Social Engineering

How Do CyberCriminals Use Social Engineering To Target Organisations?

Social engineering remains one of the most common causes of a cyber security breach, so it is important to know exactly what you should be looking out for and how you can mitigate a social engineering attack.

In this article we will look at what social engineering is, the different types of attack, the psychological principles behind social engineering, and how you can mitigate the risk.

What is Social Engineering? 

Social engineering is the use of deception or persuasion to obtain information that can later be used to cause harm. It can be roughly divided into two categories: human-based and technology-based social engineering.

Social engineering aims to lull the victim into a false sense of security so that they disclose credible information that can be used against them later.

Several social engineering attacks have caused huge losses to industry. One example is the invoice fraud that took place in 2019: criminals pretended to be organisations such as Google or Facebook, set up bank accounts under fake company names, and sent out invoices directing payment to those accounts.

What are the Types of Social Engineering?

Phishing  

Phishing is a method of fraudulently acquiring sensitive data about a business or a particular person.

Phishing sends potential victims emails that appear legitimate but conceal an attack. In some cases victims encounter click bait, which some websites use to entice visitors into activities such as giving out personal and financial information. The most successful attacks also spread malware across the system, either because the victim has granted access or because the malware lies in wait until permission is granted; this is typically done through an attached file or a clicked link.

Despite phishing being the oldest tactic used by attackers, its success rate remains astonishingly high.

Smishing  

Smishing is a mobile phone attack that uses the Short Message Service (SMS). It starts with an SMS message pointing the victim to a website that can serve up numerous attack vectors, including malware.

This attack succeeds mostly through urgency and intimidation: the message often contains a warning alongside a URL that requests personal and financial information.

An example of a successful smishing campaign is the case of Uber. A phishing message was sent to an employee claiming to require two-factor authentication details, and this information was then used to compromise data.

Vishing 

Vishing, also known as voice over phishing, is a form of phone-based phishing in which the attacker uses a voice call. In this more advanced form of phishing the attacker makes a fraudulent call while posing as a representative of a particular institution, such as a bank, or of another entity with a plausible interest in sensitive information.

Vishing is typically used as an extension of email phishing to get a target to provide sensitive information.

Social Engineering Delivery Methods 

The delivery methods commonly used by cyber criminals are spam over email, spam over instant messaging, spear phishing, and whaling.

A reliable delivery method allows the attacker to conduct a precise attack with the intended purpose of compromising an organisation.

Any delivery method aims to breach the Confidentiality, Integrity, and Availability (CIA Triad) of a system. 

Data shows that 66 % of organisations faced at least one phishing attack in 2020, and further research has highlighted that 73 % of spam emails are phishing attacks.

Social Engineering Techniques 

The main purpose of conducting social engineering attacks is to gather sensitive information from a targeted victim. 

The information gathered provides vital data for the reconnaissance stage of a cyber-attack and plays a key part in breaching the confidentiality, integrity, and availability (CIA) of the data the organisation stores.

Techniques include dumpster diving, shoulder surfing, prepending, pharming, tailgating, eliciting information and watering hole attacks.

Dumpster Diving: Searching a targeted victim's or organisation's discarded material for sensitive information such as credentials (username and password), filenames, or other confidential data that can help compromise a critical system or user account. Policies and procedures detailing the correct disposal of sensitive information help to mitigate this.

Shoulder Surfing: The attacker directly looks over someone's shoulder to gather sensitive information. Shoulder surfing targets users who are accessing or entering sensitive information in a way that allows direct observation.

Typo squatting: Also known as URL hijacking, typo squatting is the most common way cyber criminals conduct social engineering attacks and manipulate users. The attack relies on typographic errors in a domain name that are hard to notice when quickly reading the URL of a website.

Pretexting or reverse social engineering: The attacker creates a believable narrative that leads the victim to disclose information.

Pharming: As in a phishing attack, the victim believes they are entering their personal credentials (username, password) into a legitimate website. However, the attacker has directed the victim to a spoofed website, and the username and password they enter are sent to the attacker.

Tailgating: Following a person with valid access into a restricted area, exploiting weak physical access controls. The attacker may ask the victim to hold the door, or simply reach for it and enter before it closes; similarly, they may impersonate a cleaner or maintenance worker to gain access to an organisation more discreetly.
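A defender-side check for the typo-squatting and pharming techniques above: flag URLs whose host is a near-miss of a trusted domain, or that hide a trusted domain inside an unrelated one. This is an added example, not code from the original article; the trusted-domain list and sample URLs are constructed, and the registrable-domain helper is a simplified stand-in for a full public suffix list.

```python
"""Flag look-alike (typo-squatted) hostnames in URLs against trusted domains."""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "examplebank.co.uk"}  # constructed allowlist


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for two-part suffixes such as
    co.uk. Assumption: no public suffix list is available offline."""
    labels = host.lower().rstrip(".").split(".")
    two_part = {"co", "com", "org", "ac", "gov"}
    n = 3 if len(labels) >= 3 and labels[-2] in two_part else 2
    return ".".join(labels[-n:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a subdomain of an unrelated registrable domain
    # (example.com.some-other-host.net) is a common pharming ruse.
    if any(host.startswith(t + ".") or ("." + t + ".") in host for t in TRUSTED_DOMAINS):
        return "lookalike"
    # A small edit distance to a trusted domain is a probable typo-squat.
    if any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.example.com/login", "https://exarnple.com/login",
              "http://example.com.login-portal.net/", "https://totally-different.org"]:
        print(classify_url(u), u)
```

Run against links extracted from a mail gateway's quarantine to surface messages worth a closer look; the threshold of two edits is a starting point to tune against your own false-positive rate.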

Psychological Principles of Social Engineering 

Social engineering exploits psychological components, manipulating human emotions to serve the attacker's financial objectives. Curiosity, excitement, fear, or greed are the emotions that drive people to open phishing emails and fall victim to them. A sense of urgency is the root cause of almost 70% of phishing attacks.

The Challenges of Social Engineering Attacks 

Businesses need technology to function, and wherever technology is involved, social engineering attacks are a risk. These attacks arrive with no advance notice, which makes them difficult to plan for and therefore difficult to mitigate in the day-to-day operations of a business.

The UK government estimates that 39% of firms experienced cyberattacks in 2022, of which 83% were phishing attempts. This statistic highlights the seriousness of social engineering.

How Can We Prevent Social Engineering Attacks?

Social engineering attacks cover a variety of methods, making them hard to predict, identify and mitigate. However, there are steps organisations can take to reduce the chance of a successful attack. These include:

Policy and procedures: Every organisation should have a set of policies and procedures for both internal and external use. These should outline clearly what your organisation does to safely handle data. Internal documents should outline procedures that staff should follow as well as the correct escalation process if they feel a breach has occurred. 

Training and awareness: Educated employees who can identify a potential social engineering campaign become your first line of defence. Training should cover not only how to recognise a breach but also the risks and precautions, improving the team's overall understanding of cyber threats. According to a recent survey, training and awareness initiatives have protected almost 80% of the population.

Vulnerability testing through email phishing: This builds on the earlier point about training and awareness. Running a simulated email phishing campaign puts a technical control in place to test the susceptibility of your staff as well as the infrastructure you rely on to stop spam emails entering the system.

Multifactor authentication (MFA): MFA requires an additional form of authentication before allowing access to a service. This is another technical control that organisations can put in place to provide an additional layer of security.

Cybercriminals are always finding alternative ways to conduct social engineering attacks. Today's organisations need a robust security posture with layered network security as well as layered physical security, because social engineering attacks can occur in both.

Social engineering is often described as the art of manipulation. To help prevent employees from becoming victims, organisations should consider training their staff on how cybercriminals manipulate their victims using psychological principles. Security technology and security policies alone are not sufficient to protect an organisation from social engineering attacks.

How Can CyberCrowd Help?

This article aims to highlight the growing impact that we see social engineering having on day-to-day operations of an organisation. 

CyberCrowd offers a bespoke training and awareness programme that can include phishing simulations to improve your staff's awareness of the risks and their ability to identify potential social engineering attempts.

Alongside our training programme we offer technical services such as penetration testing, putting your policies, procedures, and technical controls to the test. 

If you would like to hear more about how CyberCrowd can help or simply better understand the risks of social engineering, please contact us today.