Be on Guard Against Social Engineering
Updated: Jan 19, 2020
Cyber security is about more than just protecting computers, servers, networks, personal devices, and private data from being breached. It also involves how familiar users are with the tactics, strategies, and techniques employed by those who exploit the weakest link in the data security chain: PEOPLE.
This exploitation of the minds of end users to gain unauthorized access to restricted resources is known as Social Engineering, and there are several methods such an attack can employ.
What are some of these methods? How can we be on guard against them? These questions will be answered in this article.
By the end of this article, you will know how to protect yourself against some of the most common social engineering tactics, such as Pretexting, Baiting and Quid Pro Quo attacks, and Tailgating.
Before we delve into the different types of social engineering techniques, let’s talk about something all social engineering tactics share in common: the principles behind these attacks.
Social Engineering Principles
This section is intended to expound on things to look for to heighten your awareness against all social engineering attacks that involve some measure of human-to-human interaction.
The principles we’ll discuss are: Authority, Intimidation, Social Proof or Consensus, Scarcity, Urgency, and Trust.
Principle of Authority
Usually, in order to acquire some proprietary information, an attacker may try to appear to have a certain level of authority.
For corporate settings, an attacker may pose as a chief member of a company’s board of directors. In personal settings, an attacker may pretend to be local law enforcement or some other government entity.
Principle of Intimidation
If an attacker wants to scare some information out of somebody they may try to make the victim think that something terrible is going to happen if they don’t comply with the attacker’s wishes.
Principle of Social Proof or Consensus
An attacker may try to sway a victim by dropping names the victim is familiar with, claiming that those people provided the information (which the attacker is fishing for) in the past, so the victim should be able to do the same.
Principle of Scarcity
An attacker may impose a time limit on a victim so that the victim complies with the attacker’s wishes by a certain deadline.
Principle of Urgency
When attackers want you to act and not think, they want you to do what they want as quickly as possible so that there’s no time to spot all the red flags.
Principle of Trust
Much like the Principle of Social Proof or Consensus, “name dropping” may be involved. The attacker in this case claims to be a friend or close associate of someone you know well and trust.
Being aware of these principles can help you readily identify whether or not you’re being victimized by a social engineering attacker no matter what type of attack is employed.
Now that we’ve hashed out the principles of social engineering, let’s discuss in detail the common social engineering tactics mentioned at the outset of this article.
Social Engineering Tactics
While this article only touches on a few of the most common social engineering tactics, we’ll discuss in detail not just what the attacks aim to accomplish, but also go over some examples of these attacks.
We’ll also point out how some of the principles mentioned before may be employed in conjunction with these attacks, to help you readily identify these principles at work.
Pretexting
Simply put, pretexting is when an attacker masquerades behind a fake identity and pretends to be someone they’re not in order to ascertain or acquire certain information from an unsuspecting victim.
Example: You receive a call from someone claiming to be new to your IT team. They are helping Justin (someone you know on the IT team), and they need you to download software for them to connect remotely to your computer to perform an update that should only take a few minutes and they’re running behind a strict deadline.
Here’s what can happen if you readily comply…
Once you download the software, the attacker has access to company resources from behind the firewall.
This means that they may be able to now see activity they were once blind to (including incoming and outgoing traffic) not just from your computer, but maybe even across the network!!
Imagine being held responsible for exposing private conversations, transactions, trade secrets, proprietary documentation, and more all because you didn’t take notice of all the social engineering principles being employed against you.
Since we’ve gone over these principles in detail earlier in this article, how many principles can you identify from the pretexting example above?
Let’s break down the example together.
First, “You receive a call from someone claiming to be new to your IT team”. What principle do you notice in this line?
If you guessed Principle of Authority, you are CORRECT. The IT team usually has a measure of authority over what’s done on company computers. The attacker wants you to think they have this authority.
Next, “They are helping Justin (someone you know on the IT team)...” Did you notice what principle is being employed here?
If you guessed Principle of Trust, you are again CORRECT. The attacker wants you to think they are a close associate of someone you know and trust on the IT team.
Finally, “...they need you to download software for them to connect remotely to your computer to perform an update that should only take a few minutes and they’re running behind a strict deadline.”
What principle do you see in regard to this request?
If you guessed Principle of Urgency, you are CORRECT. They want this done quickly and soon.
Did you notice how one social engineering example can deploy many different principles at once?
Now let’s talk about what could have been done in this example to thwart this social engineering attempt.
Since the principle of urgency was used, we can counteract that by creating a pocket of time.
We may do this by saying “ok, let me put you on hold to wrap up what I’m doing”.
Next, since they also employed the principles of Trust and Authority, we now have time to verify them BOTH.
You or a co-worker can now call the IT department and speak with Justin directly. If Justin is not available, verify this caller through another member of IT you know and trust.
If no other member is available, we can explain to this caller that something came up and you can call them back once this “something” is addressed.
Once we’ve had time to verify the caller as legitimate or fraudulent, we know what to do next: we either call them back or not, based on their authenticity.
Also, if they are found to be fraudulent let your management team know so that a mass communication can be sent across the company to put everyone on high alert against the scammer.
So now that we’ve thwarted that social engineering attempt, let’s look at the next two tactics for this article.
Baiting and Quid Pro Quo attacks
Baiting involves offering a disguised good or service to an unsuspecting victim and in reality the good or service is a malicious attempt used to gain unauthorized access to restricted resources.
If you’re thinking “wait, that sounds a lot like the last example….”, you’re absolutely CORRECT!!
The malicious service in the last example was the attacker’s attempt to establish a “remote connection” to perform a “software update” that would have compromised company resources.
Baiting can also be done by someone leaving an infected USB drive lying around the office in the hope that someone will use it and unwittingly infect their computer, giving the attacker access.
We’ll see later how an attacker might infiltrate restricted areas to set up such a trap when we talk about tailgating.
Quid Pro Quo is similar to Baiting in that an attacker promises a good or service in exchange for something else.
Let’s see an example of this type of attack at work.
Example: You’re in the market for a new home and are ready to close on a sale. You receive an e-mail from your title company saying that they need a wire transfer of an additional $8,000 within the next 72 hours, or the sale can’t be closed.
If you comply, you will be out a very specific amount of money, with no hope of a refund.
How many social engineering principles did you see at work in this example??
Again, let’s take this example and break it down a bit to find out which ones were used.
First, “...you receive an e-mail from your title company..”. Can you tell what principle is at work here?? If you guessed Principle of Authority, that is the CORRECT answer.
The attacker in this instance is posing as an authority that can ask for such an amount of money if necessary.
Next, “...saying they need a wire transfer of an additional $8,000 within the next 72 hours..”. Which principle is this??
The correct answer is Principle of Scarcity. The victim is given a specific deadline to comply with the attacker’s request.
Also, the attacker isn’t asking them to act right away, as with the Principle of Urgency; that would look far too suspicious for that amount of money.
Finally, “...or the sale can’t be closed”. This brings us to our next social engineering principle, the Principle of Intimidation.
The attacker wants the victim to comply or else it could mean “bad news” for the victim.
Now that we can recognize the principles at work in this attack, let’s take a look at how we can circumvent this sort of attack.
Unlike in the first example, where we had to create a pocket of time, here we have time to check whether this is a legitimate request because of the window of time given by the attacker.
In this time window, it would be wise to consult the title company and speak with a trusted authority to make sure this wire request is authentic.
Here’s the tricky part. If the attacker planned this sort of attack around a three-day holiday weekend, there would be no time to check with the title company before the 72-hour window expired.
So now what?? We’d have to know how to inspect this e-mail to see if it’s really from the title company we know and trust.
For help on inspecting an e-mail to find out if it’s legitimate or fraudulent, see our blog post: How to Verify E-mails as Legitimate or Fraudulent.
Upon inspecting the e-mail, we’ve discerned that it is fraudulent, so the notice can be safely disregarded and reported to the title company for investigation.
This brings us to the last social engineering technique we’ll examine in this article, tailgating.
Tailgating
What is tailgating?? Tailgating, put simply, is following a person who has authorized access into a restricted area when the person following does not have such access.
Why would we allow anyone to do THAT?
Well, believe it or not, this can be done very easily.
Let’s say you arrive at work and in order to make it through the door, you have to scan your badge. When you get to the door, there’s someone standing by the door waiting to be let in.
This person explains to you that they’re with the HR department from corporate headquarters out-of-state and they don’t have a key card to get in and that Meagan (one of your co-workers) let them in last time.
If you believe them and let them in, they may have a malicious objective (such as baiting) if they are not who they say they are, and YOU could be held responsible for any damages they cause while there.
So, how would you handle such a situation?
The best thing to do would be to ask them who they are there to see, and then explain that you will have to confirm with that person while they continue to wait OUTSIDE.
Also, did you pick up on the principles being used here?
The Principles of Authority and Social Proof or Consensus are being used here since the person is claiming to have a measure of authority in your company and that one of your co-workers let them in before.
Also, this form of social engineering is a bit different from the rest mentioned in this article, in that it involves face-to-face human interaction.
In such a situation, your body language can be read and analyzed, and the attacker’s approach can be changed based on the weaknesses they pick up.
Still, you don’t have to bend to comply with them. Stand firm by your company’s rules and guidelines for access to restricted areas, even explaining these if necessary.
This is important, because in this example there’s an underlying Principle of Intimidation that could readily be employed if the person claims they can have you reprimanded for not letting them in, based on their “Authority”.
However, if this person really is from HR, they should respect the fact that you are following the access guidelines set forth by the company.
Well, that sums it up for the different social engineering tactics and the principles they employ for this article.
Remember, this isn’t an exhaustive list of ALL the possible social engineering scenarios. But with the principles in mind, you can now stand guard against the different tactics if they are used against you, especially where there’s a measure of human-to-human interaction.
Also, if you’re thinking “How can a social engineering post not mention phishing??”, we mentioned that in our last blog post: How to stay safe online. If you liked this one, feel free to check that one out too if you haven’t already.
As always, thanks for reading our Blog!! Feel free to share the link to this page with anyone you feel may benefit or to your favorite social media platform.