Social Engineering
What is social engineering and why does it work?
Social engineering is the art of manipulating people into performing actions or revealing confidential information, often without realising they’re being deceived. Unlike traditional cyberattacks that rely on exploiting technical vulnerabilities, social engineering targets the human element: our emotions, assumptions, and habits. These attacks exploit natural psychological tendencies like trust, fear, urgency, and curiosity. By crafting believable scenarios, such as impersonating authority figures, feigning emergencies, or offering enticing rewards, attackers can trick individuals into bypassing normal security protocols. Whether the contact comes through email, phone calls, social media, or even in person, the attacker’s goal is the same: to use psychological pressure to make the target act without thinking critically. Understanding these emotional levers and recognising the manipulation techniques behind them is key to defending against social engineering.
Types of social engineering attacks
Social engineering is like a con artist's game, but played in the digital world. Below we'll go into the various “costumes” these digital con artists wear to fool their targets.
Phishing Attacks
Phishing is a deceitful tactic in which scammers pose as trustworthy entities to trick individuals into disclosing personal and valuable information. Phishing falls into two broad categories: spam phishing, which consists of broad, generic campaigns aimed at many users, and targeted phishing, namely spear phishing and whaling. Spear phishing is customised for specific individuals or groups, while whaling takes it a step further by focusing on high-profile targets such as CEOs or celebrities with highly appealing bait. Phishing can also take on various forms, including:
- Vishing (Voice Phishing): Phone-based scams inducing urgency or fear.
- Smishing: Deceptive text messages that appear urgent or official, often imitating trusted institutions, with malicious links.
- Angler phishing: Scammers posing as customer service agents on social media to extract personal information under the guise of assistance.
- Search engine phishing: Fake websites promoted via manipulated search results.
- URL phishing: Deceptive links mislead users into navigating to fraudulent websites.
- In-session phishing: Users may encounter fake pop-ups resembling login prompts, tricking them into sharing credentials with malicious actors.
Baiting attacks
Baiting traps victims by exploiting their curiosity or offering enticing rewards to extract personal information or deploy malware. For instance, malicious USB drives might be left in public spaces, tempting users to connect them. Similarly, email attachments or links promoting free software or gifts often deliver malware upon interaction. Social media vouchers or coupons may also lead to malicious downloads, while fake job offers can lure victims into downloading malware-infected files.
Physical breach attacks
These attacks involve direct physical actions to gain unauthorized access to facilities or systems. Common tactics include:
- Impersonation: The attacker pretends to be a legitimate employee or contractor to gain entry.
- Tailgating: Following an authorized person into a restricted area without proper credentials.
- Dumpster diving: Searching through trash to find confidential information that has been improperly discarded.
- Shoulder surfing: Observing someone as they enter sensitive information, such as passwords or PINs.
Quid pro quo attacks
In these scenarios, attackers promise a benefit or service in exchange for information or access. For instance, an attacker might pose as IT support, offering assistance in exchange for login credentials.
Scareware attacks
Fake warnings of malware infections are designed to instill fear and panic, prompting victims to make hasty decisions. These warnings often appear as pop-ups or emails and trick users into installing harmful software disguised as antivirus solutions.
Watering hole attacks
Watering hole attacks target trusted and legitimate websites frequented by specific groups, making them harder to detect and more dangerous. Attackers carefully plan these attacks, identifying websites favored by their targets and compromising them to distribute malware to unsuspecting users.
Unusual methods of social engineering
In addition to the more prevalent types of social engineering, there are lesser-known but equally deceptive methods that cybercriminals use to manipulate their targets.
- Fax-based phishing: Sending fraudulent requests via fax to elicit sensitive information.
- Traditional mail malware distribution: Mailing physical media, like infected CDs or USB drives, to targets, enticing them to use the compromised items.
- Phone number spoofing: Manipulating caller ID to make a call appear as if it's coming from a trusted source, increasing the likelihood of the victim divulging information.
How to defend against social engineering?
- Education and awareness: Regular training sessions can help individuals recognise and appropriately respond to social engineering attempts. Simulated attacks, such as phishing exercises, can reinforce this training and improve vigilance.
- Vigilant communication: Establish protocols to verify unexpected requests, especially those involving sensitive information or urgent actions. Encourage the use of secure communication channels and confirm identities before proceeding with requests.
- Robust security policies: Implement strict access controls, ensuring employees only have access to information necessary for their roles. Regularly review and update data classification and handling procedures to maintain security standards.
- Technology solutions: Utilise advanced email filtering systems to detect and block phishing attempts. Enforce multi-factor authentication (MFA) to add an extra layer of security, making unauthorised access more difficult.
- Physical security measures: Develop and enforce policies regarding visitor access to facilities. Implement procedures for the secure disposal of sensitive information, both in digital and physical formats, to prevent unauthorised retrieval.
- Regular security audits: Conducting periodic security assessments, including vulnerability evaluations and penetration testing, helps identify and mitigate potential weaknesses in both digital and physical security.
- Foster a security-conscious culture: Encourage employees to report suspicious activities without fear of reprimand. Maintain open communication channels for discussing potential threats and continuously update staff on emerging social engineering tactics.
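To make the "technology solutions" point concrete, here is an added example, written for this page and not taken from the original article or any product it mentions, of the kind of heuristic checks an email filter can apply before a message ever reaches a person. It scores four indicators that map directly onto the phishing and URL phishing techniques described above: a display name that borrows a trusted brand while the address comes from elsewhere, a sender domain that is a near-miss of a trusted one, visible link text that shows one domain while the underlying `href` points to another, and urgency language. All sender names, domains and messages are constructed, and the trusted-domain list is a hypothetical placeholder an organisation would replace with its own brands.

```python
"""Heuristic phishing-indicator scoring for inbound mail (added example).

The trusted-domain list is a hypothetical placeholder; every sample message
below is constructed for illustration and is not real mail.
"""
import re
from email.utils import parseaddr

# Hypothetical domains the organisation treats as its own brands.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Pressure phrases that social-engineering lures lean on.
URGENCY_TERMS = ("urgent", "immediately", "verify your account",
                 "account suspended", "within 24 hours")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(text):
    """Lower-cased hostname at the start of a URL or bare domain, else ''."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, trusted):
    """True when the domain is close to, but not equal to, a trusted domain."""
    reg = registrable(host)
    return any(0 < edit_distance(reg, t) <= 2 for t in trusted)


def score_message(from_header, subject, body_html, trusted=TRUSTED_DOMAINS):
    """Return a score, a verdict and the indicator names that fired."""
    findings = []
    name, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1].lower()
    norm_name = re.sub(r"[^a-z0-9]", "", name.lower())

    # 1. Display name borrows a trusted brand, but the address is not from it.
    for t in trusted:
        brand = re.sub(r"[^a-z0-9]", "", t.split(".")[0])
        if brand and brand in norm_name and registrable(sender_host) != t:
            findings.append(("display-name-spoof", 3))
            break

    # 2. Sender domain is a typo-squat of a trusted domain.
    if is_lookalike(sender_host, trusted):
        findings.append(("lookalike-sender-domain", 3))

    # 3. Visible link text shows one domain while the href points elsewhere.
    for href, text in ANCHOR_RE.findall(body_html):
        text_host = host_of(TAG_RE.sub("", text))
        href_host = host_of(href)
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(("link-text-mismatch", 3))
        elif is_lookalike(href_host, trusted):
            findings.append(("lookalike-link-domain", 2))

    # 4. Urgency language meant to short-circuit critical thinking.
    blob = (subject + " " + TAG_RE.sub(" ", body_html)).lower()
    hits = [t for t in URGENCY_TERMS if t in blob]
    if hits:
        findings.append(("urgency-language", min(len(hits), 2)))

    total = sum(weight for _, weight in findings)
    verdict = "quarantine" if total >= 5 else "flag" if total >= 3 else "deliver"
    return {"score": total, "verdict": verdict, "findings": [f for f, _ in findings]}


# Constructed sample messages: (From header, Subject, HTML body).
SAMPLES = {
    "typosquat-lure": (
        '"Example Bank Security" <alerts@examp1e-bank.com>',
        "Urgent: verify your account within 24 hours",
        '<p>Sign in at <a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p>',
    ),
    "legit-statement": (
        '"Example Bank" <noreply@mail.example-bank.com>',
        "Your monthly statement is available",
        '<p><a href="https://www.example-bank.com/statements">View statement</a></p>',
    ),
    "helpdesk-pretext": (
        '"IT Helpdesk" <support@helpdesk-services.example>',
        "Action required: password expires",
        '<p>Please reset immediately: <a href="https://portal.example-corp.com.login-reset.net/">https://portal.example-corp.com</a></p>',
    ),
}


def triage_samples():
    """Score every constructed sample and return the results by name."""
    return {name: score_message(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:18} score={result['score']:2} {result['verdict']:10} {result['findings']}")
```

The weights and thresholds are deliberately simple so the logic is readable; a production filter would back the look-alike check with a public-suffix list and known-brand inventory, and would feed verdicts into the reporting channel described under "Foster a security-conscious culture" so that flagged messages reach analysts rather than silently disappearing.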
Explore our MDR service
Looking for comprehensive cybersecurity solutions tailored to your organisation's needs? Explore our Managed Detection and Response (MDR) services. Our SOC provides scalability, cost-effectiveness, and access to specialised expertise. Our MDR services help organisations detect, analyse, and respond to cyber threats in real time, leveraging advanced threat intelligence and proactive monitoring to identify and mitigate risks like ransomware and cyber espionage. We also assist in navigating cybersecurity regulations such as NIS2, providing visibility into security telemetry and log retention. With an “assume breach” mindset, we help organisations strengthen their security posture and reduce the impact of potential threats.