OFFICIAL PUBLICATION OF THE VIRGINIA ASSOCIATION OF COMMUNITY BANKS

Pub. 11 2022 Issue 2

Social Engineering: Attacking the Human Element

Finally, after weeks of addressing each vulnerability in your network, you are relaxing with a sense of relief. Then suddenly, you are bombarded with reports that users are being locked out of important files and systems by a ransomware attack. Unfortunately, you realize you overlooked the most important vulnerability — the human element.

It’s no secret that people are easy to exploit, which makes them a favorite target for malicious actors seeking access to corporate systems. Let’s dig deeper into social engineering and review the steps to prevent a successful attack.

What is Social Engineering?

Social engineering is an attack based on deception: the attacker tricks users or administrators at the target site into revealing confidential or sensitive information1. Often the attacker impersonates a C-level executive, a member of the IT department, or a vendor such as Microsoft to obtain passwords or other details that enable a more complex attack. The usual mediums are phone calls, emails, and text messages.

How do hackers prepare for these attacks?

These attacks do not happen overnight. Many social engineering attacks are prepared over weeks or even months and tailored to each victim, following the social engineering attack cycle. The attack cycle comprises four steps: Information Gathering, Establishing a Relationship, Exploitation, and Execution.

  1. Information Gathering is the most important step in a social engineering attack. The more the perpetrators know, the easier and more convincing their attack will be. Sources include social media posts, the target’s interests, and the identity of the target’s supervisor, all of which feed a tailored phishing attack.
  2. Establishing a Relationship: This step revolves around contacting the target and using the information gathered to support a fake identity. Attackers may make contact through social media, email, phone calls, or texts.
  3. Exploitation: At this point the attacker has a relationship with the intended victim and is ready to strike. The attacker sends a link that appears relevant to the target or the target’s organization; the linked page typically asks the recipient to enter credentials or other personal information.
  4. Execution: The attacker uses the captured credentials or information to get in before anyone is aware of it, then covers their tracks and leaves little trace behind.

The different types of Social Engineering attacks

Social engineering is an umbrella term for the many ways hackers attempt to manipulate vulnerable targets. In 2021, phishing attacks accounted for 90% of all data breaches2. New attack methods appear constantly, so one of the best ways to protect yourself and the employees of an organization is to learn to recognize the common types. Below are three common methods of attack:

  • Phishing: This is the most popular mode of attack businesses see today. Phishing is a social engineering technique in which the attacker sends a fraudulent email claiming to be from a trusted source. For example, an attacker can send an email that appears to come from the bank’s chief financial officer. In this email, the attacker may ask the recipient to send wiring information or to visit a linked site that asks for details such as a social security number, full name, and address.
  • Tailgating: This social engineering tactic is a physical attack. The perpetrator gains access to a restricted location by closely following an authorized user through a secured entrance without being noticed.
  • Baiting: This mode of attack offers the victim something enticing to lure them into the trap. A typical lure is a gift card offered for completing a survey form that asks for credentials; submitting the form may also download malware onto the user’s device or server.

How to protect against social engineering attacks

The best protection against social engineering attacks is end-user training for employees. These attacks manipulate human interactions by exploiting curiosity and fear, so employees who know what to look for help protect the organization. Below are helpful prevention tips for protecting an organization against such attacks:

  • Research any email that claims to come from “someone” inside or outside your organization: confirm that the sender’s actual address, not just the display name, is the one you expect.
  • Don’t open links or attachments that come from an unknown source.
  • Be cautious of any request marked “urgent” or demanding immediate help.
  • Most importantly, if an employee has any doubt, they should know whom to contact to confirm a suspicious email or call.
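The tips above can be turned into a mechanical first pass over an email before a person decides whether to trust it. The following is an added example written for this article, not code from the author or from CoNetrix: it uses Python’s standard `email` package to parse a raw message and flag the signals discussed on this page (a display name that borrows a real colleague’s name but comes from another address, a look-alike sender domain, a Reply-To that diverts responses elsewhere, “urgent” language, a failed SPF/DMARC verdict from the receiving mail server, and links pointing outside the organization). The organization domain `examplebank.test`, the staff directory, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "examplebank.test"  # assumed: the bank's real mail domain
# assumed: a small directory of staff whose names attackers like to borrow
KNOWN_STAFF = {"jane doe": "jane.doe@examplebank.test"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed sample: a CFO impersonation from a look-alike domain ("1" for "l").
SAMPLE_PHISH = """\
Authentication-Results: mx.examplebank.test; spf=fail smtp.mailfrom=examp1ebank.test; dmarc=fail header.from=examp1ebank.test
From: "Jane Doe, CFO" <jane.doe@examp1ebank.test>
Reply-To: wires@mail-relay.example
To: teller@examplebank.test
Subject: URGENT wire instructions needed today
Content-Type: text/plain

Please send the wiring information for the Acme account immediately.
Confirm here: http://examp1ebank-secure.example/login
"""

# Constructed sample: a legitimate internal message.
SAMPLE_LEGIT = """\
Authentication-Results: mx.examplebank.test; spf=pass smtp.mailfrom=examplebank.test; dmarc=pass header.from=examplebank.test
From: "Jane Doe" <jane.doe@examplebank.test>
To: teller@examplebank.test
Subject: Quarterly report posted
Content-Type: text/plain

The quarterly report is on the intranet: https://intranet.examplebank.test/reports
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return a list of human-readable warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name borrows a real colleague's name, but the address is not theirs.
    for name, real_addr in KNOWN_STAFF.items():
        if name in from_name.lower() and from_addr.lower() != real_addr:
            findings.append(f"display name '{from_name}' does not match known address {real_addr}")

    # 2. Sender domain is a close misspelling of the organization's domain.
    if from_domain != org_domain and 0 < _edit_distance(from_domain, org_domain) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies are diverted to a domain other than the sender's.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from sender domain")

    # 4. Urgency pressure in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgent call to action")

    # 5. The receiving mail server's own SPF/DMARC verdict.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("sender authentication failed (SPF/DMARC)")

    # 6. Links that point outside the organization's domain.
    for host in URL_RE.findall(text):
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"link to external host {host}")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Running the block prints six warnings for the constructed phishing message and none for the legitimate one. The checks are deliberately simple: they depend on the Authentication-Results header being stamped by your own mail server (an attacker can forge the header in a message that never passed through it), and a domain that is not a near misspelling, such as a free webmail address, will only be caught by the display-name check. The output is a prompt for the human verification step in the last tip, not a replacement for it.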

Jonathan has three years of professional experience in Information Technology. He is a graduate of Texas Tech University, where he received a B.B.A. in Information Technology with concentrations in App Development and Cyber Security. He now configures and maintains the security appliances in our audits, performs vulnerability reporting and social engineering phone calls, and collects data during CoNetrix Security audit projects.