PID Perspectives

Cybersecurity awareness month: what is social engineering and why we fall for it

Cyber threats come in many forms. One of the most insidious is social engineering. Despite advances in technology and security measures, social engineering remains a prevalent tactic because it exploits human psychology rather than software flaws. Cybercriminals manipulate individuals into divulging confidential information or performing actions that compromise security. During this month dedicated to cybersecurity awareness, we want to take a deep dive into social engineering so you can recognize it and avoid it.

What is social engineering?

Social engineering is a form of manipulation that relies on psychological techniques to deceive individuals into divulging sensitive information, performing actions, or providing access to restricted resources. Unlike traditional hacking methods that exploit technical vulnerabilities, social engineering targets the human element, exploiting trust, curiosity, fear, or authority to achieve its objectives. 

There are several types of social engineering, some involving interacting with the victim (human-based social engineering), some using computers (computer-based social engineering), and some using mobile apps (mobile-based social engineering).

Social engineering techniques

Social engineering is always evolving, and dozens of techniques are used to extract information from unsuspecting victims. The most common are:

  • Impersonation
  • Vishing (phishing through telephone systems)
  • Eavesdropping
  • Shoulder surfing
  • Dumpster diving
  • Reverse social engineering
  • Baiting
  • Honey trapping
  • Elicitation
  • Pop-up windows
  • Spam
  • Hoax letters
  • Phishing
  • Scareware
  • Smishing (SMS phishing)
  • Fake security applications

We will dedicate some deep-dive articles to these to better understand how they work. In many cases, sophisticated attacks combine multiple techniques to increase their effectiveness.

Why do people fall for social engineering?

Social engineering is a pervasive threat that preys on the vulnerabilities of human psychology to achieve malicious objectives. People fall for these tactics because scammers are very skilled at leveraging:

Trust and Authority

Social engineers often impersonate trusted entities, such as colleagues, IT support personnel, or authority figures, to gain credibility and lower their targets’ defences. Because people tend not to question the legitimacy of someone they trust or who appears to hold authority, social engineers can convince individuals to comply with their requests.

Curiosity and Temptation

Social engineering tactics often leverage curiosity or the promise of rewards to entice individuals into taking action. Whether it’s clicking on a suspicious link, downloading a malicious attachment, or participating in a fake survey, the allure of discovering something new or gaining a benefit can cloud judgment and lead to unintended consequences.

Fear and Urgency

Social engineers frequently use fear tactics or create a sense of urgency to pressure individuals into acting hastily without considering the potential risks. Threats of account suspension, legal consequences, or financial loss can trigger panic responses, causing individuals to comply with demands without question.

Lack of Awareness and Training

Many people are unaware of the tactics used in social engineering attacks or lack the knowledge to recognize and respond appropriately to suspicious requests. Without proper education and training on cybersecurity awareness, individuals are more susceptible to falling victim to social engineering tactics.

Real cases of social engineering

BEC – Business Email Compromise

One of the boldest examples of social engineering targeted tech giants Google and Facebook. Between 2013 and 2015, their accounts receivable departments received invoices that appeared to come from a computer manufacturer that had genuinely provided them services. However, the emails requesting payment for these services contained malicious links that redirected the payments to fake accounts set up in the manufacturer’s name. The authors of the scam were Lithuanian nationals, and the leader was Evaldas Rimasauskas. Rimasauskas and his associates cheated Facebook and Google out of over $120 million during that period. He was arrested in 2017 and sentenced to 5 years in prison.

Email phishing

In January 2022, a sophisticated phishing campaign impersonated the US Department of Labor (DoL) to steal Office 365 credentials. The emails were believable because the attackers spoofed the department’s email domain (so the sender address appeared to belong to the Department of Labor), and the links in the emails redirected users to a fraudulent web page with a look-alike domain, branding and style. The content of the emails was also particularly enticing, inviting recipients to bid on a Government project. As part of the scam, the emails included a three-page PDF document with instructions for bidding. When users followed those instructions, they were asked to create an account on the fraudulent site by entering their Office 365 credentials to authenticate.
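The two mechanisms in this case, a spoofed sender domain and look-alike link domains, are exactly what a mail-filtering rule can check for before a message reaches an inbox. The following Python script is an added example written for this article, not code from the original post or from any vendor; the trusted domain (`example.gov`), the sample message and the suspicious hosts are all constructed placeholders, not the real DoL domain or the real phishing infrastructure. It normalizes common character substitutions (`rn` for `m`, `1` for `l`, `0` for `o`), flags hosts that embed or closely resemble the trusted brand label, and flags a mismatch between the visible `From:` domain and the bounce (`Return-Path`) domain. The registrable-domain helper keeps the last two labels for simplicity; production code should use the Public Suffix List, and the authoritative answer on sender spoofing comes from SPF, DKIM and DMARC results, which this heuristic only supplements.

```python
from urllib.parse import urlparse

# Constructed placeholder for the organisation being impersonated (not the real DoL domain).
TRUSTED_DOMAIN = "example.gov"

# Constructed sample message modelled on the pattern described above:
# visible sender claims the trusted domain, bounce address and links do not.
SAMPLE_EMAIL = {
    "from": "procurement@example.gov",
    "return_path": "bounce@mail-relay-xyz.net",
    "links": [
        "https://example-gov.com/bid/login",
        "https://www.example.gov/opportunities",
        "https://examp1e.gov.secure-bids.net/auth",
    ],
}


def normalize_label(label: str) -> str:
    """Fold common visual substitutions so look-alikes compare equal to the brand name."""
    label = label.lower()
    for src, dst in (("rn", "m"), ("vv", "w")):
        label = label.replace(src, dst)
    # 0->o, 1->l, 3->e, 5->s, 7->t
    return label.translate(str.maketrans("01357", "olest"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Real code should consult the Public Suffix List
    # so that e.g. "foo.co.uk" is handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host: str, trusted: str) -> bool:
    """True if host imitates `trusted` without actually being it or a subdomain of it."""
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return False  # the genuine domain or one of its real subdomains
    trusted_label = normalize_label(trusted.split(".")[0])
    host_norm = normalize_label(host)
    # 1. Brand label embedded anywhere: "example-gov.com", "example.gov.evil.net", "exarnple.gov".
    if trusted_label in host_norm:
        return True
    # 2. A near-miss of the registrable label: "exampel.gov" (transposition), "exmple.gov" (typo).
    candidate_label = normalize_label(registrable_domain(host).split(".")[0])
    max_dist = 2 if len(trusted_label) >= 6 else 1
    return edit_distance(candidate_label, trusted_label) <= max_dist


def analyze_email(msg: dict, trusted: str) -> list:
    """Return (finding, detail) pairs; an empty list means no heuristic fired."""
    findings = []
    from_domain = msg["from"].rsplit("@", 1)[-1].lower()
    rp_domain = msg["return_path"].rsplit("@", 1)[-1].lower()
    # Mismatch is a signal, not proof (mailing lists and relays cause legitimate mismatches);
    # SPF/DKIM/DMARC verdicts are the authoritative spoofing check.
    if registrable_domain(from_domain) != registrable_domain(rp_domain):
        findings.append(("sender-mismatch", f"{from_domain} vs {rp_domain}"))
    if is_lookalike(from_domain, trusted):
        findings.append(("lookalike-sender", from_domain))
    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        if is_lookalike(host, trusted):
            findings.append(("lookalike-link", host))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_email(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(f"{kind}: {detail}")
```

On the constructed sample the script reports the bounce-domain mismatch and the two imitation hosts, while the genuine `www.example.gov` link passes. In a gateway this kind of result would raise the message's phishing score or add a banner warning the recipient that the links do not lead to the organisation the sender claims to be.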

Impersonation with AI Voice Deepfake

In 2019, a UK-based energy company was targeted by criminals who used AI-based software to replicate the voice of an executive at its parent company. When the CEO of the target company answered the phone call, they were convinced they were speaking to their boss, who instructed them to transfer $243,000 to a Hungarian contractor’s account. The account the money was transferred to was, of course, the scammers’. In this case, the fraudsters managed to replicate precise traits of the voice of the person they were impersonating: the light German accent, the melody of the voice, and the tone, making the phone call completely believable.

Understanding how social engineering works can help individuals become more vigilant and resilient against these deceptive tactics. Education, awareness, and critical thinking are essential for protecting against cyber threats.

Stay informed, stay vigilant, and stay safe against social engineering tactics!
