Social engineering is an attempt by attackers to fool or manipulate others into surrendering access details, credentials, banking information, or other sensitive data. Once access is gained, the goal is usually financial gain.
Recently, for example, Twitter was subject to a high-profile social engineering attack. Attackers manipulated several Twitter employees to gain access to the platform's admin accounts. Once they had that access, they used the admin privileges to post a tweet reading “All Bitcoin sent to our address below will be sent back to you doubled!” They posted it on a number of celebrity and company profiles, including Apple, Bill Gates, Elon Musk and Joe Biden.
Twitter shut the attack down quickly but not before the attackers got away with an estimated $120,000 USD worth of Bitcoin.
Social engineering is a creative strategy for attackers to exploit human emotion and ego, generally for a financial reward. It often forms part of other strategies as well, such as ransomware.
In this article, we take a look at some of the more common forms and tactics of social engineering and explore how an organization can protect itself from such an attack.
What are the stages of a social engineering attack?
In general, social engineering attacks are implemented in three stages.
Research. Attackers perform research to identify potential targets and to determine which strategies might work best against those particular targets. Attackers will likely collect data from company websites, LinkedIn and other social media profiles, and potentially even in person.
Planning. Once the attackers know who they will be targeting and have an idea of the target's potential weaknesses, they have to put together a strategy that is likely to work. The attacker needs to design the strategy and the specific messages they will use to exploit the target's individual weaknesses. Sometimes discussions surrounding such plans can be found on darknet forums.
Implementation. The first stage of executing the prepared strategy is often sending messages through email, social media messaging or some other messaging platform. Depending on the approach, the entire process could be automated, targeting a broad number of individuals, or it might be more personal, with the attacker interacting directly with their victim. Generally, they are aiming to gain access to private accounts, uncover banking or credit card details, or install malware.
6 of the Most Common Social Engineering Attack Strategies
1. Phishing and Spear Phishing.
Phishing messages are designed to get a victim's attention with an alarming or curious message. They work on emotional triggers and often masquerade as well-known brands, making it seem as though the messages come from a legitimate source.
Most phishing messages have a sense of urgency about them, causing the victim to believe that something negative will happen if they don't surrender their details. For example, the message might pose as a fraud notice from a banking institution, asking the victim to log into their account immediately; however, the email actually links to a fake login page.
Spear phishing is similar but with a more targeted individualistic approach.
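As an added example (not part of the original article), the following triage heuristic flags the two phishing traits described above: urgency wording and a link whose displayed text names the bank while its href goes elsewhere. The sender address, bank domain and email body are constructed sample values; the phrase list is an assumption and not exhaustive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency phrases of the kind the article describes (constructed list, not exhaustive).
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "verify now")
# Anchor text that itself looks like a URL or hostname, e.g. "www.examplebank.com/login".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _same_org(host, domain):  # exact match or a true subdomain, so "notbank.com" != "bank.com"
    return host == domain or host.endswith("." + domain)

def phishing_indicators(sender, html_body):
    """Return indicator tags for one email; a triage aid, not a verdict."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    found = [f"urgency:{p}" for p in URGENCY_PHRASES if p in html_body.lower()]
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host, text_host = _host(href), ""
        if URL_LIKE.match(text):  # the displayed text claims a destination
            text_host = _host(text if text.lower().startswith("http") else "https://" + text)
        if text_host and href_host and not _same_org(href_host, text_host):
            found.append(f"link-mismatch:{text_host}->{href_host}")
        if href_host and not _same_org(href_host, sender_domain):
            found.append(f"offsite-link:{href_host}")
    return found

# Constructed sample modelled on the fake fraud notice described above.
SAMPLE_SENDER = "alerts@examplebank.com"
SAMPLE_BODY = ('<p>Fraud notice: log in immediately or your account will be suspended.</p>'
               '<a href="https://examplebank.com.login-verify.example/auth">www.examplebank.com/login</a>')
```

Because the From address is easily spoofed, the offsite-link check should be read alongside SPF/DKIM results rather than as proof of legitimacy on its own.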
2. Baiting.
A baiting attack generally pretends to offer something that the victim would find useful, for example, a software update. However, instead of a useful update or new software, it is, in fact, a malicious file or malware.
3. Scareware.
Playing on the target's fear, this approach seeks to persuade the target that malware is already installed on their computer, or that the attacker already has access to their email account. The attack then persuades the target to pay a fee to remove the malware.
4. Pretexting.
In a pretexting attack the attacker creates a fake identity and uses it to manipulate victims into providing private information. For example, the attacker might pretend to be part of a third-party IT service provider. They would then ask for the user's account details and password in order to assist them with a problem.
5. Quid Pro Quo.
Similar to baiting, a quid pro quo attack promises to perform an action that will benefit the target. For example, an attacker might call an individual in a company who has a technical support inquiry and then pretend to help them. However, instead of actually helping, they get the individual to compromise the security of their own device.
6. Tailgating.
Tailgating is a physical type of social engineering. It enables criminals to gain physical access to a building or secure area. For example, the criminal follows behind someone who is authorized to access an area and, assuming an air of innocence, simply asks the person ahead to hold the door for them.
How to Prevent Social Engineering
One of the key reasons social engineering is so difficult to protect against is the variety of ways it can be implemented. Attackers can be incredibly creative, and this can make it very hard to spot a social engineering attack. Additionally, security professionals have to contend with skilful manipulation of the human ego.
Social engineering attacks exploit human behaviour. They target people's fears or concerns, often with messaging that centres on urgency, attempting to get victims to act immediately, before they realise they are part of a social engineering attack. Key to prevention, then, is remaining suspicious of emails, voicemails, or instant messages through platforms such as Facebook.
Additionally, security teams need to stay ahead of the attackers. They need to be aware of each variation of a particular social engineering attack. Using OSINT tools, for example, they can learn about the messaging and strategies currently in use, as well as potential exploits, allowing them to take action to mitigate evolving and emerging threats.
Increased awareness and vigilance, though, is only the first step. These attacks are common because they are effective, and they are effective because they take advantage of inherently human traits. Changing this human behaviour doesn't happen overnight. An internal education strategy needs to be put in place to regularly inform and teach employees about current social engineering strategies, in an effort to reduce the potential for any employee to fall prey to one. In these ways, security professionals can mitigate the risks that surround social engineering attacks.