In this video from TrainSignal’s CompTIA Security+ Training, you will get familiar with the basics of social engineering and the most commonly used social engineering techniques. You will also learn how you can best safeguard your organization from these types of attacks.
(Instructional video below provides a walkthrough of the steps contained in this article.)
Social Engineering: Overview
Because social engineers largely build on the gullibility, enthusiasm, and in general, the desire of most individuals to please, it’s very hard to defend against a social engineering attack. In most cases, the victims, i.e. company employees and even executives, don’t even realize that they’ve been duped.
Those who utilize social engineering in attacking a company have similar objectives as that of any other type of fraudster: to gain access to the company’s money, sensitive information, and/or IT resources. Or, they may simply be motivated by curiosity or the desire to sabotage.
A social engineer may therefore be anyone who has something to gain from getting hold of important data – counterfeiters, hackers, competitors,or even an ex-employee who has an axe to grind against the company. For these people, social engineering strategies may yet provide the perfect recipe for them to wreak havoc.
It is thus imperative for company employees to be aware of the various social engineering techniques employed by fraudulent individuals and how they should react accordingly when faced with these types of scenarios.
So let’s get on with the all-important question – just what is social engineering?
What is Social Engineering?
Social engineering is defined as the art of manipulating people into divulging confidential information or performing certain actions that could lead to the disclosure of or access to the sensitive information. Rather than using conventional hacking techniques to break into a system, a social engineer makes use of psychological trickery on legitimate users to obtain the data he needs to gain access to the system.
Social engineering is basically a con game where the attacker resorts to all kinds of strategies to get the person – an authorized employee, for instance – to trust him. Once this person’s defenses are lowered, it’s easy enough for the fraudster to get the information he wants. In doing this, he can use both technical or non-technical methods.
Companies spend huge sums on technical controls such as authentication systems and intrusion prevention systems but the truth is, all this would be for naught if users will bypass these controls and hand over the crucial information to attackers.
If you therefore think about it, security all boils down to trust. Organizations rely on their protection and authenticity systems to keep intruders away, but they often fail to take into account a person’s tendency to easily trust. This is why the human willingness to accept another person at his word is considered by experts as the weakest link in the security chain.
There are many reasons why social engineering works.
On top of the list is fear – fear of authority, of doing something wrong, or of making someone angry. Some give in out of plain laziness or complacency. Then there are those who are motivated by the desire to obtain rewards or money that attackers may promise. Others simply want to be of help especially when being helpful is the nature of their job as with receptionists or help desk employees, and some just easily fall for flattery and distraction.
But the one crucial factor that really makes social engineering work, encompassing all of the other reasons given, is the lack of awareness.
This is why the need for awareness and education can never be overemphasized. An uninformed employee is the most vulnerable to a social engineering attack. Not only do you need to teach about social engineering, you also have to teach them to be less nice.
A company’s awareness and education program should therefore include clear policies and procedures on social engineering. For instance, employees should be aware of the steps that are to be taken in determining whether visitors in the company premises are indeed authorized. Social engineering mitigation need to be written into job descriptions and included in the company’s quarterly goals and objectives.
In addition, companies are also advised to have mandatory training on social engineering and a routine for continued training and reminders. After all, the social engineering strategies currently being utilized may be tweaked from time to time, thus, awareness programs have to be kept fresh and up-to-date.
Social engineering awareness programs should also be part of new hire training, and prominently featured in monthly newsletters and on posters and fliers in the office.
One last tip: make it safe for employees to report if they have been duped. You’d want to know of a social engineering attack sooner rather than later.
Now let’s proceed with the different types of social engineering.
Impersonation can only be pulled off successfully by an attacker with some pretexting. This means creating an invented scenario that carries a sense of urgency to pressure the victim into doing something he will not do or revealing information he will not divulge under normal circumstances.
Impersonation can be done over the phone where the attacker can pretend to be:
- A fellow employee or boss needing immediate information;
- An authority figure (like a fire marshal or building inspector) requesting for entry into the building;
- A survey taker asking about the operating systems or computer software the company is using, and even
- A potential customer purportedly getting to know the company first before doing business with them.
With any of these impersonators, the tone used could either be extremely nice and polite, or very urgent and in desperate need of information.
To counter against these methods, employee training should include a clear definition of what type of information should never be told over the phone. Equally important, a help desk personnel should also require proper identification before accommodating a request for password reset.
Impersonation can also be done in person where the attacker poses as an employee, a maintenance person, or a delivery guy. Employees should be trained to verify if any of these outsiders have in fact been requested for by authorized personnel and are allowed to enter. And even if their identities are properly verified, non-employees should still be escorted when inside the building.
One last note on impersonation: whether on the phone or in person, one of the most successful social engineering techniques is impersonating a technical expert. This is something that both staff members and executives should be warned about.
Tailgating is when a person passes through a security checkpoint without using his own credentials. The attacker enters a restricted area by simply walking behind a person with legitimate access.
You’ve probably seen this happen in apartment buildings where a tenant uses his key or swipe card to gain entry, while someone else considerately holds the door open and follows inside. More often than not, the tenant would be too polite to ask whether that person is a resident too or has a legitimate reason for being there. The two can even exchange smiles or pleasantries, but the truth is, that stranger could be somebody who intends to harm.
The same thing is only too common in the workplace as well. No matter how sophisticated or state-of-the-art your security system is, it is completely useless if someone can just tailgate his way through it.
Now the term piggybacking is one that’s closely related to tailgating, though not used as often. Piggybacking is commonly used to denote entry ‘with consent’ as in the illustration given earlier where the interaction between the resident and stranger is marked with smiles, pleasantries, and/or door-holding. By not saying no outright, the authorized person is giving his implied consent.
In comparison, tailgating in that context would mean a ‘without consent’ scenario such as when the intruder sneaks in with a group of people unnoticed.
For purposes of this discussion however, we would be using the term ‘tailgating’ to refer to a situation where an attacker goes past a card reader or any security checkpoint along with an authorized user, with or without consent.
We’ve already mentioned common tailgating methods like when the attacker confidently follows a person who has just legitimately swiped his way in, and blending in with a large crowd. Other concrete examples of tailgating include:
- Having hands full so that an authorized user will graciously hold the door open earning him (the attacker) a free pass;
- Convincing an authorized user that he is an authorized person as well but forgot or lost his ID.
The risks of tailgating can be mitigated when the company puts in place an ironclad policy to have each and every employee authenticate, i.e. swipe their card, at all times. If someone forgets his card, specific procedures should be followed like reporting to the security office and getting a temporary card for the day.
Conspicuous signs and posters on the door or entrance of the building would serve as constant reminders for employees, keeping them on their toes against potential tailgaters.
Dumpster diving is the act of going through the trash or recycling bin by an unauthorized individual to gain information. Dumpster divers are on the lookout for improperly discarded papers, data, or devices.
Dumpster diving is often used as a precursor to impersonation and other social engineering techniques. This means the data that the attacker gleans from this activity would come in handy on sizing up his would-be victims or creating a scenario that can get people to divulge information.
For example, to impersonate an employee, an attacker would need to know more about the company’s lingo, department structure, phone numbers, and any other useful bits of information. By knowing these details, the attacker would know who to impersonate, use the right words, and ask the right questions. In other words, having the right information would make him sound like an ‘insider’.
Security leaks in the trash may also include: organizational charts, memos, corporate policy manuals, calendars of meetings, important company affairs, and staff vacations, software manuals, hard copies of login names and passwords, discarded hard disks, company letterhead and envelopes, and unused hardware.
To prevent against dumpster diving, organizations should have a proper disposal policy for paper, data, and devices. There are third-party disposal companies available who can readily dispose or recycle trash in a secure manner.
As a side note, be aware that dumpster divers on private property are subject to trespassing laws, although there are no clear cut laws for individuals going through other people’s trash. Still, if an employee does manage to catch a dumspter diver red-handed, it would be best to call the police even if no formal charges can be filed.
To reiterate, social engineering attacks via dumpster diving can be avoided if employees are alert and mindful of people loitering around or digging through trash bins. More importantly, employees should be trained to follow established policies on paper shredding and media/equipment disposal.
Shoulder surfing is gathering unauthorized information by means of direct observation methods. The attacker, often a real or impersonated delivery, cleaning, or maintenance person, observes over the employee’s shoulder when he (employee) is typing in passwords or working with confidential information.
What could even be more potentially dangerous for the company is when the one who engineers the attack is a malicious insider. For this shoulder surfing employee, getting valuable information is easier because he can loiter around and observe as much as he wants. Other employees will likely think nothing of his presence (even when he’s in an area where he isn’t supposed to be) because of the level of trust they have by virtue of his being a co-worker.
Using shoulder surfing, an attacker can obtain the following information: passwords, PIN, credit card numbers, or any other important data.
For a shoulder surfing technique to work, the attacker must have physical access to the targeted employee or area, and ideally for them, unaccompanied physical access.
There are two other related strategies that fall under shoulder surfing – eavesdropping and snooping.
Eavesdropping is listening in on a conversation to get information; it’s pretty much like shoulder surfing with one’s ears. On the other hand, snooping is rifling through files and papers to gain information. In searching for tidbits of information, a snooper would likely check under your keyboard first or look through other places where users normally “hide” their passwords.
The chances of an attacker shoulder surfing and eavesdropping can be significantly reduced if employees are trained to be aware of their surroundings at all times. And to prevent snooping, employees should be required to have a clean desk at all times. Further, guests should always be accompanied when inside company property.
The term phishing is generally used to describe a method of acquiring personal information by posing as a trustworthy person like an IT administrator, or a trustworthy company such as online payment processor, credit card company, or online banking institution.
The phishing technique is usually done using a generic email sent out to thousands of email addresses. If you happen to be one of the recipients, a phishing email will require you to respond by performing any of the following actions:
- Directly replying to the sender with your personal information;
- Clicking on a link that will take you to a fake website where you are supposed to enter your personal information; or
- Calling the “customer service” representative on the phone to whom you will give your personal information.
Fraudsters are able to pull off a phishing attack if they can convince the email recipients/users that they are indeed a legitimate entity. In practically all cases, the fake website where the user is taken to, looks and feels like the real thing. Using logos and color schemes that come as close as possible to the real site, the attackers not only make it appear like the emails come from the company, they also manage to take advantage of the trust that consumers have of these reputable companies.
True, you may be wary of receiving some random email asking for your Social Security Number from a company that you don’t do business with. However, you will be more likely to respond if the communication were to come from your bank informing you of an important concern regarding your account.
Like most other social engineering tactics, a phishing attack creates a scenario of urgency and fear to trick victims into divulging information. Phishers even take it a step further by actually talking about security risks to add even more pressure to the user to act immediately.
Spam filters will come in handy for warding off phishing schemes. But a user’s best practice is still to refrain from giving any personal information such as Social Security Number, Driver’s License, account numbers, and other pertinent data to just any email sender.
At the very least, users should first verify if the email isn’t a scam before following any instructions. Users should also be trained to not click on links given in any unverified email. The bottom line really is, no personal information should be asked or given through email.
When in doubt, doing a Google search helps. Most phishing scams are likely to have been around for some time already and some victims would have reported of these attacks.
There are also sub-types to the phishing strategy. These are Vishing, Spear Phishing, and Whaling.
Vishing is actually phishing using VoIP (Voice over IP) This method takes advantage of the public’s trust in the telephone service. VoIP hackers manipuate the caller ID system to make it appear that the call comes from somewhere it actually didn’t. This makes it very difficult to trace a vishing call.
A common vishing tactic used by fraudsters is leaving a recorded message purportedly from a credit card company, informing the user of a problem with his card. The message often ends with the urgent request that the user call a given “customer service” number immediately to have the issue settled. When the user makes the return call, he is then asked of his credit card number. Of course, this means that the user has just given his card number not to a bank representative, but to a clever social engineer and most likely, an identity thief.
Users should be trained to always call the number printed on the credit card should a problem arise, instead of calling the number provided in a recorded message. In doing this, they would be able to verify from legitimate help desk personnel whether the problem is real or the call was simply a scam.
Spear fishing is a phishing attack that uses specific information about the targeted victim – the victim’s name, the people he knows, the bank he maintains an account with, and so on. While the attacker would have to expend more time and effort before he can put this plan into action, these are also the types of schemes that are most successful. The information used for spear phishing could have been obtained from dumpster diving or shoulder surfing.
Whaling is the type of phishing method that targets senior executives of an organization, high-profile victims, or people with access to especially sensitive information. After all, isn’t it better to get hold of the system admin’s or CIO’s passwords than those of the staff in the office cubicles? Fact is, both small and big fish are found in the cyber crime sea.
Hoaxes are chain mails or posts on social media sites that are intended to misinform the public. Users need to keep in mind that companies – even the biggest and most established ones at that – are not going to give out gift certificates or checks for forwarding emails.
Hoaxes are notable for their implausible threats such as illness and death if the email is not forwarded, or far-fetched promises such as saving sick children, if it is. Ironically, most email hoaxes use big, bright-red font that say “This is not a joke,” but they clearly are.
While hoaxes are generally harmless, they are more than a simple annoyance. Hoax emails can prove to be a complete waste of time and resources if users and employees fall for them. Think of the loss in productivity when you forward the email to all your other contacts, the space it can take up in your email database and backup systems, and the paper used when you have these printed out.
As soon as users receive hoax emails about computer viruses or read about these on Facebook and other social media platforms, they are bound to get concerned and report this to the IT staff. If they feel it necessary, users can notify IT department over and over again.
To prevent such a scenario, employees should be kept abreast of current hoaxes so that they don’t have to spend valuable time and energy forwarding emails and calling up IT. Using spam filters can also help in keeping hoaxes out. Or better yet, employees should be instructed to never forward any non work-related email to other users.
If spam emails do manage to get through however, it’s important that users know how to check if an email is a hoax. They can visit the Snopes website, or avail of the services of various malware vendors to get updates on the latest hoaxes in circulation. In fact, companies should make it a point to have links to hoax checkers right on their corporate internet.
Reverse Social Engineering
Reverse social engineering is called such because this time, it is the victim that actually approaches the attacker and offers some personal information.
Of course, this usually doesn’t happen without some well-planned scheming from the attacker. The set-up may start with the attacker making himself interesting or available to the potential victim. By sending an email, participating in forums, or giving out business cards, the attacker establishes himself as an expert in a certain field, and therefore, in a position to help the victim at some point in the future.
For example, the hacker can pose as a network administrator or IT expert. If something goes wrong with the network – a situation that the attacker may have engineered himself, guess who the victim is likely to call? The person he thinks is ‘best’ for the job of course. Eager to get on with his work, the victim/user/employee will willingly go ahead and give the hacker a.k.a. ‘expert’ the pertinent information that may be needed to fix the problem: login ID, password, user name, SSN, employee ID, and so on.
In effect therefore, reverse social engineering is almost like an impersonation scheme, only in this case, the hacker simply sets up the scenario that makes the victim approach or call for him and give the much sought-after information without any prodding. Most reverse attacks are started with the use of other social engineering methods.
A reverse social engineering attack is usually done by an insider or a person pretending to be one, so organizations should see to it that users are trained to verify the identity of people who offer help, especially when the expertise is in the tech- or IT-related field. For all they know, it could be a reverse social engineering hacker in action.
As a final reminder, allow me reiterate that employee awareness and education are the keys to mitigating the risks of social engineering. Whether it’s the receptionist, the system administrator, or the company CEO, everyone needs to be alert and be aware that personal and confidential information should be kept just that at all times.