Social engineering is a commonly used tactic that was used in 33% of data breaches in 2018, according to Verizon’s 2019 Data Breach Investigation Report — here’s what social engineering hacking looks like in real life
My mom used to always joke that if you left my dad alone with a stranger, he could find out that person’s underwear size within a matter of minutes. He’s someone who’s extremely intelligent, fun, engaging, and has always had a knack for making people feel comfortable and open up to him. Frankly, if my dad had the desire to carry out social engineering attacks — and was a schmuck that enjoyed ripping people off — he’d make a great social engineer.
Thankfully, that’s not the case, and my dad doesn’t have the technical know-how to craft believable phishing emails or to create malicious websites (after all, this is the same man who argues with Siri on a daily basis). But just because my dad doesn’t have the technical know-how (or interest) to engage in such activities doesn’t mean that there aren’t others who do, or who would be willing to do so — namely cybercriminals.
So, what are social engineering attacks and why are they so successful? We’ll take a look at the definition of social engineering, walk you through why social engineering hacking is such an effective method of attack for hackers, and show you a few key social engineering examples.
Let’s hash it out.
What is Social Engineering?
Social engineering is, hands down, one of the most dangerous threats to businesses and individuals alike. In a nutshell, a social engineer is someone who uses social interactions with individuals to either get something from you (such as your password) or get you to do something (like make a wire payment). They may be disarming in their approach and make you feel comfortable, or they may present themselves as someone of authority and convey a sense of urgency.
Either way, social engineering attacks are about getting you to like and trust them, or to make you feel like they’re a person of authority and you must comply with whatever they ask for.
Imperva, a world-renowned cybersecurity organization, describes social engineering as:
“[…] a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
Or, as the FBI puts it more succinctly, it’s “targeted lies designed to get you to let your guard down.”
Types of Social Engineering Attacks
Social engineering attacks, which Verizon reports were used in 33% of the data breaches in 2018, can occur:
- Via face-to-face interactions,
- Over the phone (vishing, or what’s known as voice phishing),
- Over SMS text message phishing (smishing),
- Using email phishing tactics, or
- By using any combination of these and other avenues.
These types of attacks don’t require a bunch of technical skills or hacking techniques. It’s about “hacking” or exploiting a person rather than technology itself. However, using technology certainly makes pulling off these attacks a lot easier for the cybercriminals who use them.
Frank Abagnale, the world’s most famous con man-turned-security consultant whose life and crimes were the basis of the movie “Catch Me If You Can,” said in an interview with SearchCloudSecurity that while social engineering at its core is still the same, it’s just that criminals are now using different methods of attack.
“Some people used to say that I’m the father of social engineering. That’s because when I was 16 years old, I found out everything I needed to know — I knew who to call and I knew the right questions to ask — but I only had the use of a phone. People are still doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”
Social Engineering Attacks Are All About Getting to Know You
In the digital world, social engineering attacks involve cybercriminals learning as much information as they can about a company and a target individual (i.e. you). They then use that information to get you to do something you shouldn’t (such as providing sensitive personal information or making a wire transfer).
Essentially, they treat you like a research project and learn about you through a variety of tactics, including:
- Searching for information about you on Google and other search engines: The more they know about you, the easier it is to relate to you and make you trust them. This disarms you and makes you more likely to comply.
- Tracking down your social media pages to learn about you: If a hacker knows what you pin on Pinterest, what you watch on YouTube, what groups you’re a part of on Facebook, or even what photos you like on Instagram, etc., they can craft more believable phishing emails to trick you.
- Seeing who you’re connected to (via LinkedIn and your company website) and learning your organization’s hierarchy: Cybercriminals want to make their jobs as easy as possible. If they know that you’re Sally and you work as an accounts payable employee, and that your company typically works with Org X as a vendor, they might be able to get away with impersonating that organization to get you to make a fraudulent payment.
- Going through your trash: No, I’m not speaking metaphorically here. I meant that literally. Some social engineers have been known to go dumpster diving to gain valuable information about you or your organization. This is an example of why it’s important to properly dispose of personal, proprietary, or otherwise sensitive information.
Breaking Down the Social Engineering Attack Life Cycle
To talk about the lifecycle of a social engineering attack, we’re going to use the terms as identified by Imperva. The social engineering life cycle includes four distinct phases. These types of attacks include one or more of these steps:
- Investigation: This step is all about research and gathering as much information about you and your company as possible.
- Relationship Building: This next phase is about using social tactics and psychology to manipulate or deceive you. Armed with knowledge about you and your organization, they’ll reach out to develop a connection and to engage with you.
- Play: This next step is when they really put the plan into motion to exploit the interaction. It’s about expanding their influence on you to get you to provide information or to perform an action.
- Exit: This is where they take a moment to get rid of evidence — to wipe away their digital fingerprints, metaphorically speaking — to make their getaway and get the hell out of dodge (ideally, without you even knowing that something’s wrong until after they’re long gone).
How Social Engineering Attacks Occur
As you’ve learned, social engineering involves a malicious actor researching you and your organization to learn about you so they can use that information to dupe you into sharing information or doing something that you shouldn’t.
Social engineering isn’t an impatient man’s game. Unlike traditional phishing attacks, which can involve sending out mass emails to thousands of people with the hope of tricking even just one into clicking on a malicious link, social engineering attacks are more targeted. Cybercriminals can spend a few hours or even days, weeks, or months preparing to make their move.
So, how does one of these attacks occur? Oftentimes, it boils down to finding the right person to target and finding — or creating — the right opportunity.
According to Abagnale in an interview with WIRED:
“Every case involving cybercrime that I’ve been involved in, I’ve never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren’t supposed to do. They read an email, went to a website they weren’t supposed to. So they opened the door that allowed the person to get in.
It’s not that these people are that talented but they wait knowing that with a company of 10,000 employees someone is bound to open the door. They just wait for that door to be open.”
Not sure what we mean? Let’s dig a little deeper.
An Example of Social Engineering in Action
Let’s imagine that you’re an accounts payable employee named Tina. You’re sitting at your workstation when, suddenly, you get a call from Drew Stevens, a representative at one of your company’s vendors. He tells you that there’s an issue with the last payment that was made, saying that they never received it.
You feel mortified. While you’re apologizing and quickly try to find the receipt from the last payment, Drew continues talking, reassuring you that it’s fine but that they really do need the payment to be made quickly if your company is to continue using their services. He continues on, saying that it was probably just a hiccup with the paperwork — that their company recently changed banks and sent the updated payment info to all of their customers, yet, somehow, the new bank account info never seemed to make it to you and another customer.
He sighs but laughs, saying it’s just one of those things. Technology, right? Gotta love it.
He’s friendly, confident, charming, and understanding. He reassuringly says that he doesn’t want to make additional work for you because they know you’re probably already so swamped! So, to make it easy, he’s just sent you the new banking info and would really appreciate it if you could go ahead and make the payment ASAP so your organization’s service doesn’t lapse.
You check your email, and there’s a message waiting from Drew, just like he said. In it, there’s an invoice attached. You open it immediately and use the information in the doc to go ahead and make the payment.
Drew thanks you and tells you that he’s received the payment. He smoothly wraps up the conversation, telling you that he’s going to go ahead and send a receipt for the payment and that he’s glad you both were able to work together to rectify the situation so quickly. You exchange goodbyes and hang up.
A few weeks later, your boss comes in to ask about the payment to this unknown account. You tell him that you were being proactive and wanted to take care of the situation quickly by making the payment.
But the payment was already made, your boss says, and it turns out that the company just suffered a data breach that was tracked back to your workstation.
What you didn’t know is that the invoice you opened from Drew was actually a malicious file. Now, not only have you sent a payment to a fraudulent account, but you’ve also opened up your company’s network and IT systems to a hacker.
See Social Engineering Attacks in Action for Yourself
All of this just sounds too obvious, right? There’s no way that someone could be fooled by something so simple. Unfortunately, that’s not the case. Nearly two in 10 people fall for these attacks all the time.
Want to see some real-life “people hackers” in action? Watch as social engineer David Kennedy tricks a company into providing credit card information. He spoofs his phone number to make it appear as though he’s calling from inside the company.
Here’s another example of how effectively a social engineer can hack people. In this video, social engineer Jessica Clark uses vishing (voice phishing/voice solicitation) to get the Real Future video host Kevin Roose’s cell phone provider to give her Roose’s email address. But she doesn’t stop there:
Here’s an example from the same video of Dan Tentler, a hacker who used social engineering tactics to track down Roose’s SquareSpace blog. Tentler uses this information to craft an effective spear phishing email, which gains him access to the host’s 1Password key chain.
What You Can Do to Prevent Social Engineering
Unsurprisingly, technology has made pulling off social engineering crimes significantly easier for the criminals — but that doesn’t mean that the outlook is hopeless.
In the interview with SearchCloudSecurity that we mentioned earlier, Abagnale recommends the following approach for organizations, businesses, and individuals alike:
“So technology has made things a lot easier, and all criminals have done is conform to that. The important thing is this: You can’t develop technology and say, ‘Here’s my foolproof technology, you can’t beat it, goodbye.’ You have to constantly go back and stay on top of it all the time. You can’t just develop it and walk away and be done with it. You have to constantly be aware of things that can happen to it and how people are going to try to beat it.”
In other words, your company needs to:
- Harden your tech defenses with network and IT security best practices
- Secure any servers and databases and ensure your data is encrypted
- Implement cyber security awareness training for your employees
- Encourage your employees to follow cyber security and email security best practices
- Limit access to sensitive data and systems to only those employees whose jobs require it
- Implement secondary verification procedures before wiring any payments or making changes to vendor information
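To make the last point concrete, here is an added Python model of a payment-release check that would have stopped the Tina/Drew scenario above. It is not code from the article or from any of the companies it mentions; the vendor master record, the invoice values, the callback numbers and the dual-approval threshold are all constructed for the example. The controlling idea is that the bank account and the callback number used for verification come from the record the company already holds, never from the invoice or the caller, and that a change to those details needs two approvers and an out-of-band confirmation.

```python
"""Vendor-payment release check: hold any payment whose details differ from the
vendor master record and verify out of band using the contact already on file.
Added example with constructed data; not the article's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    bank_account: str      # verified when the vendor was onboarded
    callback_phone: str    # verified number; never taken from a caller or invoice


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    amount: float
    bank_account: str      # account stated on the invoice or by the caller
    contact_phone: str     # number the requester asked to be called back on
    urgent: bool = False   # requester pressed for immediate payment


@dataclass
class Decision:
    action: str                        # "release" or "hold"
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None   # number on file to call back on when held


def evaluate_payment(req: PaymentRequest, vendors: Dict[str, VendorRecord],
                     dual_approval_threshold: float = 10_000.0) -> Decision:
    """Decide whether a payment may be released without further checks."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return Decision("hold", ["unknown vendor; no master record to verify against"])

    blocks: List[str] = []   # any of these alone holds the payment
    notes: List[str] = []    # recorded for the reviewer, not blocking on their own
    if req.bank_account != vendor.bank_account:
        blocks.append("bank account differs from vendor master record")
    if req.contact_phone != vendor.callback_phone:
        blocks.append("callback number differs from number on file")
    if req.amount >= dual_approval_threshold:
        blocks.append("amount at or above dual-approval threshold")
    if req.urgent:
        notes.append("requester pressed for immediate payment")

    if blocks:
        # Verification always goes to the number on file, not the one supplied.
        return Decision("hold", blocks + notes, verify_via=vendor.callback_phone)
    return Decision("release", notes)


def apply_bank_change(vendor: VendorRecord, new_account: str,
                      approvers: List[str], confirmed_via: str) -> VendorRecord:
    """Update bank details only with two distinct approvers and a confirmation
    obtained on the callback number already on file."""
    if len(set(approvers)) < 2:
        raise PermissionError("bank-detail changes need two distinct approvers")
    if confirmed_via != vendor.callback_phone:
        raise PermissionError("change must be confirmed on the number already on file")
    return VendorRecord(vendor.vendor_id, vendor.name, new_account, vendor.callback_phone)


# Constructed sample data mirroring the story: Org X is a real vendor on file,
# and "Drew" supplies a different account and a different callback number.
VENDORS = {"V-100": VendorRecord("V-100", "Org X", "ACCT-000001", "+1-555-0100")}
DREW_REQUEST = PaymentRequest("V-100", 4_800.0, "ACCT-999999", "+1-555-0199", urgent=True)
LEGIT_REQUEST = PaymentRequest("V-100", 4_800.0, "ACCT-000001", "+1-555-0100")

if __name__ == "__main__":
    for label, req in (("drew", DREW_REQUEST), ("legit", LEGIT_REQUEST)):
        d = evaluate_payment(req, VENDORS)
        print(f"{label}: {d.action} {d.reasons} verify_via={d.verify_via}")
```

Run as a script, the first request is held with the account and callback mismatches listed and the on-file number returned for the verification call, while the matching request is released. The split between blocking reasons and informational notes is deliberate: urgency is a classic pressure tactic worth logging, but a legitimate vendor can also be in a hurry, so it is surfaced to the reviewer rather than used on its own to stop a payment.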
Criminals, in one form or another, are nothing new. The same can be said about social engineering. While the way it’s performed may adapt and change over time, the general concept stays the same. This is why it’s so important for organizations to inform their employees about these types of threats, so they can recognize them for what they are and not be taken for a ride.
So, while a social engineer or cybercriminal likely has no interest in discovering your underwear size, they certainly do want to learn whatever they can about you in other areas so they can use that information to put you at ease and get you to do something you shouldn’t.