Today’s organizations face numerous cybersecurity challenges, and one of the most insidious threats is social engineering. Cybersecurity is often associated with technical vulnerabilities and sophisticated defenses; however, social engineering leverages human reactions and psychology to gather information and perform attacks. This article aims to shed light on the key principles and techniques used by social engineers so your organization can safeguard its valuable assets.
Key Principles with Social Engineering
There are a range of principles leveraged to successfully socially engineer an individual, and they are commonly referred as Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, and Urgency.
- Authority: Relies on people listening to an individual who they perceive to be in charge or in a position of power. A social engineer using this principle may claim to be a supervisor, a government official, or some other person who would have authority in the current situation, regardless of whether they actually do.
- Intimidation: Relies on scaring an individual into taking the desired action of the social engineer.
- Consensus: Relies on the fact that most people want to do what others around them are doing, persuading them to act. A social engineer using this principle may create a fake online review profile with numerous positive reviews for their product or service, manipulating potential customers into trusting their business.
- Scarcity: Aims to exploit the perception of limited resources or opportunities to make it look more desirable.
- Familiarity: Relies on your positive feelings towards the social engineer or the organization they claim to represent.
- Trust: Relies on a connection with the targeted individual. Unlike familiarity, a social engineer using the trust principle will work to build a connection with their targets.
- Urgency: Relies on creating a feeling of time-sensitive pressure to prompt individuals into making hasty decisions.
Many, if not most, social engineering efforts will combine multiple principles into a single attack. Here is an example of a scenario that uses more than one key principle: An individual calls claiming to be a government official employing an intimidating tone (authority and intimidation), and then asserts that the individual’s taxes are overdue, and legal action will be taken against them if immediate payment is not made through a specific payment method provided in the call (urgency and intimidation), coercing the person to comply with the demands out of fear and respect for apparent authority.
Remembering these key principles could save you from making a false payment in this scenario. A key part of social engineering is understanding how humans react, and how stress or pressure can be leveraged to meet a desired action.
Technical & Nontechnical Social Engineering Techniques
There is more to social engineering than solely the range of principles discussed above, which include technical and nontechnical attacks that are used to leverage these key principles. It is important to note that each technique has its own distinct set of social engineering tactics and impacts that help make it unique.
- Technical Techniques
- Phishing is a broad term that describes the fraudulent collection of information, often focused on usernames, passwords, credit card numbers, and related sensitive information. While email is one of the most common avenues for phishing, other methods include smishing (phishing via SMS), vishing (voice over IP phishing), spear phishing (targeted phishing), and whaling (senior employee phishing).
- One of the best ways to defend against phishing is through employee awareness. A phishing attack can occur on anyone at an organization, so it is crucial that all employees are taught how to recognize and respond to phishing attacks.
- A social engineer can also leverage website attacks to redirect traffic away from a legitimate website to a malicious one. This is referred to as pharming and targets DNS entries. Another common website attack, referred to as typosquating, relies on the user misspelling a URL to end up at a similarly named malicious site. For example, a social engineer may deploy a website named googl.com or gooogle.com.
- Nontechnical Techniques
- Tailgating is a physical entry attack that relies on simply following someone into a building or restricted area after they have opened a door. In some cases, employees may even hold the door open for the individual walking behind them. Much like phishing, tailgating is best prevented through awareness and requiring each employee to use their own badge/credentials to access a facility.
- Shoulder surfing is the process of ‘looking over a person’s shoulder’ to view/capture credentials being entered. It is important to note that although shoulder surfing implies peering over someone’s shoulder, it can also be done by looking in mirrors or looking through windows. Encouraging employees to be aware of their surroundings or deploying privacy screens can help prevent this technique.
Social Engineering Training & Cybersecurity
Social engineering is a difficult cybersecurity threat to protect against as it targets individual reasoning. If employees are not receiving periodic social engineering training on the different forms of principles, tactics, and techniques, they may fall victim to an attack that could have negative repercussions for their organization.
Comprehensive social engineering awareness training should encompass educating employees on prevalent social engineering tactics and equipping them with the necessary tools and knowledge to identify threats and proactively avert potential risks.
At FoxPointe Solutions, our team of experts can review your existing plans, assist you in drafting a new one, and facilitate a tabletop test for you. Contact us today!