“If the door is locked, try the window” — that is the motto of more and more cybercriminals, and unfortunately a successful one. Just replace “the door” with “the system security” and “the window” with “employees”. Today we will talk about the techniques hackers use to carry out social engineering attacks.
What are social engineering techniques, and why should you care about them at all?
Perhaps you think that a hacker attack doesn’t threaten you. What’s more, if you run a business, you’ve probably already done a lot to protect it from cybercriminals. You’ve set strong passwords for your company’s accounts. You’ve made sure the source code of your website is of high quality. You’ve invested in anti-virus software and access cards for your employees. Unfortunately, this is probably still not enough.
Security systems are only as strong as their weakest point — whether that is a weak firewall or John Doe, who clicked the link in an e-mail from the Nigerian prince.
Social engineering techniques are methods of manipulation used to convince someone to take a specific action. It’s not hard to guess which actions suit cybercriminals: handing over a login and password, letting someone into the building, downloading a virus file; the list goes on. What they all have in common is that the hacker gets exactly what he wants: financial resources or confidential information belonging to the company.
Now you know what social engineering techniques are and why you have to defend your company against them. It’s time to find out more about the methods hackers use.
Social engineering types of attacks
Strategies that cybercriminals use can be divided into virtual, physical, and mixed (hybrid). We’ll look closer at each group one by one.
Virtual techniques: phishing, fake news and more
One of the most popular social engineering types of attack is phishing. It is a non-personalized, usually mass attack, typically carried out via fake e-mails or fake websites.
A variation of phishing is spear-phishing. It’s an attack targeted at a specific person. A hacker selects a victim and then plans a strike that takes their weaknesses into account.
Let’s start with a combination of spear-phishing and the fake news method. The hacker calls the person responsible for Public Relations and asks about a big scandal related to the company. The future victim, of course, has no idea what scandal the hacker is talking about, so the hacker offers to send a link to the news to her e-mail. The article is fake, as is the whole website. After just a few seconds, a pop-up with a link to the virus appears on the page. The victim clicks to close it and downloads the virus straight to the computer. What’s more, if the victim forwards the link to other people in the company, which is likely to happen, the virus will soon spread through the whole firm.
There is one more type of phishing: whaling. In whaling, a hacker targets high-level employees such as CEOs or CTOs. This choice isn’t accidental: people at the top of the office hierarchy usually have full access to the confidential data hackers are interested in.
It’s also worth mentioning deepfakes, which are fake audio or video recordings. All a hacker needs is software that creates a digital representation of a voice based on a sample of just a minute. The hacker can then use it, for example, to impersonate the company’s CEO and order an urgent transfer from the company’s account. Deepfakes are a relatively new but very serious threat.
Pretexting is, as the name suggests, an attempt to obtain sensitive data under a credible pretext. For example, a hacker may call a company posing as a bank consultant who is asking for confirmation before sensitive information can be provided. A worried employee who wants to find out what’s going on as soon as possible will hand the criminal the data without a second thought.
Physical techniques
When it comes to hackers, many people imagine a man in a hood, sitting in a dark room lit only by the glow of a computer screen. This image, well known from newspapers, doesn’t truly reflect reality. Hackers also work in the real world, and successfully.
To conduct an attack, hackers may dress up, for example, as a technician who installs printer drivers. He will choose the ideal moment, when no one in the office can confirm whether a professional has actually been called in. The employee will hand the service technician a computer to install the drivers on and will receive malware as part of the package.
Another method used in social engineering attacks is baiting. The name comes from the word bait, and the association with fishing isn’t accidental. Just as a fisherman puts a worm on a hook to catch a fish, a hacker can drop an infected USB stick somewhere in the company.
Tailgating is an unauthorized person gaining access to a given place by following someone who is authorized. For example, an employee may hold the door for a person in a hurry. Tailgating usually takes place in large companies, where employees don’t know all their co-workers.
Mixed (hybrid) techniques
The combination of virtual and physical methods is also popular in the world of cybercriminals.
A few months ago, one well-known corporation found this out. First, the company’s employees received a 30% discount at a new pizzeria that had opened in the neighborhood. They were excited and quickly organized a Pizza Day at the office. The pizzeria delivered 8 pizza boxes and free USB drives with LED lamps, with a virus on them. The employees, of course, suspected nothing and immediately plugged the gifts into their computers, giving the hackers remote access to them.
Fortunately for the company, we were responsible for the attack 🙂
The whole operation was part of a security audit. If you are interested in the topic, you can read more in the article The Pizza Method – a Social Engineering Case Study.
The six principles of persuasion by Cialdini
Regardless of the method they choose, cybercriminals often use the 6 rules presented in Robert Cialdini’s best-seller “Influence: The Psychology of Persuasion”. To give you a better idea of how each of them works, we’ve prepared a table with a summary:
Reciprocity
How does it work? When someone does something for us, we often feel obliged to return the favor.
How hackers use it: A hacker can set up a situation in which he helps his victim, e.g., picking up documents that fell out of her hands after he “accidentally” bumped into her (“I’m sorry, I’m so clumsy…”). Then, having gained the victim’s trust, he will ask for what he wants — for example, to be let into the building (“I left my card in the office. It’s my first day, my boss can’t know about it…”).
Commitment and consistency
How does it work? People like to think of themselves as consistent in their actions. When we’ve already devoted a lot of time and energy to something, it’s much easier for us to do even more than it would have been otherwise.
How hackers use it: An employee who has already done the hacker one favor (e.g., let him into the office) is likely to comply with another request (e.g., let him use a company computer).
Social proof
How does it work? When other people act in a certain way, it’s easier for us to believe that it’s right and to do the same.
How hackers use it: Do you remember the Pizza Day case? When employees of the unfortunate corporation received infected USB drives as a gift, it was enough for one of them to plug it into a computer; the rest did the same without a second thought.
Liking
How does it work? When we like someone, we’re more likely to do what he asks.
How hackers use it: Let’s go back to the example of a hacker pretending to be a new employee who has forgotten his access card and begs others to let him into the office (“That’s my very first day, my boss can’t find out this has happened!”). The liking rule says that many people won’t refuse to help a charming, clumsy newcomer.
Authority
How does it work? We are more willing to fulfill requests from people who, in our opinion, have power or authority.
How hackers use it: A cybercriminal may impersonate an important person in the company (by e-mail or phone) or a respected figure, such as a firefighter or a police officer (using a costume).
Scarcity rule
How does it work? We consider things that are rare or hard to obtain more valuable.
How hackers use it: Who hasn’t, at least once, been notified that they have just won a smartphone and need to hurry to claim it? That’s a great example of how hackers use the rule of scarcity.
How to protect a company against social engineering attacks?
Of course, this list of social engineering techniques used by hackers isn’t complete. Every year new methods appear, as well as new viruses. The best defense strategy against them remains vigilance and common sense.
To protect yourself and your company against social engineering attacks:
- Don’t do things automatically — get used to reading the link address before clicking it, checking the sender’s e-mail address carefully, comparing the data on printed invoices with the data in the electronic version, etc.;
- Make sure who you are dealing with — ask technicians who come to the company to show their ID, don’t open the door to people without an access card, etc.;
- Update your operating system and antivirus software regularly — and require the same from employees working on their own devices (remotely);
- Ask yourself “Why?” — before you decide to fulfill a request made by a stranger, think about what is behind it. Is it reasonable? Is there a good reason to comply, and is it really you who should do it?
- Make sure you are speaking to whom you think you are — if you have doubts about the person on the other end, subtly slip a small lie into the conversation, one that would immediately surprise the real person. Example? Here you go. Imagine that you are answering a call from a contractor’s accounting department with a request to change the account number for transfers. You may ask, for example, whether Mary has already returned from maternity leave, knowing that no Mary works at that company;
- Don’t be afraid to confirm information — sometimes a single phone call to verify an e-mail request (e.g., to change the account number on an invoice) is enough to avoid a tragedy.
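The first and last points above (reading the link address, checking the sender’s address, verifying account-change requests) can be partly automated before a message ever reaches a person. The following is an added example, not code from the original article: a small Python checker that parses an e-mail, flags a known colleague’s display name on an outside address, a sender domain one character away from the company’s own, a Reply-To that diverts answers elsewhere, and links whose visible text shows a different domain than the one they lead to. The company domain `example.com`, the staff list, and the sample message are all constructed for the example; a real deployment would take them from the mail gateway and the directory, and would use the public suffix list instead of the two-label domain rule used here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed company data for this example: domains the company owns and the names
# of staff a phisher might impersonate (assumptions, not real configuration).
TRUSTED_DOMAINS = {"example.com"}
KNOWN_STAFF = {"jane doe"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Keep the last two labels of a hostname ('portal.example.com' -> 'example.com').
    Simplification for the example; production code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw_message):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Display-name impersonation: a known colleague's name on an address outside the company.
    if display_name.strip().lower() in KNOWN_STAFF and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' but address domain is {from_domain}")
    # Look-alike sender domain, one character away from the real one.
    if lookalike_of(from_domain):
        findings.append(f"sender domain {from_domain} imitates {lookalike_of(from_domain)}")
    # Replies silently redirected to a third domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, "replace")
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        href_domain = registrable_domain(urlsplit(href).hostname or "")
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        # The visible link text shows one domain while the href leads to another.
        if shown and registrable_domain(shown.group(1)) != href_domain:
            findings.append(f"link text '{text}' actually points to {href_domain}")
        elif lookalike_of(href_domain):
            findings.append(f"link to look-alike domain {href_domain}")
    return findings


# Constructed sample: a fake "CEO" asking finance to change a supplier's bank account.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: accounting@mail-relay.test
To: finance@example.com
Subject: Urgent: supplier bank account update
Content-Type: text/html; charset=utf-8

<html><body><p>Please update the account today, details in the portal:
<a href="https://portal.example-login.test/invoices">https://portal.example.com/invoices</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_PHISH):
        print("WARNING:", finding)
```

Run as a script, it prints four warnings for the sample message; a message from a real company address with a link whose text and target agree produces none. The checks are deliberately cheap and deterministic, so the same logic fits a mail gateway rule or a quick triage script for a suspicious forwarded message.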
Make your employees aware of cybersecurity issues
The fact that you are aware of a threat doesn’t mean that everyone in your company is. Hackers know this well and often aim their attacks at employees without even basic knowledge of cybersecurity. No surprise: it’s usually easier to convince a receptionist to give a stranger pass data than to convince a board member to do so.
You want to reach the point where every employee of your company is aware of the dangers and knows how to defend himself against them. For a good start, you can pass this article around (e.g., in the internal newsletter).
Run social engineering tests
Words quickly fade from memory. Experiences, especially those tied to strong emotions, stay in people’s minds much longer. Can there be anything more memorable for an employee than discovering that it was his fault that hackers managed to attack the company successfully?
What do such tests look like, step by step?
- We sign a data confidentiality agreement — we always take care of the security of the information we obtain during the “attack”, but we also want you to feel comfortable;
- We talk about your company — every business is different. The conversation helps us understand the structure of your company, its core resources, and its employees, and then tailor the test to them;
- We set entry points — we look for gaps in your security using publicly available sources (information about the company and its employees on the Internet), then verify the attack vectors and how they could be used;
- We develop a strategy — together we prepare a test scenario, making sure it is as realistic as possible;
- We test — this is the moment we’ve been waiting for from the beginning. Now you will see whether your employees are ready to resist a hacker attack. Our specialists carry out the agreed scenario, such as a break-in at your headquarters or a remote spear-phishing attack.
- We suggest what’s next — after the test, you receive a report from us containing both information about the test itself (what resources we gained access to, what the entry points were) and our recommendations (which areas should be strengthened, how to develop protocols for dealing with such situations). We also recommend training for employees so that they know how to handle threats in the future.
To sum up
There are many social engineering attack scenarios (and new ones keep appearing), but the main way to defend against them stays the same — common sense.
Make sure that you and your employees don’t lose it. As we mentioned before, for a start you can give them this article to read. If you feel that’s not enough (you’re probably right), consider running social engineering tests in your company.