Social engineering is a severely damaging cyber security threat that takes advantage of the weakest aspect of your organisation’s security, its employees, to gain access to your network and data systems. All employees, including senior staff, are susceptible to social engineering because of the increasingly ingenious tactics used by attackers, who manipulate the psychology of unaware individuals to gain privileged access within your organisation.
What is Social Engineering?
Social engineering is the process by which hackers manipulate human psychology, rather than using technical hacking tools, to breach your organisation’s data and systems. Hackers psychologically manipulate employees into performing certain actions for them or divulging confidential information. For example, instead of exploiting a vulnerability in an organisation’s system to gain access to data, a hacker may pose as a technician trying to help, while in fact trying to trick the target into divulging confidential data, such as login credentials.
Hackers often resort to social engineering tactics like the one described above rather than actually hacking into systems to obtain such data. Criminals do this because it is easier to manipulate a human’s trusting nature than to successfully compromise an organisation’s software. According to the IBM Cyber Security Intelligence Index Report, 95% of data breaches or cyber-attacks are mainly caused by human error. IBM’s Cost of a Data Breach Report 2020 states that the average cost of a cyber security breach caused by human error stands at $3.33 million.
Below is a breakdown of social engineering attacks that your organisation needs to be aware of:
1. Phishing
Phishing is a social engineering tactic in which an attacker sends an employee a fraudulent message via email, instant message or text message, in the hope that the unaware employee will click a link that downloads malware onto their system, freezes the system as part of a ransomware attack or reveals sensitive information about the organisation.
Why it works:
Phishing works because the attacker masquerades as a trusted entity such as an authority figure, a technician, the employee’s bank or a co-worker. To pull off the deception, the attacker can use convincing email addresses, images or familiar text styles to spoof an organisation’s identity. The message also incorporates an element of urgency, threatening employees with negative consequences if they don’t comply within a certain time frame.
2. Baiting
As the name suggests, baiting is when a malicious actor uses a trap, or bait, disguised as something inconspicuous to trick an employee into infecting their own system with malware or divulging sensitive information about themselves or their organisation. One of the most common baiting methods uses physical media: a cybercriminal infects a USB or other storage device with malware and leaves it around the workspace; an unaware employee then plugs it into their computer, compromising the entire system and even the network the device is connected to. Baiting can also happen online, with cybercriminals using tempting advertisements as gateways to websites that host malware; advertisements offering ‘a free iPad’ or an offer too good to be true are often attempts to bait unsuspecting individuals.
Why it works:
Baiting works because many employees are untrained in what to look out for; security training and awareness can be overlooked by organisations or not taken seriously by employees. This leaves employees easy prey for cybercriminals, who take advantage of their temptation and curiosity through baiting attempts.
3. Watering Hole
The watering hole is a frequent hunting ground for predators in the wild because it is frequented by unaware prey that believe they are safe and need a drink. Predators simply wait for prey to come to them at their most vulnerable, rather than waste time chasing after them.
Similarly, this social engineering tactic involves attackers targeting websites that are visited repeatedly by a group of employees from a particular organisation. The attacker identifies a website commonly visited by employees, who through repeated visits have grown to trust it, infects the website with malware and waits for one of the employees’ systems to become infected. Once it is, the attacker can access that system.
Why it works:
Just as animals need to go to a watering hole for water, the websites attackers target are legitimate sites that employees must access to do their jobs. The legitimacy of the website makes it hard for employees to identify the traps attackers lay, much as animals at a watering hole are vulnerable because of their thirst and fail to notice predators lying in wait. Attackers also have a higher chance of success because they are targeting a group of employees rather than an individual, again like predators, who have a higher chance of a catch by targeting many animals in one location rather than chasing a single target.
4. Whaling
This is a social engineering tactic used by cybercriminals to ensnare senior or other important individuals in an organisation by posing as another senior figure, in the hope of gaining access to their computer systems or stealing money or sensitive data.
Also commonly referred to as CEO fraud, this tactic is very similar to phishing in that it also uses email and website spoofing to trick individuals. The key difference is that phishing tends to target non-specific individuals, while whaling targets key individuals, or ‘whales’, of the company, such as the CEO or Finance Manager, with the attacker masquerading as another influential or senior individual in the organisation.
Why it works:
Whaling adds a further element of social engineering compared to phishing: staff are more likely to carry out actions or divulge information without a second thought when the request appears to come from a ‘big fish’ or ‘whale’ in the organisation, such as the CEO or Finance Manager.
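The spoofed senders and pressure tactics described for phishing and whaling above can be screened for mechanically. The following is an added Python example, not code from the article or from StickmanCyber: it flags a message whose display name matches a known executive but whose address does not, whose sender domain is a near-miss of the organisation’s real domain, whose Reply-To differs from the From address, or whose text carries pressure phrases. The executive list, domain, phrase list and sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed defender-side data (assumptions, not from the article): protected executives and real domain.
PROTECTED_NAMES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"
# Pressure phrases of the kind the article describes (urgency, secrecy, money movement).
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|gift cards?|do not tell)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    return 0 < edit_distance(domain, legit) <= max_distance

def analyse_message(raw: str) -> list[str]:
    """Return the reasons a message resembles a spoofed executive request (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if (key := name.strip().lower()) in PROTECTED_NAMES and addr.lower() != PROTECTED_NAMES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    if domain and lookalike(domain, INTERNAL_DOMAIN):
        findings.append(f"sender domain {domain} resembles {INTERNAL_DOMAIN}")
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From address {addr}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(msg.get("Subject", "") + " " + body)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings

# Constructed sample (not a real message): look-alike domain, mismatched Reply-To, pressure wording.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.office@mail-example.net
Subject: Urgent wire transfer needed

I'm in a meeting and can't talk. Process the wire transfer immediately and do not tell anyone.
"""
```

Calling `analyse_message(SAMPLE_WHALING)` returns four findings; a genuine message from the real executive address with ordinary wording returns an empty list.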
5. Pretexting
Pretexting is a social engineering tactic in which an attacker creates a scenario, or pretext, to engage the targeted employee and psychologically manipulate them into sharing valuable information or performing actions that would be considered out of the ordinary in a normal situation. Pretexting relies heavily on the attacker creating a convincing and effective setting, story and identity to fool individuals and businesses into disclosing sensitive information. The information can then be used to exploit the victim in further cyber attacks. The more specific the information a pretexter knows about you before they engage you, the higher the chance of convincing you to give up valuable information.
Why it works:
There are two crucial elements behind every pretexting attack: the scenario and the character. The scenario is a sequence of believable situations and events, created and used by the social engineer to manipulate the employee and extract valuable information. It is usually backed up by factual information gathered through prior research to make the pretext convincing. The character is the role the attacker chooses to play in the chosen scenario, impersonating a real or fictitious person. Using these two elements, the attacker can convince their target to share valuable information or to perform actions on their behalf that are harmful to the targeted organisation.
6. Quid Pro Quo
A quid pro quo attack, as the name suggests, is also known as a “something-for-something” attack. It is a form of baiting, as attackers offer victims a service or benefit if they perform specific tasks or give out information or access. For instance, attackers commonly masquerade as a technician, calling employees’ numbers and claiming to be returning a call requesting IT support, in the hope that a desperate employee is in fact looking to solve a technical problem. Under the pretence of helping, the attacker then convinces the employee to type commands into their device that give the attacker access to their systems.
Why it works:
Quid pro quo attacks work because employees are more likely to divulge information or carry out actions when they are receiving help, even if that help is fake. The attack relies on reciprocity, one of Robert Cialdini’s six principles of influence: individuals are more likely to do a favour for you if they receive something in return.
How can StickmanCyber help?
Now that you understand the different types of social engineering and why they work, it is important to know how to detect them; we have put together an article on six key ways to avoid falling prey to a social engineering tactic.
StickmanCyber can also help sensitise your teams to the different types of social engineering techniques used by cybercriminals, and how to prevent them. Most employees are not aware of the possibility that hackers can trick them into disclosing privileged information. Don’t let your team fall prey to smooth-talking hackers. See how cybersecurity experts at StickmanCyber can help you today. Contact Us.