Social Engineering (SE) poses serious challenges to the security of cyberspace. It is defined as a strategy used by cyber attackers that relies heavily on human interaction and involves tricking people into breaking standard security practices. Through social engineering attacks, impostors try to manipulate and exploit humans into giving up login access, banking details, personal credentials, or other sensitive data and personal information. It is also known as human hacking because it targets the weakest link in the security chain, i.e., the human workforce, to obtain important data and personal information or to gain access to corporate networks. Attackers exploit human vulnerabilities through influence, deception, persuasion, inducement, and manipulation in order to breach the integrity, confidentiality, availability, auditability, and controllability of systems and networks. Hackers use social engineering as the first step in a larger campaign to penetrate a network or system and spread malware or steal sensitive data. Psychological manipulation and sophisticated trickery are used to cause individuals, staff, and high-profile employees to make security mistakes, surrender sensitive information, or grant access within an organization.
A social engineering attack involves three stages: research, planning, and execution. In the research phase, attackers perform reconnaissance on the target to gather information about an organization's network, structure, employees, and finances. This data may be collected directly through in-person visits, company websites, or social media profiles. In the planning phase, the attackers use the information that has been gathered to select their mode of attack, design a strategy, and write the content/messages that will be used to trick and exploit the targeted audience. The execution phase starts when the attacker carries out the attack by contacting the target through messages or voice calls. In some forms of social engineering attack the attacker keeps interacting with the victim, whereas in other forms the kill chain is activated by the user clicking on a malicious link or visiting a malicious website. Hackers and criminals infect users' systems, devices, and corporate networks by luring them to spoofed websites and malicious links or by getting them to install malicious applications. The attackers use social engineering techniques to conceal their motives and true identities. For instance, the attacker might pretend to be a co-worker with some kind of emergency or urgent problem requiring access to additional network resources.
Social Engineering Dimensions
Cybersecurity incidents are growing rapidly with the use of advanced technology, devices, and services, and are becoming a national security threat. Information and network security have become crucial, as cyber attacks and social engineering practices are now considered more probable than physical terrorist attacks worldwide. Different SE techniques are used by hackers, criminal groups, and extremist and terrorist networks. Some of the important dimensions of social engineering are persuasion, fabrication, and data gathering.
- Persuasion – This involves persuading a user to comply with an unsuitable request, i.e., to do something that is against the established norms or against the information security policies of a country. Persuasion includes tricking the user into giving up sensitive information such as passwords to certain accounts or other personal information. In some recorded instances the persuasion techniques engaged the free will of the targets rather than forcing them. Such techniques rely on the psychological characteristics of the target to achieve persuasion. The important principles of persuasion include reciprocity, scarcity, authority, consistency, liking, and consensus. Persuasion has two main features: 1) direct interaction – how a request is started, and 2) the intruder – who actively engages a target.
- Fabrication – This involves providing misleading cues to the victim in order to affect the victim's interpretation of the situation, using techniques including name-dropping, impersonation, piggybacking, jargon, and false IDs. Fabrication stands out as a less obvious and more deceptive dimension of social engineering.
- Data Gathering – SE attacks require knowledge of the target's operating system or device, so the most crucial part of SE is acquiring data prior to the attack. Different techniques are used to gather information for further intrusion, and this stage does not involve direct interaction with the target. The techniques used for data gathering include dumpster diving, open-source information, stealing, shoulder surfing, eavesdropping, loggers, phishing, and photography. These techniques serve the final goal, i.e., infecting the user's device or network.
Types of Social Engineering
The most frequently used SE attacks are described in the table below:
| Attack type | Description |
| --- | --- |
| Baiting | The attacker puts something curious and enticing in front of the victim to bait them into a social engineering trap. For instance, the attacker could offer free downloadable music or free gift cards, or hand out free USB devices to users. Such USB devices are loaded with malware, which infects the target's computer when the device is plugged in. |
| Phishing | The attacker sends fraudulent e-mails that pretend to come from well-trusted and reputable sources. The e-mails claim to hold important information for the user but require the user's name, date of birth, account details, etc. Such e-mails aim to obtain the target's financial or personal information through malicious links. |
| Spear Phishing | This is like phishing, but a spear-phishing attack is tailored to a particular person or organization. The attacker uses the target's public social media profiles, found through search engines, to create a compelling targeted attack. |
| Vishing | Also called voice phishing, this uses phone calls to obtain the target's personal information. It occurs when an attacker tricks a victim into disclosing sensitive information or giving the attacker access to their computer system or phone. |
| Smishing | Smishing is short for SMS vishing. It is similar to, and uses the same techniques as, vishing and e-mail phishing; the only difference is that it is carried out through SMS/text messages. |
| Whaling | This targets high-profile employees of an organization, e.g., the CEO and CFO, and tricks them into disclosing sensitive information. It is called whaling because the attackers go after the so-called big fish of the company. |
| Pretexting | The attacker creates a scenario in which the victim feels bound to comply under false pretenses. For instance, the attacker may pretend to need financial help, using the pretext of confirming the recipient's identity. |
| Scareware | This involves tricking the target into believing that they have downloaded pornographic or otherwise illegal content, or that their system has been infected. The scareware then offers a solution to fix this bogus problem, which leads to downloading the attacker's malware. |
| Watering Hole | The victim downloads malicious code from a trusted website that the target commonly visits. For instance, the attackers might compromise a finance-industry news website, knowing that the targeted individuals visit it. These attacks are usually performed by highly skilled attackers, and extensive prior research is done before launching the attack. |
| Diversion Theft | The attacker tricks courier companies into delivering products to the wrong location, thereby intercepting the transaction. |
| Quid Pro Quo | The attacker pretends to offer something, i.e., monetary benefits, gift vouchers, or other benefits, in exchange for the target's information. |
The social engineering lifecycle includes information/data gathering, engagement with the victim, attacking the target's system or device, and closing the interaction. SE manipulates human feelings such as curiosity or fear; it can therefore be very damaging not only to users' devices and networks but also to users' psychological health. The following prevention measures help avoid SE attacks:
- Users should avoid opening e-mails from unknown senders, especially e-mails containing suspicious links, and should avoid opening or downloading e-mail attachments sent from suspicious accounts.
- Users should be wary of tempting offers received through e-mail or any other app. Any monetary or other offer claiming to come from an organization should be cross-checked and verified through search engines or through that organization's official website.
- Devices and operating systems (OS) must be kept up to date. Users should check that updates have actually been applied and should regularly scan their systems for malware or other infections.
- Security protocols, procedures, and policies for handling sensitive data and important information must be established.
- Periodic tests of the security framework also help in detecting and preventing social engineering attacks.
- Requests for financial information or passwords received via e-mail should be deleted without being opened or answered.
Some of the important policy recommendations for organizations seeking to protect themselves from social engineering attacks are as follows:
- Security awareness education/training is the first line of defence against social engineering attacks and should be provided to all individuals. Employees may not be aware of social engineering dangers, so it is important to conduct security awareness training and to refresh it continuously.
- Companies should invest in antivirus software and other endpoint security measures and install them on employees' devices. Modern endpoint protection tools help identify and block phishing messages and suspicious links to malicious websites or IP addresses that are listed in a threat intelligence database. They also block malicious processes when an attacker tries to execute them on a user's device.
- The organization should have the means and resources to collect data for identifying social engineering attacks and security incidents, and to alert staff to take the necessary action. There are platforms that offer organizations services to protect them against cyber threats and social engineering attacks.
- Ensure that the organization regularly carries out penetration testing using social engineering techniques. This helps identify security weaknesses and shows which types of users are most vulnerable to specific types of social engineering attacks. It also helps identify which employees require additional security awareness training sessions.
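The user-level advice above (be suspicious of links and of requests for credentials in e-mail) and the organizational recommendation to block links that match a threat intelligence feed and to alert staff describe the same screening logic from two sides. The following is an added illustration of that logic, not code from the original article or from any product it mentions: it parses a message, checks every link host against a constructed blocklist, flags links whose visible text names one site while the target is another, flags Reply-To addresses whose domain differs from the From domain, and returns a verdict of deliver, alert, or block. The blocklist entries, the `.invalid` hostnames, the TEST-NET IP address, and both sample messages are constructed for the example; a real gateway would use the public suffix list instead of the crude `registrable_domain` helper here.

```python
"""Added example: a minimal phishing-link screen of the kind mail gateways
and endpoint protection perform.  All indicators and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed threat-intelligence feed: placeholder hosts in the reserved
# .invalid TLD and an address from the TEST-NET-1 documentation range.
BLOCKED_HOSTS = {"secure-bank-update.invalid", "account-verify.invalid"}
BLOCKED_IPS = {"192.0.2.10"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Lower-case hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname; an approximation of the registrable
    domain that is sufficient for this example (not for production)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(body):
    """Return (severity, message) findings for the links in a message body."""
    findings = []
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host in BLOCKED_HOSTS:
            findings.append(("block", f"URL host on blocklist: {host}"))
        elif IPV4_RE.fullmatch(host):
            severity = "block" if host in BLOCKED_IPS else "alert"
            findings.append((severity, f"link to bare IP address: {host}"))
    # Visible link text that names one site while the href points elsewhere.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and registrable_domain(host_of(shown.group())) != registrable_domain(host_of(href)):
            findings.append(("alert", f"link text shows {host_of(shown.group())} but targets {host_of(href)}"))
    return findings


def check_headers(msg):
    """Flag a Reply-To whose domain does not match the From domain."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(from_addr.rpartition("@")[2]) != registrable_domain(reply_addr.rpartition("@")[2]):
        findings.append(("alert", f"Reply-To domain differs from From: {reply_addr}"))
    return findings


def screen_message(raw):
    """Screen one RFC 822 message (single-part) and return a verdict dict."""
    msg = message_from_string(raw)
    findings = check_headers(msg) + check_links(msg.get_payload())
    if any(severity == "block" for severity, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "alert"
    else:
        verdict = "deliver"
    return {"subject": msg.get("Subject", ""), "verdict": verdict,
            "findings": [message for _, message in findings]}


# Constructed sample messages (not real traffic).
PHISH = """From: "Example Bank" <alerts@bank.example.com>
Reply-To: support@account-verify.invalid
Subject: Urgent: confirm your account
Content-Type: text/html

<p>Your account will be suspended unless you confirm your details.</p>
<a href="http://secure-bank-update.invalid/login">https://bank.example.com/login</a>
"""

BENIGN = """From: IT Helpdesk <helpdesk@example.com>
Subject: Scheduled maintenance
Content-Type: text/plain

Systems will be patched on Saturday. Details: https://intranet.example.com/maintenance
"""

if __name__ == "__main__":
    for raw in (PHISH, BENIGN):
        print(screen_message(raw))
```

The three checks map onto the advice in the text: the blocklist hit is the threat-intelligence match that endpoint protection performs, the text/target mismatch is the "verify the link before clicking" rule applied mechanically, and the Reply-To mismatch is what a user would notice by checking the real sender before responding to a request for credentials. A verdict of alert is the point at which the organization's incident-collection process should notify staff.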
The integration of technology into daily life has made many tasks and official work very convenient, but on the other hand it has expanded the attack surface available to cyber criminals, hackers, and terrorist networks. Social engineering is becoming an important and effective tool for gaining access to valuable devices, networks, or organizations because it relies on human hacking techniques. Machines are built with security in mind and can be consistently updated to maintain an up-to-date defense; human minds, however, are constantly drifting, and a lack of knowledge and focus leads to social engineering risks. The most tech-savvy individuals might be able to identify or sniff out social engineering attacks, but not everyone has the awareness and responsiveness needed to neutralize them. Successful social engineering attacks can lead to severe financial damage and can also harm or destroy an organization's image. Hence, there is a need to educate employees in security awareness and to implement security protocols and policies in order to protect sensitive information, networks, and systems.