The term ‘social engineering’ sounds manipulative and divisive – and indeed that’s exactly what it is.
But, before we get on to social engineering as a cyber security threat, it’s worth pointing out that the principles behind this form of attack are absolutely nothing new. Maybe the best and most illustrative example involves a wooden horse. Yes, that’s right, apparently the Greeks had social engineering down to a fine art. Another first for our Mediterranean brethren to add to the Olympics, cartography, the alarm clock (really!) and frankly the fundamental principles of most modern democracies. Plenty to brag about in that list, right?
But then add the fact that, after an exhausting, unsuccessful 10-year siege of Troy, the Greek army demonstrated its expertise in social engineering by pretending to quit. They packed up their weapons and sailed off into the sunset, leaving behind an enormous wooden statue of a noble horse – a gift in admiration of the victorious Trojans. Except that it wasn’t. In the middle of the night the force of soldiers, hiding inside the horse, sneaked out and let the rest of the Greek army, who had quietly returned, back in through the gates of Troy – and the rest is history, or legend, whichever you choose to believe.
Social engineering techniques
Social engineers are the cyber incarnation of the classic con-artist or ‘grifter’. Instead of a rigged deck of cards, sleight of hand, a wooden horse, or other tricks of the trade, social engineering scams are executed using a range of cyber techniques designed to compromise data security, including:
Baiting, which requires that the victim pick up a malware-infected device, such as a USB flash drive or CD, left by the perpetrator in a place where it is likely to be found. Once the device is connected and the malware is installed, it gives the attacker access to the victim’s computer or IT network.
Phishing, which uses chat applications, social media, phone calls, spoofed websites and, most often, email, all designed to look legitimate and appear to come from a trusted source. Any interaction with these lures either causes malware, often ransomware, to be installed on the victim’s device or tricks the victim into sharing personal, financial or business information.
Pretexting, which occurs when an attacker creates a false scenario that convinces the victim to provide access to sensitive data or protected systems. For instance, the attacker may masquerade as a trusted entity such as a member of the company’s IT department.
Quid pro quo, which occurs when attackers request private information from someone in exchange for something desirable or some type of reward. For instance, an attacker requests login credentials in exchange for a free gift.
Spear phishing, which is a highly targeted type of phishing attack that focuses on a specific individual or organization. This type of attack uses personal information specific to the recipient in order to gain trust and appear legitimate. By personalizing the attack, the bad guys have a much higher chance of tricking the victim into divulging sensitive information.
Scareware, which involves tricking the victim into thinking their computer is already infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s malware.
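The phishing and spear-phishing entries above turn on one idea: the message is built to look as if it comes from a trusted source. The script below is an added example (not from the original article or from Welford) showing how a defender can score the header-level signs of that impersonation: a display name that carries a trusted address while the real sender domain is something else, a sender domain that is a near-miss of a trusted one, a Reply-To that points somewhere other than the From domain, and urgency language in the subject or body. The trusted-domain list, the indicator weights and the three sample messages are constructed for illustration and are not real data.

```python
"""Score e-mail headers and body for common phishing indicators.

Added example using only the Python standard library. TRUSTED_DOMAINS,
WEIGHTS and the sample messages are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains this organisation treats as its own.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Assumed weights; a single weak indicator should not condemn a message.
WEIGHTS = {
    "display_name_spoof": 3,   # display name shows a trusted address, sender does not
    "lookalike_domain": 3,     # sender domain is a near-miss of a trusted domain
    "reply_to_mismatch": 2,    # replies go to a different domain than the sender
    "urgency_language": 1,     # pressure phrases typical of social engineering
}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?suspended|verify your)\b",
    re.IGNORECASE,
)
# Common character substitutions used in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """Levenshtein distance of at most one (one insert, delete or substitution)."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def _is_lookalike(domain, trusted):
    if domain == trusted:
        return False
    normalised = domain
    for fake, real in CONFUSABLES.items():
        normalised = normalised.replace(fake, real)
    return normalised == trusted or _within_one_edit(domain, trusted)


def _body_text(msg):
    if not msg.is_multipart():
        return str(msg.get_payload())
    return "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def score_message(raw):
    """Return {'score': int, 'indicators': sorted list} for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = _domain(sender)
    found = set()

    if from_domain not in TRUSTED_DOMAINS:
        # Display name carrying a trusted address while the real sender is elsewhere.
        m = re.search(r"[\w.+-]+@([\w.-]+)", display)
        if m and m.group(1).lower() in TRUSTED_DOMAINS:
            found.add("display_name_spoof")
        if any(_is_lookalike(from_domain, t) for t in TRUSTED_DOMAINS):
            found.add("lookalike_domain")

    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        found.add("reply_to_mismatch")

    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(_body_text(msg)):
        found.add("urgency_language")

    return {"score": sum(WEIGHTS[i] for i in found), "indicators": sorted(found)}


# Constructed sample messages (not real mail).
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday

The mail servers will be patched on Saturday evening.
"""

PHISH = """\
From: "helpdesk@example.com" <support@examp1e.com>
Reply-To: support@mail-verify.net
To: alice@example.com
Subject: URGENT: verify your password within 24 hours

Your account will be suspended unless you confirm your credentials.
"""

NEWSLETTER = """\
From: Example Newsletter <news@example.com>
Reply-To: bounces@mailer-service.example.net
To: alice@example.com
Subject: April product update

Here is what we shipped this month.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH), ("newsletter", NEWSLETTER)):
        print(name, score_message(raw))
```

The NEWSLETTER sample is there on purpose: a Reply-To on another domain is normal for bulk mailers, so it scores low on its own, while the PHISH sample trips every check at once. In practice these header checks complement, rather than replace, SPF/DKIM/DMARC evaluation and user awareness training.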
A con-man is described as a person who swindles or misleads his victims by first gaining their confidence before executing the con. Human nature is such that we naturally want to trust other people, often even when we know something ‘isn’t quite right’. Social engineering exploits this behavior and enables the perpetrators to manipulate the victims’ trust for personal gain. Historically, financial reward has been the motivating factor for the con-man, and so it is with modern social engineering scammers.
Social engineering is an increasingly serious threat for organizations and individuals alike, so what are the best methods for defending against this insidious form of cyber attack?
Due to rapid advancement in the sophistication of social engineering attacks, technology solutions, security policies, and operational procedures alone can no longer fully protect your organization.
Education is the first and most important step in preventing you from falling victim to a social engineering attack. Companies can mitigate the risk by developing an active security culture that evolves as the threat landscape changes. Having an employee base that is able to recognize and avoid common social engineering tactics is ultimately the best defense against these schemes. If your people are aware of the threat and understand what forms social engineering attacks are likely to take, they will be less likely to become victims.
We would also recommend that organizations carry out regular penetration tests that mimic social engineering attacks. This will help administrators identify where the vulnerabilities are in the organization, what training is required and which staff members are most in need of it.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that fall under the requirements of the General Data Protection Regulation (GDPR) which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of you suffering a damaging and expensive data breach.