What is Social Engineering?

Social Engineering is a form of security fraud that relies on psychological manipulation techniques to trick people into revealing sensitive information.

This is often carried out online using a variety of social engineering techniques; one of the more commonly referred to social engineering attacks are phishing attacks (including, vishing, smishing, spear phishing and whale phishing).  Unlike most forms of online fraud which exploit software vulnerabilities, social engineering has a human element making these attacks harder to identify than typical technology-based intrusions.

Relying on human error

The reliance on human error makes social engineering attacks particularly dangerous. Humans are social beings and are therefore evolutionarily inclined to want to be accepted by others in their social group. For this reason, many humans have a natural tendency to want to be liked by others, want to be helpful to other members of their social group, and tend to follow the lead of those they perceive to be authoritative figures. Social engineering techniques take advantage of these natural human traits, which is why social engineering works so effectively. 

The Social Engineering Lifecycle

Attackers usually follow a series of steps before an act of social engineering fraud takes place. This is usually referred to as ‘The Social Engineering Lifecycle’ – and consists of the following steps:

• Investigation
• Hook
• Play
• Exit

Investigation

The first step in a social engineering attack is to gather background information on the victim or victims intended for target. Usually this includes the victim(s) place of work, the names of their colleagues, the hierarchy of management within the company and who they report to etc. They will then use this information to select a method of attack – for example, a spear phishing attack.

Hook

The following step involves deceiving the chosen victim(s) and setting the social engineering attack in place. If we continue with the above example of a spear phishing attack, this might involve spoofing the email address of the victim(s) boss, CEO, or member of the HR team asking for sensitive company information, personal credentials, or the transfer of funds with an element of urgency or immediacy. Due to the extensive research carried out in the first step, the attackers can create extremely accurate or legitimate looking emails – and can even make it look as if it has come directly from the impersonated member of staff.

Play

Humans being social by nature comes into play during this phase of the lifecycle. Wanting to remain in the ‘good books’ of the company, the victim(s) are usually quick to respond to this request by an individual perceived to be an authoritative figure in the company. Once the victim(s) comply with the attacker’s request, the attacker will gain access to the sensitive information they were searching for.

Exit

Once the attacker has access to the required information, they usually begin to cover their tracks so they can disappear with the information they need before the company, or the victim(s) realize anything is amiss.

How does social engineering enable bot attacks?

While social engineering techniques are often thought to be more time-consuming than those that exploit software vulnerabilities, the evolution of sophisticated bots is allowing attackers to carry out social engineering attacks much faster. Not only are attackers now easily able to automate phishing attacks by sending hundreds of phishing emails to multiple email addresses much quicker than a human could, but bots are now sophisticated enough to pose as human beings. In addition to this, more bots are being developed to aid with the investigation and reconnaissance phase of the Social Engineering Lifecycle; scraper bots search social media platforms – such as Facebook or LinkedIn – and obtain the personal information from profiles associated with certain organizations. As bots continue to evolve less human time and resources are required to carry out social engineering attacks – for this reason they continue to grow in scalability and popularity.

A short introduction to the more common social engineering techniques

Keep an eye out for the next blog in this series, where we will be delving deeper into the more sophisticated social engineering methods, that incorporate a variety of the above techniques.

The importance of ‘spoofing’ in social engineering

In the context of social engineering, spoofing is the ability to make a communication from an unknown source appear as if it is from a known or trusted one. Spoofing can apply to:

• Emails
• Phone calls
• Text messages
• Websites
• IP addresses

Spoofing is an important aspect of many vishing, smishing or phishing attacks, with spoofed email addresses, phone calls, or text messages often used in advanced social engineering attacks. It does not require a lot of technical knowledge to apply spoofing to these communication methods, and tools to easily spoof phone calls or email addresses can be purchased online. Although spoofed email addresses or phone numbers aren’t essential for social engineering, the most successful social engineering attacks do apply these methods.

Below are examples of social engineering techniques that use a mixture of social engineering tactics, some of which include spoofing.

Advanced social engineering attacks

The crying baby method

The ‘crying baby’ is often carried out as a spear vishing method – meaning that it is highly targeted at pre-selected individuals, sometimes within a company or organisation, and it is carried out as a phone call. The attacker will call the targeted victim and introduce themself – often giving a fake name or impersonating someone from the company they work for. Whilst they make their introduction they play the sound of a crying baby in the background – they will often apologise for the baby making noise, frequently shush or attempt to soothe the baby, and will appear to be in distress.

Just two years ago it would have been uncommon for a colleague to be watching a child while working or while in the office – however the amount of people working remotely has increased significantly since the start of the covid-19 pandemic, and it is no longer unheard of for people to juggle parenting and working simultaneously. If the victim falls for the attacker’s impersonation – which could be likely if they have used the name of someone within the organisation and spoofed their phone number  – the natural human instinct of wanting to help their distressed colleague will be triggered, and the victim is more likely to comply with the attacker’s request. The attacker is then able to request access to sensitive documents, login credentials, or request a transfer of funds.

Companion calls

Companion calls are another method of spear vishing. Usually, the attacker will begin by calling the targeted victim and introducing themselves and where they are calling from, which is often a charity or non-profit organisation. The organisation and name they provide could be fake, but the more advanced social engineering attacks will either impersonate a real individual from a known charity or will ensure they have set up a legitimate looking website or LinkedIn profile for the false information

The initial call made to the victim is done to build rapport rather than asking for money or sensitive information; instead, they might ask the victim to take part in a short survey, for example during the holiday season they might ask “What is on your Christmas wish list this year?”. The call is intended to be non-threatening and is designed to not provoke any suspicion. Any questions asked by the attacker during this call are usually associated with information people would happily share in small talk with strangers.

The second (or “companion”) call usually comes a couple of weeks later. The attacker will introduce their alias again and will mention that they spoke to the victim on a previous call. The victim will usually remember this, and due to the initial rapport building call, they will feel an element of trust or recognition towards the attacker and will view them as an acquaintance rather than a stranger. It is during this call that the attacker will set the trap to acquire the information they are after; they may ask the victim to visit a malicious website where they can then install malware or gather company login credentials or ask the victim to donate money to their fake charity. In this situation the victim is much more likely to comply with the request due to the initial rapport building call.

The birthday coffee method

The birthday coffee method is a simple but effective spear phishing attack. The attacker will start their investigation by quickly gathering the names and birthdays of people within a company or organisation, which is usually openly shared on social media profiles. They will then send out phishing emails to those within the organisation who have had a birthday recently, or those who have a birthday coming up, often spoofed to look like the email has come from the company’s HR or wellbeing team. The phishing emails will contain a message congratulating the victim on their recent birthday and will include a link which invites the victim to click and claim their ‘free birthday coffee’ as a birthday gift from the company. By simply clicking the link the victim may have unintentionally given the attacker access to their computer or have installed malware onto the system. The link could also potentially take the victim to a website spoofed to look like an employee portal where they are asked to provide their login credentials, which will then be harvested by the attacker.

The most sophisticated social engineering attacks are usually a cleverly combined mixture of several types of attack. The above examples of social engineering techniques demonstrate this and highlights the importance of promoting awareness of such threats within your company or organisation. The third and final part of this series will focus on how to prevent social engineering, and how to protect yourself, your employees and your company from social engineering attacks.

What is a social engineering attack?

A social engineering attack happens when an attacker is able to trick victims into revealing sensitive information by posing as a trustworthy individual or company. Common forms of social engineering attacks include phishing and CEO fraud. Identity theft and stealing sensitive information are common motivations for those behind social engineering attacks.

How can you protect yourself from social engineering?

By familiarizing yourself with the signs of a social engineering attack and learning how to react, you can help to protect yourself from becoming a victim of these perpetrators. Common signs that you may be being targeted by social engineering attackers include:

• Receiving suspicious emails or phone calls out of the blue, especially claiming to be from companies who would not generally contact you this way – for example, most banks will never contact you and ask for information over the phone or via email.
• The sender/caller requesting information that a legitimate source would never generally need, such as your Social Security/National Insurance number or passwords of any kind.
• Social engineering attackers offer very little context behind their requests and will often ask for PIN codes, passwords and such without explaining why.
• A company has emailed you offering a prize or a deal that sounds too good to be true.

To protect yourself from social engineering attacks, you should avoid ever clicking links within emails unless you are absolutely sure the source is legitimate, never give out sensitive information or passwords over the phone and always trust your gut. If an interaction over email or via phone feels suspicious, chances are that it is.