Social engineering exploits the weakest link in the security chain, the human workforce, to gain access to corporate networks. Attackers use increasingly sophisticated trickery and emotional manipulation to get employees, even senior staff, to surrender sensitive information. This article covers the stages of a social engineering attack, the top social engineering threats as ranked by the InfoSec Institute, and best practices for defending against them.
In this article you will learn about:
- Social engineering attack stages
- Top 5 social engineering techniques
- Some other common techniques
- How to prevent social engineering attacks
What is social engineering? Stages of an attack
Social engineering is an attempt by attackers to fool or manipulate humans into giving up access, credentials, banking details, or other sensitive information.
Social engineering occurs in three stages:
- Research—the attacker performs reconnaissance on the target to gather information like organizational structure, roles, behaviors, and things that target individuals may respond to. Attackers can collect data via company websites, social media profiles and even in-person visits.
- Planning—using the information they gathered, the attacker selects their mode of attack and designs the strategy and specific messages they will use to exploit the target individuals’ weaknesses.
- Execution—the attacker carries out the attack, usually by sending a message over email or another online channel. In some forms of social engineering the attacker interacts with the victim directly; in others the kill chain is automated, typically triggered by the user clicking a link that takes them to a malicious website or executes malicious code.
Top 5 social engineering techniques
According to the InfoSec Institute, the following five techniques are among the most commonly used social engineering attacks.
1. Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages get a victim’s attention and call to action by arousing curiosity, asking for help, or pulling other emotional triggers. They often use logos, images or text styles to spoof an organization’s identity, making it seem that the message originates from a work colleague, the victim’s bank, or other official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they don’t surrender sensitive information quickly.
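The traits described above (spoofed sender identity, links that do not go where they appear to, urgency language) can be checked mechanically. The following script is an added example, not code from the original article: it parses a raw email with Python's standard library and reports heuristic indicators. The organization domain `example.com`, the urgency phrase list and the sample message are assumptions constructed for illustration.

```python
"""Heuristic phishing-indicator scan over a raw email message.

Added example, not code from the original article. ORG_DOMAIN, the urgency
phrase list and the sample message are assumptions constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the defending organization's mail domain
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent", "verify your account")

# Constructed sample: an external sender posing as the internal helpdesk.
SAMPLE = """\
From: "helpdesk@example.com" <support@example-helpdesk.net>
Reply-To: recovery@mail-relay-service.org
To: alice@example.com
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. To avoid suspension, verify your account
immediately at <a href="http://example.com.login-verify.net/reset">https://portal.example.com/reset</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _mail_domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def find_indicators(raw):
    """Return a list of (code, detail) tuples for suspicious traits of the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    sender = msg["From"].addresses[0]
    from_dom = _mail_domain(sender.addr_spec)

    # 1. Display name contains an address whose domain differs from the real sender.
    m = re.search(r"[\w.+-]+@([\w.-]+)", sender.display_name)
    if m and m.group(1).lower() != from_dom:
        found.append(("display-name-mismatch", f"{sender.display_name!r} sent from {from_dom}"))

    # 2. Replies are routed to a domain other than the sender's.
    reply_to = msg["Reply-To"]
    if reply_to and _mail_domain(reply_to.addresses[0].addr_spec) != from_dom:
        found.append(("reply-to-mismatch", reply_to.addresses[0].addr_spec))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    collector = _AnchorCollector()
    collector.feed(body)
    org_label = ORG_DOMAIN.split(".")[0]
    for href, text in collector.anchors:
        href_host = _host(href)
        # 3. Link text that looks like a URL but points somewhere else.
        if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+", text) and _host(text) != href_host:
            found.append(("link-text-mismatch", f"text {text} -> href {href}"))
        # 4. Host mimics the organization's domain without being under it.
        if href_host != ORG_DOMAIN and not href_host.endswith("." + ORG_DOMAIN) and org_label in href_host:
            found.append(("lookalike-domain", href_host))

    # 5. Urgency language in subject or body.
    text = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        found.append(("urgency", ", ".join(hits)))
    return found


if __name__ == "__main__":
    for code, detail in find_indicators(SAMPLE):
        print(f"{code:22} {detail}")
```

Run against the sample, the scan reports all five indicators. None of these checks is conclusive on its own (legitimate mail from a ticketing system often sets a different Reply-To, and newsletters commonly wrap links through a tracking host), so in practice they feed a score or a gateway rule rather than an automatic block.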
2. Watering hole
A watering hole attack serves malicious code from a legitimate website that the intended targets are known to visit. For example, attackers might compromise a financial industry news site, knowing that people who work in finance, an attractive target, are likely to visit it. The compromised site typically delivers a backdoor trojan that lets the attacker compromise and remotely control the victim's device.
Watering hole attacks are often carried out by skilled attackers, sometimes armed with a zero-day exploit; they may wait months before launching the attack to preserve the value of that exploit. Not every watering hole needs an exploit, though: many simply prompt visitors to install a fake update or plugin. In some cases the attack targets vulnerable software used by the audience directly, rather than a website they visit.
3. Whaling attack
Whaling is a form of spear phishing, the targeted variant of phishing, aimed at specific individuals with privileged access to systems or to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A whaling attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee or manager of the target, requiring urgent intervention from the victim.
4. Pretexting
In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pose as an external IT service provider and request a user's account details and password to "help" with a problem. Or they might pose as the victim's financial institution and ask them to confirm their bank account number or online banking credentials.
5. Baiting and quid pro quo attacks
In a baiting attack, attackers offer something the victim believes to be useful: a supposed software update that is in fact a malicious file, an infected USB drive left where it will be found with a label suggesting it holds valuable data, and similar lures.
A quid pro quo attack is similar to baiting, but instead of offering something of value, the attackers promise to perform a service for the victim that requires an action from the victim in exchange. For example, an attacker may call random extensions at a company claiming to be returning a technical support call. When they reach someone who actually has a support issue, they pretend to help but instruct the victim to perform actions that compromise their machine.
Other social engineering attacks
The following are additional variants of social engineering that can endanger your systems and sensitive data:
- Vishing—voice phishing is similar to phishing but is performed by calling victims over the phone.
- Scareware—displays notices on a user’s device that trick them into thinking they have a malware infection and need to install software (the attacker’s malware) to clean their system.
- Diversion theft—diverts a messenger or delivery person to the wrong location, and takes their place to pick up a sensitive package.
- Honey trap—an attacker pretends to be an attractive person and fakes an online relationship, in order to get sensitive information from their victim.
- Tailgating—an attacker walks into a secure facility by following someone with authorized access, asking them to “just hold the door” for them so they can also enter.
Social engineering prevention
The following measures can help preempt and prevent social engineering attacks against your organization.
Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may simply not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Conducting and continually refreshing awareness training is the first line of defense against social engineering.
Antivirus and endpoint security tools
The basic measure is installing antivirus and other endpoint protection on user devices. Email security gateways and modern endpoint protection tools can identify and block obvious phishing messages, as well as messages that link to websites or IP addresses listed in threat intelligence feeds. They can also intercept and block malicious processes as they execute on a user's device.
Penetration testing
There are countless creative ways of penetrating an organization's defenses with social engineering. By engaging an ethical hacker to conduct penetration testing, you let someone with an attacker's skillset identify and try to exploit weaknesses in your organization. When a penetration test succeeds in compromising sensitive systems, it shows which employees or systems you need to focus on protecting and which social engineering methods you are especially susceptible to.
SIEM and UEBA
Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.
For example, the Exabeam Security Management Platform is a next-generation security information and event management (SIEM) system powered by user and entity behavior analytics (UEBA). Exabeam collects security events and logs from across your organization, uses UEBA to establish what normal behavior looks like, and alerts you when suspicious activity occurs. Whether it is a user clicking through to an unusual web destination or a malicious process executing on a user's device, UEBA can help you identify social engineering attacks as they happen and react rapidly with automated incident response playbooks to prevent damage.
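To make the "baseline normal behavior, alert on deviations" idea concrete, here is an added example that is not Exabeam's code or model. It builds per-user and organization-wide sets of web destinations from a training window of proxy logs, then scores later events by how unusual the destination and time are. The log format, the baseline window, business hours and the scoring weights are assumptions, and the log lines are constructed.

```python
"""Toy UEBA-style baseline over web proxy logs.

Added example, not Exabeam's code or UEBA model. The log format, the baseline
window, business hours and the scoring weights are assumptions, and the log
lines are constructed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed proxy log: ISO timestamp, user, destination host.
LOGS = """\
2024-03-01T09:12:03 alice intranet.example.com
2024-03-01T09:15:41 alice mail.example.com
2024-03-01T10:02:17 bob intranet.example.com
2024-03-01T10:05:00 bob news.example.org
2024-03-02T09:30:12 alice news.example.org
2024-03-02T11:45:09 bob mail.example.com
2024-03-03T09:01:55 alice intranet.example.com
2024-03-08T09:20:31 alice intranet.example.com
2024-03-08T09:21:02 alice news.example.org
2024-03-08T09:23:48 alice example.com.login-verify.net
2024-03-08T10:10:33 bob mail.example.com
2024-03-08T10:12:05 bob news.example.org
2024-03-08T21:47:19 bob cdn.example.net
"""

BASELINE_END = datetime(2024, 3, 4)   # events before this train the baseline (assumed window)
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local, Monday to Friday (assumed)
ALERT_THRESHOLD = 3                    # assumed: score at which an alert is raised

Event = namedtuple("Event", "ts user host")
Alert = namedtuple("Alert", "ts user host score reasons")


def parse(log_text):
    """Turn the three-column log into Event tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host.lower()))
    return events


def build_baseline(events):
    """Per-user and organization-wide sets of hosts seen during the training window."""
    per_user = defaultdict(set)
    org = set()
    for ev in events:
        if ev.ts < BASELINE_END:
            per_user[ev.user].add(ev.host)
            org.add(ev.host)
    return per_user, org


def score(ev, per_user, org):
    """Score one event against the baseline; returns (points, reasons)."""
    reasons = []
    points = 0
    if ev.host not in per_user[ev.user]:
        points += 1
        reasons.append("new destination for user")
    if ev.host not in org:
        points += 2
        reasons.append("never seen anywhere in the organization")
    if ev.ts.weekday() >= 5 or ev.ts.hour not in BUSINESS_HOURS:
        points += 1
        reasons.append("outside business hours")
    return points, reasons


def detect(log_text):
    """Return alerts for post-baseline events whose score reaches the threshold."""
    events = parse(log_text)
    per_user, org = build_baseline(events)
    alerts = []
    for ev in events:
        if ev.ts < BASELINE_END:
            continue
        points, reasons = score(ev, per_user, org)
        if points >= ALERT_THRESHOLD:
            alerts.append(Alert(ev.ts, ev.user, ev.host, points, reasons))
        # Fold the event into the baseline so a repeat visit is not alerted again.
        per_user[ev.user].add(ev.host)
        org.add(ev.host)
    return alerts


if __name__ == "__main__":
    for a in detect(LOGS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:6} {a.host:32} score={a.score} ({'; '.join(a.reasons)})")
```

On the constructed log this raises two alerts: alice's visit to a look-alike login domain nobody in the organization has seen before, and bob's after-hours connection to a host that is new for everyone. Note the caveat built into the loop: every scored event is folded back into the baseline, so an attacker's first visit silences later ones. A production system keeps a quarantine period or an analyst verdict before a destination becomes "normal", which is exactly the baseline poisoning a UEBA deployment has to guard against.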