Social engineering, sometimes known as “human hacking,” is a method of manipulating people into giving out sensitive information. It is one of the most deceitful tactics used by hackers as it takes advantage of unwitting human errors.
Tricking employees is one of the easiest ways to reach into the deepest levels of an organization’s data and network. It takes just one human error to bypass the most sophisticated, state-of-the art technical countermeasures against breaches.
Social media deserves special mention for enabling these attacks, making it easy for malicious actors to gather information that helps them fool people.
Numbers Speak Louder Than Words
There are some truly alarming numbers that will help put things into perspective as far as social engineering attacks are concerned:
- The FBI’s Internet Crime Complaint Center (IC3) report from last year says that business email compromise (BEC) attacks constituted 21,489 complaints with adjusted losses of over $2.9 billion.
- 98% of cyber-attacks involve some form of social engineering.
- 79% of financial institutions said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks.
- The human element is involved in 3 out of 4 breaches.
- $17,700 is lost every minute due to a phishing attack.
These numbers shine a bright light on the need for employee cybersecurity awareness training, which helps imbed “cyber smart” thinking into a company’s culture. The training helps the organization but also the employee. Hackers are after their personal information, too, as we saw in the recent social security numbers breach.
Modus Operandi
Hackers often lay the plot for a social engineering attack in a very phased and calculated manner.
When attacking organizations, a technique known as “spear phishing” has proved to be the most successful. For a hacker, the size of the organization doesn’t matter. Hackers are looking for return on time spent. So, an organization that gives them the maximum return on time and effort is a good target.
When using spear phishing, hackers zero in on a specific individual at the organization, often someone with some degree of authority. They then begin to gather as much information as possible on that person from the Internet and social media.
With this done, hackers then think about the “pretext” – basically the story that they will spin to dupe unwitting victims. They reach out to these victims to try and gain their confidence, often making them believe that they are interacting with a trusted insider. Once the target is engaged, the attacker tries to gain sensitive information that can be used to gain access to the network to launch further attacks.
Oftentimes, the attacker maintains a foothold in the organization that goes undetected for days or months together before being exposed. In fact, research suggests that:
- Phishing breaches go undetected for 295 days.
- Breaches attributed to third-party software vulnerabilities and malicious insiders go undetected for 284 days.
- Breaches related to social engineering take 270 days to detect.
- Breaches related to cloud misconfigurations go unnoticed for 244 days.
Social Engineering Tactics
Hackers use different types of tactics when performing social engineering attacks. Some of these include:
Phishing
Phishing barely needs any introduction given its widespread use. But for the uninitiated, this is a method used by hackers to trick users into clicking on malicious links that take victims to fake websites that often closely resemble the real ones.
In a recent attack, phishers impersonated the United States Department of Labor with fake invites to bid on federal projects with the motive of stealing Office 365 credentials. The website even displayed an error message when the target attempted to enter credentials the first time, tricking them to enter their credentials twice and thus reducing the possibility of mistyped credentials. Finally, victims were taken to the actual Labor Department site, so as to not arouse any suspicions that something was amiss.
Spear Phishing
As discussed earlier, spear phishing targets a specific individual or organization. This type of attack relies on deep research about the victim. Outreach is crafted specifically to lure the victim into believing that they are communicating with a trusted source. The motive is to gain access to sensitive information such as account details or financial information.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a type of spear phishing attack in which an attacker researches an organization to identify people with financial access and authority. The hacker impersonates the target in emails that typically request money, such as a wire transfer. The most common BEC attacks involve “spoofed” email accounts where the hacker creates an email that looks similar or identical to one belonging to a company executive or financial official.
Pretexting
Pretexting is a type of attack that can happen over the phone, in person, or online. The idea is to convince the target to believe a made-up story – such as a hacker pretending to be an IT employee or help desk employee investigating a problem. The goal is to gather information from the victim that reveals internal information that can be leveraged to mount attacks.
Baiting
Baiting, as the name suggests, is an attack where the attacker uses bait such as a USB pen drive lying in the lobby area to entice victims into picking it up and using it on their system. Once that happens, malware on the drive installs itself on the system and steals information from it continuously in the background. Baiting doesn’t necessarily need to involve a physical device. It can also be done through online advertisements, enticing the victim with lucrative offers such as free downloads, discounts, and other such freebies.
Scareware
Scareware scares victims with false alarms such as popups or messages saying that their system is infected with malware and asking the victim to install a rogue application to clean it. Once the victim installs the rogue application, they end up installing malware onto their device that then steals sensitive information. Sometimes scareware is used to sell fake software wherein the scammers make money by selling a software program that does pretty much, nothing.
Physical Social Engineering
Physical Social Engineering methods are used by hackers who take things a step further by physically showing up on an organization’s premises themselves to steal sensitive assets. The hacker could pretend to be a visitor at the organization, someone from maintenance, a third-party vendor, or a delivery person. Or they might try something as simple as tailgating - following (piggybacking) behind an authorized employee who just opened a secure door with their ID card.
The main motive here is to steal information on the premises such as unattended drives on the desk, documents in the trash bin or desk, and so on.
Vishing
Vishing, or voice phishing, is a method in which attackers use phone calls to trick victims. Such calls can be from humans, or they could even be recorded calls depending upon the plot. Scammers pose as bank employees, IT support personnel, or an important institution to lure victims into giving out sensitive details that can be used for identity theft, account takeovers, or financial fraud.
Enter Social Engineering Penetration Testing
Cybersecurity training is a major countermeasure to keep employees from making these mistakes. Employees must be up to date on the latest ways hackers can trick them. But different employees need to be trained differently.
That’s where social engineering penetration tests come in very handy.
The idea is to perform the same kinds of social engineering attacks that a real-world hacker would on company employees. Social engineering penetration tests help organizations identify exactly what each employee’s weaknesses are in terms of cybersecurity awareness. Once this is known, the organization can train employees on their specific weaknesses.
For instance, if a certain employee falls too often for phishing links, then phishing-specific training that helps identify malicious links and advises caution against them is ideal.
An employee who unwittingly lets a stranger into a secure area would receive physical security training.
Customizing the training to specifically address an employee’s weak areas ensures they brush up in areas where they are faltering.
Social engineering penetration tests play a vital role in giving organizations a real picture of the cyber awareness of their employees. It also helps showcase to stakeholders and regulators the proactive approach the organization is taking in fending off cyberattacks.
History has shown that organizations with even the best technological capabilities have fallen victim to hacker attackers owing to human weaknesses. Social engineering penetration tests are a great way to test human defenses and fight back.
Remember: The more regularly employees undergo social engineering penetration tests, the more alert they become.
In the end, your organization will be able to implement a strong cybersecurity program that covers a full 360-degree range of technology, people, and processes.
Social Engineering Penetration Testing with ERMProtect
No matter how much an organization improves its technical defenses, employees can fall victim to phishing attacks and other hacker lures. ERMProtect™ arms employees with the tools and security awareness they need to protect themselves and their organizations from cyberattacks. Learn more about ERMProtect's Security Awareness Training here.
For more information about ERMProtect’s social engineering penetration testing services, please email [email protected] or call 305-447-6750.
A Comprehensive Guide to Penetration Testing – Types, Methods, Benefits and Best Practices
GDPR Compliance Checklist: A Guide for U.S. Companies