A Comprehensive Guide to Thwarting Cybercriminals
Social engineering may be among the most significant threats to individual, organizational, and technological security, but it differs dramatically from the technological dangers that security teams most often encounter.
Rather than engaging in digital warfare, social engineering takes place on a form of psychological battlefield.
Instead of aiming at websites, devices, or networks directly, these attacks zero in on people — particularly those without extensive security training. Social engineers exploit a vulnerable target: human nature. Clever attackers manipulate our inherent tendencies towards trust, cooperation and cordiality, exploiting these traits to achieve their objectives.
In this post, we’ll dive into the world of social engineering, exploring various common techniques and strategies malicious actors use to infiltrate secure environments and cause chaos. By understanding how they operate, you can better protect yourself and your organization from these schemes.
The Greatest Con in History
Social engineering is the modern incarnation of the classic confidence game: con artistry reimagined for the digital age.
Though it took place nearly a century ago, the following tale about Victor Lustig, one of history’s most notorious con artists, is highly instructive for understanding modern social engineering threats:
In May 1925 in Paris, France, a group of businessmen received an intriguing invitation: a secret meeting with a government official, “Deputy Director General” Lustig, at a lavish hotel.
There he advised the group that the French government, in the midst of a fiscal crisis and facing financial ruin, had decided to sell the Eiffel Tower for scrap. The high maintenance costs and extensive renovation necessary had sealed the Tower’s fate.
The stunned businessmen were encouraged to submit bids, and promised immense profits from the landmark’s metal tonnage. André Poisson, the highest bidder, agreed to a staggering 1 million francs, equivalent to nearly $8 million today.
Though something seemed off about the situation to Poisson, he couldn’t quite identify what felt wrong. Doubt began gnawing at his confidence as he questioned Lustig’s authenticity.
Sensing this uncertainty, Lustig masterfully played on Poisson’s sympathy. Lustig lamented his personal struggles — his low salary, how unappreciated he was, and his wife’s desire for a fur coat, among other troubles.
Hearing this, Poisson was immensely relieved; Lustig was no con, just a typical corrupt bureaucrat. Convinced that he was merely greasing the wheels of bureaucracy, Monsieur Poisson paid a hinted-at bribe of several thousand francs in addition to handing over a check for 70,000 francs, the first of four agreed-upon payments.
However, when no official communication followed about transferring ownership rights, Monsieur Poisson reached out to the city for clarification, only to discover Lustig’s true identity as a fraudster, leaving him heartbroken and substantially poorer after one of history’s most audacious cons.
Modern Social Engineering
Before we dive into definitions and examples of techniques, let’s remember that social engineering itself isn’t inherently evil. In fact, it forms the backbone of various benign practices like sales, marketing, and public relations.
The difference between benign social engineering and its malignant sibling is when deception or threats are used to extract valuable information, disrupt business, or pocket ill-gotten gains.
The story of Victor Lustig’s Eiffel Tower con serves as a vivid illustration of the core principles underlying modern social engineering: the exploitation of our inherent human failings such as greed, a readiness to trust, submission to authority, and our tendency to believe compelling stories. In the above story Monsieur Poisson also tragically ignored his intuition that he was about to fall prey to a scam.
A working definition: social engineering is the deliberate exploitation of blind spots and weaknesses in human psychology to manipulate people into taking actions that serve the attacker.
While it’s impossible to list every trait susceptible to exploitation, some common targets include: misplaced trust, respect for authority, self-serving motivations (greed, lust), a desire to be helpful (sympathy, empathy), ignorance or lack of awareness, and avoidance of confrontation, responsibility, or time investment.
Broadly speaking, social engineering attacks can be categorized into two types: remote and physical.
- Physical social engineering attacks involve the attacker attempting to gain physical access to restricted areas.
- Remote attacks take place over phone calls, emails, text messages, or the internet.
Sometimes even both approaches are combined for maximum impact.
Next we’ll take a look at some of the most common social engineering tactics and how they work. The techniques below are often combined in a single attack, and their boundaries overlap.
Phishing
Phishing is one of the most prevalent forms of social engineering, and is traditionally carried out via email. However, it doesn’t stop there: variations like smishing (SMS-based phishing), vishing (voice phishing), and social media phishing are also prevalent. Indeed, virtually any medium of communication is a potential vector for a phishing attack, and each has its own subtleties.
Let me give you an example: You receive an urgent email from your boss demanding immediate action on a critical project. The message includes a link or attachment that, unbeknownst to you, contains malware. Your sense of responsibility pushes you into clicking without thinking twice — and now your device may be compromised!
Phishing exploits misplaced trust, deference to authority, manufactured urgency, and simple lack of awareness.
Spear Phishing and Whaling
Spear phishing takes traditional phishing a step further by targeting specific individuals or groups. These attacks are meticulously crafted, leveraging publicly available information about their victims to increase credibility and the likelihood of success.
Whaling is an even more focused variant, honing in on high-profile targets like CEOs or other executives within organizations. The aim? To gain access to valuable data or financial resources by exploiting the trust placed in these individuals.
A prime example occurred when a series of well-crafted spear phishing emails, carrying forged invoices and contracts in the name of a hardware supplier both companies actually used, tricked Facebook and Google employees into wiring over $120 million to fraudulent accounts, thinking they were paying valid invoices. Lesson learned: always verify large transactions, and any change to a payee’s bank details, via an independent channel before executing them!
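The phishing, spear phishing and whaling sections above describe lures that a reader can often spot from the message headers alone: a sender domain that merely resembles the real one, a familiar display name sitting on a foreign address, a Reply-To that quietly diverts the conversation, and pressure to act immediately. The script below is an added example (not code from the original article) that scores a raw email on exactly those signals. The trusted domains, the known senders, the confusable-character table and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage for a raw email message.

Added example, not code from the original article. It scores a message on
the signals described in the text: a From: domain that merely resembles a
trusted one, a display name that belongs to a known sender but sits on a
foreign address, a Reply-To that diverts replies elsewhere, and urgency
language. The trusted domains, known senders and samples are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "corp.example.com"}           # constructed
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}            # constructed
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away",
                 "wire", "before end of day")
# Character swaps attackers use to forge look-alike domains (a small subset).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Fold a domain into a comparable ASCII form: decode punycode, strip
    accents and Unicode compatibility forms, then undo look-alike swaps."""
    d = domain.strip().lower()
    if "xn--" in d:                        # internationalized (punycode) label
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; one or two means probable typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if `domain`
    is itself trusted or simply unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    nd = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalize_domain(trusted)
        # exact match after folding, a one-or-two character typo, or the
        # trusted name used as a leading label ("example.com.evil.net")
        if nd == nt or edit_distance(nd, nt) <= 2 or nd.startswith(nt + "."):
            return trusted
    return None


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates trusted {imitated}")

    real_address = KNOWN_SENDERS.get(display_name.strip())
    if real_address and address.lower() != real_address:
        findings.append(f"display name '{display_name}' belongs to "
                        f"{real_address}, not {address}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To {reply_to} diverts replies away from {address}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append(f"urgency language: {', '.join(hits)}")
    return findings


# Constructed samples: a CEO-fraud style lure and a benign message.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@invoice-secure-mail.net
Subject: URGENT: wire transfer needed immediately
Content-Type: text/plain

Please process the attached invoice right away, before end of day.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Lunch?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(sample))
```

The constructed lure trips all four checks (look-alike domain, borrowed display name, diverted Reply-To, urgency words) while the benign note trips none. These are heuristics, not proof: a compromised but genuine mailbox passes every test, which is why the verification step the text recommends still matters.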
Scareware
Scareware is a cunning form of social engineering that exploits users’ fears. It tricks users into believing their devices are infected or compromised, then offers a bogus solution, often malicious software disguised as a genuine antivirus program.
The scam preys upon the victim’s technological anxiety and lack of expertise: think fake pop-ups mimicking trusted security software, or alarming messages warning of imminent data loss if you don’t act immediately.
These deceptive warnings often include countdown timers, creating a sense of urgency. By instilling panic in the victim, attackers can manipulate them into taking rash actions without properly verifying the legitimacy of the threat or solution being offered.
Watering Hole Attacks
In a watering hole attack, cybercriminals identify popular websites frequented by their target audience. By compromising a legitimate and trusted site, they can exploit vulnerabilities in visitors’ browsers or plugins to infect their devices with malware. This technique is particularly effective when targeting specific groups, such as employees of a certain company or members of an organization.
Examples of watering hole attacks:
- Malicious advertisements (malvertising): Cybercriminals place ads on legitimate websites whose embedded code redirects visitors to infected sites or triggers a malware download, so the site itself never has to be compromised directly.
- Compromised websites: Attackers exploit vulnerabilities in a website’s software or infrastructure to gain access and install backdoors, allowing them to control the site and inject malicious content without detection.
A related technique, though a technical attack rather than social engineering in its own right, is DNS cache poisoning, a form of DNS spoofing. The attacker tricks a DNS resolver into caching a forged answer that maps a legitimate domain to an attacker-controlled IP address, so users who type the correct name are silently delivered to a malicious site where their data can be intercepted.
Watering hole attacks rely on visitors’ assumption that familiar, popular websites are safe; the social engineering lies in choosing a site the targets already trust, so that their own habits deliver them to the malware.
Tailgating and Piggybacking
Physical breaches, such as tailgating and piggybacking, involve manipulating individuals to gain unauthorized access to facilities or networks. These types of physical breaches are similar in nature, but with an important difference.
Tailgating occurs when attackers follow an authorized person into a secure area without being challenged — for instance, walking up to a secure door before it has closed, thus gaining entry without “badging in.”
On the other hand, piggybacking involves riding on the coattails of someone with access privileges. The distinction is that in this case the person with access permissions knows they are letting someone else in. The social engineer may defuse suspicion by dressing as a utility worker or delivery driver, for instance, or by having their hands full so that holding the door seems like simple courtesy.
These attacks exploit confrontation avoidance by taking advantage of people’s unwillingness to question or challenge the identity of others and the purpose of their visit.
Pretexting
Pretexting is a social engineering technique where attackers create a false scenario or story to gain their victims’ trust and extract personal data. The scammers often impersonate reputable organizations, such as banks or technical support teams, in an attempt to convince unsuspecting individuals to share sensitive information willingly.
Examples of pretexting scenarios:
- Pretending to be from a bank’s fraud department and, under the guise of a security check, asking the customer to confirm their password or read back a one-time passcode.
- Posing as IT support staff, claiming there is an issue with the target’s device or email account that requires them to provide login credentials for “diagnostic purposes.”
People tend to believe that they are dealing with legitimate entities, especially if the attacker provides convincing details or uses official-looking materials (e.g., logos). Impersonating an authoritative figure often leads people to blindly follow instructions without questioning their validity.
Moreover, those in support roles are encouraged to assist others in need, and this can result in inappropriate sharing of sensitive information or otherwise taking actions that could inadvertently compromise security.
Quid Pro Quo
In the context of social engineering, a quid pro quo attack involves offering something valuable or useful in exchange for sensitive information or access.
The attacker poses as a trusted person or organization, convincing the victim that they are providing assistance by giving away personal details or granting permission. For example, an attacker might call an engineering team lead pretending to be from IT support, and ask if anybody is having difficulties accessing systems.
The team lead confirms that access to some systems is down, but what she doesn’t know is that the attacker (or a co-conspirator) has already compromised the network and is intentionally disrupting access.
The social engineer then requests sensitive information, such as login credentials or details of the authentication procedure, under the guise of resolving the issue (the quid pro quo).
The quid pro quo attack exploits the natural desire to be helpful and kind.
Honeytraps
Honeytrap attacks exploit human emotions, typically through romance or sexual enticement. Attackers manipulate victims by pretending to be someone they’re not in order to gain access to personal information or convince them to download malware onto their devices.
Honeytraps are most often remote in nature, though high profile or high value targets may be manipulated face-to-face.
A common sextortion scam (see the section on Cyber Extortion below) involves extorting victims under the threat of releasing explicit images or videos of them. These files are obtained either by compromising the victim’s device, or because the victim sent the social engineer explicit content under false pretenses.
This attack preys on self-serving motivations driven by lust and attention-seeking behavior. It’s essential to maintain a healthy skepticism about people you meet in virtual spaces, especially if the interactions appear too good to be true.
Cyber Extortion
Cyber extortion is an insidious social engineering tactic where attackers threaten to release sensitive, embarrassing or damaging information, or threaten direct harm, if their demands are not met.
The most common form of cyber extortion is the ransomware attack, where attackers encrypt victims’ files and demand payment in exchange for the decryption key. Alternatively, attackers may steal data such as source code and threaten to release it publicly (or sell it on dark web markets) if their demands are not met.
These attacks exploit confrontation avoidance and self-serving motivations by leveraging fear, guilt, or shame. Paying a ransom neither guarantees that data will be recovered or kept private nor ends the threat; it invites further demands. Any contact with the attackers should happen only as part of a controlled incident response, and incidents should be reported to the appropriate authorities.
Baiting and USB Drops
The USB drop (also sometimes called a road apple) is a form of “baiting” where the attacker presents an enticing item, usually a USB drive, DVD, or file, with the intention of luring users into interacting with it. The goal is to infect the user’s device with malware once they open the file or plug the device into their computer.
This attack exploits human curiosity and greed as people are often tempted by seemingly useful or entertaining files and hardware. For example, an attacker might leave a USB drive labeled “Employee Salaries” in a public place, hoping that someone will pick it up and insert it into their device, only to find their system infected with malware.
A variation of baiting happens when a user comes into direct contact with a social engineer, who misrepresents themselves and offers a convincing reason to attach the USB drive to the target’s computer.
This threat exploits natural curiosity, ignorance of the dangers of unknown USB devices, and the immediate trust offered to friendly strangers.
Other Social Engineering Attacks
The above sections represent the most common types of social engineering threats. Below are a few more, in brief:
Online Influence Campaigns: Attackers use coordinated fake accounts and content to spread misinformation or manipulate public opinion for political or economic gain. A related social-media lure is the fake job offer, which entices candidates into revealing sensitive information or downloading malware.
Search Engine Optimization / Search Poisoning: Attackers game search engine ranking (keyword-stuffed pages, link farms, compromised high-reputation sites) so that malicious or phishing pages appear near the top of results for popular or trending queries, where users trust them as much as any other result.
Wireless Network Spoofing: Attackers set up rogue Wi-Fi access points (“evil twins”) with names matching or resembling legitimate networks, so that users connect to the attacker’s network and their traffic can be intercepted, potentially exposing personal information.
Quizzes & Surveys: Deceptive quizzes and surveys which pique the curiosity of the victim, then collect sensitive information through misleading questions.
How to Thwart Social Engineering Attacks
Social engineers exploit our inherent tendencies towards cooperation, politeness, friendliness, and empathy, and our susceptibility to charm and authority. But of course we cannot and should not abandon these positive traits; instead we must focus on staying vigilant in our interactions.
More directly, the fact that malicious social engineering works at all suggests a fundamental human weakness: we’re generally not good at detecting deception. That is why learning the patterns and commonalities of common social engineering threats is so valuable.
“Sunlight is said to be the best of disinfectants,” wrote Supreme Court justice Louis Brandeis. Even basic awareness of various social engineering techniques can help thwart an attempt before it takes root. For both individuals and organizations alike, staying updated with the latest trends in social engineering tactics and security practices is essential.
Practical recommendations to guard against social engineering:
- Educate users about social engineering. Interactive training programs and gamified approaches that engage people while reinforcing valuable security habits are most effective.
- Train employees to approach urgent or threatening requests critically, particularly those involving sensitive information.
- Stay alert for suspicious pop-ups or messages demanding immediate action; exercise critical thinking before responding.
- Be cautious of unsolicited emails or messages, particularly those with “too good to be true” promises. Always verify the sender’s identity before engaging.
- Practice caution when sharing sensitive information via email, social media, phone calls, or text messages.
- Consistently educate yourself on social engineering tactics and learn how to recognize them.
- Standardized processes for granting access (for example, routing every request for privileged credentials through a Privileged Access Management solution) give staff a legitimate, non-confrontational way to refuse sudden, unexpected requests for permissions or privileges.
Security best practices that reduce the likelihood of a successful attack:
- Keep software up to date for optimum protection against attacks.
- Use reliable antivirus and anti-malware solutions for timely detection and removal of potential threats.
- Implement multi-factor authentication wherever possible, preferring phishing-resistant methods (such as FIDO2 security keys) over SMS or one-time codes, which a real-time phishing proxy can relay.
- Routinely update and test your incident response plan.
If there is one key takeaway, it is that properly verifying who is making a request, and whether the request itself is legitimate, through a channel the attacker does not control would thwart most social engineering attacks.
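The takeaway above, like the advice in the whaling example to verify large transactions through an independent channel, and the IT-support lures in the Pretexting and Quid Pro Quo sections, comes down to one control: before acting on a sensitive request, confirm it with the real person over a channel the caller did not choose. The class below is an added example (not code from the original article) of that control for a help desk or finance team. A short one-time code is bound to the requester, the exact request and a time window, delivered to the contact details already on file (simulated here), and the request proceeds only if the caller reads the code back. The secret, user IDs and requests are constructed.

```python
"""Out-of-band verification of a sensitive request.

Added example, not code from the original article. A one-time code is bound
to the requester, the exact request and a time window; it is sent over a
channel the directory already associates with that person (simulated), and
the request proceeds only if the caller reads it back. Constructed values.
"""
import hashlib
import hmac
import json
import secrets
import time


class OutOfBandVerifier:
    def __init__(self, secret, ttl_seconds=300, max_attempts=3):
        self._secret = secret          # constructed; keep in a vault in real use
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending = {}             # user_id -> challenge state

    @staticmethod
    def _fingerprint(user_id, request):
        # Canonical form of *what* is being approved, so a code issued for a
        # password reset cannot be replayed to approve a payee change.
        return json.dumps({"user": user_id, "request": request}, sort_keys=True)

    def _digest(self, code, fingerprint):
        msg = f"{fingerprint}\n{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id, request, now=None):
        """Create a challenge and return the code to deliver out of band.

        Send it to the contact method on file in the directory (SMS, push to
        the enrolled authenticator), never to a number or address the caller
        supplies during the call. Only the keyed digest is stored.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user_id] = {
            "digest": self._digest(code, self._fingerprint(user_id, request)),
            "expires": now + self._ttl,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, request, code, now=None):
        """True only for the right code, the same request, inside the window,
        and on its first successful use; wrong guesses are limited."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        actual = self._digest(code, self._fingerprint(user_id, request))
        ok = hmac.compare_digest(entry["digest"], actual)
        if ok or entry["attempts"] >= self._max_attempts:
            del self._pending[user_id]     # single use; lock out brute force
        return ok


if __name__ == "__main__":
    verifier = OutOfBandVerifier(secret=b"constructed-demo-secret")
    request = {"action": "reset_password", "account": "jdoe"}
    code = verifier.issue("jdoe", request)      # sent to jdoe's enrolled phone
    # The caller reads the code back and the help desk types it in.
    print("approved:", verifier.verify("jdoe", request, code))
    print("replay:", verifier.verify("jdoe", request, code))
```

The design choices map onto the attacks described earlier: binding the code to the request defeats a caller who obtains a code for something harmless and then asks for something else; expiry and single use defeat replay; the attempt limit defeats guessing; and, most importantly, the code never goes to contact details the caller offers on the phone, because those are exactly what a pretexter controls.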
As we enter the age of artificial intelligence and advanced machine learning systems, cybercriminals will only become more sophisticated in their methods. Training programs and security procedures must adapt to meet this challenge.
When it comes to defeating social engineering threats, knowledge is power. Staying vigilant and staying informed is key to protecting individuals and organizations alike against this ever-evolving threat landscape.