Social engineers know which buttons to press to make you do what they want. Their time-honored techniques really work. so it was inevitable that cybercriminals would apply those techniques to cybercrime.
How Social Engineering Works
From birth, we’re programmed to be helpful and polite. If someone asks you a question it takes a conscious effort not to answer it—especially if it seems innocuous. This is one of the behaviors that social engineers manipulate to achieve what they want. They do it subtly and slowly, winkling information out of their victim piece by piece. They’ll intersperse harmless questions with the ones that nudge you closer to revealing what they want to know.
Social engineering works by manipulating people using techniques that play on basic human traits. Skilled social engineers can make you feel sympathetic to them or their—fabricated—situation. They can make you want to bend the rules, just this once, either because you empathize with them and want to assist or because they’re a pain and you really want to get them off the phone. They can make you feel worried or panicked, hopeful or excited. They then leverage these emotional responses to make you act in haste, often to avert a supposed disaster or to take advantage of a special offer.
Social engineering attacks can happen in a single phone call. They may play out over a period of time, as they slowly foster a false rapport. But social engineering isn’t limited to the spoken word. The most common social engineering attacks are delivered by email.
The one thing all social engineering attacks have in common is their objective. They want to get through your security measures. With you as their unwitting accomplice.
Hacking Human Nature
People have been using social engineering techniques for as long as there have been con men. The “Spanish Prisoner” scam dates back to the 1580s. A wealthy individual receives a letter from someone claiming to represent a titled landowner who is unlawfully held captive in Spain under a false identity. Their true identity cannot be revealed because it will place him and his beautiful daughter in even more peril.
Their only hope of escape is to bribe their guards. Anyone who contributes to the bribe fund will be rewarded many times over when the captive is freed and has access to his considerable financial assets. Anyone who agrees to donate meets the middleman who collects the donation.
The victim is soon approached again. More difficulties have arisen—the captive and his daughter are to be executed, we only have two weeks!—and of course more money is required. This is repeated until the victim is bled dry or refuses to hand over more money.
Scams like these operate on different people in different ways. Some victims become ensnared because it appeals to their noble qualities like kindness, compassion, and sense of justice. To others, the increasing hostility between Great Britain and Spain would have incited them to act. Others would jump at the chance to make an easy profit.
The Spanish Prisoner scam is the Elizabethan equivalent—and direct ancestor of—the “Nigerian Prince” and other bait-and-hook scam emails that are still making cybercriminals money in 2021.
Most people today can recognize these as scams. But most modern social engineering attacks are much more subtle. And the range of human reactions to emotive events hasn’t changed. We’re still programmed the same way, so we’re still susceptible to these attacks.
Types of Attacks
The threat actor wants you to do something that is to their benefit. Their objective might be gathering account credentials or credit card details. They may want you to inadvertently install malware like ransomware, keyloggers, or back doors. They may even want to gain physical access to your building.
A common trait of all social engineering attacks is they try to generate a sense of urgency. In one way or another, a deadline is approaching. The subliminal message to the recipient is “act now, don’t stop to think.” The victim is compelled to not let the disaster happen, don’t miss the special offer, or don’t let someone else get into trouble.
The most common social engineering attack uses phishing emails. These appear to be from a reputable source but are actually fakes dressed up in the livery of the genuine company. Some present an opportunity such as a special offer. Others present a problem that will need addressing, such as an account lock-out issue.
Phishing emails are very easily reskinned to match whatever is in the news. The COVID-19 pandemic of 2020 gave cybercriminals the perfect cover to send phishing emails with new subject lines. News about the pandemic, access to test kits, and supplies of hand sanitizer were all used as hooks to snare the unwary. Phishing emails either have a link to a tainted website or an attachment that contains a malware installer.
Phishing emails are sent out by the millions, with a generic body text. Social engineering by phone call is usually tailored to a particular organization, so the threat actors must do reconnaissance on the company. They’ll look at the Meet the Team page on the website and check the LinkedIn and Twitter profiles of the team members.
Information such as who is out of the office on leave, or attending a conference, managing a new team, or being promoted can all be dropped into telephone conversations by the threat actors so that the recipient doesn’t question whether the caller really is from tech support, or from the hotel the sales team are staying in, and so on.
Calling employees and posing as tech support is a common ploy. New employees are good targets. They’re trying hard to please and don’t want to get into any kind of trouble. If tech support calls them and asks if they’ve tried to do something they shouldn’t have—trying to access privileged network shares, for example—the employee can over-compensate and become too willing to be cooperative to clear their name.
A social engineer can work that situation to their advantage and over the course of a conversation they can tease enough information out of the employee to be able to compromise their account.
Tech support can also be the target. Posing as a senior staff member the attacker rings tech support and complains that they’re in a hotel and can’t send an important email from their corporate account. A huge deal is at stake and the clock is ticking. They say they’ll send a screenshot of the error message, using their personal email. The support engineer wants this resolved as soon as possible. When the email arrives they immediately open the attachment which installs malware.
Anybody can be the recipient of a social engineering phone call. Tech support doesn’t have a monopoly. There are hundreds of variations the attackers can choose from.
Entering Your Premises
Threat actors will pose as almost anyone to gain access to your building. Couriers, caterers, florists, fire inspectors, elevator service engineers, and printer engineers have all been used. They may arrive unexpectedly or they may ring in advance and book an appointment. Booking an appointment helps establish the threat actor is who they claim to be. On the day of the appointment, you’re expecting a printer engineer to arrive and one arrives.
Rather than say they’re going to service the printer they’re likely to say they’re updating its firmware or another task that doesn’t require tools or spare parts. They’ll be very reassuring. All they need is a network connection or to jump onto one of your computers for a few moments. The printer won’t even go offline. Once they’re on your premises and on your network they can install any kind of malware. typically it’ll be a backdoor that allows them to remotely access your network.
Another attack type sees requires hiding a small device somewhere. Behind the printer is a popular place. It’s out of sight and there are usually spare mains and network sockets behind there. The device makes an encrypted connection called an SSH reverse tunnel to the threat actors’ server. The threat actors now have easy access to your network whenever they want it. These devices can be built using a Raspberry Pi or other cheap single board computers and disguised as power supplies or similar harmless devices.
Protecting Against Social Engineering
Social engineering operates on people, so the primary defense is staff awareness training, and clear policies and procedures. Staff must feel secure that they will not be penalized for sticking to protocol. Some cybersecurity companies offer training and role-playing sessions with their in-house social engineers. Seeing the techniques in action is a powerful way to show that no one is immune.
Establish procedures that give staff clear guidance on what to do if they are being asked to break protocol—no matter who is asking them. For example, they should never tell tech support their password.
Regular network scans should be employed to find new devices that have been connected to the network. Anything that is unexplained needs to be identified and examined.
Visitors should never be left unattended, and their credentials should be checked when they arrive on site.