What Is Social Engineering?

At its core, social engineering is not a technical cyber attack. Instead, social engineering is all about the psychology of persuasion: it targets the mind, like an old-school grifter or con man. The aim is to gain the trust of targets so they lower their guard, and then encourage them to take unsafe actions such as divulging personal information, clicking on web links, or opening attachments that may be malicious.

How does social engineering work?

In a typical social engineering attack, a cybercriminal communicates with the intended victim while claiming to be from a trusted organization. In some cases, they will even impersonate a person the victim knows.

If the manipulation works (the victim believes the attacker is who they say they are), the attacker will encourage the victim to take further action. This could be giving away sensitive information such as passwords, date of birth, or bank account details. Or they might encourage the victim to visit a website where malware is installed that disrupts the victim's computer. In worst-case scenarios, the malicious website strips sensitive information from the device or takes over the device entirely.

Why is social engineering so dangerous?

One of the greatest dangers of social engineering is that the attacks don't have to work against everyone: A single successfully fooled victim can provide enough information to trigger an attack that can affect an entire organization.

Over time, social engineering attacks have grown increasingly sophisticated. Not only do fake websites and emails look realistic enough to fool victims into revealing data that can be used for identity theft; social engineering has also become one of the most common ways for attackers to breach an organization's initial defenses in order to cause further disruption and harm.

How do I protect myself and my organization against social engineering?

While psychological attacks test the strength of even the best security systems, companies can mitigate the risk of social engineering with awareness training.

Consistent training tailored to your organization is highly recommended. This should include demonstrations of the ways in which attackers might attempt to socially engineer your employees. For example, simulate a scenario in which an attacker poses as a bank employee who asks the target to verify their account information. Another scenario could be a senior manager (whose email address has been spoofed or copied) asking the target to send a payment to a certain account.

Training helps teach employees to defend against such attacks and to understand why their role within the security culture is vital to the organization.

Organizations should also establish a clear set of security policies to help employees make the best decisions when it comes to social engineering attempts. Examples of useful procedures to include are:

  • Password management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple rule that employees should not disclose passwords to anyone--regardless of their position--will help secure information assets.
  • Multi-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use multi-factor authentication rather than fixed passwords.
  • Email security with anti-phishing defenses: Multiple layers of email defenses can minimize the threat of phishing and other social-engineering attacks. Some email security tools have anti-phishing measures built in.

Types of social engineering attacks

Phishing

Phishing scams are the most common type of social engineering attack. They typically take the form of an email that looks as if it is from a legitimate source. Sometimes attackers will attempt to coerce the victim into giving away credit card information or other personal data. At other times, phishing emails are sent to obtain employee login information or other details for use in an advanced attack against their company. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with phishing attempts.

Other examples of phishing you might come across are spear phishing, which targets specific individuals instead of a wide group of people, and whaling, which targets high-profile executives or the C-suite.

Recently, attackers have been taking advantage of the growth in software as a service (SaaS), such as Microsoft 365. These phishing campaigns usually take the form of a fake email that claims to be from Microsoft. The email contains a request that the user log in and reset their password because they haven't logged in recently, or claims there is a problem with the account that needs their attention. A URL is included, enticing the user to click and remedy the issue.

How to prevent phishing attacks


Watering hole attacks

Watering hole attacks are a very targeted type of social engineering. An attacker will set a trap by compromising a website that is likely to be visited by a particular group of people, rather than targeting that group directly. An example is industry websites that are frequently visited by employees of a certain sector, such as energy or a public service. The perpetrators behind a watering hole attack will compromise the website and aim to catch out an individual from that target group. They are likely to carry out further attacks once that individual's data or device has been compromised.


Business email compromise attacks

Business email compromise (BEC) attacks are a form of email fraud in which the attacker masquerades as a C-level executive and attempts to trick the recipient into performing a routine business function for an illegitimate purpose, such as wiring money to the attacker. Sometimes they go as far as calling the individual and impersonating the executive.
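The SaaS credential-reset lure described under "Phishing" and the executive impersonation described here both leave signals in the message itself: a brand name paired with sender or link domains that are not the brand's, a protected display name on an address that does not belong to that person, a reply address that diverges from the sender, and a payment request under time pressure. The following is an added example written for this page (not code from the page's author or any product) showing how an email gateway or mailbox rule might score those indicators. The executive list, brand domains, keyword lists, weights, and the three sample messages are all constructed for the example.

```python
"""Constructed example: score an inbound email for the phishing and BEC
indicators described in the text. All names, domains and samples are made up."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data (placeholders, not from the page).
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}              # protected display names
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "office.com")}  # deliberately simplified
CREDENTIAL_LURE = ("reset your password", "verify your account",
                   "haven't logged in", "problem with your account")
PAYMENT_LURE = ("send a payment", "wire transfer", "bank account", "wire the funds")
URGENCY = ("urgent", "immediately", "today", "within 24 hours")
WEIGHTS = {"exec-impersonation": 3, "brand-lookalike": 3,
           "reply-to-mismatch": 2, "urgent-payment": 2, "credential-lure": 1}
REVIEW_THRESHOLD = 3  # at or above this, hold the message for analyst review

URL_HOST = re.compile(r"https?://([^\s/?#]+)", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw):
    """Return the list of indicator names found in one RFC 822 text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    body = msg.get_payload()  # single-part text/plain assumed for the example
    text = f"{name} {msg.get('Subject', '')} {body}".lower()
    hosts = URL_HOST.findall(body)
    findings = []

    # BEC: an executive's display name on an address that is not theirs.
    # (An exact spoof of the real address needs SPF/DKIM/DMARC, not this check.)
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("exec-impersonation")

    # Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # A brand is named, but the sender or a link host is not the brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in text and not all(_under(h, legit) for h in [from_domain] + hosts):
            findings.append("brand-lookalike")

    # Credential-reset wording combined with a link to click.
    if hosts and any(k in text for k in CREDENTIAL_LURE):
        findings.append("credential-lure")

    # Payment request under time pressure.
    if any(k in text for k in PAYMENT_LURE) and any(k in text for k in URGENCY):
        findings.append("urgent-payment")
    return findings


def risk_score(findings):
    return sum(WEIGHTS[f] for f in findings)


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: "Microsoft Account Team" <no-reply@rnicrosoft-account.com>
To: employee@example.com
Subject: Action required: your account

We noticed you haven't logged in recently. Reset your password at
https://login.rnicrosoft-account.com/reset within 24 hours or it will be closed.
"""

BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe.ceo@mailhost.test>
To: finance@example.com
Subject: Quick favour

I'm stuck in meetings all day. Please send a payment of 48,000 to the vendor
bank account below today and keep this between us.
"""

BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: All-hands reminder

Reminder: the quarterly all-hands starts at 3pm in the main room.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = analyze(sample)
        verdict = "REVIEW" if risk_score(found) >= REVIEW_THRESHOLD else "deliver"
        print(f"{label}: {found} -> {verdict}")
```

The lookalike and impersonation checks carry most of the weight because they are hard to explain away; "credential-lure" on its own scores below the review threshold, since a genuine password-reset notice from the brand's own domain also matches that wording. Keyword lists like these are a starting point for mailbox rules, not a substitute for authentication checks (SPF, DKIM, DMARC) and the out-of-band verification the policies above call for.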


Physical social engineering

When talking about cybersecurity, we also need to talk about the physical aspects of protecting data and assets. Certain people in your organization--such as help desk staff, receptionists, and frequent travelers--are more at risk from physical social engineering attacks, which happen in person.

Your organization should have effective physical security controls such as visitor logs, escort requirements, and background checks. Employees in positions at higher risk of social engineering attacks may benefit from specialized training in recognizing and handling physical social engineering attempts.


USB baiting

USB baiting sounds a bit unrealistic, but it happens more often than you might think. Cybercriminals install malware onto USB sticks and leave them in strategic places, hoping that someone will pick up a stick and plug it into a corporate environment, thereby unwittingly unleashing malicious code into their organization.