Social engineering is a term used for a wide variety of activities used by threat actors to manipulate or trick end users into bypassing security controls or providing sensitive information (such as login credentials) —that they then use to obtain unauthorised access to the systems they target.
It’s not a new threat. It’s been around forever. Why? Because it works. Threat actors have found that manipulating humans into providing the access they seek is one of the surest ways of obtaining it. This is because people are vulnerable to exploitation – always have been – always will be.
Human beings using the systems are in fact, far easier for threat actors to exploit than any technical vulnerabilities that may be associated with those systems. While we are all very different, we are social animals programmed by society to be polite and believe what we are told. We help others when they are in need. We open doors for mothers with prams and help the elderly cross busy streets or put their luggage in the overhead compartments. Our parents taught us to do so, and we teach our children the same. It might as well be in our DNA.
This very human attribute makes us vulnerable to exploitation — always has. In designing controls to counter cyber threats to our business systems, social engineering is also a threat worth addressing. It is the defining threat. The threat to your users.
To begin to adequately address this threat, you need to understand the four basic tactics or principles on which all social engineering attacks are based. Yes, I said all.
Threat actors will seek to manipulate end-users into circumventing controls or inadvertently providing sensitive data by establishing and exploiting relationships of either: “Trust”, “Authority”, “Intimidation” or “Scarcity”.
These are known as the four principles of social engineering and all attacks can be attributed to the use of one or more of their attributes. Understanding these attributes and training your staff on how to spot them is the key to thwarting them. Let’s look at them one by one.
The definition of trust is “the firm belief in the reliability, truth, or ability of someone or something”. Trusting someone or something provides a sense of surety, safety and security. But more importantly, when we place our trust in someone or something, we innately expect it to be returned in kind – not misused. Certainly not exploited for advantage. This is of course, exactly why attackers use it. Face value trust is the premise of most social engineering attacks. It’s inherent in phishing and spear phishing attacks.
The definition of authority is “the power or right to give orders, make decisions, and enforce obedience”. Having authority over someone is equal to having control over someone. A person of authority is a person of control and confidence. A “confidence man” or “con man”. We are raised to respect and comply with the authority and not question it. Disregarding authority implies punishment. This is basically like saying “do it because I have authority over you, and I say so or it may result in harm to you”. Therefore, it’s a perfect and powerful tool for manipulating someone. This is why social engineering attacks based on the premise of authority – like whaling – are so successful.
To intimidate means to “make timid, threaten or frighten someone to compel them to behave in a certain way”. This is a simple, straightforward, and effective strategy practiced by bullies in playgrounds across the world. Threat actors employ methods of intimidation to sway users into taking specific actions. Authority is implied but not necessary. It’s like saying “do this or something bad will happen to you”. Nobody wants anything bad to happen to them, so it naturally produces results. This can be accomplished through social engineering attacks based on continual harassment or impersonation like vishing or pretexting.
And finally, there is the social engineering tactic of “scarcity”. When something is in limited supply, there is a natural inclination by people to act quickly to obtain it before it’s no longer available to us. Accelerating their decision processing or bypassing common sense so as not to lose the opportunity. Foolish? Of course. But to imply scarcity is an extremely effective way to manipulate someone into doing something they normally would not do. Just ask the marketing industry who have learned the power of the words “act now while supplies last! Threat actors use this tactic to pressure victims to respond immediately lest they miss an opportunity in attacks like quid pro quo.
If you understand the drivers of social engineering attacks, you can then educate your users on how to be discerning and recognise if these tactics are behind attacks. Need help getting started with testing your staff to gain insight into your awareness programme? Risk Crew offers Social Engineering Testing that simulates real-world attacks and results in a comprehensive report that details security vulnerabilities identified and provides specific actions for remediation, a courtesy workshop and on-call assistance.