A sociable character comes naturally to humans, and social engineers exploit this to manipulate and deceive their victims. Social engineering thrives on people’s tendency to submit to authority, their curiosity, and their desire to be helpful or kind. Here are the tactics social engineers use to manipulate you.
For social engineers, information is critical to launching an attack: without it, penetrating your system or an organization’s would be impossible. They also know that if they can make you trust them, you will be more comfortable sharing information with them. Remember that the more they know about you or an organization, the easier it is to launch a cyberattack.
1. Low-tech methods used to gather information
A social engineer can gather information about you or your organization by going through your social media accounts. Notably, LinkedIn, Facebook, and Google+ can be rich sources of personal or organizational information that can be exploited to the cyber attackers’ advantage.
A social engineer can look through your trash can and find pieces of useful information that you may have discarded.
Observing your activities
Social engineers can also take their time to observe you: the activities you engage in, the clubs you belong to, where you go shopping, and where you spend your time.
Trawling the parking lot
A social engineer can retrieve valuable information from your car or your organization’s vehicles. They often look for security badges, confidential paperwork, wallets, and smartphones left inside.
Entering your premises
If an attacker manages to gain access to your home or office, they can look through your personal items and collect information that they could use to launch a cyberattack.
A social engineer can invent a scenario that prompts you to grant them access to your computer willingly. For instance, they may claim to be having a problem with their own computer or to have forgotten their ID badge.
The person may also pose as a ‘friend’ who is stuck somewhere, perhaps robbed, beaten, and hospitalized, and appeal to you for help in the form of money or useful information. Alternatively, they may exploit your generosity by asking you to donate to a charitable cause such as a political campaign or disaster relief.
2. High-tech methods of gaining information
Social engineers can send you legitimate-looking emails that redirect you to a site where you are required to enter sensitive personal information such as credit card details. In an organizational setting, they may ask you to enter the login ID you use for the organization’s system.
The email will appear to come from a well-known, established company such as your bank or a shop you visit from time to time, and it will look legitimate, with the same content format, the same logo, and a similar web design. The message will also convey some urgency about providing particular information, and the information they allegedly need to remedy the ‘damage’ will be used to launch the cyberattack.
It may also appear to come from a ‘friend’ you know and contain a link designed to arouse your curiosity, or a link to download a document, pictures, movies, or music. Since you trust your friends, you will probably click, get infected with the malware, and the attacker will then launch the same attack against your other friends using the same tactic.
They also send random emails to as many people as possible, allegedly from companies that millions of people use. The social engineer knows that if you do not use the product or service, you will probably ignore the message, so the email offers help with a problem you probably have. For instance, if you have a problem with your OS, you would not refuse a free fix from a company that looks exactly like the one that sold you the software. Remember that they will ask for remote access to your computer, require you to ‘authenticate yourself’ first, or log you into their system.
This is not an official email message from Microsoft. If you did click on the link and provide your account information, contact the ITS Help Desk at 313-993-1500 so that steps can be taken to secure your account.
Remember that social engineers create a sense of urgency so that their victims act fast without thinking. Before you act on an email from a company you use, verify it by going to the company’s official page through a search engine. Similarly, it is safer to search on your own for charitable organizations to give to, so as not to fall victim to cyber attackers.
Also note that reputable companies do not contact you to offer help; they wait for you to request their assistance. So be alert, and ignore emails that seem to know the kind of help you need before you have asked for it.
Is your spam filter set high? If not, you can adjust it in your email program’s settings. Remember, though, that legitimate emails can end up in the spam folder by mistake, so checking it from time to time is a good idea. Also, don’t forget to install, and keep updated, anti-virus software and a firewall on your computer.
Types of phishing
- Spear phishing targets individuals rather than the organization and its members at large. The social engineer takes time to research the victim in order to carry out a more customized attack.
- Whaling targets high-level managers and executives of an organization. Social engineers can easily find information about them in the company’s profiles and financial information.
- Vishing uses the phone, rather than email, to gather information. The victim may be asked to dial a certain number, where they will be asked to provide some information.
- A social engineer can lure you to their sites with alleged free downloads and prizes. However, they will require you to enter some information before you can access the free downloads and gifts.
- They can also tell you that you have just won a lottery and ask for your bank details so they can wire the ‘winnings’ to your account. They will then use the information to impersonate you and steal all the money in your account.
Do not trust emails from family, friends, or institutions until you have verified that they really sent them. It is important to double-check with them through a different communication channel. For instance, you can get your bank’s contact details from its official website and use those to verify the message, or call your family member or friend and ask whether the email came from them. Avoid using the contact details provided in the email at all costs.
It is not a good idea to share information about yourself or your family with strangers you have just met; otherwise, you may put a target on your back. For example, if a malicious person learns that you are a medical professional, they may come to your house with an injury and spy some more while you attend to them.
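Several of the warning signs described in this section (a sender that only looks like a brand you use, a link whose visible text differs from where it really points, a Reply-To that quietly redirects your answer, urgency language) can be checked mechanically before anyone acts on a message. The Python script below is an added example, not code from the original article. It parses a raw email, compares the sender and link domains against a small constructed list of trusted domains (folding digit-for-letter and Cyrillic look-alike characters and flagging brand names buried inside unrelated domains), and looks for the urgency phrases the article warns about. The trusted domains, the confusable-character table, the urgency phrases and both sample messages are constructed for this example, and the "last two labels" rule for the registrable domain is a simplification that a real deployment would replace with a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the recipient genuinely deals with (constructed list for this example).
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}

# Characters commonly swapped in for Latin letters in look-alike domains
# (constructed subset: digits plus a few Cyrillic letters that render like Latin ones).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

# Urgency wording of the kind the article describes (constructed list).
URGENCY_PHRASES = ("within 24 hours", "immediately", "account will be suspended",
                   "verify your account", "urgent")


def normalize_domain(domain):
    """Fold look-alike characters so an imitation collapses onto the brand it imitates."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower().rstrip("."))
    return folded.replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    raw = domain.lower().rstrip(".")
    if registrable(raw) in TRUSTED_DOMAINS:
        return None  # the genuine domain or one of its own subdomains
    norm = normalize_domain(raw)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (registrable(norm) == trusted                          # paypa1.com
                or edit_distance(registrable(norm), trusted) <= 2  # paypol.com
                or brand in norm):                                # paypal.com.account-check.net
            return trusted
    return None


def analyze_message(raw_email):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_email)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} looks like {imitated}")
    for trusted in TRUSTED_DOMAINS:  # brand in the display name, address elsewhere
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registrable(from_domain) != trusted:
            findings.append(f"display name mentions {brand} but address is {from_domain!r}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")

    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link to {host!r} looks like {imitated}")
        shown = re.sub(r"<[^>]+>", "", text).strip()  # only compare when the visible text is itself a URL
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host and shown_host != host:
                findings.append(f"link text shows {shown_host!r} but points to {host!r}")

    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one imitation, one genuine.
PHISHING_SAMPLE = """From: "PayPal Security" <alerts@paypa1-service.com>
Reply-To: verify@secure-mailbox.example
To: victim@example.org
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you
<a href="http://paypal.com.account-check.net/login">https://www.paypal.com/signin</a>
to verify your account.</p>
"""

LEGIT_SAMPLE = """From: "Example Bank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available in online banking:
<a href="https://online.examplebank.com/statements">online.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "->", analyze_message(sample) or "no findings")
```

The constructed phishing sample trips every check (six findings), while the genuine statement notice produces none. The script is a triage aid, not a verdict: a message with no findings still deserves the out-of-band verification described above, and the substring brand check will also flag unrelated domains that happen to contain a brand name, which is the conservative direction for a warning.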
2. Establishing Familiarity and Trust
In their quest to launch a successful attack on an organization’s intellectual property and data, social engineers may set out to establish trust inappropriately. They may become regulars at a club or restaurant that is popular with the firm’s executives, or at a bar favored by many of its employees.
A social engineer on a mission will greet and chat up employees and managers at the venue until they have built familiarity. It is worth noting that alcohol lowers inhibitions and creates a sort of intimacy among people, so people may end up disclosing more than they should without realizing it.
Another technique is to repeatedly walk in and out of your office building behind a group of people. Over time, the social engineer becomes a familiar face among the employees, which makes it easier for unsuspecting members of the organization to trust them with information and with their computers.
Familiarity can also be reinforced on social networking sites like Facebook, Instagram, and LinkedIn. The social engineer may establish a presence by following you or requesting a connection or friendship on these sites. Combined with the depth of information usually available there, this can set the social engineer up for a personal cyberattack.
However trustworthy they may seem, never use your ID to let a stranger into a restricted area. Do not buy the familiar stories about technical support requested by management or lost key cards. Instead, be politely cautious about the identity of legitimate-looking individuals such as unexpected utility workers and repairers.
3. Piggybacking and Tailgating
A social engineer on a mission may wait for residents approaching the premises and follow them in, gaining access with their passcode. Alternatively, he or she may walk into the outdoor smoking area, smoke, and then walk back into the building with the group of smokers.
A person planning a cyberattack may also follow an employee into a restricted area such as the server room while pretending to fumble for their ID card. A polite employee will probably hold the door and let the impostor in.
Another tactic is to show up in a delivery person’s uniform, laden with packages, and ask someone to hold the door. In this way, they gain access to the property under another person’s legitimate access.
Companies like Apple have put up signs at their headquarters warning employees to watch out for attackers who may try to tailgate into the premises. More organizations should caution their employees about the risk of piggybacking, install live-monitored security cameras, and use access control with anti-passback systems to catch suspicious behavior.
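Anti-passback, mentioned above as a control against piggybacking, is simply a rule that a badge must be recorded leaving before it can be recorded entering again. The Python model below is an added example, not code from the original article or from any vendor’s access-control product. It replays a constructed log of badge-reader events and flags the two signatures that tailgating and badge sharing leave behind: an entry for a badge the system already believes is inside, and an exit for a badge that never entered. Hard mode denies the offending entry; soft mode grants it but records the violation for review. Exits are always granted, because egress is a life-safety requirement, but they are still logged.

```python
from collections import namedtuple

# A badge-reader event: when it happened, which badge was presented, at which reader.
Event = namedtuple("Event", "time badge reader")

# Constructed event log for this example. Comments mark what a guard should notice.
SAMPLE_EVENTS = [
    Event("08:00", "B100", "entry"),
    Event("08:01", "B200", "entry"),
    Event("08:05", "B100", "entry"),  # B100 never left: card passed back or cloned
    Event("12:00", "B300", "exit"),   # B300 never badged in: came in behind someone else
    Event("12:30", "B200", "exit"),
    Event("12:31", "B200", "exit"),   # second exit with no entry in between
]


def evaluate(events, hard=True):
    """Replay badge events through an anti-passback rule.

    Returns (decisions, violations, inside): a grant/deny decision per event,
    the violations found, and the set of badges the system believes are inside.
    hard=True denies an entry that breaks the rule; hard=False grants it but logs it.
    Exits are always granted (life-safety egress) but still logged when they break the rule.
    """
    inside = set()
    decisions, violations = [], []
    for ev in events:
        if ev.reader not in ("entry", "exit"):
            raise ValueError(f"unknown reader {ev.reader!r}")
        problem = None
        if ev.reader == "entry" and ev.badge in inside:
            problem = "entry while badge is already recorded inside"
        elif ev.reader == "exit" and ev.badge not in inside:
            problem = "exit without a recorded entry"
        if problem:
            violations.append((ev.time, ev.badge, problem))
            if hard and ev.reader == "entry":
                decisions.append((ev.time, ev.badge, "denied"))
                continue  # state unchanged: the door did not open
        if ev.reader == "entry":
            inside.add(ev.badge)
        else:
            inside.discard(ev.badge)
        decisions.append((ev.time, ev.badge, "granted"))
    return decisions, violations, inside


if __name__ == "__main__":
    for mode in (True, False):
        decisions, violations, inside = evaluate(SAMPLE_EVENTS, hard=mode)
        print(f"hard={mode}: {len(violations)} violations, badges inside at end: {sorted(inside)}")
        for when, badge, problem in violations:
            print("  ", when, badge, problem)
```

On the constructed log both modes report three violations; only hard mode refuses the 08:05 re-entry. Note what the rule cannot see: a tailgater who never presents a badge at all leaves no event, so the `inside` set should also be reconciled against an independent headcount or the camera feed the paragraph above recommends.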
4. Using Body Language and Flattery to Gain Trust
Social engineers are highly skilled at reading and communicating through body language. They use psychological cues and subtle body language that easily elicit trust and make a connection. For instance, they may mirror and respond to your emotional changes, smile appropriately and warmly, and breathe in the same rhythm as you.
Once you develop an unconscious level of trust in the social engineer, you will respond automatically, without thinking, and offer any form of assistance: you will quickly help the person connect their computer to the network or hold the door for them by default.
Sometimes a social engineer will flirt, go on a date, or even get into an intimate relationship with an employee of an organization to gain access to useful information. Notably, they are so consistent in their engagement that it would be very difficult for the employee to suspect that the person is only with them to access the company’s systems.
Remember that attraction is a powerful tool that has been used for centuries to extract secrets from kings, diplomats, spies, and soldiers, and social engineers have mastered the art of using it to make people act irrationally, to the attacker’s advantage.
They also use flattery to lure you into clicking a link that contains malware. For instance, if you write articles online, a social engineer could email you saying, “I read and loved your article. I would appreciate it if you read this article I wrote.” Many scholars and bloggers are tempted to return the appreciation and kindness, and find themselves on scam sites.
5. Using Hostility
Rather than building trust, some social engineers opt for hostility, and it works in most instances. The common instinctive reaction to an angry person is to stay out of their way to avoid making them more hostile. So when people encounter an angry person, they may offer sympathy, give them directions, open doors for them, or even allow them into a restricted area to defuse their emotions.
At times, the social engineer will share their frustrations with a person and bond over them. During the conversation, you may develop a sense of camaraderie with the social engineer, which they will use to their advantage. After all, who wouldn’t sympathize with someone who just had a bad experience with an insurance company?
6. Getting a Job Interview
Social engineers know that they could make good money by successfully hacking an organization with valuable data. Therefore, an ambitious one would not mind investing time and energy in getting an interview, or even a job, at the company. It is worth noting that an interview alone can supply the social engineer with enough information to launch a cyberattack on your company.
Some interviewers get comfortable with a promising candidate and find themselves sharing a lot of sensitive information. Social engineers know the right questions to ask to milk information about the business processes and the IT systems in use, and the interviewer will typically be impressed with the impostor-interviewee and their wealth of knowledge on the subject.
Once they have established some familiarity and comfort, it is not difficult to convince a member of the panel to log into the system. If the social engineer gathers enough information to launch an attack, he or she need not even show up for work as agreed. But if what they gathered during the interview is not enough, they can consider getting hired and infiltrating the organization from within. A determined social engineer will be patient enough to gain the firm’s trust and, in time, may strike using secretly installed software designed to evade detection.
7. Pretending to be a Consultant
Normally, once a consultant has signed a non-disclosure agreement, management finds it easier to trust him or her with an enormous amount of sensitive information. Without obtaining and confirming references, vetting carefully, and increasing trust levels slowly, organizations risk hiring social engineers who are up to no good. Remember that a cyber attacker disguised as a consultant can be very patient and stealthy.
It is quite easy to trust a social engineer because they usually come armed with knowledge of data processing and systems. If you have little technical expertise, these people can overwhelm you with the right buzzwords and industry jargon. Once they have created the impression of a self-assured expert, you may become comfortable and willing to provide in-depth systems information, access, and even passwords.
8. Reverse Social Engineering
In three basic steps, a social engineer creates a problem in the organization’s system and then offers to help solve it. They begin by launching an opportunistic attack that alerts the IT department to a vulnerability it needs to address; for instance, they can send an obvious phishing email or launch a DoS attack on your website.
Knowing that you are now concerned about the security of your IT systems, the social engineer offers security consultancy services to solve the problem. Since they created the problem intentionally, they have in-depth knowledge of the issue and can demonstrate exceptional expertise in fixing it. But once you accept their assistance, they may steal sensitive or proprietary data, upload keyloggers or malware, and carry out other malicious activities.
9. Watering Hole Attacks
Here, the attacker technically exploits the code of a trustworthy website that you often visit. Attackers know that you are more likely to click on a suspicious message if it pops up on a website you trust. Note that the embedded malware only affects you if you go ahead and click the poisoned link, so avoid clicking on anything suspicious, regardless of where you see it.
10. Leaving a Physical Bait
Another tactic social engineers use is to leave bait in conspicuous areas of the target company, such as the parking lot, an elevator, or a bathroom. The bait will look very authentic and may carry a label that arouses the victim’s curiosity, for example “employees’ payroll.”
As soon as you insert the flash drive into your home or work computer, it automatically installs malware that can steal sensitive data from the machine; the installation requires no further action on your part. Keeping your anti-malware and anti-virus software updated at all times and scanning your computer from time to time is an excellent way to protect your sensitive data from such malware.
Social engineers sometimes take advantage of the power differential that often exists between senior executives and junior staff. They know that employees will be eager to provide any time-sensitive information requested by C-level management, so the attacker impersonates a company executive and claims to need to pay a vendor or to need some information to close a particular sales deal. Upon receiving the sensitive data, the social engineer can use it to file fraudulent tax returns or credit applications.
Fake PayPal Email
Another impersonation tactic is to send emails under the name of global brands such as PayPal or Amazon, either notifying you of an issue with your account or asking you to click a link to verify a package delivery. Many institutions and businesses have fallen victim to such attacks.
Social engineers also take advantage of the fact that most people readily submit to authority. They may pose as security officers so as to be seen as figures of authority, gain trust, and seek access to restricted zones. The best way to avoid falling victim to impersonators is to ask them conversational, non-intrusive questions that will not come across as insulting. But if you notice answers that don’t line up, hesitation, a trembling voice, limited eye contact, or fidgeting hands, it is better to get out of the situation before it is too late.
IRS Phishing and Malware Scam
Social engineers have perfected scare tactics that pressure you into disclosing sensitive information or wiring huge sums of money to them. They can threaten to shut down a paid service, frighten you with supposed lawsuits, or resort to personal blackmail. For instance, scammers may pretend to be an IRS agent and claim that you or your company owes back taxes, then instruct you to wire money before a specific date, failing which they will take legal action against you.
Social engineers may go the extra mile and divert your attention from their real target before carrying out the malicious act. While one member of the group draws your attention away from your security post, your home, or your vehicle, the others take the opportunity to steal information, plant bait, or install malware on the system.
Notably, they will lie about someone being in danger or in medical distress, things that raise your heart rate and adrenaline and stop you from thinking straight. Always be aware of your surroundings and heighten your sense of personal security to stay safe from such diversion tactics. Also, avoid leaving your valuables and supplies on display, because that makes it easier for people to take them while you are out of sight. And if you cannot yet make your important things theft-proof, keep them in a hidden spot at all times.
Real-life examples of tactics used in social engineering
The Russian Spies Hack
In 2016, John Podesta, the head of Hillary Clinton’s campaign, received a phishing email asking him to reset his password to secure his account. It came from Russian spies who had disguised the email to appear to be from Google. He unknowingly gave away his login details, which were then used to hack his account.
Ubiquiti Networks BEC attack
In 2015, scammers impersonated company executives of Ubiquiti Networks. The victims probably did not notice the fraud because the scammers’ email addresses used a domain that closely resembled the one used by management. As a result, the impostors managed to direct employees in the finance department to wire millions of dollars from the company’s accounts to them.
The Vodafone Impersonation
Between the late 2000s and early 2010s, Vodafone was persuaded to reset the voicemail PIN of the actress Sienna Miller. Investigators working for British tabloids called Vodafone and claimed to be an employee from credit control, and just like that, the investigators could access the actress’s voicemail account.
The 2016 US Department of Justice (DOJ) Hack
In 2016, a cyber attacker managed to impersonate an employee of the U.S. Department of Justice. The person hacked into the employee’s email and then convinced the help desk to give him an access token for the intranet, claiming to be a new employee who was not yet familiar with how things worked at the DOJ.
The RSA’s breach of 2FA
In 2011, a cyber attacker sent a phishing email to RSA employees, impersonating the recruiting department of another company. The hackers managed to install a backdoor Trojan because junior staff opened the Excel sheet attached to the email. Since the malware compromised the company’s 2FA token technology, RSA had to spend a further $66 million rebuilding it from scratch.
Cyber attackers are becoming craftier by the day, and taking proactive cybersecurity measures is critical to protecting both you and your company from financial and property losses.