Table of Contents
What is Social Engineering?
Social engineering is the psychological manipulation of people in the hopes of gaining access to confidential information or systems. It is a form of confidence trick for the purpose of information gathering, fraud, or system access. The attacks used in social engineering can be used to steal employees' confidential information or data, and the most common type of social engineering happens over either phone or email. Other examples of social engineering attacks include criminals posing as service workers or technicians, so they go unnoticed when access the physical site of a business.
Social Engineering Principles
The main methods that cyber criminals use to perpetrate social engineering have existed for a long time. They are based on fundamental psychological principles about human behavior — attackers use these principles to gain access to sensitive data or information.
- Reciprocity: People tend to return a favor. For example, if an attacker is in some way generous or thoughtful, the victim may feel compelled to provide special access or otherwise bend critical rules.
- Commitment: When someone commits, either orally or in writing, to do something, they become more willing to honor their commitment because they then take it as a personal responsibility to fulfill. For example, on auction sites, people will get trapped into bidding higher than they may have initially intended because they wish to ‘win’ the item in question, regardless of how much the item is actually worth.
- Social proof: People will do things that they see other people are doing. For example, a software product endorsed by a celebrity will have a greater sense of value to people, regardless of its quality, because of the endorsement.
- Authority: People will tend to obey authority figures, even if they are asked to perform objectionable acts. In a social engineering attack, this may lead an employee of a targeted organization to provide information to a caller pretending to be a law enforcement official.
- Liking: People are easily persuaded by other people that they like. Simply being pleasant and friendly is often enough to allow special access to an attacker.
Main Forms of Social Engineering
Cybercriminals use social engineering to effectively administer a number of cyber attacks:
- Phishing: A technique of obtaining private information through manipulative means. Typically, the phisher will send an email that appears to come from a legitimate business requesting authentication of information and warning the victim of complications should it not be provided. That threat leads the victim to reveal sensitive information.
- Water holing: A targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe doing things they would not do in a different situation. The attacker then readies a trap for the victim at the trusted location.
- Quid pro quo: An attacker contacts random people at a company, claiming to be calling for a legitimate reason. This person will eventually find someone with a real problem, who is grateful for the proactive help. They will then attempt to get sensitive information from the victim while assisting with their problem.
Social Engineering Defenses
There are a number of defenses available to companies that will help protect against major social engineering attempts on their employees:
- Establishing a standard trust framework: Establishing a strong framework of trust on an employee/personnel level by training personnel on how sensitive information should be handled.
- Scrutinizing information: Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems.
- Following Security Protocols: Establishing security protocols, policies, and procedures for handling sensitive information. Training Employees: Training employees in security protocols relevant to their position.
- Periodic Testing: Developing a framework is important, but it is just as important that the employees are tested to make sure that they are absorbing the information. Running tests to see how employees react to controlled social engineering experiments can help adjust training and discussions in the right direction.