
Combating Social Engineering Attacks for Improved Cybersecurity

Are you aware of common social engineering strategies? Check out this post to learn more about combating social engineering attacks against cybersecurity.

by Giridhara Raam · Aug. 02, 18 · Analysis

Gone are the days when cyberattacks happened only because of software vulnerabilities. Hackers these days are becoming smarter, with new hacking techniques that leave victims absolutely clueless as to whether they've been hacked. Among the various techniques hackers use, social engineering attacks are some of the hardest to predict and defend against.

How Do Social Engineering Attacks Occur?

Social engineering attacks exploit victims' human nature to gain access to computers or networks. An attacker will approach a target in such a way that the target unwittingly provides sensitive information.

Depending on the type of techniques used to exploit a target, social engineering could be a multilayered process or just a simple interaction. Most techniques boil down to three stages:

  1. Breaking the ice
  2. Setting the trap
  3. The silent retreat

Breaking the Ice

Hackers first pick a target, study their background and behavior, and then identify what critical information they hold. After sufficient observation, the hacker will find a way to interact with the subject in person, over the phone, or via email. After breaking the ice and establishing contact, the hacker will begin building trust with the target. Doing so increases the chance that sensitive information — like phone numbers, email addresses, or shift times — is revealed during a conversation.

Setting the Trap

After establishing trust and gathering some basic information, the hacker can employ any number of social engineering techniques (see below) to obtain more sensitive information like passwords, enterprise server details, or database information.

The Silent Retreat

After successfully stealing the victim's information, hackers will cover up their tracks by cleaning up the device's access history, log files, network login history, etc.

Common Social Engineering Techniques

In its 2018 Internet Security Threat Report, Symantec argues that attackers are now favoring social engineering over zero-day vulnerabilities. The data is there to back up these claims — seventy-one percent of attack groups used spear phishing emails, a type of social engineering, to compromise systems in 2017. Now that social engineering has become so popular, it's time for organizations to learn as much about these attack vectors as possible. Below are brief descriptions of some of the most common social engineering techniques.

Phishing

With phishing, hackers send out a simple scam email or text message to lure a victim into clicking a link that redirects them to a fake page, or into replying with some sensitive information, such as their name, address, login information, or credit card number. For instance, by copying the appearance of a legitimate website, hackers are often able to trick the victim into typing their credentials into a fake login page. Hackers can then use this sensitive information however they please.

Pretexting

This hacking technique requires a hacker to impersonate someone else — like support personnel, a police officer, bank staff, or a tax official — while interacting with the victim. Since the victim assumes they're talking to someone they trust or someone with authority, they're more likely to take the hacker's words at face value and freely provide sensitive information.

Scareware

Scareware is one of the most common and straightforward social engineering techniques. While browsing the web, a victim will encounter a pop-up or ad that says something along the lines of "your computer is infected, please download this software to secure your system." This message scares an unwitting victim into downloading the software, which infects their system with malware. The hacker is then free to siphon off the victim's sensitive data.

Baiting

Who doesn't love free gadgets? Hackers know this, so they'll strategically place a phone or flash drive somewhere like in a restroom or on the ground next to a car. Assuming they've found something valuable, the victim will pick up the gadget and take it with them. That's when the software the hacker loaded onto the gadget springs into action and extracts sensitive information.

Other Techniques

Other social engineering attacks include spear phishing (a more targeted version of phishing) and tailgating. Both of these techniques take more time and skill to execute, but they have greater success rates than the above techniques.

Escaping Social Engineering Attacks

Social engineering attacks psychologically manipulate victims and take advantage of human errors to steal sensitive information. Unlike many attack vectors, social engineering attacks can't be fixed by deploying a patch. Only proper awareness from employees and IT security professionals can reduce the likelihood of a social engineering attack. Simple techniques like avoiding spam emails, not clicking on unknown links or attachments, staying away from anonymous USB drives, and double-checking the sender of an email by calling or texting them can all keep social engineering attacks at bay.

However, spreading awareness by educating end users takes a decent amount of time, time that IT staff can only afford to lose if they have basic IT security routines already in place. Enterprise IT security is a never-ending routine, but employing a suite of security solutions — including tools for unified endpoint management (UEM), security information and event management (SIEM), and advanced threat prevention (ATP) — can offer CIOs and CISOs more time to fully understand social engineering attacks, create awareness among their security team, and learn how to combat these social engineering attacks both proactively and reactively.
