Over the years, hackers have turned away from trying to break through firewalls in favor of a much broader and accessible attack vector: the human element. Social engineering is the exploitation of human psychology in an attempt to gain access to privileged systems or information. Hackers understand that just one human error is all it takes to breach an entire enterprise system, and have scaled their efforts accordingly.
In this blog, we’ll be defining and providing examples of some of the most common forms of social engineering:
- Pretexting
- Phishing
- Baiting
- Scareware
By the end, you should know what each of these social engineering tactics are, what you should be looking out for, and how you can begin to future-proof your organization against these threats.
What is Pretexting?
According to the Verizon 2023 DBIR, 50% of all social engineering attacks are pretexting incidents. Pretexting uses a fabricated scenario, or “pretext”, to manipulate generally well-meaning people into giving away information that they otherwise wouldn’t.
The pretext is almost always contrived as an out-of-the-ordinary, urgent request. The hacker might masquerade as the victim’s boss asking for login credentials while they’re in an important meeting, or as a service provider asking for billing information. Power dynamics are often at play, and the unsuspecting victim may be led to believe that there will be catastrophic consequences if they don’t fulfill the request in a timely manner.
A major distinction between pretexting and other forms of social engineering is its hyper-targeted nature. Hackers do extensive research on their targets and scour the internet for intel that will make their pretext as believable as possible. This might involve spoofing the email address or phone number of their target’s coworkers, or learning personal details about their target to make small talk before the request for information.
The hyper-personalized nature of pretexting makes it a particularly effective form of social engineering. Precisely because it manipulates their psychology so carefully, users must be diligent in learning how to spot the warning signs.
What is Phishing?
Phishing is as old as email itself, and with over 3.4 billion phishing emails sent a day, it is a favored social engineering tactic for hackers across the globe.
There’s a lot of overlap between phishing and pretexting, the main commonality being the use of impersonation to elicit sensitive information or a click leading to malware. Although specific subcategories like spear phishing employ the hyper-targeted methods of pretexting, phishing at large is a volume play.
In most cases, identical (or near identical) messages are sent out en masse to different companies. And while these scams may be easier to recognize than more tailored forms of social engineering, the average click rate for a phishing campaign was still 17.8% in 2021.
What is Baiting?
Baiting is the act of enticing an individual with a seemingly legitimate link or download that actually leads to malware. In most cases, hackers are preying on a victim’s greed or curiosity—whether it be a fake promotional deal or just a particularly captivating call-to-action.
Baiting isn’t limited to the digital realm, however. It’s not uncommon for hackers to enter an office building or public space and leave behind a flash drive containing malware. The flash drive may be branded with a company’s logo, or it could appear rather ambiguous. In both cases, the hacker is making a bet on someone being curious enough to plug the drive into their computer.
One of the most infamous examples of baiting since the inception of the Internet Age was the Love Bug of 2000. At the time, email had only been widely used by the public for a few years. So when a simple message, “Kindly check the attached LOVELETTER coming from me,” was sent to hopeful romantics across the globe, it yielded catastrophic results. Users that clicked on the attached .txt file would quickly realize they had opened their computer to a virus that damaged their local device and then proliferated by sending the same message to everyone in their contacts. This combination of phishing and baiting, novel for the time, is estimated to have affected up to 45 million Windows PCs. Our founder, Robert Fly, has some hair-raising stories to share from his time in the trenches fighting this one.
Unfortunately, it seems the Love Bug was a mere introduction to the kinds of malicious activity users would experience for years to come.
What is Scareware?
You’ve probably seen it a thousand times. “Your computer is infected with viruses!” “Warning! Your computer is at risk.” Scareware exploits victims’ lack of technical knowledge and, ironically, their fear of social engineering attacks.
Scareware often shows up in the form of pop-ups that may appear to be advertisements for legitimate virus protection software. For example, a years-long scareware scam has used a logo identical to that of McAfee, a leading virus protection vendor, to hustle millions of people out of their money.
What makes scareware particularly insidious is that it can even be encountered on trusted sites. In 2018, one of the largest newspapers in the United States hosted an ad that led users to a malware-infected site that slowed down their devices. The users were then bombarded with pop-ups that promised to fix the virus for $50.
The more success scareware perpetrators yield, the more they’ll continue to fund these scams.
How to Combat Social Engineering: Engaging the Human Element
At Elevate Security, a single discovery laid the foundation for all of the work we do to help organizations protect their people against social engineering:
8% of users cause 80% of security incidents.
If it’s just a small minority of people who are the most vulnerable to these attacks, why do we still treat the entire organization the same when it comes to security and prevention?
Hackers realize that if they can just launch enough attacks, a few of them will slip through the cracks. Given that we will never eliminate the hackers, and that no amount of wholesale protection will fill all the gaps, the logical answer is to focus our efforts on the 8% of individuals that need the most protection.
Enter Elevate Engage: our platform for delivering right-touch responses to your most at-risk employees in real time.
Elevate ingests and analyzes signals and data from across your enterprise to identify the most vulnerable. With deeper insights into your workforce at a 1:1 level, you can then automate specific individualized protections for each person in your organization. Some may need specialized training, real-time feedback, nudges and reminders. Others may need stronger controls on identification, access, data protection, and more. All of this is possible when you have isolated the risk factors and can address and measure them specifically.
Final Thoughts
Hackers know that social engineering is an effective method for identifying and exploiting the most vulnerable people in any organization. We must be just as diligent in identifying and protecting those individuals.
If you want to continue learning how to future-proof your organization against the cybersecurity threats of today, download the 2023 CISO Survival Guide to Emerging Trends From the Startup Ecosystem (peek Elevate on page 8)!