Social Engineering Definition
Social engineering is the act of manipulating people to take a desired action, like giving up confidential information. Social engineering attacks work because humans can be compelled to act by powerful motivations, such as money, love, and fear. Adversaries play on these characteristics by offering false opportunities to fulfill those desires. The least sophisticated social engineering attacks are a numbers game: offer enough people the chance to acquire a few million dollars and a few will always respond. However, these attacks can often be quite sophisticated, and even a highly suspicious person can be fooled.
Social engineering attacks are of great concern to cybersecurity professionals because, no matter how strong the security stack is and how well-honed the policies are, a user can still be fooled into giving up their credentials to a malicious actor. Once inside, the malicious actor can use those stolen credentials to masquerade as the legitimate user, thereby gaining the ability to move laterally, learn which defenses are in place, install backdoors, conduct identity theft and — of course — steal data.
2022 CrowdStrike Global Threat Report
Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.
Download NowHow Does a Social Engineering Attack Work?
A social engineering attack may be conducted by email, social media, phone, or in person. However, no matter the channel through which the attack is conducted, the methods are consistent. The attacker will pose as an individual with a legitimate need for information such as an IT worker who needs a person to “verify their login credentials,” or a new employee who urgently needs an access token but doesn’t know the proper procedure to acquire one.
Steps of a Social Engineering Attack
Social engineering attacks typically follow these simple steps:
- Research: The attacker identifies victims and chooses a method of attack
- Engage: The attacker makes contact and begins the process of establishing trust
- Attack: The attack commences and the attacker collects the payload
- The Getaway: The attacker covers their tracks and concludes the attack
Traits of a Social Engineering Attack
Pay attention to these warning signs if you think you are a recipient of a social engineering attack:
- Sense of urgency: Attackers try to panic the receiver with urgent, seemingly time-sensitive calls to action. The aim is to make recipients feel as if they’re missing out on an urgent offer or reward, or nervous about the threat of punishment.
- Asking for sensitive information via email: Legitimate businesses will never ask for credit card information, social security numbers or passwords by email. If they do, it’s likely to be a scam.
- Spoofed email address: Make sure the email is sent from a verified domain by checking the ‘sent’ field. For example, a message from Microsoft will come from @microsoft.com. It won’t come from @micrasoft.co.
What are Some Common Types of Social Engineering Attacks?
Some of the most common social engineering techniques include:
Phishing
A Phishing attack is the most well-known social engineering tactic. A phishing attack uses an email, website, web ad, web chat, SMS or video to inspire its victims to act. Phishing attacks may appear to be from a bank, delivery service or government agency, or they may be more specific and appear to be from a department within the victim’s company, such as HR, IT or finance.
Phishing attack emails include a call to action. They may ask the victim to click a URL to a spoofed website or malicious link that contains malware.
Awareness of phishing attacks is high, with even unsophisticated users knowing they exist. Yet they continue to work because people are distracted and busy or because they can be crafted so well that no one would be likely to question their authenticity.
Spear Phishing: A Spear phishing attack is a variation of phishing scam in which the attacker targets a demographic, such as employees of a certain company or finance directors in a certain industry.
Whaling: Similar to spear-phishing, a whaling attack is a targeted phishing tactic. However, the difference is that a whaling attack targets executives or senior employees.
Baiting
Baiting attacks may lure the target with a desirable offer, such as free music, games or ringtones, hoping that the password the target uses to log in and get the free digital goods is one they’ve reused from more important sites. Even if the password is a one-off, the attacker can sell it on the dark web as part of a package with thousands of others.
In the corporate environment, a baiting attack is more likely to consist of a flash drive left in an obvious location, such as a breakroom or lobby. When the person who finds the drive plugs it into the corporate network to see who it belongs to, the drive downloads malware into the environment.
Quid Pro Quo
A quid pro quo attack is a social engineering scam similar to a baiting attack, but instead of taking a scattershot approach, it targets an individual with an offer to pay for a service. For example, the threat actor may pretend to be an academic researcher who will pay for access to the corporate environment.
Pretexting
Pretexting is a form of social engineering in which the attacker will present a false scenario, or “pretext”, to gain the victim’s trust and may pretend to be an experienced investor, HR representative, or other seemingly legitimate source. Pretexting plays on a victim’s emotions by utilizing a sense of urgency, offering a deal that is too good to be true or trying to gain sympathy to scam a victim.
Tailgating
Tailgating attacks are unique because they are solely conducted in person. Also known as a piggyback attack, a tailgating attack occurs when the attacker infiltrates a facility by asking an employee to hold the door open for them. Once inside the facilities, the attacker will attempt to steal or destroy any data and information.
Social Engineering Examples
Covid-19 Email Scams
When COVID-19 spread around the planet, people were filled with emotions like fear, uncertainty and hope — which are the top ingredients for an effective social engineering campaign. Cyber criminals took full advantage of these emotions when disseminating malicious email spam attacks (malspam) across the globe.
Read about the individual email spam attacks here: Malspam in the Time of COVID-19 >
Threat Actor poses as CrowdStrike in Phishing Scam
CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike itself. The phishing email implied that the recipient’s company had been breached and insisted the victim call the included phone number. The hackers were ultimately after the victims’ sensitive information.
Read about the phishing scam here: Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies >
Malvertising Scam posed as Flash update
Shlayer malvertising campaigns used fake Flash updates and social engineering tactics to trick victims into manually installing macOS malware and compromising their systems. Slayer is a type of malware that can quickly and discreetly infect a victim’s system.
Read about the malvertising scam here: Shlayer Malvertising Campaigns Using Flash Update Disguise >
Social Engineering Attack Prevention
The best way to prevent social engineering threats is to take both a human and technological approach to your defense strategy.
Best Practices to Prevent Social Engineering Attacks
Security awareness training is the best way to prevent being victimized. Make sure your company has a process in place to allow employees to engage IT security personnel if they have any reason to believe they might be the victims of a social engineering attack.
As a part of security awareness programs, organizations should continue to remind their employees of the following these common practices:
- DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over them first; trust but verify!
- Avoid opening attachments within emails from senders you do not recognize.
- Be wary of emails or phone calls requesting account information or requesting that you verify your account.
- Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
- Always independently verify any requested information originating from a legitimate source.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or improper domains within a link (for example, an address that should end in a .gov ends in .com instead).
- Before transferring money or information, verify by voice or video call.
- Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.
Software to Prevent Social Engineering Attacks
Beyond the human element, every organization should employ a cybersecurity solution that leverages the following capabilities:
- Sensor Coverage. You can’t stop what you don’t see. Organizations should deploy capabilities that provide their defenders with full visibility across their environment, to avoid blind spots that can become a safe haven for adversaries.
- Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected. Implementing high-fidelity IOCs across multiple security technologies increases much-needed situational awareness.
- Threat Intelligence. Consuming narrative threat intelligence reports is a sure-fire method for painting a vivid picture of threat actor behavior, the tools they leverage and the tradecraft they employ. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
- Threat Hunting. Understanding technology will only get organizations so far is more important now than ever before. Security technologies cannot guarantee 100% protection on their own, and understanding technology is not infallible is the first step in coming to grips with the need for 24/7, managed, human-based threat hunting.
Another best practice to prevent social engineering is to implement zero trust architecture, which grants limits a user’s access to all but specific systems to perform specific tasks, and only for a limited amount of time. When that time is up, access is rescinded. This approach limits the damage a malicious actor can do even if they are using stolen credentials to penetrate the system.