No matter how much you spend on complex hardware and software cybersecurity solutions, they can’t account for the source of 90% of successful breaches: your staff.
Cybercriminals utilise dozens of proven psychological techniques to encourage your staff to give them access to your and your organisation’s data and (in many cases) physical premises. We in the cybersecurity profession refer to these techniques as ‘social engineering’.
But what is social engineering, how do social engineering attacks work, and what are the types of social engineering? Join us as we present our essential guide, updated for 2023.
Social engineering is a term that covers a wide variety of attacks that leverage human vulnerability to gain access to sensitive information.
With the risk of being targeted by social engineers growing greater by the day, we must fully understand the different types of social engineering attacks and how best to avoid them.
Whether we like to admit it or not, we’re all creatures of habit.
Modern life is an almost constant blur of mundane tasks and activities. Naturally, we all want to find the easiest and fastest way to accomplish those tasks.
Unfortunately, that often means that we’re lax about security.
Simple things like using the same password across multiple accounts can make your life easier, but it leaves the door wide open to social engineers.
Social engineers find the gaps in our security habits and utilise emotional manipulation techniques to access sensitive information.
Shoulder surfing enables social engineers to see what services you use, your contacts, and most importantly, your passwords. After making a note of these, the shoulder surfer can then try to access your systems remotely or even impersonate you to gain access to confidential information.
Social engineering attacks come in all sorts of shapes and sizes, but the three most common ones to watch out for are:
Social engineering attacks come in all sorts of shapes and sizes, but the five most common ones to watch out for are:
Phishing attacks are a common form of social engineering that involves sending fake emails or texts, often claiming to be from a legitimate company or individual, to trick the recipient into revealing sensitive information such as login credentials or financial information.
To avoid falling victim to a phishing attack, it is important to be cautious of unsolicited communication and verify the sender's identity before clicking on any links or providing personal information. You can also protect yourself by using spam filters and keeping your security software up to date.
A more advanced form of phishing is called spear phishing. This is when a social engineer goes the extra mile to tailor the email to their target after conducting extensive research on, or data-mining, their target. This results in more effective phishing attempts, which are harder to spot.
Baiting is another form of social engineering that involves offering something desirable, such as a free gift or access to ‘exclusive’ content, in order to lure the victim into revealing sensitive information or performing a specific action.
To avoid falling for a baiting scam, it is important to be sceptical of anything that seems too good to be true and to be cautious of offers that require you to provide personal information or take specific actions.
Scareware is a type of social engineering that involves tricking the victim into believing that their computer has a serious problem, such as a virus, and offering a solution for a fee. The "solution" is often unnecessary or ineffective, and the victim is scammed out of their money.
To avoid falling victim to scareware, it is vital to be aware of the signs of this type of scam, such as unexpected pop-up windows or warning messages, and to be cautious of any offer to fix a problem for a fee.
Pretexting is a form of social engineering that involves creating a fake identity or scenario to obtain sensitive information from the victim.
This can involve pretending to be a representative of a legitimate company or government agency to obtain personal information such as a social security number or bank account information.
To avoid falling victim to pretexting, stay cautious of anyone who asks for personal information and to verify the identity of the person before providing any sensitive information.
Impersonation is a type of social engineering involving pretending to be someone else to gain access to restricted areas or information.
This can involve pretending to be a co-worker, a maintenance worker, or someone else with legitimate access to gain entry to a secure area or obtain sensitive information.
Avoiding falling victim to impersonation isn’t easy, but by maintaining an awareness of your surroundings and being cautious of anyone who does not have proper identification or seems out of place you can increase your chances.
It is also a good idea to verify the identity of anyone who claims to be a co-worker or representative of a company before providing any sensitive information or allowing them access to restricted areas.
Yes! The purpose of tailgating (also known as piggybacking) is to gain access to an unauthorised area.
Typically, this is achieved by an unauthorised person following closely behind an authorised individual and getting the authorised individual to give them access.
This might include following someone into a lift requiring a security key, often with some excuse like holding a large delivery or simply forgetting their key.
Social engineers rely on people’s instinct to be helpful, so the next time you open the door to someone you don’t recognise, don’t be afraid to question them.
Shoulder surfing is another physical form of social engineering that criminals use to gather information. When people work on the go, they lull themselves into a false sense of security and don’t realise they could be being watched.
Criminals will look to identify people who work on the go either on their laptop or phone, follow them to a place that they might like to work, like a coffee shop, and get into a position where they can see what’s on the screen.
While social engineering may seem simple, it represents a significant cybersecurity threat to organisations. While companies continue to invest in technological solutions to stay secure, they don’t fix the vulnerabilities social engineers look to exploit - people’s behaviour, habits and emotions.
Suppose a user is tricked into revealing details that can help an attacker through your defences, or tricked into allowing someone unauthorised access. In that case, all the technology in the world would be unable to help you!
In 2018, the hotel company Marriott International reported that its subsidiary Starwood Hotels & Resorts' reservation system had been breached, exposing the personal information of up to 500 million visitors. The hackers had gained access to the system by using social engineering tactics to obtain login credentials from an employee at a third-party vendor.
The attack began in 2014 and went undetected for four years. During that time, the hackers used the access they had gained to the system to collect guests' personal information, including names, mailing addresses, phone numbers, passport numbers, and payment card information. The breach was only discovered in 2018 when Marriott received an alert from an internal security tool.
The attack was a sophisticated example of social engineering, as the hackers had been able to gain the trust of an employee at a vendor and obtain sensitive login credentials through seemingly legitimate means.
Hackers often use social engineering tactics to target employees at companies or organisations that have access to sensitive information, as these employees may have weaker security protocols in place and may be more likely to fall for scams or phishing attacks.
Another example of a social engineering attack in the UK occurred in 2018, when hackers targeted the courier company DHL Supply Chain. The hackers used ‘pretexting’ to obtain login credentials from an employee at the company and used those credentials to access the company's systems. Once inside the system, the hackers were able to steal sensitive customer information, including names, addresses, and payment card details.
The attack was discovered when DHL received reports from customers that they had received spam emails claiming to be from the company. Upon investigation, DHL discovered that the hackers had gained access to its systems and had been able to collect customer information. The company promptly notified affected customers and implemented additional security measures to prevent further breaches.
This attack was a reminder of the importance of strong security protocols and the need to be vigilant against social engineering attacks. It is essential for companies and organisations to educate their employees about the risks of social engineering and to implement strong security measures to protect against these types of attacks.
In 2016, the social media giant LinkedIn announced that it had discovered that a hacker had gained access to the passwords of 117 million of its users.
The hacker had used social engineering tactics to obtain an employee's login credentials at LinkedIn and then used those credentials to access the user data. The data was later sold on the dark web, and many LinkedIn users reported that they had received spam emails or had their accounts compromised as a result of the breach.
The attack was a sophisticated example of social engineering, as the hacker had been able to gain an employee's trust at LinkedIn and obtain sensitive login credentials through seemingly legitimate means.
In this case, the hacker had used a phishing attack to obtain an employee's login credentials and then used those credentials to access the user data.
The attack was discovered when LinkedIn received reports from a number of users that they were receiving spam emails that appeared to be coming from their LinkedIn accounts. Upon investigation, LinkedIn discovered that the hacker had gained access to the passwords of a large number of its users.
The attack was a reminder of the importance of strong security protocols and the need to be vigilant against social engineering attacks. With sufficient cybersecurity awareness training, attacks like this can be prevented.
Defence against social engineers largely depends on awareness and ensuring that you and your workforce know what to be wary of.
Even the very best security technology can be overcome by a clever social engineer, which is why security awareness training is so essential.
Teaching your staff about the dangers of social engineering with engaging, jargon-free training is the most effective way of protecting your organisation.
To help you safeguard against some of these attacks, your staff should: