It’s part of human nature to trust people who belong in our inner circle. Our brains are hardwired to pick up signals and patterns in our environment that tell us it’s safe, and even beneficial, for us to trust others. But what if that seemingly naïve perception of the world is exploited?
In a world that thrives on data, the threat of manipulation is real. Data thieves and fraudsters are eager to gain access to the most intimate details of our lives by tapping into our tendency to trust.
This form of deception occurs through social engineering – the science of manipulating people into performing, or falling for, a fraudulent activity.
For instance, an email that passes itself off as a legitimate business correspondence might use a company’s official logo or use the name of a real colleague to trick the recipient into responding, clicking on a link, or downloading a malicious file.
The potency of a socially engineered attack is not so much in the use of technology alone but in the exploitation of our human nature.
Socially engineered attacks have been used to dupe people into giving up login credentials and other personally identifiable information so that hackers and fraudsters can break into the database and steal corporate and personal information.
Despite the dangers of these security breaches, a recent study by GetApp showed only 27% of organizations train their staff on how to recognize socially engineered attacks.
“Nearly 75% of businesses could be leaving their employees to fend for themselves against masters of manipulation,” researchers from GetApp suggest. “Companies must train employees on how to recognize social engineering techniques that are designed to exploit human nature for access to sensitive company data.”
What makes socially engineered cyberattacks so effective?
Social engineering tactics target a specific individual, group or company, and use psychological techniques to get people to divulge details or unwittingly cooperate in an attack.
Social engineers, according to GetApp researchers, do their homework before launching attacks such as ‘spear phishing’ or business email compromise.
“This includes conducting background research using social media, corporate websites, Google maps, and public records,” they said. “Armed with this knowledge, scammers are able to conduct their schemes inconspicuously, put employees at ease, and even build a rapport with their targets.”
What makes social engineering attacks sophisticated is how they exploit not only the flaws in a security system but also human nature. The traits they exploit include:
- The inclination to help others
- The avoidance of conflict
- The willingness to follow direction
- Belief in the sincerity of others (as seen in cases of pretexting or the act of fabricating a scenario or identity)
Common types of manipulation through social engineering
How do cybercriminals use social engineering techniques to attack? Security specialists at Infosec identified the most common types of manipulation:
1. Phishing and spear phishing
Attackers use email or direct messaging to get recipients to click on a link, download a malicious file or enter their credentials into a fake portal that exists only to steal their information. Phishing messages often convey a sense of urgency to spur recipients into action.
In the case of spear phishing, attackers study their target more closely in an effort to collect specific information about them, such as the target’s place of work, the names of their co-workers or family members, and even their affiliations in the community.
Fraudsters use these unique details about a person’s professional and personal life to create highly targeted messages designed to convince the recipient that the sender is a legitimate contact. This level of detail makes it more difficult for recipients to detect an attack.
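The cues described above (a real colleague's name on an unfamiliar address, a sense of urgency) can also be checked by a mail filter. The sketch below is an added example, not part of the original article; the organization domain, staff directory, keyword list and sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumed inputs, constructed for illustration: the organization's staff
# directory (display name -> real address) and a short urgency word list.
STAFF = {"dana reyes": "dana.reyes@example.com",
         "lee wong": "lee.wong@example.com"}
URGENCY = ("urgent", "immediately", "right away", "asap", "within 24 hours")

def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return a list of warning labels for one plain-text RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # A colleague's display name on an address that is not theirs.
    key = " ".join(name.lower().split())
    if key in STAFF and addr.lower() != STAFF[key]:
        findings.append("colleague-name-mismatch")
    # Replies would be routed to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("reply-to-domain-differs")
    # Pressure wording in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY):
        findings.append("urgency-language")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ("From: Dana Reyes <dana.reyes@example-payments.test>\n"
           "Reply-To: accounts@mailbox.test\n"
           "Subject: Urgent: invoice approval\n\n"
           "Please approve the attached invoice immediately.\n")
GENUINE = ("From: Dana Reyes <dana.reyes@example.com>\n"
           "Subject: Lunch menu for Friday\n\n"
           "Menu attached for the team lunch.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, score_message(raw))
```

A hit on any single label is only a reason to look closer; the display-name check in particular depends on the staff directory being kept current.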
2. Whaling attack
Like spear phishing, a whaling attack closely examines details about the target’s identity, both online and in the real world. Only this time, the victim is typically a well-known figure such as a CEO or HR head – in other words, a ‘big fish’ in the organization or community.
3. Watering hole
A watering hole attack, in contrast, manipulates the websites that victims are most likely to visit. Attackers study the online behavior of their target, then find a way to plant malicious code on the website. Once the target accesses the site, trojan software – malicious software that masquerades as legitimate – will automatically download onto the target’s computer without their knowledge. From there, attackers gain entry into the target’s files and even spy on them.
4. Pretexting
Pretexting is no different from the tactics employed by traditional con artists. It occurs when an attacker creates a fake identity or scenario to gain the victim’s trust and eventually lure them into their trap. The victim ends up believing the attacker and unknowingly cooperating with them in infiltrating a company’s security system. For example, an attacker might pretend to be a third-party consultant who works closely with the management but whose only aim is to exploit the team.
5. Baiting
In baiting, attackers use the power of persuasion to get victims to play along. They will offer special deals and promos, such as a free software upgrade, to persuade targets to divulge user data. Once the process is completed, the attacker installs malware on the victim’s computer to begin accessing files and stealing data.