Examples of social engineering

We'll look at some examples of social engineering so you know what to look out for if you get a suspicious email or call.

06-12-2023 - 6 minute read. Posted in: awareness.


Social engineering is the main method hackers and cybercriminals use. It is a strategy that appeals to our emotions, whether excitement, fear or anxiety. Social engineering relies on:

  • Authority
  • Intimidation
  • Social acceptance
  • Scarcity
  • Time pressure
  • Positive evaluation

All six of these levers pressure us in one way or another to react to the email, message or phone call.

We often respond quickly to these messages, and hackers know this. That is why we should be wary of these types of emails, and stop and think about their contents and requests before we act on them.

Phishing is one of the most used methods to get into systems and devices. Below we highlight some examples of types of phishing, as well as the consequences of reacting to the requests and attachments in such messages.

Phishing Attacks

Phishing attacks are one of the more “traditional” ways in which social engineering is used. Cybercriminals hide behind an impersonation, imitating an authority, a colleague or an acquaintance of the victim.

Hackers do this to get sensitive information from their victims, which they can then use to access online banking and other valuable data. Cybercriminals often execute phishing attacks via email, where they can attach files and links that the victim is encouraged to click.

An example of a phishing attack that succeeded and had major consequences occurred in 2016, when John Podesta, Hillary Clinton’s campaign manager, became the victim of such an attack. This led to the leak of thousands of emails containing sensitive data.

Pretexting

A rather lengthy process hackers use in social engineering is pretexting. Here, the hacker creates a scenario and a persona, and communicates with the target over a longer period of time. Because the process is drawn out, the victim slowly lowers their guard and comes to trust the person they are communicating with. The persona can be an authority, an old friend or a customer support employee.

An example of this happened in 2014, when a hacker posing as a colleague contacted an employee of Verizon (an American wireless network operator). The hacker called customer support, claiming to have trouble resetting a customer’s security PIN.

The hacker eventually got the PIN reset, which gave them access to the customer’s account. This shows how little work it essentially takes a hacker to gain unauthorized access - they just have to be convincing and patient.

Baiting

Baiting is, as you might have guessed, a method where the hacker lures the victim into the phishing trap with some sort of bait. It can be anything from a free download to clickbait that tempts people into clicking on a link or article. Clickbait is often seen on news sites and on e.g. YouTube, where the creator persuades the viewer to click on a video with an eye-catching title and thumbnail.

Another example of baiting, one more malicious than a YouTube video, is a hacker leaving a USB stick somewhere in public. They might have disguised the drive with a company logo and a description of what it contains, such as “salary description” or “Planning model”. This entices curious passers-by, who then insert the USB drive into their device. And just like that, the hacker has baited a victim into installing malware on their device.

Quid pro quo

In quid pro quo attacks, the hackers offer something in return for information. For example, the hacker calls an employee while posing as IT support. They offer technical help, but the employee first has to hand over their login credentials - otherwise “IT support” cannot help them.

Hackers thus exploit people’s trust in others and their willingness to help. It is an easy way for hackers to get sensitive information and bypass security protocols.

Tailgating

Social engineering doesn’t just happen in the digital world. In tailgating, a hacker or criminal defeats the physical security of an organization by following authorized employees into restricted areas - either covertly, by slipping in behind them, or more openly, by posing as e.g. a mail carrier who needs access to the building, or simply by walking in alongside them while distracting them with a conversation.

An example of tailgating involving a fraudulent delivery driver happened in 2014. A man dressed as a delivery driver tailgated his way into a New Jersey pharmaceutical company, where he stole medications worth $70,000. This incident shows how easy it can be to tailgate, and how important it is to be cautious of any outsiders.

Watering hole attacks

The watering hole attack is inspired by nature’s predators that wait for their prey to gather at a watering hole - and then they attack.

The principle in the digital world is that a hacker compromises a website they know their target uses a lot. The hacker aims this attack at a specific group of people. They then wait for someone in the targeted group to visit the infected website, and once that person visits, they are infected with malware.

An example of a watering hole attack happened in 2015, when a Chinese hacker targeted Forbes.com. The hacker infected the website and exploited a vulnerability they had found in visitors’ browsers. Once a visitor clicked their way to the website, they were infected.

Impersonation attacks

Impersonation attacks are some of the most difficult attacks to recognize and spot. In this attack, the hacker impersonates a person or organization the victim trusts - this can be a colleague or a supervisor, but it can also be law enforcement or a healthcare provider.

In 2016, the CEO of an Austrian company, FACC (Fischer Advanced Composite Components), fell victim to an impersonation attack. He transferred more than €40 million to a fraudster posing as a top manager.

We may think it unbelievable that he would transfer that much money, but hackers can be very deceptive and convincing, and if the CEO never thought twice about whether the manager was genuine, then it is not that unbelievable that he would transfer the money.

In the light of social engineering

Social engineering continues to be a threat to our cybersecurity. It evolves and becomes trickier to identify and detect. Hackers exploit human psychology and our trust in other people. This emphasizes the need for vigilance and for educating ourselves about the threats we face every day.

We suggest you stay updated on the newest threats and trends in the cyber landscape. We can learn from past mistakes and use that knowledge to improve our cybersecurity and defenses.

Social engineering is a tricky and sneaky way for criminals to lure us into their traps. We don’t want to be the animals gathered at the watering hole, or the fish lured in by phishing bait. So, let’s stay ahead of the game and secure our files, devices and information so they don’t end up in the wrong hands.

Author Caroline Preisler


Caroline is a copywriter at Moxso alongside her studies. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - elements she incorporates into the copywriting work she does at Moxso.
