal sensitive data like credit card numbers and login information. It’s the most common type of social engineering attack that can lead to identity theft and financial loss.
Phishing Example
Maria received an email that appeared to be from her bank, stating that her account had been locked due to suspicious activity. The email contains a link and urges her to click on it to unlock her account. However, the link directs to a fraudulent website designed to steal her banking credentials. Fortunately, she recognizes the odd email address and reports it to her bank instead of entering her information.
Pretexting
Pretexting is when an attacker creates a fabricated scenario (the pretext) to engage the target in a way that increases the chance the target will divulge information or perform actions that would be unlikely in ordinary circumstances. An example might be a person who impersonates a tax authority and calls a victim to ask for bank account details under the pretense of a tax rebate.
Baiting
Baiting is similar to phishing and involves offering a false promise to pique a victim’s greed or curiosity. Attackers lure users into a trap that steals their personal information or infects their systems with malware.
Baiting example
Samantha finds a USB stick in the parking lot outside her office with a label indicating it contains the upcoming season of a popular TV show. Curiosity piqued, she plugs the USB into her computer, unknowingly installing malware that sends her login credentials back to the hacker.
Quid pro quo
Similar to baiting, quid pro quo involves a hacker requesting the exchange of critical data or login credentials in return for a service. For example, an attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually, they will hit someone with a legitimate problem, grateful that someone is calling back to help them.
Quid pro quo example
Henry receives a call from someone claiming to be a Microsoft support technician who noticed a problem with his computer. They say they can fix it if Henry lets them remote into his PC. Wanting to solve his slow computer issues, Henry agrees, providing the “technician” with access to his computer and, inadvertently, his personal data.
Tailgating
Tailgating or “piggybacking” involves someone without the proper authentication following an employee into a restricted area. An attacker might impersonate a delivery driver and wait outside a building. When an employee gains security’s approval and opens their door, the attacker asks that employee to hold the door, gaining access alongside the employee.
Tailgating example
Laura, an employee in a secure office building, is entering the building when she notices a man in a courier uniform with his hands full of packages. He rushes to catch the door, thanking her for holding it open. Once inside, he’s able to leave the packages and wander the building, accessing areas that should be secure.
Diversion theft
In this kind of attack, the fraudster diverts the routing of the victim’s information or valuables to gain access to them. For instance, an attacker might pose as a courier and convince a receptionist that they’re there to pick up a sensitive package, which the receptionist hands over.
Diversion theft example
A courier service receives a call from someone claiming to be Mr. Smith, a regular customer. He states that there’s been a change in his usual delivery address just for the day because of some repair work at his home. The “new” address provided is an abandoned building, and when the package arrives, an accomplice of the caller picks it up, effectively stealing the goods intended for Mr. Smith.
Spear phishing
Spear phishing is a targeted form of phishing in which the hacker knows who they are targeting, making the attack more personalized and increasing the likelihood of its success. The attacker extensively researches their victims to make the deception more credible. The emails or messages used in spear phishing are designed to appear as if they’re from a known or trusted sender, prompting the target to reveal confidential information.
Spear phishing example
Imagine an executive in a large corporation, John. One day, he receives an email seemingly from Emily, his deputy, asking him for immediate approval on an invoice that only John can authorize. The email appears to come from Emily’s corporate account, features her usual email signature, and even references a real project that Emily is known to be working on. However, the email is a spear-phishing attempt. The attacker researched John and Emily’s roles in the company and their ongoing projects, even mimicking Emily’s email style. The invoice link in the email redirects John to a page identical to his corporate login page. Unaware, John enters his credentials, inadvertently providing the attacker with access to sensitive company information.
This scenario is a classic example of spear phishing, highlighting its dangerous potential when the attacker combines technical deceit with a deep understanding of human behavior, company structure, and specific project details.
Honey trap
This method lures the victim into a trap by promising them appealing activities or goods. It could involve a scenario where the attacker pretends to be a very attractive person on a dating site to lure the victim into sharing personal or financial information.
Scareware
Scareware involves tricking a victim into thinking their computer is infected with malware or has been subject to a security breach. The victim is then convinced they need to purchase unnecessary and potentially harmful software.
Scareware example
Sarah receives an email with a subject line that reads, “Immediate Action Required: Your Bank Account Has Been Breached.” Opening the email, she sees a message warning her that her account has been compromised. The email provides a link to a “security software” that can supposedly protect her from further harm. Worried about her financial security, she clicks the link and downloads the software, unknowingly installing malware on her device.
Remember, awareness and caution are the best defenses against these tactics. Always verify the source of any information requests, don’t click on suspicious links, and don’t share sensitive information unless you’re sure it’s a legitimate request.
How to prevent social engineering targetted at your employees
Preventing social engineering involves both technical measures and human awareness. Here are some strategies to help mitigate the risk of social engineering attacks:
1. Invest in education and training
Employees should be trained regularly on the nature and impact of social engineering attacks, how they work, and how to recognize them. Real-life examples and situations should be used where possible for better understanding.
2. Create a security culture
Encourage a culture of security within your organization where employees feel comfortable questioning unusual requests and are rewarded for vigilance.
3. Implement two-factor authentication
Implementing two-factor or multi-factor authentication can provide an extra layer of security, reducing the risk of unauthorized access even if someone obtains login credentials through social engineering.
4. Secure systems and software
Regularly update and patch all systems. Many social engineering attacks take advantage of known vulnerabilities in software. Keeping systems and software updated reduces these vulnerabilities.
5. Limit information sharing
Minimize the amount of information you share publicly, especially on social media. Hackers often gather basic information about targets to make their attempts more convincing.
6. Use robust email filters
Many social engineering attacks start with phishing emails. Using an email filter can block these types of messages before they reach the user.
7. Conduct regular audits and tests
Regularly test your organization’s susceptibility to social engineering attacks. This can be done via simulated phishing attacks, pretexting scenarios, etc.
8. Develop clear policies
Develop and enforce clear policies around data sharing and security. Make sure all staff are aware of these policies and the potential consequences of breaching them.
9. Make an incident response plan
Have a clear plan in place for responding to successful social engineering attacks. This should include steps to limit damage, notify affected parties, and learn from the incident to prevent future attacks.
The best defense is a good offensive. PlexTrac is the premier offensive security reporting and workflow management platform.
Source: https://plextrac.com/common-social-engineering-tactics-2023/
