What is social engineering?
Social engineering is a manipulative technique used by criminals to elicit specific actions in their victims. These actions usually include revealing sensitive data or giving access to protected systems.
Social engineering is seldom a stand-alone operation. It is usually one step in a larger fraud scheme, and it is especially effective as a component of cyberattacks.
Types of social engineering attacks
By target action:
- Data theft
Criminals pretend to be a trustworthy organization, such as a bank. They use the gathered information for immediate gain (e.g., money from a bank account) or as input for further social engineering.
- Malware infection
Victims are induced to download malware, to visit a website that uses drive-by-download techniques (installing malware without the user's consent), or to connect a piece of removable hardware to the information system. The goals of a malware infection may include gaining access to systems and stealing data.
- Access gain
Criminals manipulate people into granting access to their cloud workspaces. That is how ransomcloud attacks reach Google Drive.
By communication medium:
- Phishing is carried out via email.
- Vishing uses the telephone or, in some cases, video conferencing.
- Smishing also uses telephones, but instead of voice communication, it sends text messages (SMS).
- Water holing (watering hole attacks) uses websites that users visit often to spread malware links, for example, social networking websites, forums, popular blogs, or trusted online media.
By the message customization:
- General phishing uses a generic message that applies to many people (e.g., a letter from a bank or Microsoft).
- Spear phishing is much more customized. It requires personal data about the victim, such as their title, company name, or boss's name. Typical examples of spear phishing are an email purporting to come from the Accounting or HR department, or CEO fraud.
How social engineering works
Social engineers exploit several prominent psychological traits and peculiarities to attain their goals.
Human perception does not operate at full capacity all the time, especially when we are emotionally unbalanced or busy with important tasks.
For example, our brain doesn't read letter by letter but rather perceives a word as a whole. This makes it easy for criminals to forge sender addresses in an email:
firstname.lastname@example.org vs. email@example.com vs. firstname.lastname@example.org
When overwhelmed with feelings, humans find it hard to think rationally. Cybercriminals' messages often target strong emotions to lower the victim's guard:
- A letter from the "boss" demanding information ASAP:
  - Sense of urgency
- An email promising a reward:
  - Sense of entitlement
- A request from "HR" to fill out a form:
  - Social emotions
  - Fear of missing out
First, humans make cognitive mistakes all the time. Here are some basic examples that criminals exploit:
- Trust in authorities like the government, international organizations, popular web platforms, or the company.
- Trust in people on social media ("Joe is my colleague's friend, so I can trust him")
- The false sense of security (“It never happened to me or anyone I know; therefore it won’t happen”)
- Reciprocity (“Peter treated me so nicely, I can trust him”)
Second, most people lack knowledge about social engineering and its means.
Even though many people know about social engineering and cybercrime, they often lack the will to follow security requirements. For example, people don’t check the sender of the message or the link in the email.
Detecting social engineering attacks
- Check the sender:
  - Look for spelling mistakes in the sender's name (e.g., George vs. Goerge).
  - Check the domain name of the sender's email address (e.g., microsoft.com vs. micirosoft.com).
  - Compare the "From:" and "Reply-To:" headers. Do they contain the same sender address?
- Check the recipients. Too many recipients in CC signal that the message is spam and probably a scam.
- Check the content for the following red flags:
  - Multiple grammar mistakes.
  - Impersonal greetings (Dear Client, Madam, etc.).
  - A request for PII (personally identifiable information).
  - Attachments you weren't expecting.
  - Links with suspicious addresses.
  - An emotional tone.
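The checks above can be automated as a first-pass triage filter. The following script is an added example, not part of the original article: it parses a constructed email, compares the From and Reply-To domains, spots lookalike domains with an edit-distance check against an assumed list of trusted domains, counts CC recipients, and scans the body for impersonal greetings, urgency language and PII requests.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Assumed list of domains the organisation accepts as legitimate senders.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}
URGENCY_WORDS = ("asap", "urgent", "immediately", "within 24 hours")
PII_WORDS = ("password", "social security", "account number", "date of birth")
CC_LIMIT = 10  # more CC recipients than this is treated as a red flag


def edit_distance(a, b):
    """Levenshtein distance, used to detect lookalikes such as micirosoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw_message):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to domain differs from from domain")
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                flags.append(f"lookalike domain {from_domain} ~ {trusted}")
    cc_count = len(getaddresses(msg.get_all("Cc", [])))
    if cc_count > CC_LIMIT:
        flags.append(f"{cc_count} recipients in Cc")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if text.startswith(("dear client", "dear customer", "dear madam")):
        flags.append("impersonal greeting")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in text for w in PII_WORDS):
        flags.append("request for PII")
    return flags


# Constructed sample message exhibiting several of the red flags at once.
SAMPLE = """From: IT Support <helpdesk@micirosoft.com>
Reply-To: helpdesk@mail-recovery.example
To: staff@example-bank.com
Subject: Password expiry
Content-Type: text/plain; charset=utf-8

Dear Client, your password expires today. Reply ASAP with your password.
"""
```

Running `red_flags(SAMPLE)` reports the Reply-To mismatch, the lookalike domain, the impersonal greeting, the urgency language and the PII request; keyword lists like these produce false positives, so treat the output as triage input, not a verdict.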
How to prevent social engineering attacks and handle the consequences
- Plan and conduct a regular training course for your employees, or acquire one from a third-party provider.
- Use spam filters to decrease the number of scam emails.
- Apply multi-factor authentication to prevent criminals from accessing your email.
- Create an action plan your employees can use in case of a successful phishing attack.
- Purchase antimalware software that protects your digital ecosystem from the most common types of malware.