"Social engineering is the psychological manipulation of people into performing actions or divulging confidential information."

We are only human. It is not always easy to recognize the ill intentions of others, and perhaps you have entrusted information to the wrong person once or twice in the past. In a cybersecurity setting, however, it is this human error that is all too often exploited by a particularly nasty breed of bad actor. Social engineers would seek to manipulate you, perhaps by fraud or blackmail, in order to cause you to compromise your business' or your own data. It could be someone you have known for years. Attacks born of this method can be crippling, and they are difficult to defend against except by recognizing when someone is looking to abuse you. To help build that recognition, we will take a detailed look at social engineering. By the end of this article you will have the tools needed to defend yourself against these attacks.

Types of Social Engineering Attacks

• Phishing: This could be an email, a text or even a phone call claiming to be from some trustworthy source, but actually is made to deceive you into revealing some sensitive information. All phishing methods aim to exploit some pre-existing trust between you and another person or business.
• Pretexting: When somebody fabricates a situation which causes you to say or do something that compromises your security. Treat these requests with caution, because even one as simple as "I forgot my keys, can you let me in the building?" can lead you to expose your systems.
• Baiting: Could you be bribed, or otherwise find a reward persuasive? Some social engineers might seek to entice you by offering exactly that. Consider the infamous "419" scam, but as before it could even be someone you know.
• Tailgating: We often consider cybersecurity as a wholly digital environment, but remember that physical servers, devices and mainframes also need safeguarding. Tailgating is where someone, a hacker, spy or otherwise, will literally follow you into restricted areas to gain access to your hardware.
• Impersonation: Again leveraging your trust in others, social engineers could pretend to be someone else to get you to reveal information to them. The methods by which they can impersonate individuals are only getting more sophisticated, with the rise of things like ChatGPT and deepfake technology.

Psychological exploits

Social engineering is a sinister form of attack that exploits our human nature, and the way we interact with others. The unfortunate truth of the matter is, if you have access to sensitive data, then you should exercise distrust by default, because trust is a vulnerability that is all too often exploited. You may even have heard of the idea of "zero trust" policies, where actions and personnel must be validated and and authorised at each and every step of a given security protocol. Such policies are designed to leave not even the smallest opening to bad actors, thereby keeping systems much more secure, however even with these policies in place breaches can and will continue to occur.

Besides abusing your trust, social engineers might also look to appeal to your sense of authority, such as by impersonating the government, law enforcement or even your own boss. This is particularly common in phishing attempts, because with authority they are often able to pressure people into performing an action without consideration. Used in combination with other technologies, such as number spoofing or forgery of official documents and emails, this type of fraud can be very difficult to detect and especially if they are able to cause you to panic.

Consider also our susceptibility towards scarcity - perhaps you are offered a discount on something you badly want, but which expires in exactly 15 minutes. Would that push you to make a rash decision to buy it? Similar marketing techniques are used frequently by online retailers, and they have also been co-opted by scammers. Besides causing people to make reckless financial choices, it could also lead you to unwittingly expose your data.

Perhaps somebody in your company asks you to authorise their access to a secure folder. They tell you that they desperately need the data for a project deadline. They also tell you that they have stuck their neck out for you in the past, and that they would put in a good word for you with their supervisor if you helped them out. They are trying to appeal to your sense of reciprocity, that you should give and get back in return, but this is also easily abused, and their access to that secure folder leads to a catastrophic data breach.

Attacks on Businesses

Social engineering is a generic concept that encompasses most of the common cyberattack vectors. Phishing, for example, is one of the most popular ways for hackers to gain access to systems, and with this access they then have free reign to steal or wipe data, execute ransomware and other malware and so on. The aims of social engineers can vary broadly. They may be in it for profit, for example when employees are tricked into paying fake invoices. Stolen data and breached internal networks (such as those compromised by initial access brokers) can also be auctioned off, or ransomed as aforementioned. Alternatively, their goals can simply be to cause disruption, as exhibited by the ACTINUM group in their attacks against Ukraine's digital infrastructure.

In 2019, a company insured by Euler Hermes Group lost $243,000 to a fraudster who had managed to deep-fake the voice of the company's CEO, and asked for the funds to be wired to a Hungarian bank account from which they then disappeared. The same thing happened again to a different company in early 2020 where a Hong Kong bank manager was tricked into authorizing a $35,000,000 transfer of company funds. In both of these instances, new phishing technologies were used to abuse the trust of their targets.

Recognising Social Engineering Attacks

These attacks can be very difficult to detect and prevent. Since they are generally exploitative of human nature, it is pertinent to be conscious of our own vulnerabilities, but also of the hallmarks of a typical social engineering attack so that you are prepared. Briefly, we will discuss signs that you should be able to recognise in order to keep your data and your company's data safe.

A major red flag is if you are put under pressure, be it from a phone call, text or email, over some action that is demanded. The more pressure that a social engineer can put on you, the less likely you are to fully consider the consequences of their request. If they have threatened you with a time limit, or they appear to be leveraging their authority over you, and if you notice you are feeling nervous, then this could be a potential social engineering attempt.

As discussed, phishing is a particularly common vector of attack. If you are lucky then the phishing attempt might give you some clues, such as in poor spelling, grammar, or a poor likeness to whoever they are trying to impersonate. Is the request uncharacteristic of the person asking it of you? If that is your gut instinct, then it may be worthwhile to double check. Likewise, if their request would cause you to blatantly bypass some security protocol then that should register as a major red flag.

A social engineer would look to place you in a situation where your usual defences will not work. They look for ways to bypass firewalls and security procedures, so another sign might be that they have directed you towards any external links, attachments, email addresses, downloads, WiFi connections, remote access requests, IOT devices or QR codes. These could all represent ways for them to execute some malicious code on your devices. The number of ways that your device can be compromised are already vast, and unfortunately they are still growing.

Preventing Social Engineering Attacks

Recognising the signs of social engineering attempts is fundamental to your ability to prevent them. But the cybersecurity landscape is constantly changing, so in order to continue to detect these signs you must also keep up with the new technologies that hackers use. Education is what will empower your awareness, so make sure to stay vigilant to ward off future attacks. On the White Blue Ocean blog we will strive to keep you up to date on the new dangerous technologies that others have fallen victim to so that the same might not happen to you. Should you wish to learn more about deep fake phishing, the dangers of AI or the risks of the metaverse, we aim to have all the information you need.

Beyond education and awareness, there are practical changes that you can make to help safeguard from social engineering attacks. The most obvious is a strong password, however you ought to also consider multi-factor authentication as a means of protecting your accounts even further. As an employer, you can mandate regular password changes, and even further protect your assets by investing in your cybersecurity department.

Additional security measures can also help, such as password protection and encryption of devices and folders, the use of firewalls, and regularly updated antivirus software. Keep your devices all updated generally, as security vulnerabilities are patched very frequently. And continue to exercise good cyber hygiene in order to mitigate the number of vulnerabilities you leave open to the exploitation of bad actors.

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.