
What is Social Engineering?

08 August, 2018

We often hear the question here at Bob’s: What is Social Engineering? It is not always clear how social engineering works or how it can put you or your organisation at risk, which is why we've put together this essential guide to social engineering in cyber security.

What is Social Engineering?

Social Engineering is the human equivalent of hacking a computer. Social engineers are often smart individuals who understand how to manipulate people and talk their way in and out of many different situations. There are a variety of different ways they can attack your organisation.

Methods of Social Engineering

Social engineering methods range from trawling through your social media accounts to deduce what your password might be, to calling you directly to manipulate information out of you, to entering your organisation's building under false pretences. A common technique is to pose as an employee of an organisation or service that you already use.

Social Engineering through Duress

As a result of how people naturally react to panic and stress, we are more likely to give up sensitive information under duress. We cannot always logically slow down and digest situations quickly enough to see malicious schemes; social engineers take full advantage of this.

Social Engineering through Charm

Applying pressure to an individual with the right attitude and charm is another common technique that cyber criminals use to get access to sensitive information. Some criminals leverage the white lab coat theory to make themselves look authoritative and coerce information out of someone. The white lab coat theory predicts that people are more likely to trust those who look and act the part with confidence.

Even if you have a state of the art security system in place, employees can be lured into divulging sensitive data. Your people, your human firewall, are the weakest point in your organisation's cyber security and can fundamentally undermine every technical control you have deployed. We’re here to help you train your human firewall to be your most robust defence against cyber criminals.

How Social Engineers Steal Passwords

Social Media Hacking

A common tactic social engineers use to gain account access is to obtain your phone number, often by hacking your social media accounts and reading it from there. Alternatively, family members are an easy target too, as they can easily be tricked into giving out your contact details.

From there, criminals will try the ‘forgotten password’ route and follow the prompts, entering your phone number to receive the authentication text. As they don’t actually have your mobile phone, they need to get at your texts another way. They will ring your phone carrier and impersonate you, with the objective of gaining authorisation over your account and full access to your messages, where your authentication code will be delivered.

Once they can obtain your codes through the phone carrier, they can make password change requests, receive each authentication code, and end up with full control over your accounts. So the social engineer doesn't technically steal your password. Instead, they change it to whatever they want.

Now that they have access to your accounts, especially email accounts, the engineer may proceed to send an email to every single contact you have. As the email comes from a trusted friend or colleague, the recipients are more likely to click the link and install malware onto their machine.

Slack Messenger

There has been a recent trend of cryptocurrency theft that targets users in a novel way through their Slack messenger application. Some see purchasing cryptocurrencies as a long-term investment and others see it as a fun hobby to trade and watch the prices fluctuate. However, as with anything that has monetary value, there will be criminals more than willing to take what you have worked so hard for.

One new and surprisingly effective tactic, recently reported online, that cyber criminals use to steal cryptocurrency through Slack is getting employees to spill sensitive information via the Slackbot - the internal, default bot application that every Slack workspace has installed.

If criminals can gain access to admin privileges on Slack, they can modify the automatic message to panic users into submitting their credentials for some form of re-authentication. They will often send messages to users like the following:

@{name of bot} asked me to remind you “ALERT: We have been informed by {DigitalCurrencyName} that there is an error with the Status tokens database. Please visit {malicious but genuine-looking URL} to check your token balance and update your contract. Failure to do so may result in loss of Status tokens. Thank you for your cooperation and understanding.”

This tactic is intended to induce panic and stress in users, as it threatens that their current coin balance could be removed. When people panic, they don’t necessarily take the time to slow down and digest the information. Users will often act in a rush to fix the problem quickly, and unfortunately that can result in cyber criminals getting the access they intended to acquire.

If the message comes from a Slack bot, which most users already trust, the cyber criminals are more likely to get the information they want, as most Slack users are not aware that an admin can program the bot to say anything.

Even if your organisation does not use Slack, criminals will use this same tactic to attempt to get information out of your employees. Instead, they might try to gain access to the IT manager's email address and send out emails to employees requesting passwords or other sensitive information.
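The Slackbot lure above combines three things a defender can look for: an urgent or threatening tone, a request to "verify", "update" or log in, and a link to a host outside the organisation. The script below is an added example, not code from this article or from Bob's Business, that scores messages on those indicators. It assumes messages are plain dictionaries with `user`, `subtype` and `text` fields (roughly the shape of a Slack export), that `USLACKBOT` identifies Slackbot, and that the organisation's trusted domain is `example.com`; the sample messages are constructed for the example. The same checks apply just as well to an emailed lure sent from a compromised IT manager's mailbox.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real data), modelled on the Slackbot lure
# quoted above. "USLACKBOT" is the user id Slack uses for Slackbot.
SAMPLE_MESSAGES = [
    {"user": "USLACKBOT", "subtype": "bot_message",
     "text": ('@tokenbot asked me to remind you "ALERT: We have been informed by '
              'ExampleCoin that there is an error with the Status tokens database. '
              'Please visit https://examplecoin-status.example.net/verify to check '
              'your token balance and update your contract. Failure to do so may '
              'result in loss of Status tokens."')},
    {"user": "U0123ABCD", "subtype": None,
     "text": "Reminder: standup moved to 10:30, notes at https://wiki.example.com/standup"},
    {"user": "USLACKBOT", "subtype": "bot_message",
     "text": "Reminder: submit your timesheets by Friday."},
]

# Assumption: the organisation's own domain(s). Subdomains are treated as trusted.
TRUSTED_DOMAINS = {"example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
URGENCY_RE = re.compile(
    r"\b(alert|urgent|immediately|failure to do so|loss of|suspended|locked)\b", re.I)
ASK_RE = re.compile(
    r"\b(password|credentials|re-?authenticat\w*|sign ?in|log ?in|verify|"
    r"update your (?:contract|details)|check your \w+ balance)\b", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if the host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_hosts(text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Hosts of every link in the text that is not on a trusted domain."""
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    return [h for h in hosts if h and not is_trusted(h, trusted)]


def assess(msg: dict, trusted=TRUSTED_DOMAINS) -> dict:
    """Score one message on the lure indicators and decide whether to flag it."""
    text = msg.get("text", "")
    hosts = untrusted_hosts(text, trusted)
    indicators = {
        "bot_origin": msg.get("user") == "USLACKBOT" or msg.get("subtype") == "bot_message",
        "urgency": bool(URGENCY_RE.search(text)),
        "credential_ask": bool(ASK_RE.search(text)),
        "untrusted_hosts": hosts,
    }
    # The external link is the pivot of the lure; pressure or a request to act on
    # it is what separates a phish from an ordinary notice. Bot origin alone is
    # normal (reminders are legitimate) and only raises the score.
    suspicious = bool(hosts) and (indicators["urgency"] or indicators["credential_ask"])
    score = sum([bool(hosts), indicators["urgency"],
                 indicators["credential_ask"], indicators["bot_origin"]])
    return {"suspicious": suspicious, "score": score, "indicators": indicators}


def scan(messages: list, trusted=TRUSTED_DOMAINS) -> list:
    """Indices of messages that should be reviewed by a human."""
    return [i for i, m in enumerate(messages) if assess(m, trusted)["suspicious"]]


if __name__ == "__main__":
    for i in scan(SAMPLE_MESSAGES):
        result = assess(SAMPLE_MESSAGES[i])
        print(f"message {i}: score {result['score']}, hosts {result['indicators']['untrusted_hosts']}")
```

Run against the constructed sample, only the first message is flagged: it hits all four indicators, while the genuine Slackbot reminder and the colleague's link to the internal wiki pass. The point of scoring rather than hard-blocking is that an admin who can edit Slackbot responses can also edit wording, so the output belongs in a review queue alongside an audit of who holds workspace admin rights.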

How to Prevent Social Engineering Attacks

There are a few things that you can do to thwart social engineers' attempts to get information. You can do what is known as ‘Threat Modelling’ by reviewing potential ways that criminals could target the company using social engineering. It is beneficial to make this a group activity, pulling in staff members across the business to identify, categorise and analyse potential threats. If staff are involved in creating a defensive approach to risks, they are more likely to be invested in actioning the strategy.

You can bring various scenarios to light where the organisation could be particularly vulnerable, such as criminals exploiting members of staff who are likely not to realise they are being pressured to give information away.

Attacks by Phone

For example, if you receive a phone call from somebody claiming to be from an organisation and you suspect they are not, you can ask the caller genuine questions about their organisation that put them on the spot. A legitimate caller should know the answers to your questions while an impersonator most likely won’t or will make them up.

Because scammers and social engineers will always be the ones to call you first, if you ever suspect a call is fake it does no harm to end the call and call back through an official customer service number. This way, you’re guaranteed to be put through to an official agent who doesn’t intend to sell or maliciously use your information.

Attacks by Email

Socially engineered attacks often begin with an email, because email offers so little protection against impersonation. As a general rule of thumb, you should never share personal details such as usernames or passwords through email.

However, sometimes emails do look very real and can convince even the most veteran phishing email spotters. It’s always good practice to directly confirm if an email you received was genuine or not. You’re best off sending an email or ringing the company in question to ensure that the email was sent with authorisation.

Attacks in Person

Some social engineering scams may include a physical attack on your organisation, such as pretending to be a visitor or rummaging through your bins at night. Never let anyone through the doors without confirming that they have an appointment and that they are who they say they are.

If all security checks are cleared, you should still never leave them unattended. Something as small as leaving them in your office while you go to the toilet is more than enough time for them to steal information or insert malicious media into your machine that infects it with a virus - and not much longer to scope out your paperwork and take pictures.
