Hacking Humans: How Social Engineering Works

Perry Carpenter, chief evangelist and security officer, KnowBe4

Humans have long experienced deception and manipulation since the biblical story of the first couple that fell victim to social engineering by a fabled snake that talked Eve into biting that forbidden fruit. While social engineering tactics have morphed considerably since then, the core concepts of deception and manipulation remain the same. Let’s understand how social engineering works and what it takes to hack someone today.

  1. Understanding The Target

Every con is designed around a target or set of targets. It’s never about the hackers themselves, what resources they have or what pretext they employ; it’s about what fits the mark. Attackers will begin a social engineering effort by asking themselves questions such as: Who is the target? How do we find them? What are we looking to achieve? What resources might be needed?

  2. Conducting Background Research

Just as a detective carries out physical surveillance, staking out the places the target is likely to be or frequently visits, most targeted attacks involve some background research on the victim. Attackers comb diligently through social media profiles, where targets freely share personal details; they gather data on the target’s social connections and business associates, learn their interests and browsing behavior, obtain their contact information and eventually dig up exploitable assets using open source intelligence (OSINT) techniques and tools.

  3. Creating A Pretext

Recall con artist Frank Abagnale (played by a young Leonardo DiCaprio in the film “Catch Me If You Can”), who convinced Pan Am staff that he was a licensed commercial pilot. A 2021 book, however, claims his stories were fabricated. Most attackers will fabricate a scenario to scam victims. Such scenarios can be anything from a discount offer or an investment opportunity to an urgent call to action such as the expiry of a service, a request to verify confidential information like a bank account, or an unexpected contact from a support team. Some attackers draw on general knowledge of human psychology to create convincing scenarios that trick victims into clicking a link, responding to a phishing email or opening a malware-laden file.

  4. Establishing Trust

Social engineering attacks are impossible to execute without a certain element of trust thrown into the mix. Threat actors will impersonate a contact the target knows, spoof a look-alike domain (e.g., “MICRO5OFT”), create a fraudulent website or copy well-known logos so that the fake appears identical to the real thing. In highly targeted attacks, threat actors will go to the extent of calling or texting the victim or patiently establishing a long-term relationship (a.k.a. romance scams) in hopes of winning trust and extracting confidential information.
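The “MICRO5OFT” look-alike above is the kind of thing a mail gateway or help-desk tool can flag automatically. The following is an added defender-side example, not code from the article or from KnowBe4: it folds common digit-for-letter swaps and measures edit distance against a hypothetical allow-list of trusted domains, so a sender that is one swap or one typo away from a brand you trust is reported as a look-alike rather than as unknown.

```python
# Added example (not from the article): flag sender domains that resemble a
# trusted brand domain. The trusted list, homoglyph table and sample
# addresses are all constructed for illustration.
import re

# Digits attackers commonly substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})

TRUSTED_DOMAINS = {"microsoft.com", "paypal.com"}  # hypothetical allow-list


def normalize(domain: str) -> str:
    """Lower-case, drop a leading 'www.' and fold digit-for-letter swaps."""
    return domain.lower().strip().removeprefix("www.").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small values mean visually close names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) for an e-mail address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid", None
    raw = m.group(1).lower()
    if raw in trusted:
        return "trusted", raw
    folded = normalize(raw)
    for t in trusted:
        # Exact match after folding (MICRO5OFT -> microsoft) or one edit away
        # (microsft). Raise the threshold only with care: it also raises
        # false positives on legitimately similar domains.
        if folded == normalize(t) or edit_distance(folded, normalize(t)) <= 1:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for addr in ["billing@MICRO5OFT.com", "hr@microsoft.com",
                 "it@microsft.com", "news@example.org"]:
        print(addr, "->", classify_sender(addr))
```

A real deployment would also compare against internationalized (punycode) forms and the organization’s own domains, which this example leaves out.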

  5. Exploiting Non-Cyber Routes to Social Engineering

Social engineering isn’t just about exploiting digital touchpoints such as social media, email, websites or online chat. There can be physical, emotional and psychological aspects as well. The physical side is an interesting one: if an attacker steals a laptop, gains physical access to the data center or installs a keylogger on the victim’s machine, it can make things much easier for them. Emotional and psychological triggers are obviously very common — scammers will frequently leverage emotions such as urgency, greed, fear, lust, etc., to compromise their targets.

How Can Organizations Tackle Social Engineering?

For better or worse, we humans are not machines that can be programmed. We’re complex, distracted creatures with self-possessed free wills. At times we’re just too preoccupied, tired, or careless. Sometimes the smartest person can fall victim to the stupidest hack. So how can organizations mitigate social engineering risks? Here is some practical advice that can help:

  • Train Staff Regularly: It is important to train your employees regularly on security do’s and don’ts as well as best practices. Just as muscles atrophy when you stop working out, 90% of employees forget online or classroom training within a month. This is why training must be reinforced regularly so that employees build strength and muscle memory.
  • Go Beyond Mundane Training: Instead of subjecting people to presentation slides, simulate phishing scams, run coaching sessions, games and contests that make it interesting, fun and engaging. This should help retain lessons learned while keeping the important job of security habits and behaviors front of mind.
  • Leverage Technology: Millions of spam and phishing emails hit organizations every week. It is important to have standard technical safeguards in place (anti-spam, firewalls, multi-factor authentication, threat detection, etc.) to limit how much malicious actors can pester employees. Ideally, technology should do most of the front-line work so that the volume of online scams reaching people is minimized.
  • Reduce Exposure And Vulnerabilities: Review all available public sources, underground forums and OSINT sources for any sensitive information about your organization or employees that shouldn’t be public, including things like building plans, login credentials, open ports and vulnerabilities.

Whatever new technologies are adopted, social engineering will evolve in parallel and find workarounds. Even as these security defenses mature, it will always be easier to hack a human than to hack a system. Weaknesses in software code are universal. What matters is for organizations to spread awareness of these risks and train users to think like hackers themselves: to pause and consider the legitimacy of online come-ons, offers too good to be true, and extraordinary or suspicious requests.

About the Author

Perry Carpenter is co-author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” (Wiley, 2022), his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4.

Email: perryc@knowbe4.com
Twitter: @PerryCarpenter
Linkedin: https://www.linkedin.com/in/perrycarpenter/