What is social engineering?
Businesses worldwide are increasingly concerned about social engineering, but what exactly is it, and why the urgency to defend against it? This article delves into the concept of social engineering, exploring its implications and the reasons behind the growing efforts to protect businesses from its deceptive tactics.
Social engineering - also often referred to as human hacking - uses psychological techniques to manipulate humans into specific behaviours or actions.
We often use social engineering techniques in real life without realising it. For example, have you ever told a child that if they behave at the hairdresser, they can have ice cream afterwards? The goal is for the child to behave while getting a haircut; the technique is known as operant conditioning, and if done correctly, the child will choose to behave in exchange for a treat afterwards. In short, we used a psychological technique on the child to evoke the desired behaviour. Unfortunately for us, malicious hackers tend not to use ice cream to achieve their goals.
Attackers commonly use social engineering to gain access to restricted information, to gain access to restricted physical areas, or to carry out tasks they usually do not have permission to perform (or to get others to do these things). A small-scale example of this was carried out by Derren Brown on a show called Trick or Treat in 2007. Here, Brown visited several shops in New York and paid for all his “purchases” with blank pieces of paper - including a $4500 engagement ring. Due to Brown's skills in human hacking, no one questioned his actions. He returned to each shop later, explained what he had done and returned the items - to the shock of many shopkeepers, who could not believe what they had placed in the cash register.
This is an excellent example of a small-scale social engineering attack; however, as the world becomes more digital and our digital defences improve, it becomes increasingly apparent to attackers that the most significant security risk is often us. Suppose a doctor told us to take some medication. In that case, chances are we would take it without question, just as we pull over when the police tell us to, or hand over a username and password when an IT professional asks for them to help fix an issue - attackers are very aware of this. The last situation is the one most often used in attacks on organisations.
Imagine this scenario. You are monitoring the network for your business and notice suspicious activity. Thanks to your previous pen tests, the attackers cannot penetrate your network, so you feel pretty safe (and probably glad you got that pen test!). Now Dave from IT calls; he tells you about the suspicious activity and is concerned. He wants to reset some parameters on the network to make it safer, which sounds like a good idea, so you give him all the details and knowledge to do so; at this point, everyone is feeling pretty happy! The network is now super secure, an attack was defended successfully, and no more attacks appear to be happening. Months go by without incident, and all feels well… then, suddenly, shareholders are holding stock information that has not yet been released, and thousands of user credentials have been leaked. Money is being siphoned from the company bank account - because that was not Dave from IT who called you a few months ago, that was the attacker.
By their very nature, social engineering attacks often go unnoticed until it is too late. If a social engineering attack has been conducted well, the victim usually does not know they were a victim to begin with - this is one of the reasons these attacks can be so dangerous and such a huge detriment to business. For example, in a scenario similar to the hypothetical one above, in 2020 Twitter lost control of 130 high-profile accounts to human hackers, who were able to tweet as people such as Barack Obama and steal $110,000 in bitcoin. In 2019, the CEO of a UK energy company transferred $243,000 into the bank account of an attacker who called him up and convinced him that he was his boss.
These scenarios are just one type of social engineering attack, often referred to as vishing or voice phishing - derived from one of the most common types of social engineering attack, phishing. Phishing is a social engineering attack conducted against many people over email. However, there are many variations of phishing, such as spear phishing, whaling, vishing (as mentioned before), and angler phishing.
One of the most prominent examples of companies falling victim to a phishing attack involves Google and Facebook, which over two years paid out $100 million to a hacker who set up a fake company and started sending the two companies invoices for IT work. For two years, the invoices were paid. The Oversea-Chinese Banking Corporation reported that in 2021 around 470 clients fell victim to a phishing attack, resulting in losses of around $8.5 million.
Unfortunately, these are not the only types of social engineering attack with devastating consequences. Often undiscussed, but not uncommon, are the episodes where human hackers physically infiltrate a building. In 2016, the Austrian company FACC lost around €42 million to hackers posing as CEOs and high-level executives at its branch in Hong Kong.
Looking through world news over the years, it is evident that social engineering attacks are prevalent, so what is being done to help prevent them? Social engineering pen tests can be carried out in the same way as a standard pen test. These help identify areas of human error within a team and highlight where extra training or heightened security may be needed. But until that point, all we can do is hope that when Dave from IT calls, it really is Dave from IT, and that he doesn't want anything more complex than to grab an ice cream after work.
