Introduction
In my time as a cyber security consultant, I’ve seen many cases of social engineering attacks that exploit human psychology rather than the use of technical prowess. Social engineering is a form of cyberattack that involves manipulating people into revealing sensitive information or performing malicious actions that benefit the attacker. In this blog, we’re going to cover some of the more common types of social engineering – phishing, baiting, pretexting, quid pro quo, and tailgating. I will share with you what social engineering is, my experiences with it, and how you can protect yourself from this common threat.
How does Social Engineering work?
Here’s the thing. Social engineering attacks rely solely on the predictability of human responses in specific situations, so social engineers learn how to create and manipulate the optimal conditions for their target to behave predictably. Social engineering is based on the principle that people are the weakest link in any security system. Hackers use various techniques to persuade, deceive, or coerce people into doing what they want. They exploit human emotions, such as curiosity, greed, fear, or sympathy, to influence their victims. They also take advantage of social norms, such as trust, authority, or reciprocity, to gain access or information. Social engineering can be used for different purposes, such as stealing data, money, or identities, installing malware, or compromising networks.
What are some examples of social engineering attacks?
There are many types of social engineering attacks that hackers can use to trick their targets. Here are some of the most common ones:
- Phishing: By far the most common cyber attack, this is a type of email scam that tries to lure you into clicking on a malicious link or attachment, or providing your personal or financial information. The email may appear to come from a legitimate source, such as a bank, a company, or a government agency, and may even use urgent or threatening language to create a sense of urgency or fear. For example, I’ve seen emails claiming that your account has been compromised, that you have won a mega prize, or that you urgently need to verify your identity, all too often.
- Vishing: Vishing, commonly known as “voice phishing”, is a social engineering attack that uses telephone communications to dupe individuals into revealing private details. Rather than physical media, vishing exploits persuasive narratives or urgent situations over the phone, coaxing the victim to share particulars such as bank details or security PINs. With the advent of AI, fraudsters can now mimic voices and automate calls, making them sound even more genuine. The caller might masquerade as a bank representative, IT support, or even a government official, giving seemingly credible reasons for the call. Imagine receiving a ring labelled “Bank Warning,” “Tax Rebate,” or “Account Confirmation.” Sounds authentic, doesn’t it?
- Baiting: This is a type of social engineering attack that uses physical media, such as USB drives, CDs, or DVDs, to entice the victim into inserting them into their computer. The media may contain malware that can infect the system or steal data. The media may be left in public places, such as car parks, coffee shops, or offices, and may have labels that suggest they contain valuable or interesting information. For example, the media may be labelled as “confidential”, “payroll”, or “photos”. Tempting, right?
- Pretexting: This is a type of attack that involves creating a fake identity or scenario to obtain information or access from the victim. The attacker may pretend to be someone else, such as a co-worker, a customer, a vendor, or an authority figure, and may use social engineering techniques to build trust and rapport with the victim. During a physical security testing operation, I once encountered an attacker who had spent months cultivating a relationship with a company’s security personnel. Using the pretexting method, he posed as a routine maintenance contractor and gained unrestricted access to the company’s secure areas. The attacker often asks for sensitive information, such as passwords, pin numbers, other bank details, or personal data. For example, and probably most commonly, the attacker calls you claiming to be from the IT department then asks for your login credentials to fix a security problem. Pretty devious, I know!
- Quid pro quo: Before I moved into cyber security, a good few years ago now, I received an email from a software company that offered me a free update for their product. The email said that all I had to do was to install a program from their website and enter the authentication code that they provided. I thought it was great value for money, so I downloaded the program and ran it. However, instead of updating my software, the program installed malware on my computer that allowed the hacker to remotely control it. I quickly realised too late that quid pro quo is a ‘thing’, and an all too common social engineering technique. And the moral of the story here? You guessed it – If it seems too good to be true, it probably is.
- Tailgating: This is a type of attack that involves gaining physical access to a restricted area by following someone who has legitimate access. The attacker may act as if they belong there or may ask for help from someone who has access. The attacker may then use the opportunity to steal information, plant devices, or compromise systems. For example, the attacker may pretend to be an employee who forgot their badge and ask someone to hold the door for them. I personally enjoy bypassing the reception of secure buildings wearing a hard hat and high visibility jacket. After all, they say you can walk into any place if you are carrying a ladder. Have a think about that for a moment…
How social engineering connects with physical security
As I’m sure you understand, physical security is the protection of people, assets, and data from unauthorised physical access or harm. The connection between social engineering and physical security is that both are essential components of an organisation’s overall security posture. Weak physical security can enable a social engineer to gain access to a restricted area, steal information, plant devices, or compromise systems. Strong physical security can deter or prevent a social engineer from even entering or bothering to try and infiltrate an organisation in the first place. Therefore, it is important for organisations to implement both physical and cyber security measures to protect themselves from social engineering attacks.
Some best practice physical security measures that can help prevent social engineering are:
- Locking doors and windows, using alarms, cameras, and guards.
- Implementing access control systems, such as badges, biometrics, or codes.
- Enforcing policies and procedures, such as visitor management, escorting, and reporting.
- Educating employees and staff about the risks and signs of social engineering.
- Conducting regular audits and tests to assess the effectiveness of physical security.
By combining physical security with cyber security, you can create a layered defence that can reduce the likelihood and impact of social engineering attacks. However, it’s worth remembering that an experienced social engineer can bypass the most robust physical security measures through manipulation or deception, so stay alert!
Case Study: Social Engineering in Physical Security Testing
In one of my assignments, a client sought to test their physical security. As part of this, our team used social engineering tactics to gain access to their office building and achieve two objectives: to steal a laptop from HR, and to plant a device that could access the network of any other department.
My colleague posed as a delivery driver, complete with a uniform and a package. He was able to gain access to multiple secure areas by tailgating behind employees, exploiting their assumption that he was authorised due to his disguise and the legitimacy lent by the package. He also used a hidden camera in the package to record the layout of the building and the security systems. He located the department he was targeting and swapped their laptop with his own, which contained malware that could remotely access their data.
I posed as a maintenance worker, carrying a toolbox that contained a device that could connect to the network of the main employee floor. I used a fake badge and document to convince a security guard to let me in. Then, I pretended to fix an issue with the air conditioning system and hid the device behind a cabinet. The device could then scan the network for vulnerabilities and send us back a list to exploit.
Both of us successfully completed our objectives using social engineering techniques. We showed how easy it was to bypass physical security by exploiting human psychology and social norms. We also provided valuable feedback and recommendations to the client on how to improve their physical security and prevent future attacks. Mission accomplished!
Recognising Social Engineering Attacks
The first step to protecting against social engineering attacks is awareness. Employees should understand that anyone, regardless of how trustworthy they seem, could potentially be an attacker. This awareness is particularly important for protecting physical security, where face-to-face interactions offer ample opportunities for social engineering. If you aren’t exactly sure what cyber awareness is, take a look at this post. (What is cyber awareness training?)
However, awareness alone is not enough. Employees should also be able to recognise and avoid social engineering attacks. Here are some if the ‘tell tale’ signs that can help you identify and prevent social engineering attacks:
- The message or request is unsolicited, unexpected, or urgent. If you receive an email, a phone call, or a visit from someone you don’t know or trust, asking you to do something quickly or urgently, be suspicious. It could be a phishing, baiting, or quid pro quo attempt to make you act without thinking.
- The message or request is too good to be true. If you receive an offer that sounds too good to be true, such as a free gift, a prize, or a reward, be wary. It could be a baiting or quid pro quo attempt to lure you into clicking on a malicious link, downloading a file, or providing information.
- The message or request asks for personal or sensitive information. If you receive a message or a call from someone claiming to be from a legitimate organisation, such as your bank, your company, or your government, asking you to verify your identity, your account details, or your security codes, be cautious. It could be a phishing or pretexting attempt to steal your information or access your accounts.
- The message or request does not match the sender’s identity or the context. If you receive a message or a call from someone who does not sound like who they claim to be, or who does not match the situation, be alert. It could be a pretexting attempt to impersonate someone else, such as a co-worker, a customer, a vendor, or an authority figure.
- The message or request does not follow the normal procedures or policies. If you receive a message or a call from someone who asks you to do something that goes against the normal rules or guidelines of your organisation, be careful. It could be a pretexting attempt to bypass the security measures or controls.
By being aware of these signs and clues, you can recognise social engineering attacks and protect yourself from falling victim to them. Remember to always verify the source and the content of any message or request before responding or complying. If you are unsure or suspicious, do not hesitate to contact the legitimate organisation or person directly and confirm their identity and intention.
Training Staff Against Social Engineering
One of the best ways to prevent social engineering attacks is to train your staff to recognise and resist them. Your employees should be aware of the common types and techniques of social engineering, such as phishing, baiting, pretexting, quid pro quo, and tailgating. They should also know how to verify the identity and legitimacy of anyone who contacts them or requests access to secure areas or information. For example, they should ask for credentials, call back the official number, or check with a supervisor before complying with any request. The role of ongoing staff training in thwarting social engineering cannot be overstated. At Sencode, we offer a comprehensive learning module on social engineering that covers all these topics and more. I also provide awareness training that can help you and your staff understand the risks and signs of social engineering and how to respond appropriately. If you are interested in learning more or booking a free consultation, please contact us.
Social Engineering Penetration Testing
Another effective way to assess your organisation’s vulnerability to social engineering attacks is to conduct social engineering tests. These are simulated attacks that use social engineering techniques to try to breach your physical or information security under controlled conditions. By doing this, you can identify and address any weaknesses or gaps in your security measures and policies.
As a physical security tester, I have conducted many social engineering tests for various organisations. I have used different pretexts and methods to gain access to restricted areas, equipment, or data. I have also provided detailed reports and recommendations on how to improve the security posture and awareness of the organisations. I can help you design and execute social engineering tests that are tailored to your specific needs and goals.
Conclusion
Social engineering is a serious threat that can compromise your organisation’s physical and digital assets. By understanding how it works and how to prevent it, you can protect yourself and your organisation from malicious actors. You can also turn your employees from the weakest link in your security chain into the first line of defence. Not all heroes wear capes!
I hope this blog has helped you gain some insight into social engineering and its implications. If you have any questions or feedback, please leave a comment below or contact me directly. I would love to hear from you and help you secure your organisation from social engineering attacks.
Frequently Asked Questions
No, social engineering attacks are not only online. Social engineering is a technique that involves manipulating people into revealing sensitive information or performing actions that benefit the attacker. Social engineering can be done through various channels, such as email, phone, SMS, social media, or even face-to-face interactions.
Social engineering is illegal in most countries and can lead to serious legal consequences for the perpetrators. Depending on the type and severity of the attack, social engineering can be classified as fraud, identity theft, hacking, phishing, or trespassing. These crimes can result in fines, jail sentences, or other penalties.
One type of social engineering that targets senior officials is called whaling. Whaling is a form of phishing that aims to trick high-level executives, such as CEOs, CFOs, or government officials, into revealing sensitive information or performing actions that benefit the attacker.
Whaling attacks are often more sophisticated and personalised than regular phishing attacks, as they use the victim’s name, title, company, or other details to create a convincing and urgent message.For example, a whaling attack may impersonate a trusted partner, a legal authority, or a financial institution and ask the victim to authorise a large payment, disclose confidential data, or download a malicious attachment.
Whaling attacks can cause significant financial losses, reputational damage, or legal issues for the victim and their organisation. Therefore, senior officials should be aware of the signs and risks of whaling and how to prevent it.
Social engineering refers to the practice of manipulating individuals into divulging confidential or personal information for fraudulent purposes. Rather than direct hacking, a social engineering attack targets the human aspect of security, capitalising on psychological manipulation.Techniques can range from building trust or exploiting authority to preying on an individual’s emotions. These attacks can be orchestrated through various mediums, including but not limited to emails, phone calls, text messages, or even direct conversations. Recognising the tactics behind a social engineering attack is paramount for both individuals and organisations, given its centrality in many cyber-related crimes. Being informed and vigilant is the most effective line of defence against these manipulative strategies.