What is social engineering?

Social engineering is the use of psychology-based techniques to persuade people to disclose information or perform an action that serves a malicious purpose. These techniques are also known as “social engineering fraud” or “social engineering scams.”

The term is used in various industries, including marketing, advertising, politics, and cybersecurity. In cybersecurity, social engineering refers to a specific type of cyber attack: one that tricks individuals into providing credentials or sensitive data, allowing threat actors to gain access to the victim’s infrastructure.

Is social engineering common?

Social engineering is one of the surest ways to gain access to well-protected corporate infrastructure when other attack vectors cannot be exploited. Law enforcement agencies register thousands of complaints of suspected cybercrime each year, and a large share of these cases involves social engineering fraud.

Cybercriminals use this tactic so often that the insurance market now offers social engineering fraud insurance. Although it is often included as part of a cyber insurance policy, organizations typically seek to broaden their social engineering fraud coverage.

As one of the most common types of fraud, social engineering can take many forms, such as phishing emails, phone scams, and impersonation. It is a prevalent threat in today’s digital landscape, and it is crucial to educate employees about the risks and about how to avoid falling victim to these attacks.

How does social engineering work?

The kill chain of a social engineering attack varies considerably depending on the techniques and tricks the cybercriminals use. Generally, social engineering fraud involves several phases:

  1. Information gathering. The attacker gathers information about the target, such as their personal information, email address, social media profiles, job title, or any other data that can be used to craft a personalized social engineering attack.
  2. Trust building. The adversary builds trust with the target, often by posing as a trusted authority figure or using other tactics to gain the victim’s confidence. For instance, attackers may use impersonation fraud — a social engineering tactic that implies posing as a trusted person or authority.
  3. Exploitation. The victim is tricked into providing sensitive information or access to their system.
  4. Execution. The social engineering attack is executed by delivering a malware payload, stealing login credentials, or gaining access to sensitive information. This phase depends on the exact goals behind the operation, whether they’re money or cryptocurrency theft, ransomware deployment, espionage, etc.

By understanding these social engineering attack phases, individuals and organizations can better prepare to recognize and prevent such an attack. It is important to remain vigilant and take steps to protect against social engineering fraud at every stage of the process.

Why is social engineering effective?

Cyber attackers commonly use social engineering because it allows them to bypass many technical security controls, such as firewalls or antivirus software, that are designed to prevent unauthorized access. Instead of targeting technical vulnerabilities in a system, social engineering attacks target the human vulnerabilities of the people who use it.

Social engineering attacks can be highly targeted, allowing attackers to focus their efforts on a specific individual or group. For instance, C-level executives and heads of organizations often fall victim to social engineering fraud because they hold the broadest authority.

How do social engineers successfully manipulate people?

Social engineers exploit human psychology and emotions. They use tactics such as creating a sense of urgency or fear, appealing to the target’s desire to be helpful or curious, or impersonating a trusted individual or authority figure.

Social engineering tactics are designed to bypass an individual’s critical thinking and exploit their instincts, making them more susceptible to manipulation. Attackers need to know exactly which buttons to press to draw the target into social engineering fraud, which requires a deep understanding of human behavior.

Social engineering attack techniques

It is not always possible to define a universal set of social engineering types. Attacks often combine features of different types of cybercrime, giving rise to terms such as “social engineering phishing” or “social engineering scams.”

In addition, different researchers may categorize various types of social engineering fraud differently. For example, they may classify vishing (a type of phishing) as a separate category. In this article, we adhere to the following list of social engineering attack techniques.

Phishing

Phishing is a social engineering method that involves creating a fake website to obtain sensitive information, such as a password or credit card number. Links to phishing websites are usually distributed via email, text messages, or social media messages. The attacker may use various tactics to make the message appear legitimate, such as using a logo or branding similar to the legitimate source’s, or creating a sense of urgency by claiming that the recipient’s account has been compromised.
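Because phishing links usually point at domains built to resemble a brand the recipient trusts, a mail gateway or SOC script can screen extracted links for lookalike names before they reach users. The Python below is an added example, not code from the article or from Group-IB: it flags a protected brand name used as a subdomain of an unrelated domain, look-alike character substitutions, the same name under another TLD, and names within two edits of the brand. The protected domain list, the homoglyph table and the sample URLs are constructed for illustration, and the “last two labels” rule for the registrable domain is an assumption that production code would replace with a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed allow-list of the organization's own domains (assumption: a real
# deployment loads this from configuration rather than hard-coding it).
PROTECTED_DOMAINS = ["example-bank.com", "example-pay.com"]

# Character substitutions commonly used to build lookalike names (constructed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    """Fold look-alike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a name one or two edits from a brand is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(url: str):
    """Return (labels, registrable_domain) for the URL's host.
    Assumption: the registrable domain is the last two labels; production code
    would consult the public-suffix list so that e.g. co.uk is handled."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").strip(".").lower()
    labels = host.split(".") if host else []
    return labels, ".".join(labels[-2:])


def classify_url(url: str):
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated', with a reason."""
    labels, registrable = split_host(url)
    if registrable in PROTECTED_DOMAINS:
        return "legitimate", f"{registrable} is a protected domain"
    if not registrable:
        return "unrelated", "no host in URL"
    name = normalize_label(registrable.split(".")[0])
    for legit in PROTECTED_DOMAINS:
        brand = legit.split(".")[0]
        # Brand used as a subdomain of someone else's domain: example-bank.com.secure-login.net
        if any(normalize_label(lbl) == brand for lbl in labels[:-2]):
            return "lookalike", f"brand '{brand}' appears as a subdomain of {registrable}"
        # Same name under another TLD, or homoglyph-substituted name: example-bank.net, examp1e-bank.com
        if name == brand:
            return "lookalike", f"{registrable} mimics {legit}"
        # Typosquat: within two edits of the brand name
        if edit_distance(name, brand) <= 2:
            return "lookalike", f"{registrable} is within 2 edits of {legit}"
    return "unrelated", f"{registrable} does not resemble a protected domain"


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from inbound messages.
    for link in [
        "https://login.example-bank.com/auth",
        "http://example-bank.com.secure-login.net/",
        "https://examp1e-bank.com/",
        "https://exarnple-bank.net",
        "https://example-bnak.com",
        "https://news.unrelated-site.org/",
    ]:
        print(link, "->", classify_url(link))
```

The checks are deliberately ordered from most to least specific, and the edit-distance threshold is low because a looser threshold would start matching unrelated short names; in practice the verdicts would feed a quarantine or link-rewriting decision rather than be shown raw to users.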

Baiting

Baiting is a social engineering fraud technique that typically involves offering value to the target, such as a free download or a gift card, in exchange for their personal information or access to their system. The bait may also be designed to trigger the target’s curiosity or desire to help others.

Scareware

Scareware is a type of malware designed to trick users into believing their system has been infected with a virus or other dangerous software. Scareware typically displays fake pop-up messages or alerts, often overlaid on the user’s screen, that warn of a security threat and prompt the user to take action, such as downloading and installing a fake antivirus program or providing personal information. The goal of this social engineering fraud technique is to frighten users into actions that expose their personal information.

Pretexting

Pretexting is a type of social engineering attack that involves creating a false pretext or scenario to gain the target’s trust. The social engineer may impersonate a trusted individual or authority figure, such as a company employee or law enforcement officer, or use fake documents or other forms of evidence to support the false pretext. Pretexting aims to create a sense of legitimacy and trust in the target, making it easier for the attacker to manipulate them.

Tailgating and piggybacking

Tailgating social engineering is a physical security breach that occurs when an unauthorized individual gains access to a restricted area by following closely behind an authorized person. This is similar to how a vehicle may tailgate another vehicle on the road.

Piggybacking refers to using someone else’s login credentials to gain access to a system or facility, much as one person rides on another’s back in a piggyback ride. This social engineering technique is often used to bypass passwordless authentication and physical security measures, such as keycard access systems.

Piggybacking and tailgating can be difficult to detect because these social engineering scams often look like a harmless act of kindness, such as holding the door open for someone. However, they can pose a significant threat to organizations because they allow unauthorized individuals to gain access to sensitive areas or information.

Quid Pro Quo

Quid pro quo is a specific type of social engineering fraud in which an attacker poses as a technical support representative and offers to fix a non-existent problem on the target’s computer in exchange for their login credentials. Quid pro quo attacks can also involve the attacker offering a job opportunity or another type of reward in exchange for the target’s personal information or access to their system. This technique aims to create a sense of reciprocity and trust in the target.

Watering hole attacks

In the case of watering hole attacks, the threat actor targets a specific group of individuals by infecting websites or online resources that the group is known to frequent. The goal of this social engineering tactic is to infect the target group’s computers with malware, typically through the use of drive-by downloads or other types of exploits. Watering hole attacks are particularly effective because they allow the attacker to target a specific group of individuals, such as employees of a particular company or members of a particular organization. By infecting a trusted website or resource, the attacker can bypass many of the target’s security defenses and increase the likelihood that the malware will be installed on their system.

CEO fraud

This impersonation fraud tactic involves impersonating the targeted company’s CEO or another C-level executive. Cybercriminals send emails to employees of the organization on behalf of their boss, demanding that they take certain actions, such as visiting a phishing site. Often, the emails closely mimic the CEO’s writing style to build trust with the recipients.
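The header pattern CEO fraud relies on, a trusted display name on an address the executive does not control, is something a mail gateway or SOC script can flag before the recipient ever reads the message. The Python below is an added example, not code from the article or from Group-IB: it parses a raw message, compares the From display name against an executive directory, looks for a Reply-To that diverts replies to another domain, reads SPF/DKIM/DMARC results from the Authentication-Results header, and notes pressure cues in the subject and body. The executive directory, internal domain, keyword list and both sample messages are constructed assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organization's own mail domain.
INTERNAL_DOMAIN = "example-corp.com"
# Constructed executive directory, keyed by normalized display name
# (assumption: normally sourced from HR or the identity provider).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Constructed list of phrases typical of BEC pressure; tune to the organization.
PRESSURE = re.compile(r"\b(urgent|immediately|wire transfer|gift cards?|confidential)\b", re.I)


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_message(raw: bytes) -> list:
    """Return a list of impersonation indicators; an empty list means none were found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(_norm(from_name))
    if exec_addr and from_addr.lower() != exec_addr:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_addr}")

    # 2. Reply-To pointing at a different domain than From diverts the conversation.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to diversion: replies go to {reply_addr}")

    # 3. Sender authentication results recorded by the receiving MTA.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=fail\b", auth):
            findings.append(f"{mech} failed for {from_dom or 'unknown domain'}")

    # 4. Urgency and secrecy cues in the subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    cues = sorted({m.lower() for m in PRESSURE.findall(text)})
    if cues:
        findings.append("pressure cues: " + ", ".join(cues))
    return findings


# Constructed sample messages; the fraudulent one uses a lookalike sender domain.
FRAUD_MESSAGE = b"""From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: ceo.private@freemail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp-mail.com; dkim=none
Content-Type: text/plain; charset=utf-8

I am in a meeting and cannot talk. Please process the attached wire transfer immediately and keep this confidential.
"""

LEGIT_MESSAGE = b"""From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning notes
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Content-Type: text/plain; charset=utf-8

Notes from today's meeting are on the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, inspect_message(raw))
```

The first finding alone is usually enough to quarantine a message; the others are there because real campaigns vary, and a mail that passes SPF from a freshly registered lookalike domain would still trip the display-name and Reply-To checks.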

Social engineering examples

Social engineering is one of the favorite tactics of cybercriminals, so examples of social engineering attacks abound. One is a recent quid pro quo campaign in which scammers impersonated Meta support staff. The cybercriminals created 3,200 scam profiles to steal account credentials and take over Facebook profiles.

Another example is the notorious social engineering group known as PostalFurious. The group mimics postal and road services in different countries to trick users into handing over their payment and personal data. Read the Group-IB investigation into these scammers on our blog.

Another social engineering attack case involved scammers impersonating the US Social Security Administration. The attackers did not target a specific group of people; instead, they bombarded recipients with requests to confirm their Social Security Numbers in order to steal their victims’ identities.

How can you protect yourself from social engineering?

Social engineering attacks cannot be completely ruled out, because attackers exploit a vulnerability that can never be brought fully under control: the human factor. In addition, cybercriminals are constantly improving their methods and techniques.

Nevertheless, organizations can significantly reduce their chances of falling victim to such attacks by implementing a social engineering fraud risk management strategy. It should include the following measures:

  • Security training and raising awareness. Provide regular training and education to employees and individuals about social engineering attacks, how to recognize them, and how to respond to them.
  • Access control. Implement access controls to limit access to sensitive information and systems to only those who need it.
  • Network segmentation. Implement network segmentation to limit the spread of malware across the network.
  • Critical systems monitoring. Use modern solutions, such as network detection and response, endpoint detection and response, and intrusion detection and prevention systems (IDS/IPS), to monitor your infrastructure for indicators of compromise and attacks.
  • Incident response plan. Develop and maintain an incident response plan that outlines the steps to be taken during a social engineering attack.
  • Regular security assessments. Conduct regular security assessments, including penetration testing and vulnerability assessments, to identify weaknesses in the organization’s security posture.
  • Email protection solutions. Email is one of the most popular gateways into a company’s infrastructure for social engineers. Protecting it with dedicated business email protection solutions can significantly reduce the chances of falling victim to social engineering.

Does Group-IB provide solutions to protect from social engineering attacks?

Group-IB provides several solutions for social engineering prevention. To stop attacks in which cybercriminals use email as the initial attack vector, we offer Group-IB Business Email Protection. The solution automatically blocks scam and phishing emails, emails with malicious links and attachments, BEC attacks, and other threats.

The Group-IB Managed XDR solution couples network and endpoint detection capabilities, ensuring continuous monitoring of the company’s infrastructure. Its service component includes 24/7 support from the Group-IB cyber defense center in detecting, proactively hunting, and responding to various types of cyber threats, including social engineering.