What Is a Social Engineering Attack?
A social engineering attack is a cyberattack that relies on the manipulation of human behavior. Social engineering attacks do not rely on technological capabilities, although they are often the first stage of a more sophisticated cyberattack.
Social engineering attacks are of great concern to cybersecurity professionals because, no matter how strong the security stack is and how well-honed the policies are, a user who has been fooled by this type of attack can give their legitimate credentials to a malicious actor and never even realize it. Once inside, the malicious actor can use those stolen credentials to masquerade as the legitimate user, thereby gaining the ability to move laterally, learn which defenses are in place, install backdoors, conduct identity theft and — of course — steal data.
2021 CrowdStrike Global Threat Report
Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.Download Now
Why Do Social Engineering Attacks Work?
Social engineering attacks work because humans can be compelled to act by powerful motivations, such as money, love, and fear. Adversaries play on these characteristics by offering false opportunities to fulfill those desires. The least sophisticated social engineering attacks are a numbers game: offer enough people the chance to acquire a few million dollars and a few will always respond. However, these attacks can often be quite sophisticated, and even a highly suspicious person can be fooled.
A malicious actor may spend a great deal of time — months or even years — learning about a victim by observing their social media, researching them on private databases, and even making physical visits to the victim’s environs. In one case CrowdStrike worked on, the attacker rented office space near the victim in order to learn more about the victim’s activities.
With enough information, the malicious actor can craft an attack that is likely to succeed. No one should consider themselves impervious to a social engineering attack: if the malicious actor has arranged the right set of circumstances, gathered the right information, and created the right supporting documents, they can fool anyone.
How Does a Social Engineering Attack Work?
A social engineering attack may be conducted by email, social media, phone, or in person. However, no matter the channel through which the attack is conducted, the methods are consistent. The attacker will pose as an individual with a legitimate need for information such as an IT worker who needs a person to “verify their login credentials,” or a new employee who urgently needs an access token but doesn’t know the proper procedure to acquire one.
Or threat actors may pretend to be an authority figure, such as a law enforcement professional who requires sensitive information in the course of an investigation, or a company executive who urgently needs a large sum of money transferred to a third party in order to meet a payment deadline.
Social engineering attacks typically follow these simple steps:
- Research: The attacker identifies victims and chooses a method of attack
- Engage: The attacker makes contact and begins the process of establishing trust
- Attack: The attack commences and the attacker collects the payload
- The Getaway: The attacker covers their tracks and concludes the attack
What are Some Types of Social Engineering Attacks?
A Phishing attack is the most well-known social engineering tactic. A phishing attack uses an email, website, web ad, web chat, SMS or video to inspire its victims to act. Phishing attacks may appear to be from a bank, delivery service or government agency, or they may be more specific and appear to be from a department within the victim’s company, such as HR, IT or finance.
Phishing attack emails include a call to action. They may ask the victim to click a URL to a spoofed website or malicious link that contains malware.
Awareness of phishing attacks is high, with even unsophisticated users knowing they exist. Yet they continue to work because people are distracted and busy or because they can be crafted so well that no one would be likely to question their authenticity.
A Spear phishing attack is a variation of phishing scam in which the attacker targets a demographic, such as employees of a certain company or finance directors in a certain industry.
Baiting attacks may lure the target with a desirable offer, such as free music, games or ringtones, hoping that the password the target uses to log in and get the free digital goods is one they’ve reused from more important sites. Even if the password is a one-off, the attacker can sell it on the dark web as part of a package with thousands of others.
In the corporate environment, a baiting attack is more likely to consist of a flash drive left in an obvious location, such as a breakroom or lobby. When the person who finds the drive plugs it into the corporate network to see who it belongs to, the drive downloads malware into the environment.
Quid Pro Quo
A quid pro quo attack is a social engineering scam similar to a baiting attack, but instead of taking a scattershot approach, it targets an individual with an offer to pay for a service. For example, the threat actor may pretend to be an academic researcher who will pay for access to the corporate environment.
Tailgating (aka Piggybacking or Drafting)
Tailgating is when a person gains access to a physical facility by asking the person entering ahead of them to hold the door, or when the bad actor “borrows” someone’s laptop for a few minutes, which they use to install malware.
How to Defend Against Social Engineering Attacks?
The best way to prevent social engineering threats is to take both a human and technological approach to your defense strategy.
What can Humans do?
Security awareness is the best way to prevent being victimized. It’s important to be cognizant of common social engineering tactics in order to spot the signs of targeting. Make sure your company has a process in place to allow employees to engage IT security personnel if they have any reason to believe they might be the victims of a social engineering attack.
As a part of security awareness programs, organizations should continue to remind their employees of the following these common practices:
- DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over them first; trust but verify!
- Avoid opening attachments within emails from senders you do not recognize.
- Be wary of emails or phone calls requesting account information or requesting that you verify your account.
- Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
- Always independently verify any requested information originating from a legitimate source.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or improper domains within a link (for example, an address that should end in a .gov ends in .com instead).
- Before transferring money or information, verify by voice or video call.
- Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.
What can technology do?
Beyond the human element, every organization should employ a cybersecurity solution that leverages the following capabilities:
- Sensor Coverage. You can’t stop what you don’t see. Organizations should deploy capabilities that provide their defenders with full visibility across their environment, to avoid blind spots that can become a safe haven for adversaries.
- Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected. Implementing high-fidelity IOCs across multiple security technologies increases much-needed situational awareness.
- Threat Intelligence. Consuming narrative threat intelligence reports is a sure-fire method for painting a vivid picture of threat actor behavior, the tools they leverage and the tradecraft they employ. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
- Threat Hunting. Understanding technology will only get organizations so far is more important now than ever before. Security technologies cannot guarantee 100% protection on their own, and understanding technology is not infallible is the first step in coming to grips with the need for 24/7, managed, human-based threat hunting.
Another best practice to prevent social engineering is to implement zero trust architecture, which grants limits a user’s access to all but specific systems to perform specific tasks, and only for a limited amount of time. When that time is up, access is rescinded. This approach limits the damage a malicious actor can do even if they are using stolen credentials to penetrate the system.