Hackers are known for how well they break technical defenses. But there is another class of attackers who work on people rather than on systems: social engineers. They are bold and direct, manipulate their targets, catch them off guard, and pressure them into disclosing confidential information.
In this article, we look at the most common types of social engineering attacks and the main phishing methods, recall some of the boldest successful attacks, and explain how to protect against them.
What is social engineering?
Social engineering is an attack in which a person is manipulated into handing over confidential information or performing an action that benefits the attacker. Attackers usually go after payment data, banking details or account passwords. In some cases, for example through phishing, the attacker gains access to the victim's computer, extracts whatever is valuable on it, and then uses the data for blackmail or sells it on the black market.
When done well, social engineering is very effective, because getting what you want from a person is easier once you have won their trust. It is also usually cheaper than defeating software or hardware protection, breaking into accounts, or physically stealing devices that hold valuable information.
So, to be as effective as possible, attackers prepare carefully and study the intended victim, collecting as much supporting information as they can (role, colleagues, suppliers, current projects) for later use. Then they make contact, build rapport under a pretext, and extract the information they need.
Types of social engineering attacks
There are many techniques, and combinations of them, in use. Below we cover the most popular and notable ones; some of them show remarkable ingenuity.
Phishing
This is the classic of the genre and the most common type of attack; it captures the general idea of social engineering. Phishing has many variants, but they share several characteristics:
- they exploit the human factor rather than a technical flaw;
- they often deliver malware; and
- they target personal information, payment card data, logins and passwords.
Although mass phishing campaigns are templated, targeted attacks are tailored to the victim: scammers spend time planning the pretext and building an illusion that looks as realistic as possible.
Some phishing attacks are designed so that once the victim clicks the link, malware (ransomware, spyware and so on) is installed on their device. Sometimes attackers target one specific person in a company to obtain that employee's login credentials and then use them to launch a broader attack against the whole company.
As noted, there are several kinds of phishing; let us look at some of them.
Spear phishing
This is the case where scammers target a specific person or company. They study the target's work environment in detail and collect information, preparing at length to craft the most believable message, one the victim is likely to take the bait on. The person under attack should have no reason to suspect that the e-mail came from an untrustworthy sender. Such an attack is very hard to stop with technical means alone, although controls such as phishing-resistant multi-factor authentication and sender authentication (SPF, DKIM, DMARC) limit what a successful click can achieve. Since the real target is usually the company's infrastructure rather than the employee, the risks are high and call for specific countermeasures.
Whaling (whale phishing)
A very similar method, with the difference that the victim is a high-ranking figure in the company, at the level of top managers or directors, hence the name. A "big whale" yields far more valuable information than an ordinary employee, so the payoff and the stakes are much higher. Since whaling is an advanced form of spear phishing, the scammers must be well versed in legal or financial matters to prepare a convincing lure and engage the victim in the right way.
Vishing, voice phishing
A very common form of fraud in which criminals use the phone to extract personal or financial information. They may pose as employees of a bank or an insurance company, advertise goods and services, or offer some form of financial assistance, and in this way obtain personal data.
Elderly people and people with health problems are frequent victims. This is a particularly cynical type of phishing: the scammers put direct pressure on the victim and exploit an unstable physical or mental state. They may also claim that something has happened to a loved one and that money must be transferred urgently.
Attackers sometimes combine vishing with whaling. Posing as major shareholders or directors, they pressure other top managers or accountants, under a convincing pretext, into transferring large sums of money to an account that, of course, belongs to the fraudster. This is the pattern behind business e-mail compromise (BEC) fraud, and the standard defence is an out-of-band callback to a known number before any payment instruction is acted on.
E-mail phishing
Also very common: attackers send e-mails disguised as genuine, imitating well-known companies or trusted sources. The message may resemble one from a bank or a charity, or look like an online store's advertisement for a "unique, very profitable offer". The difference lies in the details: the sender's display name, the actual e-mail address, and where the links really lead. The goal is simple: get the victim to follow the link and enter personal data, disclose financial information, and so on.
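As an added illustration (not code from the original article), here is a small Python checker that applies the "look at the details" advice above to a raw e-mail: it compares the display name with the real sender domain, flags look-alike and punycode domains, notices a diverted Reply-To, urgency wording in the subject, and links whose visible text contradicts their real target. The trusted-domain list and both sample messages are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains this organization treats as legitimate senders.
TRUSTED_DOMAINS = {"examplebank.com"}
# Digits commonly substituted for look-alike letters; map them back before comparing.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: the display name says "ExampleBank", nothing else does.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank-secure.net>
Reply-To: support@mail-verify.xyz
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="http://examp1ebank-secure.net/login">https://www.examplebank.com/login</a></p>
<p><a href="http://xn--examplbank-9ib.com/">Secure portal</a></p>
</body></html>
"""

# Constructed benign sample from the genuine domain, for contrast.
BENIGN_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p><a href="https://www.examplebank.com/statements">View statement</a></p>
"""

def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def brand_of(domain: str) -> str:
    """'examplebank.com' -> 'examplebank': the part a lookalike imitates."""
    return domain.split(".")[0]

def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True if domain imitates a trusted domain without being it or a subdomain of it."""
    if not domain or domain in trusted:
        return False
    if any(domain.endswith("." + t) for t in trusted):
        return False
    if any(label.startswith("xn--") for label in domain.split(".")):
        return True  # punycode label: IDN homograph candidate
    normalized = domain.translate(CONFUSABLES)
    return any(brand_of(t) in normalized for t in trusted)

def link_findings(html: str, trusted: set[str]) -> list[str]:
    """Flag links whose real target is a lookalike or contradicts the visible text."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if is_lookalike(host, trusted):
            findings.append(f"link points to lookalike domain {host}")
        shown = re.match(r"https?://([^/\s]+)", visible, re.I)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings

def analyze(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> dict:
    """Collect phishing indicators from a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_domain = domain_of(from_hdr)
    display = parseaddr(from_hdr)[0].lower().replace(" ", "")
    # 1. Display name invokes a trusted brand while the address belongs to someone else.
    if from_domain not in trusted and any(brand_of(t) in display for t in trusted):
        findings.append(f"display name claims a trusted brand, sender is {from_domain}")
    # 2. Sender domain built to resemble a trusted one.
    if is_lookalike(from_domain, trusted):
        findings.append(f"sender domain {from_domain} imitates a trusted domain")
    # 3. Replies silently diverted to a different domain.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from {from_domain}")
    # 4. Time pressure, the social engineer's favourite lever.
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENCY_WORDS):
        findings.append("urgency language in subject")
    # 5. Where the links really lead.
    body = msg.get_body(preferencelist=("html", "plain"))
    findings.extend(link_findings(body.get_content() if body else "", trusted))
    return {"from_domain": from_domain, "findings": findings, "suspicious": len(findings) >= 2}

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL)["findings"])
```

A checker like this is a triage aid for analysts or a mail-gateway rule, not a complete filter: a real deployment combines it with SPF/DKIM/DMARC results and URL reputation, and the confusable map here is deliberately minimal.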
Besides phishing, there are other types of social engineering attacks.
Scareware
A rather primitive attack that makes the victim believe their computer is infected with malware. Once the victim believes this, they are offered a "solution", which usually means paying a fee or downloading an "antivirus" that is actually malware for stealing the user's personal information.
Baiting
An ingenious method that relies on human curiosity. Attackers leave infected devices, such as USB sticks, in places where people gather; someone finds one, plugs it into their computer, and the malware installs and runs. Bait is also scattered across the Internet: users are lured by an interesting advertisement or offered a download of software that is already infected.
Quid pro quo
Attackers using this method pretend to provide the victim with some valuable service. They first do reconnaissance to learn what information the victim has access to. The scammer then contacts the victim and manipulates them into installing malware, for example by posing as technical support or IT security staff.
Watering hole
Here the victims come to a "watering hole": a website that has been compromised in advance. Attackers inject malicious code into popular sites that the target audience trusts, including government and non-profit sites. The injected code then redirects visitors to other sites that deliver malware or unwanted ads, or serves the malware directly.
Romance scam
This is common on dating sites and social networks. Scammers get to know the victim by feigning interest and sympathy, then act out a warm correspondence, imitate feelings, and try to start a relationship and build an emotional attachment. What follows varies with how far the victim has been captivated: from obtaining personal information to hijacking accounts and extracting large sums of money.
Tailgating
A less common method that builds on the previous one. The scammer befriends a person who has privileged access to restricted areas of the company's premises. Later the "friend" accompanies the victim into the office and goes about their business right under the nose of the company's security staff.
As you can see, social engineering takes a great many forms.
Examples of famous real social engineering attacks
Scammers usually combine surprise, audacity and a good disguise to achieve their goals. One example is what happened to a British energy company in 2019. A caller imitating the voice of the chief executive of its German parent company convinced the CEO to transfer 220,000 euros to the account of a Hungarian supplier. The caller said the request was very urgent and demanded payment within the hour. The bank account, of course, belonged to the scammers. The case is also notable as the first widely reported one in which criminals used AI-generated audio to imitate a voice.
Another example shows how much damage "classic" phishing can do. In 2013, attackers obtained the payment card data of about 40 million Target customers, and the personal information of up to 70 million, starting from a phishing e-mail. The e-mail was sent not to Target itself but to a small HVAC contractor that had remote access to Target's network; with the stolen vendor credentials the attackers got in, installed malware on the point-of-sale systems, and extracted customers' payment details. Target later paid $18.5 million in a settlement with US states over the breach, on top of far larger total costs.
There is also the 2016 case involving the US federal government. A hacker called the Justice Department help desk posing as a new employee and asked for an access code to the department's internal web portal, which he was given. As a result, the personal data of about 20,000 FBI employees and 9,000 Department of Homeland Security employees was leaked.
There are hundreds, even thousands, of such stories, and some would make a Hollywood script. Seriously, though, these cases show that when handling information there is no such thing as too much vigilance.
So how do you protect against these attacks?
The best defence is to train employees properly to recognize and resist social engineering. Training should be systematic and detailed, covering the methods and psychological techniques attackers use, and employees should know how and to whom to report a suspicious message or call.
In addition, several measures strengthen protection:
- strong, unique passwords, rotated when compromise is suspected rather than on a fixed schedule (forced periodic changes tend to produce weaker, predictable passwords);
- a firewall;
- two-factor authentication, preferably a phishing-resistant method such as FIDO2/WebAuthn security keys, since one-time codes can be relayed by a real-time phishing site;
- antivirus and anti-spyware software, and dedicated e-mail protection (spam filtering, link rewriting, sender authentication with SPF, DKIM and DMARC);
- a working culture in which employees feel safe reporting mistakes and suspicious contacts without blame;
- penetration testing.
In this context, a penetration test can itself be part of employee training. Let us look at it in more detail.
Social engineering penetration testing
A social engineering penetration test is a subtype of pentest that can be performed on its own or as part of a full penetration test. Pentesters imitate a social engineering attack: they send phishing e-mails, call employees, and use other tricks to see how employees react and whether they can cope with social engineering methods. Such a test assesses the employees' level of training, the possible extent of data leakage, and the overall damage the organization could suffer from a successful attack. It should be run with written authorization and agreed rules of engagement, and its results should feed training rather than punishment of individuals.
Annual losses from social engineering attacks run to hundreds of millions of dollars at the very least. Treat any request for information with care: check e-mail addresses and links, and do not download suspicious files. If you manage or own a company, commission a penetration test and, based on its results, organize cybersecurity awareness training for employees.