When it comes to types of risk in cybersecurity, social engineering is unique. Why? It isn’t technically a cyber attack, though it usually leads to one. Instead, social engineering is about the psychology of persuasion: a threat actor uses a range of tactics to convince a victim to take an action they shouldn’t (wire money, approve access, run a file) or to divulge confidential information.
In cyber attacks specifically, victims are typically tricked into divulging credentials or system details, clicking a link, or opening a malicious attachment. Social engineering-backed attacks are now the norm rather than the exception. According to Proofpoint’s 2022 Social Engineering Report, 98% of cyber attacks begin with social engineering, and over 70% of data breaches start with phishing or social engineering attacks.
Protecting against social engineering should be an important part of every organization’s third-party risk management strategy. Many organizations, however, struggle with tracking social engineering risks and educating employees about how to spot (and avoid) this type of risk. Let’s dig into social engineering, its use by threat actors, and the best tactics to prevent it.
What is Social Engineering?
ENISA, the EU’s cybersecurity agency, defines social engineering as all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons. Social engineering has taken many forms over the years, but every form manipulates human psychology and motivation. The feelings it most often exploits include:
- Trust: The threat actor impersonates or spoofs an organization the victim already knows, for example posing as a bank representative or a supplier’s accounts team.
- Greed: These attacks appeal to a victim’s desire for wealth and usually dangle a financial reward in exchange for information or an up-front payment.
- Fear or urgency: Fear-based attacks prey on the tendency to act rashly when scared or hurried (“your account will be suspended in 24 hours”). This also covers fear of missing out (FOMO).
Social engineering threat actors utilize various forms of tech (and sometimes no technology!) to carry out their attacks. Let’s look at examples of no-tech, low-tech, and high-tech methods used in social engineering and how they play out in real life and on the silver screen.
Method 1: No-Tech Social Engineering
Impersonation is when an individual uses knowledge of a brand, profession, or organization to pose as an authority figure and extract sensitive information or access from employees. It works both online and offline, and “no-tech” rarely means no preparation: in-person schemes are usually backed by thorough open-source research on the target, such as org charts, office locations, and which vendors the company works with.
A great example of this is Leonardo DiCaprio as Frank Abagnale in Catch Me If You Can. In the film (and allegedly in real life), Frank uses his charm and skills of persuasion to successfully impersonate a doctor and lawyer, cash fraudulent checks, and evade the FBI.
Method 2: Low-Tech Social Engineering
Low-tech social engineering uses tools that have been around for a while and don’t require a sophisticated technical background to operate, such as email or text messaging. A classic example is the Nigerian Prince scheme: threat actors send emails posing as a Nigerian prince, a Ukrainian businessman, or another wealthy individual from far away. The email asks for help moving a large sum of money or informs the recipient that a large sum is coming their way. A recipient who replies is asked for bank account details and, eventually, a series of “fees” to release funds that do not exist.
This type of social engineering is effective because it appeals to greed and usually creates a sense of urgency. It’s also much older than most people suspect. It descends from an even older scheme from the 1800s called the “Spanish Prisoner.” Fraudsters, claiming to write from a Spanish prison, used trade directories to mail hundreds of letters to Britain. The letters said an unfairly detained English officer needed a large sum of money for the care of his daughter. The victim would send a small amount for the (fictional) daughter’s travel expenses in exchange for a much larger reward later from the “English officer.”
Method 3: High-Tech Social Engineering
As technology advances, high-tech forms of social engineering are on the rise. High-tech social engineering means attacks that use the newest tools available to attackers; the current example is deepfake identities. Deepfakes use artificial intelligence/machine learning (AI/ML) to create realistic video, images, audio, and text of events that never happened.
Imagine joining a Zoom call with your third-party vendor contact, only to learn afterwards that your actual contact was never on the call. You may have unknowingly shared sensitive information about upcoming projects, data, and financial accounts with a threat actor. This kind of threat poses a significant risk to corporations, government agencies, and regulatory bodies alike.
Types of Social Engineering Attacks
While the technology, motivations, and even psychology shift in each attack, security specialists still find that most social engineering attacks today fall into a few common attack types.
Attack Type 1: Phishing
Phishing is widely considered the most common form of cybercrime. IT support services firm AAG reports that an estimated 3.4 billion phishing emails are sent every day. IBM defines phishing as fraudulent emails, text messages, phone calls, or websites that trick victims into sharing sensitive information, downloading malware, or taking any other action that exposes them or their organization to a cyber attack.
IBM’s 2022 Cost of a Data Breach Report also found that phishing was the second most common initial attack vector in breaches, behind only stolen or compromised credentials. Under the phishing umbrella there are subcategories, including spear phishing, social media phishing, and bulk email phishing. Bulk email phishing is the most common: a threat actor sends an email posing as a well-known business (like Amazon or Apple) claiming the victim’s account has been suspended or that a fraudulent order or charge was made. The goal is to send the victim to a fake login page and have them enter their real credentials. The tell is usually the destination: the link text looks legitimate, but the actual URL points to a domain the brand does not own.
Attack Type 2: Baiting
Remember that Nigerian Prince scheme? It’s actually a form of baiting. In baiting, the threat actor uses a false promise to trap the victim into sharing personal/financial information or exposing a system to malware. In addition to the scam emails that threat actors send, this type of social engineering appears in malware-infected game downloads (offered for “free” to the victim) and even physical USB drives infected with malware, conveniently left where a victim will find and use it.
Attack Type 3: Pretexting
In John Woo’s Mission: Impossible 2, super spy Ethan Hunt, played by Tom Cruise, dons a mask to double as a famous epidemiologist. Ethan kidnaps a greedy CEO, convinces him that he has a horrible disease, and promises the antidote – only if the CEO confesses to his incredible greed and gives Hunt the information he needs to take the main villain down. This scene, my friend, is pretexting.
Pretexting is where threat actors build a convincing story to obtain sensitive information or access to a system. While the film example is physical pretexting, the same thing happens online and over the phone, increasingly with sophisticated technology behind it. In 2019, for example, threat actors used AI-generated voice cloning to impersonate the chief executive of a U.K.-based energy firm’s German parent company on a phone call. The firm’s CEO believed he was speaking with his boss and approved a transfer of about €220,000 (roughly $243,000) to the attackers.
Other common types of social engineering attacks include quid pro quo, scareware, and watering hole attacks. It’s key to familiarize yourself and your organization with every kind of attack and the underlying technology to develop an effective security strategy.
How to Protect Against Social Engineering in Your Organization
Social engineering is prevalent, yet most organizations struggle to protect themselves against its various forms, especially where third-party vendors are involved. With a little research, a threat actor can learn which vendors you work with and use that knowledge to stage a convincing attack on your company: a phishing email that looks exactly like the invoices you receive from a supplier in your supply chain, sent from a look-alike domain or with the supplier’s name in the display name. So how can an organization protect itself and its employees? Here are a few considerations:
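The vendor-impersonation pattern described above, and the bulk credential phishing discussed under Attack Type 1, can be caught at the mail gateway with a few checks on the sender. The script below is an added example written for this article; it is not Black Kite’s code. The vendor allowlist, the confusable-character table, and the sample message headers are all constructed for illustration. It flags three things: an exact vendor domain in From: that the receiving server did not authenticate (dmarc=pass absent, so the header may be forged), a look-alike of a vendor domain (confusable characters such as “rn” for “m”, or a typo-squat within two edits), and display-name spoofing where the vendor’s name appears next to an unrelated address.

```python
"""Flag inbound mail whose sender impersonates a known supply-chain vendor.

Added example for this article, not Black Kite's code. The vendor list and
the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's allowlist of legitimate vendor sending domains.
KNOWN_VENDOR_DOMAINS = {"acme-logistics.com", "northwind-supply.com"}

# Character sequences that read like another letter in most email fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Collapse common look-alike substitutions so acrne-l0gistics.com reads as acme-logistics.com."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLE_PAIRS:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as acme-logistics.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (last two labels). Production code
    would consult the public suffix list to handle names like example.co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str, auth_results: str = "") -> dict:
    """Return a verdict ('vendor', 'suspicious' or 'unknown') with the reasons."""
    display, addr = parseaddr(from_header)
    domain = registrable(addr.rpartition("@")[2])
    display_l = display.lower()
    reasons = []

    if domain in KNOWN_VENDOR_DOMAINS:
        # An exact vendor domain is only trustworthy if the receiving MTA
        # recorded a DMARC pass; otherwise the From: header may be forged.
        if "dmarc=pass" not in auth_results.lower():
            reasons.append("exact vendor domain without dmarc=pass: From: may be spoofed")
        verdict = "suspicious" if reasons else "vendor"
        return {"address": addr, "domain": domain, "verdict": verdict, "reasons": reasons}

    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        name = vendor.split(".")[0]      # "acme-logistics"
        brand = name.split("-")[0]       # "acme"
        dist = edit_distance(domain, vendor)
        if normalize(domain) == normalize(vendor):
            reasons.append(f"confusable spelling of {vendor}")
        elif dist <= 2:
            reasons.append(f"{dist} edit(s) away from {vendor}")
        elif name in domain:
            reasons.append(f"embeds the vendor name from {vendor}")
        if brand in display_l:
            # Display-name spoofing: "Acme Logistics <someone@gmail.com>"
            reasons.append(f"display name invokes {vendor} but domain is {domain}")
    verdict = "suspicious" if reasons else "unknown"
    return {"address": addr, "domain": domain, "verdict": verdict, "reasons": reasons}


# Constructed sample headers, not real traffic.
SAMPLE_MESSAGES = [
    "From: Acme Logistics <billing@acme-logistics.com>\n"
    "Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Invoice 1042\n\n...",
    "From: Acme Logistics <billing@acme-logistics.com>\n"
    "Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail\n"
    "Subject: URGENT: updated bank details\n\n...",
    "From: Acme Logistics <billing@acrne-logistics.com>\n"
    "Subject: Invoice 1042 (corrected)\n\n...",
    "From: Acme Logistics Billing <acme.billing@gmail.com>\n"
    "Subject: Overdue invoice\n\n...",
    "From: Jane Doe <jane@partner-example.org>\n"
    "Subject: Lunch?\n\n...",
]


def scan(raw_messages):
    """Classify each raw RFC 5322 message and return the verdict records."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        results.append(classify_sender(msg.get("From", ""), msg.get("Authentication-Results", "")))
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_MESSAGES):
        print(f"{r['verdict']:<10} {r['address']:<35} {'; '.join(r['reasons'])}")
```

Run as a script, the five constructed messages come back as vendor, suspicious, suspicious, suspicious, unknown. The “unknown” verdict is deliberate: an address that matches no vendor and invokes no vendor name is not evidence of legitimacy, only the absence of this particular impersonation pattern, so it should fall through to the rest of the mail filtering stack rather than be trusted.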
Build Security Awareness
Since social engineering threat actors target human vulnerabilities, motivations, and psychological responses to trick their victims, education is the first (and best) defense. Everyone at your company must know the signs of a social engineering attack — including ways to identify phishing emails or spot a deepfake. Education can take the form of staff training, corporate campaigns, email reminders, presentations, and certifications.
If your organization doesn’t have a security specialist who can create and implement a security awareness program, you can also purchase one or use free resources. There are many reputable sources, like the Cybersecurity & Infrastructure Security Agency (CISA).
Implement a Zero Trust Framework
Adopting Zero Trust policies in your organization is crucial when dealing with social engineering. Zero Trust means no user, device, or application is trusted because of where it sits on the network: every request to company resources is authenticated and authorized, and access is limited to what that identity actually needs. On its own this does not stop an employee from being persuaded, so it has to be paired with controls that survive persuasion: phishing-resistant MFA (such as FIDO2 security keys or passkeys, which cannot be replayed on a fake login page), and out-of-band verification of any request that changes money or access, such as calling the requester back on a number you already have on file. The same applies to meetings: verify who is on an audio or video call through a second channel, or with a pre-agreed code word, before discussing anything sensitive. These measures make it far harder for a deepfake or a convincing impostor to extract information or approvals.
Consider Your (and Your Third-Party Vendors’) Ransomware Susceptibility
Building security awareness and implementing Zero Trust policies in your own organization is important, but what about your third-party vendors? We already know that cascading and concentration risk from third-party vendors can expose your organization to business disruption, but what does that have to do with social engineering?
If a vendor isn’t actively on the lookout for social engineering schemes and falls prey to an attack, your organization can be affected too. A threat actor who phishes a vendor employee can use that foothold to reach your data, or use the vendor’s compromised mailbox to send your staff mail that is genuinely from the vendor’s domain and therefore passes every authentication check.
To guard against this, you’ll want to evaluate your third-party vendors’ security posture. Black Kite’s Ransomware Susceptibility Index® evaluates an organization’s security posture using common indicators of ransomware susceptibility, including email security and phishing domains, which are common social engineering entryways.
Companies can use the Ransomware Susceptibility Index® to identify and avoid third-party vendors with weak security postures who are more likely to be successfully targeted by social engineering threat actors.
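Email security is one of the posture indicators mentioned above, and one part of it can be checked from public DNS alone: whether a domain publishes SPF and DMARC records that actually reject spoofed mail. The script below is an added example written for this article; it is not Black Kite’s code and does not reproduce the Ransomware Susceptibility Index® methodology. DNS answers are stubbed in a dictionary so it runs offline, and the vendor domains and records are constructed; with a real resolver (for instance dnspython’s `dns.resolver.resolve(name, "TXT")`) the same parsing and scoring would apply to live vendor domains.

```python
"""Score a vendor's email-security posture from its SPF and DMARC records.

Added example for this article, not Black Kite's code or its Ransomware
Susceptibility Index methodology. DNS answers are stubbed in a dict so the
script runs offline; the domains and records are constructed.
"""

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY = {"low": 0, "medium": 1, "high": 2}
LEVEL_NAME = {0: "low", 1: "medium", 2: "high"}


def parse_spf(txt_records):
    """Summarise the domain's SPF record: the 'all' policy and lookup count."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Zero records means unprotected; two or more is a permerror at receivers.
        return {"present": bool(spf), "valid": False, "all": None, "lookups": 0}
    all_policy, lookups = None, 0
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            all_policy = SPF_QUALIFIERS.get(t[0], "pass")  # bare "all" means "+all"
        elif t.split(":")[0].split("=")[0].lstrip("+-~?") in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"present": True, "valid": True, "all": all_policy, "lookups": lookups}


def parse_dmarc(txt_records):
    """Extract the DMARC tags that matter for spoofing resistance."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return {"present": False}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {
        "present": True,
        "policy": tags.get("p", "none").lower(),
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),
    }


def assess_email_posture(domain, dns):
    """dns maps a DNS name to its TXT strings (a stand-in for a live resolver)."""
    spf = parse_spf(dns.get(domain, []))
    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    findings = []  # (severity, message)

    if not spf["present"]:
        findings.append(("high", "no SPF record: any host can send as this domain"))
    elif not spf["valid"]:
        findings.append(("high", "multiple SPF records: receivers return permerror"))
    else:
        if spf["all"] in (None, "pass"):
            findings.append(("high", "SPF ends in +all or has no all term: authorises everyone"))
        elif spf["all"] in ("softfail", "neutral"):
            findings.append(("medium", f"SPF all qualifier is {spf['all']}: spoofs are only soft-flagged"))
        if spf["lookups"] > 10:
            findings.append(("high", "SPF exceeds 10 DNS lookups: evaluates to permerror"))

    if not dmarc["present"]:
        findings.append(("high", "no DMARC record: spoofed mail is neither blocked nor reported"))
    else:
        if dmarc["policy"] == "none":
            findings.append(("medium", "DMARC p=none: monitor only, spoofs are still delivered"))
        if dmarc["pct"] < 100:
            findings.append(("medium", f"DMARC pct={dmarc['pct']}: policy applied to a sample only"))
        if not dmarc["rua"]:
            findings.append(("low", "no rua= address: nobody receives aggregate reports"))

    worst = max((SEVERITY[s] for s, _ in findings), default=None)
    return {
        "domain": domain,
        "level": "none" if worst is None else LEVEL_NAME[worst],  # "none" = no findings
        "findings": [m for _, m in findings],
        "spf": spf,
        "dmarc": dmarc,
    }


# Constructed DNS data for three hypothetical vendors; not real domains.
SAMPLE_DNS = {
    "vendor-a.example": ["v=spf1 include:_spf.mailhost.example -all", "site-verification=abc123"],
    "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b.example": ["v=spf1 a mx ~all"],
    "_dmarc.vendor-b.example": ["v=DMARC1; p=none"],
    "vendor-c.example": ["v=spf1 +all"],
}

if __name__ == "__main__":
    for name in ("vendor-a.example", "vendor-b.example", "vendor-c.example"):
        report = assess_email_posture(name, SAMPLE_DNS)
        print(f"{name}: {report['level']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

In the constructed data, vendor-a enforces (hard-fail SPF, p=reject, reports enabled) and gets no findings; vendor-b publishes records but with ~all and p=none, which means a spoofed invoice from its domain is still delivered to you; vendor-c authorises the entire internet to send as it and has no DMARC at all. A vendor in the last two categories is exactly the one whose name an attacker will borrow for the supply-chain phishing described earlier.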
When It Comes to Social Engineering, It’s a Confidence Scheme
From our favorite plays, films, and TV shows, we’ve watched social engineering play out for hundreds of years as entertainment. It could be because it taps into our fears or gives us a false sense of confidence that we’d be smart enough to spot the scheme.
In the real world, however, the situation is quite serious. Social engineering will likely continue to plague individuals and organizations, growing in scale and sophistication as technology gives threat actors new and inventive ways to trick individuals.
Education, backed by verification procedures that don’t depend on any single employee’s judgment in the moment, is the best defense against the immediate and third-party risks of social engineering. When it comes to social engineering, it’s always best to stay informed and agile.