What is Social Engineering?
To describe it briefly, social engineering is a criminal practice based on manipulating people to obtain confidential information, access to their devices or networks, or other types of benefits, such as money. Attackers tend to draw on psychological tactics and put their targets under stress, urgency, and even terror. Victims, under those circumstances, react in the heat of the moment and do precisely what the attacker tells them to do, which is not in their best interest.
You may know someone who has been a social engineering victim (or maybe it was yourself). In my case, it was a close friend (to protect his identity, let’s call him Charles). Charles moved to the United States in 2015 to pursue his master’s degree. While researching for a paper, he found a link to a PDF file that promised to expand on the information he needed to support the conclusions for his assignment. Even though it was on a website he had not seen before, he clicked on it without thinking twice.
As the file was downloading, a pop-up opened; its background was navy blue, it had FBI seals in each corner, and a big, centered title that screamed “Warning.” To make things worse, loud sirens blared from the speakers. The pop-up told him that the download was illegal, that the FBI was now after him, and that if he wanted to ask for a reconsideration, he needed to call them urgently. He had been in the US only around six months by then, and as terrified and stressed as he was, he did not know whether he was genuinely committing a crime, so he called. The voice on the other end of the phone was harsh and accusatory. The person asked lots of questions and told Charles that he had been fined and needed to pay US$200 within 24 hours to avoid jail time or deportation. This was a considerable sum for Charles, but he did not hesitate to pay; after all, he did not want to go to prison.
Days later, Charles shared this story with his classmates; they told him that it was a typical scam and that he was not the first on a long list of victims. The experience left an emotional scar on Charles, who still feels embarrassed and even humiliated when talking about it.
How is Social Engineering done?
Social engineering combines several techniques to achieve its goal: fraudulent emails or texts (phishing), fraudulent phone calls (vishing), false promises to appeal to the victim’s curiosity (baiting), and fictitious threats (scareware), among others. These attacks also tend to involve human interaction to some degree. The following attitudes are part of the attackers’ toolkit:
- Intimidation: There is an explicit threat present in the interaction. The attacker (impersonating someone else) asserts that negative consequences will follow if the victim does not follow instructions. In Charles’s story, the person who talked to him by phone, and the way he treated him during the conversation, is an example of this tactic.
- Urgency: The action needs to be done now; if not, the offer may expire, the product may sell out, or the opportunity may disappear. The attacker pushes the victim to make an immediate decision and act in the heat of the moment, like the 24-hour time limit to pay in Charles’s case.
- Authority: The attacker, disguised as a figure of power, gives orders and asks for confidential information, encouraging the victim to bypass steps in security processes.
- Familiarity: The attacker appeals to the victim’s empathy or liking for them to persuade the victim to do what the attacker wants.
Social engineering, also called “human hacking”, requires a great deal of intelligence gathering and preparation to succeed. Attackers carefully investigate their targets: where they work, what they do, their interests, social media profiles, routines, hobbies, and anything else that could help the attacker engage with them. The next step is preparing the plan: what story to tell, which techniques to use, when and how to approach the victim, the tone to use, and exactly what is needed from the target. The third step is execution: contacting the person using the selected method(s) and the prepared script. Finally, the last step is ending the interaction with the victim: removing traces of malware or any other tracks that could compromise the attacker in the future.
Social Engineering in the workplace
People are the weakest link in the cyber protection chain. It’s not anyone’s fault: we’re all human, and there’s such a thing as “human error”. Regardless of all the investments made in the latest security platforms and tools, cybercriminals will find their entry point into organizations’ networks by targeting employees with multiple techniques, including social engineering. I have heard about cases where attackers get information from an organization by searching public websites, such as the LinkedIn profiles, Facebook pages, or Twitter feeds of current employees. They can gather names, roles, recent events, and other leads that could be used to prepare a solid attack against that company.
Attackers could call pretending to be part of the HR department or the IT department, asking for confidential information to get what they need for their plan. Think about this scenario: you receive a call from an unknown number, and the voice on the other end claims to be the CEO of your company. You have never talked to him directly, but the voice sounds like the one you’ve heard in his public presentations (yes, attackers can also emulate voices). This “CEO” asks for all the information about the top sale you closed last month for an “upcoming meeting”. He is in a hurry and wants all the information now: the name of the account, the total of the transaction, the conditions, contact information, etc. What would you do?
Organizations must develop and maintain a robust security culture to minimize risks. Employees should be skeptical most of the time, know their workplace’s security policies and procedures, be able to identify when they are the target of a cyberattack (regardless of the method used), and learn how to react in that situation.
What do attackers get out of social engineering?
There is no simple answer to this question. If a social engineering attack hits you, odds are your organization is the main target, but sometimes attackers use the collected information to social engineer another organization. With social engineering, attackers can get in minutes the same outcome that could take days with other hacking techniques. If the plan is successful, attackers could obtain the credentials needed to penetrate the victim’s network, access to bank accounts, or physical access to facilities and installations, which means higher risks for the organization.
How can Lumen help?
Lumen offers Cybersecurity Awareness Training, a two-fold solution focused on educating employees about multiple cybersecurity risks. It includes an online phishing simulator (OnePhish) that enables authorized phishing simulations to evaluate and re-evaluate employee susceptibility to social engineering tactics, and an online training platform (WorkWise) focused on changing behaviors toward best practices. For more information on Lumen Cybersecurity Awareness Training, view the Data Sheet or visit the product website.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.