What Is a Social Engineering Attack? Types and Preventative Tips

Human beings, businesses and civilizations thrive on a foundation of trust, and attackers thrive on manipulating that trust. Social engineering is the term for the many techniques by which an individual or group uses deception, usually assisted by technology, to exploit a trust relationship and get a person to hand over information or take an action they otherwise would not.

The goal of a social engineer is to carefully create a condition of “false trust,” in which an individual reveals information or takes an action that leads to a security breach. Social engineering can involve malware or ransomware as the payload, but the technique itself targets the natural behavior of human beings rather than a flaw in software. In many ways, that “false trust” condition is the result of what you could call a “reality distortion effect”; some social engineers refer to the practice of manipulating a person as putting that person “in the zone.”

Social Engineering: Manipulating the Human Element

Social engineers try to put victims in a mindset that makes them highly suggestible and willing to take actions that they would otherwise find questionable.

Most human beings have very good defense mechanisms they rely on to avoid being deceived. The average person can quickly evaluate a situation and determine that something is amiss – similar to a “lie detector” filter. Yet, social engineers find ways to manipulate motives as a way of lowering our defense mechanisms and even our inhibitions.

Attackers who engage in social engineering attempt to manipulate very human motivations, including:

  • The need to help: The simple impulse to be helpful is a frequent cause of security incidents. Individuals have unwittingly taken actions that defeated sophisticated security controls and cost their organization goodwill or revenue.
  • An impulse to respond to urgent requests: Many times, attackers are able to convince victims that they need to act immediately, which can cause individuals to take questionable actions.
  • Our sense of self interest: Few things motivate some people more than greed. Focusing on this motivation can cause a person to lower their guard.

These are just a few of the motivations; a good social engineer can identify additional motivations by carefully profiling an individual, group or company. A social engineer is always more successful if they have large amounts of data about the intended victim.

Why Social Engineering Succeeds

Most social engineers find ways to wrap a lie inside of many truths. A well-prepared attacker can find it relatively easy to create the right kind of situation to make you feel comfortable or make you feel that the attacker is worthy of your trust. Once that one lie (a bad hyperlink in an email, or a simple request for information, for example) is carefully couched inside a plausible – but fraudulent – context, the attacker can get you to take action. It’s all about context and a social engineer’s ability to manipulate your natural human instincts.

When a human being is distracted, or otherwise not paying sufficient attention, it is possible for attackers to succeed. The goals of a social engineer are to get you to:

  • Forget that they were the party to contact you first
  • Take an action that you normally wouldn’t take
  • Misplace your trust
  • Lower your natural defense mechanisms
  • Deactivate your suspicion filter

Anatomy of a Social Engineering Attack: The Process of Social Engineering

In a nutshell, the stages of a social engineering attack are listed below in Table 1.

Table 1: Stages of a social engineering attack

  1. Business plan development: the attack plan.
    Sophisticated attackers have a clear understanding of how they will profit from their activities, just like a successful business. They plan specific tactics, techniques and procedures in advance. For example, if they wish to steal passwords, they know before the first message is sent how those passwords will be monetized with as little risk to themselves as possible.
  2. Research: the stage successful attackers spend the most time on.
    Attackers investigate the target as carefully as a marketing professional studies a target audience: the subject’s behavior patterns, interests, relationships and computing devices. They study the “data exhaust” the intended victim leaves behind in public profiles, posts and records. Research can involve physical surveillance, dumpster diving, data analytics and, increasingly, artificial intelligence (AI) tooling. By the end of this stage, the attacker knows the victim intimately.
  3. Pretext development: next to research, the most vital and time-consuming stage.
    Once the attacker knows the intended victim, they choose two things: the medium (email, phone call, text message or personal contact) and the message. Both matter equally; attackers know that the right message delivered over the wrong channel fails.
  4. Weaponization: the attack preparation stage.
    The attacker prepares whatever the pretext needs to cash in on the breach of trust: a lookalike login page, a malicious attachment or link, a spoofed sender or, in the most sophisticated attacks, purpose-built software.
  5. Infiltration: the physical breach.
    In an in-person attack, the stage where the perpetrators get inside the organization and work around its business processes and existing security procedures.
  6. Delivery: the victim receives the weaponized technology.
    This can be an email, a “gift” USB thumb drive, or the sale of a tampered device or component to the victim.
  7. Attack: the weaponized technology is activated.
    The insidious nature of social engineering is that the end user is often the one who triggers the attack, by opening the attachment, plugging in the drive or following the link. Sometimes infiltration, delivery and attack happen at once; in many cases they happen in discrete stages.
  8. Exploitation: the attacker uses the resulting code or access to compromise the system.
    Exploitation often occurs a considerable time after delivery and attack.
  9. Monetization: the profit stage.
    This can be as simple as using stolen credit card data. More sophisticated attackers pass stolen assets to networks of third parties, which lowers their risk while maximizing profit.


The Most Critical Stages

For the end user especially, the most critical stages of a social engineering attack are the following:

  • Research: Everyone has seen the ridiculous attempts by social engineering rookies who think they can succeed with little preparation. Effective attackers spend considerable resources researching their targets. This allows them to carefully craft lies so that they appear plausible and actionable.
  • Pretext development: Any solid pretext includes an action statement meant to breach trust and avoid security controls.

These two stages are where the attacker needs to be the most creative and ingenious. If they fail to gain the critical information or fail to craft the right pretext, the attack will fail.

Secondarily, attackers need to use technology that is not easily detectable. But in many cases the research and pretext are so thorough that the attacker can use well-known, relatively “off the shelf” software exploits and malware. Attackers weigh the cost-to-benefit ratio of their methods carefully, and developing a convincing pretext is often cheaper than developing sophisticated software.

The Anatomy of Pretexting

There are a few keys to successful pretexting:

  1. The pretext needs to be plausible and actionable.
    Yet, it can’t be obvious enough to arouse suspicion. The best pretexts take advantage of an individual’s need to hold certain things in soft focus. In other words, as we go about our day, we can’t afford to focus on routine things to the exclusion of all else. We put such routine things in soft focus because they are things that we expect to happen in a normal way. Hackers take advantage of this by crafting careful messages and situations that exploit our need for soft focus.
  2. The pretext should exploit human behavior so that the victim breaches trust without realizing it.
  3. The pretext should feel natural.
  4. The pretext must avoid or obviate a security control.
    For example, the pretext should get the victim to do what access controls, firewalls or antivirus would otherwise prevent: open the door, share the password, approve the attachment or click the link.

The Most Sensitive Stage for the Attacker

After research and pretexting, the most sensitive stage for the attacker is successfully completing the attack. They need to use software that is effective but not easily discovered. After research, pretext creation and exploitation, another area of risk is monetizing the stolen information or access. But attackers, like pickpockets, have sophisticated networks that allow them to fence their ill-gotten goods.

Additional Methods of Undermining Trust

Listed below are a few additional methods for manipulating human behavior:

  • Fear: A good pretext quickly instills fear at a visceral level. In a business context, no one wants to be seen as lazy or incompetent; on a personal level, few people want to be seen as insensitive to a social issue. Attackers know this and play on that fear.
  • Curiosity: A well-honed pretext will take advantage of a person’s natural curiosity.
  • Decisiveness: In a business context, individuals often want to demonstrate their willingness and ability to act decisively. If an attacker can get you to think you’re being useful, then they may succeed.
  • Greed: Some people are motivated by a need to get ahead and get a good deal.

Types of Social Engineering Tactics

So many attack methods exist. Here are the most common types of social engineering tactics:

  • Business email compromise (BEC): Impersonating an executive, employee, vendor or partner by email, using a spoofed address, a lookalike domain or a genuinely compromised mailbox, to trick staff into making a payment, changing bank details or releasing data. BEC relies on a convincing pretext rather than malware, which is why it passes many technical controls.
  • Business process compromise (BPC): Manipulating documented and undocumented business practices to defeat security. BPC can involve exploiting business partners, janitorial services, repair crews and interdepartmental communication pathways.
  • Phishing: Sending a deceptive message to a broad group of people to trick some of them into an inappropriate action that defeats security, such as entering credentials on a fake page or opening a malicious attachment.
  • Spear phishing: Phishing aimed at a specific individual and built on research about that person.
  • Whaling: Spear phishing aimed at a high-profile target, such as the chief executive officer (CEO) or another business leader.
  • Vishing: Voice phishing; using phone calls, including voicemail and spoofed caller ID, as the social engineering channel.
  • SMiShing: Using SMS text messages as the social engineering channel.
  • Pharming: Redirecting users to a bogus resource, such as a fake website or rogue Wi-Fi hotspot, typically by tampering with DNS or other name resolution, so the attacker can harvest sensitive information. This is distinct from a “watering hole” attack, in which the attacker compromises a legitimate site the target group already visits.
  • Tabnabbing: Exploiting browser tab behavior during a phishing attack. A page left open in a background tab rewrites itself to look like a familiar login page, or a page opened in a new tab uses its window.opener handle to redirect the original tab to a lookalike, so the user re-enters credentials on the attacker’s page.
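For the second form of tabnabbing, a site can protect its own users: any link that opens a new tab should carry rel="noopener" (rel="noreferrer" implies it), so the opened page receives no window.opener handle with which to redirect the original tab. The script below is an added example, not code from this article, that audits an HTML page for off-site links missing that attribute. The sample page, the site hostname and the "off-site only" rule are constructed assumptions for the illustration.

```python
"""Audit HTML for links that enable reverse tabnabbing. Added example, not
code from the article; the page below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class BlankTargetAudit(HTMLParser):
    """Collect <a target="_blank"> links that point off-site without
    rel="noopener" (or "noreferrer", which implies it). Such a link gives the
    opened page a window.opener handle it can use to redirect this tab."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.checked = 0   # links that open a new tab
        self.unsafe = []   # (line number, href) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        self.checked += 1
        host = (urlparse(a.get("href", "")).hostname or "").lower()
        if host in ("", self.site_host):
            return  # relative or same-site: the opener is our own page anyway
        rel = a.get("rel", "").lower().split()
        if "noopener" not in rel and "noreferrer" not in rel:
            self.unsafe.append((self.getpos()[0], a["href"]))


def audit(html, site_host):
    """Return (links_checked, [(line, href), ...]) for the offending links."""
    p = BlankTargetAudit(site_host)
    p.feed(html)
    p.close()
    return p.checked, p.unsafe


# Constructed sample page: the second link is the weak form, the third the fixed one.
SAMPLE_PAGE = """\
<html><body>
<a href="/account" target="_blank">My account</a>
<a href="https://partner.example.net/offer" target="_blank">Partner offer</a>
<a href="https://partner.example.net/docs" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="https://cdn.example.com/report.pdf">Report (same tab)</a>
</body></html>
"""

if __name__ == "__main__":
    checked, unsafe = audit(SAMPLE_PAGE, "www.example.com")
    print(f"{checked} new-tab links checked, {len(unsafe)} unsafe:")
    for line, href in unsafe:
        print(f'  line {line}: {href}  -> add rel="noopener noreferrer"')
```

Current major browsers already treat target="_blank" as implying noopener, but the explicit attribute remains the portable fix for older clients, and pages that open tabs with window.open must still pass the "noopener" feature themselves. The audit deliberately ignores same-site links, since there the opener is the site's own page.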

How To Avoid Being a Victim

So, now you know the problem. Table 2 lists a few tips for avoiding becoming a victim.

Table 2: Tips for avoiding social engineering attacks

  • Train end users: People tend to behave differently at work than at home when it comes to responding to social engineering requests. Savvy organizations run programs that teach employees to recognize sophisticated social engineering attacks and to report them.
  • Create a healthy sense of skepticism: Be ready to ask questions and to hold off on acting, even when the appeal (the pretext) is convincing.
  • Avoid haste: Take a deep breath, go for a quick walk or do something else, then think about what you are being asked to do. Urgency is the attacker’s tool, not yours. Once you develop a habit of thoughtfully approaching your use of technology, you will be a much safer user of it.
  • Verify the source: If you receive a request, confirm that it really came from the person or organization it claims to come from, using contact details you already have rather than those in the message. Trust, but verify.
  • Avoid distraction: Develop ways to recognize when you are distracted, because that is when your “lie detector” filter is weakest.
  • Use a spam filter: Good email filtering rules block most bulk phishing and many targeted attempts, but a well-researched spear phishing or BEC message can still get through. Treat the filter as one layer, not the last one.
  • Become technologically literate: Learn enough about internet technology to recognize when it is being used against you, for example that the display name on an email is not the sender address and that link text need not match the link target.
  • Use out-of-band communication: If you receive a request by email, verify it by phoning or texting the person who supposedly made it, using a number you already have. Don’t reply through the original channel, since the attacker controls it. Using a separate channel is called communicating out-of-band.
  • Remember who made first contact: Social engineers do their best to make you forget that you were minding your own business before they started manipulating you. Unsolicited contact deserves extra scrutiny.
  • Avoid clicking on links and attachments: Most computers are protected by automated security tools (e.g., antivirus), but those tools are not perfect. Think before you click.
  • Have a response plan: Be ready to contact IT support or take other appropriate action if you think you have fallen victim. Write the plan down before you need it; reporting quickly limits the damage.
  • Read carefully: Your internal lie detector works better when you take the time to examine a request.
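Several of the tips in Table 2 (verify the source, use a spam filter, read carefully) and the BEC and phishing tactics listed earlier come down to the same handful of checks on a message: does the display name match the real sender address, does Reply-To point somewhere else, is the sender domain a lookalike of a trusted one, does the text push for urgency, and does the visible link text name one site while the link goes to another. The script below, added here as an illustration and not taken from the article or from any vendor's filter, runs those checks over three constructed messages. Everything in it is an assumption: the trusted-domain set, the urgency phrase list, the lookalike heuristic, the two-indicator threshold and the sample mail.

```python
"""Score an email for social-engineering indicators. Added example, not from
the article or any vendor; domains, phrases, threshold and samples are made up."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # the fictional organisation's own domains
URGENCY = re.compile(  # the "urgency" lever described in the article
    r"\b(urgent|immediately|act now|final notice|within the hour|"
    r"account (?:will be )?suspended|wire (?:the )?funds today)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HOST_IN_TEXT = re.compile(r"\b((?:[\w-]+\.)+[a-z]{2,})\b", re.I)


def skeleton(domain):
    """Crude skeleton: examp1e.com, exarnple.com, examp-le.com -> example.com."""
    s = domain.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("0135", "oles")).replace("-", "")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def domain_findings(domain, role):
    """Indicators for one domain seen as the sender or as a link target."""
    if not domain or domain in TRUSTED_DOMAINS:
        return []
    if any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []  # mail.example.com is a genuine subdomain
    if any(domain.startswith(t + ".") for t in TRUSTED_DOMAINS):
        return [f"{role}:trusted-domain-as-subdomain"]  # example.com.evil.net
    if any(skeleton(domain) == skeleton(t) for t in TRUSTED_DOMAINS):
        return [f"{role}:lookalike-domain"]
    return []


def body_text(msg):
    parts = []
    for part in msg.walk():  # handles both single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def assess(raw_message):
    """Return the indicators found; two or more is the assumed hold-for-review threshold."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display name shows one address while the real sender is another (BEC staple)
    m = EMAIL_IN_TEXT.search(display)
    if m and m.group(1).lower() != from_domain:
        findings.append("sender:display-name-address-mismatch")
    # 2. Replies are steered to a domain other than the visible sender's
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("sender:reply-to-mismatch")
    # 3. Sender domain is a lookalike of, or prefixed with, a trusted domain
    findings += domain_findings(from_domain, "sender")
    # 4. Urgency language in subject or body
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    if URGENCY.search(text):
        findings.append("content:urgency-language")
    # 5. Link text names a trusted site but the target is elsewhere or a lookalike
    for href, label in ANCHOR.findall(text):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", label))
        if shown and shown.group(1).lower() in TRUSTED_DOMAINS and target not in TRUSTED_DOMAINS:
            findings.append("link:label-target-mismatch")
        findings += domain_findings(target, "link")
    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: "Pat Lee" <pat.lee@example.com>
Reply-To: Pat Lee <pat.lee.ceo@gmail.com>
Subject: Urgent - supplier payment

I am in a meeting and cannot take calls. Please wire the funds today
to the account in my next message and keep this confidential.
"""
SAMPLE_PHISH = """\
From: "IT Support <helpdesk@example.com>" <helpdesk@examp1e.com>
Subject: Action required: your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Sign in within the hour to keep access:</p>
<a href="https://example.com.login-verify.net/reset">https://example.com/reset</a>
"""
SAMPLE_LEGIT = """\
From: Payroll <payroll@example.com>
Subject: January payslips are available

Your payslip is in the HR portal at https://hr.example.com.
"""

if __name__ == "__main__":
    for name, sample in (("bec", SAMPLE_BEC), ("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(sample))
```

The skeleton heuristic is intentionally crude and will produce false positives (it folds "modern" into "modem"), which is why the verdict needs two independent indicators rather than one: the BEC sample trips only the Reply-To and urgency checks, the phishing sample trips five, and the payroll notice trips none. A real filter would also consult SPF, DKIM and DMARC results, which a message can only carry once it has been received.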


Social engineers are just one type of cybercriminal, and they put in the work to stay ahead of cybersecurity professionals. As these attacks become more sophisticated, it’s up to IT pros to build a line of defense that includes understanding the attacker’s playbook. The more you know about how attackers work, the better chance you have of catching them in the act and preventing a major loss.

