Cybersecurity

Social engineering in Security

The term “social engineering” (also psychotechnics) is now used in a broad context. It primarily refers to psychological manipulation and the abuse of certain techniques in order to trick a person into making particular decisions and taking particular actions. Kamil Mazur, Information Security Specialist at ERGO Technology and Services S.A., points out six rules that can protect you from social engineering.

This article focuses on the use of social engineering for various types of cyberattacks. How do attackers use social engineering? How can you protect yourself against this and what should you look out for? These questions are answered below.


Social engineering scams

One of the most well-known hackers who is famous for his use of social engineering is Kevin D. Mitnick, who aptly stated in the title of his book – “I broke people, not passwords.” There is no doubt, therefore, that skillfully used social engineering significantly increases the chances of a successful attack.

Before we move on to discuss the various methods of attack, let’s take a closer look at the types of technique used. The most popular social engineering scams boil down to:

  • Phishing
  • Vishing
  • Pretexting
  • Fake news

Phishing is one of the most widely used weapons of cybercriminals. It owes its popularity primarily to the COVID-19 pandemic, which drove our lives online more than anything before: consider the spread of remote or hybrid work, online shopping and e-government services.

With this in mind, it can be concluded that the more potential victims there are, the more types of scam there will be. Classic phishing is usually not personalized in any way and is simply sent in bulk as an email or a text message. Phishing poses many threats, such as credential or identity theft and device infection. Sometimes phishing itself is just the preliminary phase of a larger and more organized attack on a company. Spear-phishing relies on a more advanced technique and usually targets a specific person. The attack is planned in detail and aimed at the victim’s weaknesses, which makes it even more difficult to prevent.

Similar mechanisms are used in vishing, which covers all kinds of voice calls, most often telephone calls. In all these cases, social engineering is used to defraud. The criminals often follow well-known fraudulent schemes and scenarios, e.g. they impersonate a banker or a police officer. Their objective is to exert pressure and force the potential victim to act without thinking. This combination is usually a fast track to bad decision-making – by the time the victim realizes they have made a mistake (such as transferring their savings to an unknown account), it may be too late to reverse it.

Another form of social engineering that is typically used to steal data is pretexting. As the name suggests, the attacker uses a pretext or a made-up scenario to gather sensitive data and information. An example would be a phone call from some well-known institution. The person on the other end relies on their supposed authority. They claim to have a “very important” message for us, but before they share it, they want to verify our identity – for the sake of our safety, of course. Practice shows that the opposite is true. In most cases, the victim will be interested in the message, especially if the caller is impersonating a trustworthy institution. Unfortunately, the message does not exist, and the attacker walks away with our personal or other sensitive data, which can easily be used for further attacks and scams.

When discussing social engineering, it is also worth noting fake news. Keep in mind that false information alone does not necessarily constitute an attack. Nevertheless, it may facilitate the actual attack – phishing, for example. Fake news alone, used on a mass scale, can do a lot of damage and influence the behaviour of the public, which fulfils the premise of ideal social engineering. This is perfectly illustrated by the misinformation related to the current Russian-Ukrainian war. We are observing a spread of fake news whose main purpose is to cause panic among the public or, in many cases, to draw visitors to fake news sites in order to steal their credentials.

6 rules that can protect you from social engineering

Despite the wide range of cyberattacks that use social engineering, we can effectively defend ourselves against them. All we need to do is develop a few habits that will help us recognize the scams described above. If you have any suspicions, remember to follow these steps.

  1. Stop for a moment – keep a cool head.

    Many social engineering methods are based on time-pressured actions. Attackers may convince their victim that the situation is urgent, and when decisions are made in haste, the consequences are not considered. Do not get carried away if someone pressures you in this way, for example by asking you to bypass certain procedures – it is highly probable that you are dealing with a cybercriminal.
  2. Beware of things that are too good to be true.

    Have you just received information about a major lottery win, but you do not recall participating in it? Think twice before you disclose any data. Everyone would like to win something, but even if you actually do, it is a good idea to verify all the information before you claim your prize. Similar scams can be executed in hundreds of ways, often involving classic phishing emails. The most common examples include news of a generous inheritance from a distant relative from abroad or investment advice through which you will actually lose money.
  3. Pay attention to links and attachments.

    We all know this: links were created to be clicked on. However, you should always double-check whether they will take you where you expect. Hover your mouse over the link before you click to see if a suspicious site is hiding behind it. The same goes for attachments – open them only if you are sure of the sender. If you receive an email with an attachment from an unknown address, treat it with extreme caution and open it only if you need to and you are sure it was addressed to you for a specific purpose.
  4. Should you have any doubts, report your suspicions to the appropriate security department.

    Not all of us will be experts in social engineering, and even highly experienced professionals fall victim to online scams. Sometimes, you just cannot be sure. Therefore, you should report your suspicions to the relevant security department. There is nothing to be ashamed of; remember that by taking an action you can also protect others from attempted attacks.
  5. Use external media wisely and do not install third-party software on your device.

    Found a drive or flash drive near your office? Curiosity tells you to check its contents, but safety suggests the opposite! Such media are often left behind deliberately – they may contain a script that encrypts your disk, or simply destroy your device. Never connect them to your computer. Remember that there is plenty of malware on the Internet, so if you need additional programs, ask your company for approval.
  6. Do not be afraid to ask and verify the information you receive with alternative sources.

    Every day, we make many business and personal contacts by phone and over the Internet, and in fact we cannot see who is on the other side trying to get in touch with us. If anything has raised your suspicions, contact the person or institution through another channel to confirm that you are really talking to the right party.
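The hover check from rule 3 can also be automated for a saved HTML message. The following is an added example, not code from the article or its author: it lists every link whose clickable text shows one web address while the real href points at a different host, and also flags links using non-web schemes. The sample message body and all domains in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a URL or bare domain inside the clickable text.
_URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def _host(url):
    # Lowercase host of a URL or bare domain, without a leading "www.".
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_suspicious_links(html):
    """Return (href, text, reason) for links that do not lead where they claim."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme = urlparse(href).scheme.lower()
        if scheme and scheme not in ("http", "https", "mailto"):
            findings.append((href, text, "unexpected scheme " + scheme))
            continue
        shown = _URL_IN_TEXT.search(text)
        if shown and _host(shown.group(1)) != _host(href):
            findings.append((href, text, "displayed address differs from target"))
    return findings

# Constructed sample message body, not a real email.
SAMPLE = ('<p>Track your parcel at <a href="http://login.example-tracking.test/verify">https://www.example-post.test/track</a>'
          ' or read our <a href="https://www.example-post.test/help">help page</a>.</p>')
```

Running `find_suspicious_links(SAMPLE)` reports only the first link, whose visible address and real target host disagree; the plain-text "help page" link is left alone because its text makes no claim about where it goes.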

Summary

The list of scams and social engineering techniques presented above is certainly not exhaustive. Remember that attacks can be carried out in hundreds of ways, and more of them are being created every day. Social engineering is, has been, and will continue to be an effective weapon in the hands of cybercriminals. Much depends on the technical skills of the attacker, but the skillful use of psychological tricks, the art of manipulation and the careful selection of a potential victim are certainly just as important. Of course, we must not panic and be suspicious of everyone around us, but there is no doubt that knowledge of basic social engineering methods is a necessity in today’s work environment as well as in private life.

Text: Kamil Mazur, Information Security Specialist at ERGO Technology and Services S.A.