When it comes to high-profile cybercrime incidents, it’s the major tech vulnerabilities and sophisticated state-sponsored threat vectors that make the headlines.
In reality, however, most cybercrime incidents exploit the human element — the weakest link in the cyberattack kill chain. These attacks use the mechanism of social engineering. Statistics on this practice are alarming:
In this post, we'll explore how threat actors and cybercriminals use a variety of social engineering tactics and understand how to defend against a social engineering attack.
Social engineering is a collective term that describes malicious activities that involve exploiting human errors/weakness to gain sensitive information. The attackers lure their victims into compromising themselves through direct interaction with them.
This process involves four stages, which are:
A social engineering attack doesn't require a complete attack on everyone in an organization before it can cause severe damage. This makes it very dangerous. An attacker only needs to manipulate a user with enough privilege in the organization to cause severe damage.
In order to complete social engineering attacks, an attacker doesn't need to bypass system security. A system with strong security can also be attacked. This is because social engineering attacks exploit legit users to get what they want, without tampering with systems.
A successful social engineering attack can lead to identity theft. This occurs when an attacker collects details from a legit user and uses them to act as them. The attacker might use the identity of these users to commit crimes or carry out transactions that the legit users wouldn't do originally. This can lead to damage of their reputation. Social engineering allows unauthorized persons to perform actions that they're not supposed to.
In many cases, unsuspecting victims can be lured into making fraudulent financial commitments and purchases through social engineering. In cases like this, a social engineering technique is used to collect the bank card details of unsuspecting victims. These details can then be stored by the attackers and used for future purposes.
In most cases, social engineering can cause data loss, credential theft, and also malware and ransomware attacks. Basically, an attacker gains control over resources that they were originally not supposed to have access to.
Social engineering typically involves manipulation of human psychology by fraudsters. Fraudsters manipulate unsuspecting victims' sense of fear, trust, and curiosity by employing social engineering techniques.
The following are common techniques scammers use in manipulating their victims with social engineering.
Phishing attacks are the most common social engineering attack technique. With this technique, the attacker makes use of personal communication tools such as email, SMS, and social media to entice an unsuspecting user to click on a malicious link, download a dangerous file, or reveal personal details like account login credentials.
Although phishing attacks involve sending malicious links to victims through personal communication platforms, it's also important to note that phishing attacks are not just targeted at individuals alone. An attacker can use unsuspecting individuals in an organization to complete a phishing attack. Phishing attacks are separated into "angler" phishing and "spear" phishing.
In spear phishing, the attacker disguises themselves as a trusted individual (for example, a co-worker or a friend) and then tries to steal sensitive information from specific individuals in an organization. These individuals might have certain privileges and access that can cause great damage if not properly handled. So, the attacker tries to convince unsuspecting victims to divulge sensitive information or perform actions that can lead to data loss or financial loss.
On the other hand, angler phishing does not target a particular person. An angler phishing attack is launched on several individuals in the organization. It is not as specific as spear phishing
Just as the name suggests, baiting is a type of social engineering attack where the scammer lures unsuspecting users with false promises. The aim of the scammer is to get victims to either reveal their personal details or to install malware onto their computers.
Baiting can happen physically when an attacker leaves malicious hardware, like a malware-infected flash drive, for victims to find. When an unsuspecting person sees this flash drive, they may not necessarily question the authenticity of the device, and they may go ahead and plug it into their computers. These device might be designed to:
The attacker can get this information by stealing the device from their victim through physical engagements.
Baiting can also happen online in the case where the attacker places an ad that promises the user something, in order to entice their interest. These ads have malicious links attached to them. So, when the user clicks on this link, they are redirected to download a malicious file onto their computer. In some cases, the attacker might ask their victims to provide personal data like bank credentials through these ads. Then after collecting this data, the attacker will use it to perform actions on behalf of their victims.
Pretexting is another social engineering attack that can be done physically and online. It involves impersonating a real person or position in order to deceive unsuspecting persons.
In a physical scenario, the attacker disguises themselves as a legit entity to gain the trust of their victims. Once a conversation is established, they start asking them to divulge sensitive personal information about themselves. The victims, unsuspecting, will give out this information. Depending on the kind of information received, the attacker can cause damage ranging from identity theft to financial loss.
Online, attackers can disguise themselves as a high-profile individual and use communication platforms to engage their victims in a conversation. Again, depending on the kind of information that was divulged, the attacker can cause much damage.
With a scareware technique, the attacker creates a malicious websites and lures their victims to visit it. Then in these websites, they add code that causes a pop-up window to appear. This pop-up window usually contains a false alert, informing unsuspecting victims of viruses on their systems.
This technique basically capitalizes on the sense of fear of unsuspecting individuals to create an engagement. The attacker asks their victims to purchase their security software. If a victim falls into this scam, the attacker will steal their banking details. In some cases, the attacker might offer their security software as a free tool. But when the victims download the suggested file, they end up downloading malware into their computers.
Scareware techniques are not only completed on malicious websites — they can also be distributed through emails.
Just like the phishing technique, a whaling technique interacts with victims through personal communication mediums. Attackers masquerade as trusted persons to engage their victims in a conversation.
The difference between the whaling technique and phishing is that the whaling technique is more personalized when compared to phishing. Instead of targeting all individuals in an organization, the whaling technique targets a specific individual. These individuals usually have high privileges in the organization. They are mostly high-level executives or people involved in making top decisions.
Also, whaling techniques have a higher success rate than phishing. This is because more sophisticated research is done on a particular individual (the target). These investigations are done by reviewing the social media and public activities of these individuals.
Social engineering poses a critical threat to every organization. Everyone in an organization should prioritize preventing and mitigating it. Below are some tips on preventing social engineering.
The first step in mitigating social engineering is creating awareness of it. Everyone in the organization needs to know about the different techniques used in carrying out social engineering. Every member of the organization needs to be trained and equipped with the knowledge of social engineering, as well as the most common techniques.
Employees, staff, and general members of the organization should be educated on common social engineering tactics and how to identify a social engineering threat. They should know how to prevent social engineering techniques from completing. For example, a successful phishing attack relies primarily on the victim's inability to identify spoof email address and hyperlinks. So, employees should be taught how to identify spoof email addresses and hyperlinks.
Aside from educating members of the organization, it's important to implement policies that will mark suspicious emails as spam. This way, malicious content won't make its way to employees' inboxes.
Additionally, it's important to implement tight policies on key procedures like funds transfer and major decisions that affects the operation of the organization. This will reduce the impact level and success rate of social engineering techniques.
Another good policy that should be implemented is regulating the amount of information members of the organization can share on social media. This will reduce the amount and type of information an attacker can gather.
A good security policy that should be implemented on key procedures is multifactor authentication. With multifactor authentication, the attacker will be asked to provide additional credentials apart from the login credentials of their victims. This will prevent an attack from completing since the attacker won't be able to provide it.
(Related reading: cyber hygiene & the CIS Critical Security Controls.)
It's also very important to regularly update the passwords of organization's members. This will prevent an attack from being too impactful, just in case their passwords get leaked and fall into the wrong hands. Also, making use of complex passwords while creating accounts will help keep passwords secure and hard to guess.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.