October is Cyber Security Awareness month, so we’re focussing on a frequently seen threat, social engineering. During my time as a Detective Sergeant leading the Dorset Police Cyber Crime Team, social engineering attacks became one of the most common offences. So, based on my experiences, let’s look at what they are, how they work, and what you can do to guard against them.
What is social engineering and why should I care?
Social engineering involves an attacker using various methods to manipulate a person into doing what the attacker wants them to do. Social engineers leverage key principles to successfully achieve their aim. These principles include:
- Authority – This relies on the fact that most people will take instruction from someone who appears to be in charge
- Intimidation – Scaring or bullying an individual
- Consensus – People will often want to do what others are doing
- Scarcity – Making something appear more desirable because it may be the last one
- Familiarity – The recipient likes the individual or organisation the social engineer is claiming to be
- Trust – The Social engineer builds a relationship with the target
- Urgency – Creating the feeling that action must be taken immediately
Each of these principles will trigger an emotional response in the recipient, this is what the attacker relies on. When we react emotionally, we are not thinking clearly.
Social engineering is the cyber criminal’s go-to tool for achieving their aims. This could be stealing data, money or your identity. The final victim of the attack may not even be the person that is socially engineered, the victim could be their employer or even a loved one.
The impacts of this can be significant, whether it is a big financial loss, reputational damage or even the psychological stress caused. In a worst-case scenario, this could lead to a business closing down or an individual coming to harm.
Want to protect your business but not sure where to start? Check out our free guide to protecting your business on a budget.
How big a problem is social engineering?
The stats don’t lie! Social engineering is a significant problem.
According to the Cyber Security Breaches Survey 2023, phishing (a form of social engineering) is by far the most common type of cyber attack. A staggering 79% of businesses and 83% of charities reported being targeted by phishing attacks in the last 12 months. In fact, the problem is so widespread that the average organisation is targeted by over 700 social engineering attacks each year. And some 98% of cyberattacks involve a form of social engineering.
Nor is the problem confined to the well-heeled. Social engineering attacks are 350% more common for employees of small businesses than at larger enterprises.
What are the most common types of Social Engineering?
As discussed previously, there are many types of social engineering. This includes phishing, pretexting, tailgating, baiting, watering hole attacks and many more. Understanding the many forms of social engineering will help you defend against them.
The most widely recognised form of social engineering is Phishing. Phishing is most commonly launched via email but can be conducted through SMS (Smishing) or a phone call (Vishing).
A phishing email will present itself in your inbox and on the surface appear to be a genuine email. However, the email will be from an attacker and may contain malicious attachments or links. These could be used to take some form of control over your computer or to redirect you to a spoof website in which you input your credentials, allowing the attacker to steal them.
Pretexting is another commonly used social engineering technique. In this attack, the social engineer will use a fictional scenario to justify why they are contacting you. Once contact has been made, the social engineer will try to obtain information from you.
For example, the attacker could pose as the IT help desk, calling you to help with a reported issue with your computer, gaining your trust and offering to connect to your computer to quickly resolve the problem remotely. If successful, the attacker could then exploit this access to your computer.
Tailgating is slightly different. These attacks are aimed at physical, rather than digital, entry into your business. Usually, the social engineer would follow you as you opened and walked through a secure entry, thus allowing them access too.
This scenario is one that we have all faced. You use your keycard to open the office door, as you walk through someone runs up behind you and you feel obliged to hold the door for them. It may be that you see someone approaching the door carrying a heavy box. Although this sounds like something we would never do, our emotions and initial reaction to want to help people who are in a situation that we have all been in prompts us to take action and hold that door open.
Social engineering in the real world: a dating disaster
Having worked in law enforcement for 15 years, I have investigated hundreds of crimes.
One case I investigated was the takeover of a business and subsequent fraudulent transactions over 48 hours. This all started with social engineering.
In this case, a business owner had signed up for a dating website. The business owner began chatting to someone via instant messages on the site, there was nothing unusual about this. The conversation was going well and the pair discussed their likes and dislikes. The conversation moved to star signs and the victim revealed their date and place of birth. Again, this was all within the context of the conversation and appeared quite normal. However, things were not as they seemed.
Romance turns to horror
Unbeknownst to the victim, the social engineer had struck gold. A quick Google search of the victim’s name revealed his business website, including his mobile phone number.
This information was used to contact his mobile phone provider and port his mobile number to the social engineer’s sim card. The victim’s phone was no longer receiving text messages or calls, as they were being sent to a phone that the social engineer controlled.
But it didn’t stop there, using the victim’s personal details and phone number the social engineer proceeded to take control of the business’s website and email address, ultimately taking out a loan in the business owner’s name. Within 48 hours the victim had lost control of his business and owed the bank thousands of pounds. He only realised something was up when he couldn’t use his phone.
Fortunately, he was able to recover his phone number and some of the money was recovered. However, this took weeks to rectify and the time, stress and effort he put into getting back to square one is not to be overlooked.
How to recognise social engineering attacks
We are all very busy, the digital world is always available to us, whether we are sitting at our desks or in the back of a taxi using our phones. The next meeting or deadline is always within touching distance. Because of this, we may not always have our full attention focused on how we respond to the many interactions we have within our day.
Here are three strategies to be used to help recognise social engineering attacks:
1. Trust Your Instincts
If something feels off or too good to be true, it probably is. Trust your gut feelings when you encounter suspicious requests or situations.
2. Be wary of your emotions
Social engineers want to trigger an emotional response to encourage you to make a quick decision. Take a step back and consider whether the situation truly requires immediate action.
3. Verify unusual requests
If you receive unusual requests, such as transferring money, providing access to a building, or sharing sensitive data, independently verify the request through a trusted and known communication channel.
How to protect yourself
The threat will always be there and, as we have seen, it can take many forms. Here are three simple measures that can we put in place both at work and in our personal lives to help counteract the threat.
Whenever possible, enable multi-factor authentication (MFA) on your accounts. Even if an attacker obtains your password, they won’t be able to access your accounts without the second factor.
Don’t share too much on social media
Be cautious about sharing personal information on social media platforms. As we saw in the case study, attackers will use information gleaned to craft convincing social engineering attacks.
Education and training
Regular security awareness training for everyone is vital. Proofpoint found that only 56% of organisations with a security awareness program train their entire workforce. We lock all our doors and windows at night, and we should train everybody to ensure common social engineering tactics are recognised and stopped before they can harm us.
Looking to protect your business on a budget without sacrificing security? Read our guide to find out how.