What is Social Engineering? (2019)
Social engineering is a method of gaining access to systems, data, or buildings by exploiting human psychology. Instead of using technical techniques or breaking in, attackers employ non-technical schemes.
For instance, rather than searching for a software vulnerability in the target's company, an attacker may call an employee and pose as an IT support person.
The attacker then tricks the target into giving up their password. The primary objective of social engineers is to gain the trust of as many targets as possible in a given company.
Types of Social Engineers
There are many forms of social engineering. It can be friendly or malicious, and it can build a target up or tear them down. It is important to know the different types of social engineers in order to determine how to deal with them.
Hackers are the most popular and prominent type of social engineer. Even as software vendors build hardened systems that are more difficult to break, hackers still find ways into them.
Network and software attack vectors, including hacking, are fast becoming part of the social engineer's skill set. More often than not, this type of social engineer combines people skills with hardware skills and uses hacking in minor and major breaches across the globe.
Skilled penetration testers, or pentesters, are quite similar to hackers in that they use hacking skills to penetrate a company's or target's security. Pentesters have the same skills as malicious black-hat hackers; however, they do not use the information they obtain to harm a target or for personal gain.
Identity theft is the use of an individual's personal information, such as name, address, bank account numbers, social security number, and birth date, without the owner's knowledge.
This crime ranges from wearing a uniform to impersonate an individual to far more complicated attacks. Identity thieves use a number of social engineering skills, and today they have become more creative and inventive in the ploys they carry out.
Spies are those for whom the skills of social engineering are a substantial part of their lives. They routinely employ the principles of social engineering in their ploys. Spies are considered experts in this science, as they are taught various methods of fooling their targets into believing they are something they are not.
Furthermore, spies from all over the world are trained in the skills of social engineering so that they can build credibility and successfully question their targets.
More often than not, members of organizations who become dissatisfied or disgruntled also become rebellious toward their employers. Furthermore, most employers are unable to detect their employees' dissatisfaction, because employees naturally hide their concerns to protect their jobs.
As such, the relationship between employers and employees is one-sided. Regrettably, employees who have become deeply disgruntled with their employer or organization find it easier to carry out malicious acts such as theft, vandalism, security breaches, and other offenses.
There are some signals that employers can look for when discerning whether a staff member has become disgruntled and inclined to carry out social engineering ploys.
Disgruntled employees are well aware that those who frequently call in sick, file for leave often, or go home early are the usual suspects when wrongdoing is discovered in an organization.
Hence, disgruntled employees tend instead to volunteer for extra work, tasks, or duties, work long hours, or otherwise try to catch the attention of the higher-ups in the organization. This type of behavior is referred to as the protective behavior pattern.
Employees who become upset over minor or major things that threaten to expose their fraud or scam are indeed disgruntled and likely to engage in social engineering ploys.
They may also make negative statements about the organization or management so that co-workers will sympathize with them if they are caught committing their misdeeds.
For instance, disgruntled employees may say that top management is corrupt, unfair, or unappreciative and try to win other employees over to this view.
Once caught, disgruntled employees will simply say that their misdeed is nothing compared to the inequity of top management towards its employees.
Disgruntled employees are likely to display the antisocial loner personality. Whether or not this trait is inherent, disgruntled employees tend to become loners as they think about, plan, and execute their crimes. Again, these employees often blame all of their misdeeds on the organization or top management.
This personality develops when an employee constantly complains about the workplace, co-workers, or top management. Eventually, this leads them to think that they are alone, and hence to become antisocial. They become impersonal and cold towards their colleagues.
Disgruntled employees are also likely to change their lifestyle in ways that do not add up. They may show a sudden increase in assets, travel a lot, purchase luxury items, or even open offshore bank accounts, none of which matches their actual salary.
In this case, employers should take note of how these employees can afford such a lifestyle. Disgruntled employees who carry out social engineering ploys are primarily motivated by ego and money.
Recruiters must master the aspects and skills of social engineering. They need to become experts in elicitation along with the various psychological principles of social engineering.
As such, they are proficient in understanding what motivates their targets. More often than not, recruiters target both the job poster and the job seeker.
Scam artists, also known as con artists, play on greed as well as other principles that appeal to their targets' desires and beliefs in order to make money.
Scam artists can discern the signals that make a target good prey. They are adept at setting up situations that are irresistible and full of “opportunities” for their targets.
Governments are often overlooked as social engineers; yet they are proficient in controlling the people they govern and the messages they convey. Most governments use authority, social proof, and scarcity to ensure that they can control their targets.
On the other hand, this social engineering skill is not always negative, given that some of the messages relayed are beneficial for the targets. In addition, governments use elements of social engineering to make a message more convincing, appealing, and accepted.
Salespeople are similar to recruiters in that they are also experts in a number of people skills. According to most sales gurus, an effective salesperson does not control people but uses their skills to determine the needs of their clients and find out whether they can fill those needs.
The art of sales involves various social engineering skills, including elicitation, information gathering, psychological principles, and influence, among others.
Psychologists, Doctors, and Lawyers
Most people might be surprised to learn that these career fields belong among the types of social engineers. This group uses techniques similar to those of the other types.
For instance, this group uses elicitation, psychological principles, interrogation, and proper interview tactics to obtain information from their clients or targets and steer them in the direction they want.
Therefore, an aspect of social engineering can be found in many fields, including among well-educated professionals such as doctors and lawyers.
This goes to show that social engineering is also a science, with equations that allow a person to apply social engineering skills to achieve their objectives.
One such equation may be expressed as: pretext + appeal to greed + manipulation = target victimized.
Goals of Social Engineers
The main goal of most social engineers is to obtain a target's personal information, which can lead to identity or financial theft or set the stage for a more intensive attack.
More often than not, social engineers find ways to install malware on a company's systems in order to gain access to computer accounts, personal data, and other sensitive information.
In some cases, social engineers look for information that translates into a competitive advantage.
Some of the most common items that are valuable to social engineers include passwords, keys, account numbers, access cards, identity badges, any personal information, details of computer systems, phone lists, information about non-public URLs, servers, and intranets, and the names of targets with access privileges, among others.
Social Engineering Ploys
Unfortunately, a great number of exploits are associated with social engineering.
Attackers may trick their targets into visiting a fake web page, leaving a door open for them, downloading a document that includes malicious code, or even inserting a USB device into a computer so that the attacker gains access to the target's corporate network. Some of the typical social engineering ploys include:
This ploy involves a social engineer gaining the trust of the target and prompting them to click on attachments or links that contain malware. This malware usually carries a threat that is detrimental to the corporate system.
Once the social engineer gains access to the corporate system and finds its weaknesses through the malware, they may begin to exploit them. For instance, the social engineer may start an online conversation with targets and push them to divulge useful and sensitive information.
Impersonation or Social Network Squatting
This ploy involves a social engineer tweeting at their target and the target's friends or other contacts using the name of someone the target knows.
The social engineer then asks the target for a favor, such as providing data from work or sending a spreadsheet. It is important to note that social engineers can manipulate or spoof anything seen on a computer screen.
Posing as an Insider
This ploy involves a social engineer posing as an IT help desk contractor or employee in order to obtain information such as passwords from targets.
In a vulnerability assessment study involving the employees of a certain company, 90% of the workforce trusted the accomplices who posed as co-workers. As a result, the accomplices were able to obtain personal information and other sensitive information about the company.
Social Engineering – Basic Psychological Tactics
Social engineering relies on basic psychological tactics that attackers use to gain the trust of their targets and get what they want. Knowing the underlying principles of social engineering makes it easier to recognize when you are being targeted by an attacker.
A social engineer exudes control and confidence
Naturally, people who are carrying out something misleading or deceptive act confident and in control. For instance, a social engineer may pose as an individual from a service company or even forge a badge to gain access to a secure building.
The social engineer simply needs to act as if they belong there. By conveying control and confidence, they put others in the building at ease.
Take the case of security staff at concerts.
Security staff do not look for badges when admitting people to a venue; they look for unusual posture and behavior. For instance, security staff can tell when a fan is sneaking backstage to get a glimpse of the star, and they know who is working the event.
A social engineer may also strike up a conversation in order to gain the upper hand. Once they are the one asking the target questions, they control the conversation.
More often than not, social engineers open a conversation with a question, which immediately puts the target on the defensive. The target then feels social pressure to provide an appropriate or correct response.
When someone conveys control and confidence, whether offline or online, the key is not to become too comfortable. For instance, companies should advise employees to be vigilant about allowing outsiders into the building.
Guests and even service providers should have their credentials checked thoroughly, regardless of whether their faces are familiar.
A social engineer offers favors or free gifts
One of the human impulses that social engineers exploit is reciprocation. When people are given gifts or favors, they feel the need to give something in return, whether or not they like the person giving it.
A social engineer may offer to hold the door for a company employee or bring cookies to a receptionist in order to gain access to the building.
Most social engineers know that the time delay between offering a gift and asking for a favor is crucial.
If the social engineer asks for a favor immediately, the target might take the gift as a bribe, and a target who perceives the gift as a bribe is likely to become uncomfortable.
As such, a social engineer is inclined to give a gift, say, to a building's guard or receptionist in the morning and come back in the afternoon.
The social engineer may then claim a mix-up, such as pretending that there was confusion over an item or that an item was left in one of the building's rooms after a meeting. The guard or receptionist is likely to let the social engineer in as an act of reciprocation for the earlier gift.
To prevent this, employees should be skeptical, especially when someone offers them a gift. In many cases, social engineers spend weeks laying the foundation of a reciprocal relationship with their targets, which eventually leads to access to secure or sensitive areas.
A social engineer makes use of humor
In general, people enjoy the company of others with a good sense of humor. This fact does not escape most social engineers. They know that humor can be used to gain information, get out of trouble, or win over a gatekeeper.
For instance, a social engineer may simply convey an upbeat impression to a security guard who is questioning them. Social engineers usually give their targets the impression that they are not worried about the questioning.
In addition, social engineers may strike up a conversation in order to obtain information from their target. For instance, a social engineer may pose as an IT person and make a call asking for the target's password.
The social engineer may use humor during the call, as the target is more likely to volunteer sensitive information when the conversation is comfortable and fun.
A social engineer always states a reason
A recent study involved two groups of participants. The first group was waiting in line to use a library's copy machine. The second group was tasked with cutting into the line so that they could use the machine first. The study found that people are inclined to concede to individuals when they hear the word “because.”
In the study, members of the second group cut in line to use the copy machine saying the following: “Excuse me, may I use the copy machine because I have five pages and I am in a hurry?” This statement led 94% of the first group to concede, allowing the individual to skip the line.
Consequently, the magic word in the study was “because.” Social engineers know this. In the same way that blending in with the people in a building and marching around as if they own the place leads others to assume they truly belong there,
a social engineer who uses the word “because” conveys to the target that they have a legitimate reason. Most people cooperate when they are given the perception of a reason, regardless of whether that reason is sensible.
Given that social engineers can work in any type of environment, people should take the time to know what is going on around them and what is being said to them.
More often than not, people who have had a hectic day will give up information right away just to end the day and rest. Social engineers scout for targets who seem stressed out, knowing that these people are likely to lose their awareness and presence of mind.
Elicitation
In social engineering, elicitation is used to draw targets out through a set of questions that stimulate them and lead them toward the behavior the social engineer wants.
Social engineers craft their words and questions carefully and refine this skill to a high level. Those who are adept at eliciting information can make their targets want to answer every question or request.
Most governments warn and educate their employees about elicitation, given that this psychological technique is used by spies across the globe.
For instance, the National Security Agency of the United States government has defined elicitation in its training materials as “the subtle extraction of information during an apparently normal and innocent conversation.”
Given that elicitation is low risk and extremely difficult to detect, it works well with other aspects of social engineering. More often than not, targets never learn where the leak of their information came from. Even when there is suspicion, targets usually pass it off as just a question that they should or should not have answered.
There are several reasons why elicitation works well with social engineering.
Most people want to be polite even to strangers.
When people are praised, they are likely to talk and divulge more information about themselves.
Professionals desire to exude intelligence and superiority in their fields.
Most people respond as pleasantly as possible to people who appear to have a concern about them.
Most people do not lie just because they want to lie.
These are significant factors that social engineers consider in the targets they deal with. Social engineers know that these traits are usually inherent in every individual, which is why elicitation works so well with their ploys. Thus, they are able to get people to talk about almost anything about themselves.
More often than not, social engineers use light and simple conversation to get the most relevant information out of their targets. Before doing so, however, they make sure they are clear about their goals in order to get the best results from elicitation.
Social engineers do not use elicitation only to obtain information. They also use it to make their pretext more credible and to gain access to the information they want.
The Goals of Elicitation
Based on the definition of elicitation presented above, social engineers have a clear picture of what their goals are. Social engineers want their target to act, whether the action is as simple as replying to their questions or as elaborate as granting access to a restricted area.
To get their target to act in accordance with their intention, social engineers ask several questions or simply keep a conversation going that steers the target down the path they are leading.
The key to effective elicitation is information. The more information social engineers gather, the more successful their ploy will be. Because elicitation is low risk, it does not appear to the target as a threat.
For instance, people have numerous conversations with others at coffee shops, stores, or elsewhere, whether significant or meaningless. Thus, the entire concept of keeping a conversation going is immersed in elicitation, using it in an inconspicuous manner. This is why keeping the conversation going is so important in elicitation.
Irrespective of the method used, the goal of elicitation is to gain access to information and use it to steer targets down the path the social engineer wants. This is why people should be able to distinguish between a “normal” conversation and elicitation, although the two can be difficult to tell apart.
In addition, social engineers are masters of the art of conversation. They have become proficient in the three main steps of conversing with their targets.
The first step is being natural. Social engineers create and keep a conversation going by being natural in the way they speak and act with their targets. For instance, they converse with their target about something they are experts in.
As such, they are able to stand comfortably and convey their knowledge without betraying a hint of malice to their target. Social engineers exude naturalness and confidence. They have mastered not only the way they speak, but also the nonverbal aspects of a conversation.
The second step is education. Social engineers are knowledgeable about what they are discussing with their targets. They avoid pretending to be more than they can believably be.
This means that if they want to obtain information, say, from a marketing company and their target is an experienced marketer, their elicitation approach should involve something that interests the target.
Social engineers research, practice, and prepare before choosing to converse with their target. They arrive with adequate knowledge so that they can speak about a specific topic intelligently.
The third and final step is not being greedy. This step may seem to contradict the motives of social engineers. However, the objective of creating and keeping a conversation going is to obtain information, get answers, and be handed the key to the target's arena.
As such, when conversing with their targets, social engineers avoid being greedy for information. Instead, they apply the concept of reciprocation, making the conversation a give-and-take process rather than a one-way street.
They also allow their targets to dominate the conversation. Even if this means obtaining less information, social engineers are patient enough not to get greedy by digging deeper and raising a red flag with their targets.
These steps to a successful conversation are also the keys to a successful elicitation. They change the way social engineers converse with their targets.
Key Elements of a Successful Elicitation
Social engineers apply the principle of elicitation first by having no fear of communicating with their targets or of being in circumstances that are not regarded as normal.
As part of training its agents, the United States Department of Homeland Security (DHS) has developed an internal pamphlet on elicitation. It contains significant pointers on how to tell the difference between a normal conversation and elicitation, as well as measures agents can take to avoid elicitation.
In one of the scenarios in the pamphlet, the attacker tells the target, “Your job must be important... that is why others think very highly of you.” The target then replies, “Thank you, but my job is not that important.”
Social engineers appeal to their target's ego without overdoing it. They do so with apparent sincerity and without stalking their targets. They avoid saying things that might lead the target to call security on them.
Social engineers use ego appeals as subtly as possible. They weave flattery into their conversations without making their approach overdone or obvious.
Another tactic the attacker uses is expressing mutual interest, which is an important aspect of elicitation. This tactic is more powerful and effective than appealing to the target's ego,
because when there is mutual interest, the relationship extends beyond the initial attempt to converse.
In this scenario, the social engineer gets the target to agree to further contact: the target acknowledges the attacker's offer and expresses interest in the plans discussed for the future of the company's system. This alone can lead to a huge system breach.
At this point, the social engineer has full control of the target. This means that the social engineer controls the next steps as well as what, when, and how much information is released.
Naturally, once the social engineer establishes a long-term engagement, they can build rapport and trust with the target and make the latter feel a sense of obligation.
Another scenario in the DHS pamphlet presents the deliberately false statement. While this tactic is prone to backfiring, it is just as powerful a tool as any other social engineering tactic.
For instance, the attacker says, “Everyone is aware that ABC company yielded the highest selling software for this particular type of widget across the globe.” The target then replies, “That is not true, actually. Our company began selling the same product in 1996 and our sales records have not been beaten since then.”
The social engineer's statement is a form of elicitation that makes the target respond with real facts. More often than not, people are inclined to correct wrong information or statements once they hear them, as if they were being challenged to prove otherwise.
It is inherent in people to want to appear knowledgeable, to inform others, and to be unwilling to tolerate misstatements. Most social engineers know this and use it to draw real facts out of their targets.
The DHS pamphlet also has a scenario in which the attacker volunteers information. Once a social engineer offers information in a conversation with the target, the latter feels compelled to provide equally valuable data. People are inclined to share similar views, information, or news.
Social engineers use this fact to set the mood or tone of the conversation while instilling a sense of obligation in their target.
Another manipulation tool discussed in the DHS pamphlet is assumed knowledge. When people assume that someone is already knowledgeable about a particular topic or situation, they feel it is alright to discuss it with them.
Social engineers exploit this human trait deliberately by appearing knowledgeable on a topic and then using elicitation to establish a conversation.
Social engineers are good at presenting information as if it were their own and continuing to build around it to keep the conversation going.
Elicitation and Intelligent Questions
The goal of elicitation in social engineering is to obtain small and apparently worthless pieces of information and later build them into a clear picture of the answers they want from their targets.
Asking intelligent questions gives social engineers a clear path to their goals. They use various types of questions in order to obtain answers that lead to a successful attack.
An open-ended question is one that cannot be answered with a simple yes or no. For instance, “It's a little hot today, huh?” leads to a “Yes.” However, asking “What can you say about the weather today?” leads to a real response of more than a yes or a no.
Social engineers learn when to use open-ended questions by studying and analyzing prominent reporters. Good reporters naturally use open-ended questions so that they can keep eliciting responses from their interviewee.
In social engineering, open-ended questions using “how” and “why” are more powerful, because they compel the target to expand on their response. Open-ended questions also compel targets to reveal other details that social engineers may find valuable.
In some cases, open-ended questions meet with resistance. Social engineers then use the pyramid approach, beginning with narrow questions and following them up with broader ones. This technique is evident when questioning teenagers.
Another type of intelligent question that social engineers use is the closed-ended question. While it is the complete opposite of the open-ended question, it is just as effective in leading targets where the social engineer wants them to be.
More often than not, the goal of closed-ended questions is to obtain detailed information rather than to lead the target toward the social engineer's goal. For instance, as an open-ended question, the social engineer might ask, “What relationship do you have with your manager?”
As a closed-ended question, on the other hand, the social engineer asks, “Is your relationship with your manager good?” This type of questioning obtains direct yet detailed responses from the target.
A leading question is usually answered with a simple yes or no; however, it is loaded with more information, which makes the answer more informative as well. Social engineers use leading questions to state facts, making the target either agree or disagree.
Assumptive questions are also intelligent questions, in which the social engineer already assumes that the target possesses valuable information. When asked an assumptive question, the target responds either affirmatively or in a disconcerted way.
More often than not, social engineers use assumptive questions when they already have an idea of the facts, which they can work into the question. This means that social engineers inject as many real facts as possible into the assumptive question rather than including bogus information, which may put off their target.
Pretexting
Pretexting is the act of creating a manufactured scenario that causes a target to take an action or divulge information. Pretexting goes beyond the concept of lying.
In some situations it can involve creating an entirely new identity and using that identity to control the information received. In social engineering, pretexting may involve posing as someone in a role or job that the attacker has never actually held.
On the other hand, pretexting is not as easy as it may seem, even for social engineers. Social engineers need to develop many pretexts over the course of their career. While pretexts differ from one situation to another, their common factor is research.
Time and again it has been mentioned in this blog that good information gathering methods can make or break a social engineer's ploy, even with an excellent pretext.
Take, for example, a social engineer posing as a tech support representative. This act is futile if the target company does not use outside support.
Pretexting is used in many fields besides social engineering, including public speaking, sales, neurolinguistic programming (NLP), so-called fortune telling, therapy, medicine, and law, among others. All of them use pretexting in various forms.
These fields also have to create a scenario in which clients or targets are comfortable divulging information that they would not normally share.
The only difference between social engineering and the other fields that use pretexting is the intention or goal. This is to say that social engineers must live the persona until they achieve success in their ploys.
The quality of the pretext goes hand in hand with the quality of the information social engineers gather about their targets. The more relevant and valuable information a social engineer gathers, the easier it is to develop a pretext for a particular target.
Take, for example, a social engineer posing as a tech support person. This impersonation would fail if the social engineer approached a company that already has its own internal or outsourced support. Social engineers find deploying their pretexts as easy as conversing naturally with a friend.
Principles of Pretexting
Just like any other skill, pretexting involves principles that govern how the task is carried out. Social engineers know these principles by heart, which is why they are exceptionally good at the skill.
The principles of pretexting underscore the significance of pretexting. They include the following:
The more research conducted, the better the chances of success.
The involvement of personal interests increases success.
The practice of expressions or dialects.
Using the phone as a significant part of a social engineering ploy.
The simpler the pretext, the better the chances of success.
Pretexts should be spontaneous.
Providing a follow-through or logical conclusion for the target.
The more research conducted, the better the chances of success
Although this principle may be self-explanatory, it is best to provide more details about it.
Simply put, this principle ties the success of a social engineering ploy to the depth and quality of the research that social engineers conduct.
Information gathering is the most important factor to consider in a successful social engineering gig. This is to say that a social engineer holding more information about the target has better chances of success in developing an excellent pretext.
Social engineers refer to this principle in every action they take, specifically when developing pretexts. They are aware that even small details can make a difference in pretexting. In addition, they also know that any information gathered is relevant and useful.
Whatever methods social engineers use to gather information, they also look for aspects, stories, and items associated with their targets, and in some cases they look into the personal lives of their targets.
Most social engineers use emotional or personal attachments to get closer to their targets.
For instance, finding out that the CEO of a company donates a substantial amount of money every year to a children's cancer research center would allow the social engineer to work a fundraiser for that cause into his or her pretext.
Doing this may seem heartless; however, most social engineers would do anything to achieve their goals. Malicious social engineers, in particular, use pretexts that feed on emotions without hesitation or second thoughts.
These scammers targeted people's computers and set up accounts posing as legitimate fundraisers so that they could collect the donations for themselves. Their websites were embedded with malicious code that enabled the social engineers to compromise the computers of hundreds, if not thousands, of people.
While experts in their respective fields are doing their work, social engineers take advantage of the increased attention people give to search engines: they launch malicious websites that feed on the search engine optimization (SEO) of specific terms.
As people are drawn to these websites, the social engineers are able to gather information or infect visitors' computers with viruses.
Social engineers then have better chances to research and gather information, making success in pretexting highly achievable. Sadly, malicious social engineers take advantage of others' misfortune.
The involvement of personal interests increases success
Social engineers increase their chances of success in pretexting when they draw on their own personal interests. This may seem a simple tactic, but it can definitely convince targets that social engineers are credible.
Trust and rapport are immediately ruined if a social engineer claims to be knowledgeable about a specific topic and then comes up short.
For instance, a social engineer who poses as a tech support person but has never seen a server room, yet continues to play the part, is headed for failure. This is why most social engineers include only activities and topics that interest them in their pretexts.
This gives them enough room to talk and to display their knowledge and confidence to their targets. When social engineers exude confidence, it is easier for them to convince their targets that they are who they say they are.
In addition, certain pretexts need more knowledge than others in order to be convincing, which is why research is a recurring task for social engineers. When a pretext is uncomplicated, social engineers simply read a blog or search a few websites.
Regardless of how the knowledge is obtained, social engineers usually research topics that they are personally interested in. Once they have chosen an interest, story, service, or aspect in which they have adequate knowledge, they determine whether that angle is feasible.
When social engineers carry a pretext without confidence, it creates dissonance, especially if the pretext requires the social engineer to be naturally confident.
Skilled social engineers are able to change dissonant beliefs to make them consistent. This is one of their powerful yet tricky skills.
For instance, a social engineer's appearance may not fit what the target has envisioned from the pretext; however, the social engineer can bring the target's beliefs back into line through his or her actions, attitude, and knowledge of the pretext.
The practice of expressions or dialects
Most actors have dialect coaches who help them perfect a target accent. Given that not all social engineers can afford dialect coaches, they simply learn from publications that offer valuable tips on the basics of adding an accent to their speech and expressions.
These publications include native examples of the accent that social engineers want to learn. Some books come with audiotapes that social engineers listen to; they speak along with the tapes and practice sounding like the speaker.
Once social engineers become confident in their accent, they record themselves to assess if they are convincing enough and correct any errors.
More often than not, social engineers create a scenario with a partner so they can practice their new accent. They also try it on other people to check if their accent is believable.
Pretexts should be spontaneous
Creating a spontaneous pretext is comparable to using an outline over using a script. When a social engineer makes use of outlines, it provides him or her spontaneity and more freedom to edit as necessary. On the other hand, using a script makes a social engineer sound unnatural, even robotic.
Spontaneity in pretexts is also associated with using a storyline that the social engineer is personally interested in. Approaching the target without knowledge of the pretext can compromise the credibility of the social engineer.
For instance, if the target asks something or makes a statement, requiring the social engineer to think, the latter is likely to pause and start thinking deeply if he or she cannot reply with an intelligent answer.
Naturally, people think prior to speaking; however, social engineers know that it is not about being able to answer in just a second. It is having a reason or answer for not having the answer to the target's inquiry or statement.
Social engineers follow a certain guideline when it comes to the spontaneity of their pretexts. These include not thinking about how they feel; not taking themselves too seriously; discerning what is relevant; and seeking to gain experience.
When creating pretexts, social engineers are inclined to overthink and add emotion to their storyline. However, this can lead to anxiety, fear, or nervousness and ultimately, failure of the pretext.
Some may not experience fear, but over-excitement. This likewise causes a social engineer to make numerous mistakes and again, lead to the failure of the pretext. As such, social engineers make sure that they do not think about how they feel while creating their pretexts.
Social engineers also avoid taking themselves too seriously. While their work is serious, as it deals with security, social engineers are still able to laugh at their mistakes. This allows them to handle the bumps that come their way instead of getting nervous or clamming up.
This does not mean taking security as a laughing matter. However, social engineers know that if they feel pressured or think of potential failure as irreversible, they create fear within themselves. Thus, they know that minor failures are normal and that they have the capability to reverse them.
Social engineers also know how to discern what is relevant. Social engineers usually plan ahead, but if they miss an important detail, they have the ability to pick out the relevant information or material around them.
This may include the target's microexpressions, body language, or the words spoken. Social engineers take in the information and employ it in their attack.
In addition, social engineers know that generally, people are able to identify if someone is not paying attention to what they are saying. Targets are often turned off if they feel that they are not being listened to.
People like others who listen to even the insignificant statements they utter. As such, social engineers listen carefully and consistently to what their target is saying. They pay attention while picking up relevant details that may help in the success of their attack.
Finally, social engineers always seek to gain experience through practice. This is because they know that practice can either make or break their pretext. As mentioned in the previous sections, social engineers who work alone practice their acts with friends and families.
Some even try their tactics with strangers without causing any harm. Social engineers strike up conversations with other people to practice their spontaneity and improve as necessary until they become comfortable.
Providing a follow through or logical conclusion for the target
In the context of social engineering, the attackers do not merely leave their target alone. Social engineers either lead the target to take action or simply provide a conclusion.
Regardless of the situation, social engineers give their targets a follow-through so that the target can fill in the expected gaps, or they provide a conclusion for the target.
A good example is the social engineer posing as a tech support person. If the social engineer simply walks out without saying a word to the target after exploiting the database, the target is left wondering what transpired.
The target would possibly call another tech support company and ask what he or she needs to do. At any rate, social engineers do not simply walk away from their targets; they either follow through or provide a conclusion.
Influence and Persuasion
Apart from the four basic psychological tactics mentioned previously, there are other psychological techniques involved in social engineering. These include influence and persuasion.
Social engineering psychology, like psychology in general, has a set of rules that produce a result when followed. It is both calculated and scientific. Persuasion and influence are cognitive factors backed by science; while they are psychological results of perception, they also involve beliefs and emotions.
Prior to learning how social engineers utilize the art of influence and persuasion, it is proper to introduce you to some of the art's key elements as well as its five fundamentals that lead to obtaining success in influencing a target.
Five Fundamentals of Influence and Persuasion
The five fundamentals that are significant in a successful ploy to influence a target include the following: set clear goals, build rapport, be observant of surroundings, be flexible, and get in touch with yourself.
The ultimate objective of social engineering is to influence targets to carry out actions, whether or not such actions are in their best interest. Furthermore, social engineering does not merely influence targets to take action.
The type of influence that social engineering uses is so powerful that it makes targets “want” to take those actions.
To understand how social engineering can have such a powerful influence on their targets, go on to the next section.
Set Clear Goals
One of the most important aspects of the art of influence and persuasion is knowing what result you want to achieve from your actions. In social engineering, attackers approach a target with a vivid picture of their goals as well as of the indicators that show they have achieved what they want.
Once social engineers have set clear goals, they are able to determine the path they need to take to carry out their ploy. Whether or not goals are clearly defined can decide the success or failure of the influence tactic. Clear goals also make the next step easier to determine, master, and execute.
Build Rapport
In order to develop and establish rapport, you need to get the attention of the individual you are targeting. In addition, you should be able to reach his or her unconscious mind.
Social engineers have advanced skills in building rapport as it changes their entire methodology. They are aware that once they establish a rapport with their targets, everything will flow smoothly with their dealings.
Be Observant of Surroundings
Being observant entails awareness of yourself as well as sensory acuity toward your surroundings. When you are observant, you are able to note the signs in the individual you are targeting that indicate whether or not you are moving along the right path.
If you want to master the art of influence and persuasion, you need to be a master in observing and listening.
Social engineers avoid thinking about their next stage of their ploy when approaching the target. This is because they can miss out on what is truly going on between them and their target. Internal dialogues can stop potential conversations, which is why social engineers avoid them.
Be Flexible
One of the keys to a successful persuasion tactic is being flexible. To understand the concept of flexibility, think of being tasked to bend something like a steel rod or a branch of a sturdy tree.
Social engineers are flexible enough to adjust their objectives and tactics as necessary. While it may contradict the concept of planning, being flexible entails the ability to adapt when things are not going as planned.
Inflexible social engineers may be viewed as insane and unreasonable individuals in the eyes of their targets; thus, they would not be able to achieve their goals.
Be in Touch with Yourself
In everything you do, your emotions take control. This is also true for all individuals you are dealing with. It is necessary to discern your emotions and be in touch with yourself so that you can determine the foundation for a successful influence and persuasion tactic.
For instance, if you have a smoking friend and you truly hate the smell of smoke, such hatred can affect your approach when trying to persuade her to quit the habit.
Your hatred towards smoking can cause you to express, act, say, or do something that will stop your chance to persuade your friend. This is why it is important to be in touch with yourself and your emotions so as not to compromise your approach.
Social engineers are always in control of themselves and their emotions, because being in touch with themselves helps them establish a clear path toward persuading their targets.
The five fundamentals of influence and persuasion are significant in understanding the art. The goal of persuasion is to establish an environment in which a target would want to perform what social engineers are requesting them to do. These five fundamentals are of enormous help in establishing such an environment.
How Social Engineers Use the Fundamentals of Influence and Persuasion
In order to carry out their ploys successfully, social engineers should practice the art of influence and persuasion until it becomes habitual.
They need not influence each and every individual they come in contact with; however, once they are able to turn the skill of persuasion on and off, it becomes a social engineer's powerful attribute.
There are various aspects of influence and persuasion that individuals could use, but eight techniques stand out as they are utilized frequently by politicians, media, government, scammers, con men, and social engineers.
Techniques of Influence and Persuasion
Reciprocity
The inherent expectation of people to be treated the way they treat others is referred to as reciprocity. For instance, if you open a door for someone, you expect him or her to say thank you while you keep the door open as he or she comes in. It is important to understand the rule of reciprocity, given that favors are usually returned unconsciously.
Social engineers are always looking for even small opportunities in which they will obtain valuable information. More often than not, they obtain information by making their target feel indebted to them.
In addition, social engineers are extremely aware of what goes on around them, as well as of the little things they can do to make their targets act out of reciprocation.
They act as natural as they can so that their targets would not sense anything unusual about them. Thus, reciprocity is an effective tactic of influence and persuasion when carried out naturally.
Obligation
Obligation refers to a state in which an individual is bound to do something because of a legal, social, or moral responsibility, contract, duty, or promise.
In social engineering, obligation is much like reciprocation, only in a broader sense. For instance, simply holding an outer door for a target creates a form of obligation; in turn, the target feels obligated to hold the inner door for the social engineer.
More often than not, social engineers use obligation as an attack factor, specifically when they are targeting individuals from customer service departments. They also use obligation for smart complimenting.
For instance, a social engineer compliments the target and follows it up with a request for something.
This technique can easily go wrong when an inexperienced social engineer misjudges the target's inner signals. For advanced social engineers, however, obligation lets them obtain even the tiniest bit of pertinent information as they carry out their ploys.
Concession
In the context of social engineering, concession is used to trigger a target's reciprocation instinct. In general, people have an inherent drive that compels them to do something for others when others have done something for them.
Social engineers use concession in their ploys based on the principle of “scratching the back of their targets as long as the latter scratches theirs.” Furthermore, social engineers follow some basic principles when applying concession to their attacks.
These include labeling their concessions, demanding and defining reciprocity, making contingent concessions, and creating concessions on an installment basis. When it comes to labeling, social engineers make their targets aware of what they are conceding and when.
This technique makes it harder for the targets to dismiss the need to reciprocate. Social engineers usually use the statements “I will meet you halfway” or “I will give you this one” to show that they are conceding.
When it comes to demanding and defining reciprocity, social engineers start with a foundation of reciprocity in order to increase their chances of obtaining something in return from their targets.
For instance, attackers may start through nonverbal communication with their targets to show their flexibility. While these may be little things, they can eventually lead to great results in terms of building a sense of reciprocation on the part of the targets.
When it comes to making contingent concessions, social engineers usually give in to something that their targets need or want without demanding something in return.
Concessions such as this are “risk-free” and especially effective when social engineers need to let their targets know that they are ready to concede. It is a way to avoid making the targets feel that there is something the social engineers need from them.
Finally, when it comes to creating concessions on an installment basis, social engineers give in a little during their first attempt and another over time so that their targets would continue to reciprocate.
Given that reciprocity is inherent in people, they are usually obligated to give in when someone makes a concession, say, in a bargaining agreement or negotiation process.
It is important to know that social engineers, as well as negotiators and salespeople, use concessions almost instinctively. These people are able to use concessions by taking control of the situation and resisting the manipulations that their targets attempt on them.
Scarcity
In most cases, people find items and even opportunities more appealing if they are hard to obtain, rare, or scarce. People are likely to be attracted to messages in radio, television, and newspaper ads such as “3-Day Sale,” “Limited Time Only,” “Going Out of Business Forever,” and “Last
In the context of social engineering, scarcity is used to establish a sense of urgency when it comes to decision-making on the part of the target.
Such urgency often allows social engineers to manipulate the decision-making as well as control the information they give to the target. Social engineers usually use a combination of the principles of scarcity and authority.
Take for example a social engineer posing as an IT technician targeting an assistant of a chief executive officer (CEO).
The social engineer claims that the CEO called him before leaving for the long weekend to have an email problem fixed. In addition, the social engineer tells the assistant that the CEO said he was sick and tired of the crashes and wanted the problem fixed by Monday.
In this case, the social engineer creates a sense of urgency for the target, given that the CEO is unavailable. The scarce item is time, since the problem has to be dealt with before the CEO returns to work. Thus, scarcity establishes a desire that leads the target to make a decision at once.
Authority
When people view someone as an authority, they tend to be more willing to abide by recommendations or directions given by that individual. For instance, children are instructed to obey their parents, teachers, nannies, and counselors, among others, because these people have authority over them.
Furthermore, children are also taught that questioning or disobeying authority is disrespectful and that they will be rewarded for their obedience. These principles are carried over into adulthood. This is why people respect and avoid questioning orders and rules by authority figures.
Regrettably, this is the same principle that often leads many women and children into the hands of molesters and abusers. While the cause of molestation and abuse is not solely based on this principle, individuals who victimize children know that the latter are taught about authority.
In the same way, social engineers make use of the principle of authority to carry out their ploys by manipulating their targets to take action, leading to a breach.
Commitment and Consistency
As much as people want to be consistent in their behavior, they also value the consistency of others. In general, people want congruency and consistency in words, deeds, and attitudes both of themselves and others.
Consistency reduces the need to reprocess information and make complex decisions.
Social engineers make use of consistency and commitment as powerful tools for carrying out their ploys. Once they establish a form of communication with their targets, they commit themselves entirely until they accomplish their goals.
When social engineers sense that their targets are using gut feelings in making a decision, they work doubly hard using commitment and consistency. This is to discard any uncertainty that their targets might sense in them.
Liking
In general, people like an individual because that individual likes them, too. In the context of social engineering, liking is an extremely useful tool.
One of the important attributes that social engineers should have is being likable. In addition, as social engineers need to gain the trust of their targets, they appear to be interested in people in a genuine manner.
For instance, in pretexting, social engineers become the individual they are pretending to be rather than merely playing out a belief or an idea. This makes it easier for them to be likable, as their targets perceive that they are genuinely interested in liking, assisting, or helping them.
Social Proof or Consensus
Social proof or consensus refers to a psychological state in which people are unable to discern the proper mode of behavior in a social situation. When others are talking or acting in a certain way, it is assumed that their behavior is appropriate.
Generally, social influence can result in the conformity of large groups of people regardless of whether the choices are correct or misguided.
For instance, people who are in an unfamiliar situation, especially if they do not have a reference on how to act in the situation, tend to look for the behavior of others whom they know are already familiar and better informed of the situation.
Furthermore, they mirror the behavior of those people with the assumption that it is the appropriate way to act.
In the context of social engineering, social proof is yet another powerful tool. Social engineers use social proof to provoke the compliance of their targets with a request by informing them that other individuals also took the same behavior or action.
More often than not, social engineers refer to role models or prominent individuals in order to get their targets to do what they want.
Social engineers use social proof especially when there is uncertainty and similarity in a specific situation. For instance, social engineers know that when targets are unsure in an ambiguous situation, the targets tend to observe how others behave and assume such behavior is appropriate.
Social engineers also know when the targets tend to mirror or follow the behavior of others in a specific situation. These conditions make it easier for social engineers to use social proof. They will appear to be more convincing when they tell their targets that many people before them have done the same action.
The influence tactics discussed above are just some of the powerful tools that social engineers use to carry out their ploys. These tactics give social engineers the ability to stimulate and motivate people to act according to their objective. Thus, social engineers gain control of the situation.
In social engineering, the art of influence and persuasion is a process wherein social engineers get their targets into wanting to think, do, believe, and react in the manner they want them to.
Pickup Lines of Social Engineers
As mentioned previously in this blog, some of the most common places for social engineering ploys include corporate offices, social networking sites, and just about anywhere on the Web.
Social engineers are able to infiltrate corporate systems, hijack accounts, steal identities, and make money by employing different tactics, including the formulation of good pickup lines.
Pickup lines are used in social engineering to encourage communication between social engineers and their targets. Some of the most effective pickup lines used in social engineering will be discussed in the following section as well as how they work.
Pickup Lines on Social Networks
I'm here in New York traveling alone and I lost my wallet. Can you wire some money?
This pickup line works when a social engineer pretends to be a Facebook “friend” or a contact on another social network. He or she sends a message to the target pretending to be in a foreign city with no money because of a lost wallet, a robbery, or another unfortunate event, and then asks the target to wire money.
With this type of pickup line, people should be extra careful, because most social engineers are able to hack accounts and pose as one of a target's contacts or friends. Thus, people cannot be guaranteed that the identities of those they are in contact with, specifically on social networks, are genuine.
Check out this link!
This pickup line works when a social engineer sends a message or an email and encourages the target to click a link, which leads to a bogus site. The social engineer usually poses as a friend so that the target would likely read the message.
Once the target clicks on the link, the bogus website, which may appear legitimate, asks the target for personal information such as account number or password.
For instance, a Twitter spam campaign circulated with the pickup line “Have you seen this video of you?” A number of Twitter users fell for this line, which led them to a fake Twitter website that required their passwords.
Someone has a secret infatuation on you! Find out who! Download this application.
This pickup line works through the numerous applications that users can download on Facebook and other social networking sites, since not all applications available on Facebook are safe.
Social engineers administer and control applications that install adware for launching pop-up ads. They also have applications in which personal information of targets is exposed to third parties.
Pickup Lines in the Office
This is Jack from technical services. I have been asked to check on your computer due to an infection.
This pickup line works when a social engineer poses as a technical support person, calling a target from a certain business or company. The social engineer tells the target that the computer is infected and offers to fix it.
Then the social engineer intentionally ratchets up the technical difficulty while playing on the fear and vulnerability of the target.
As the target becomes more nervous, the social engineer takes advantage and gets the target to reveal his or her password as “required” to finish the fix.
Hello, I am the rep from (name of company), and I am here to see (name of target).
This pickup line works when a social engineer poses as a client, service technician, or sales representative, among others, making him or her appear to be a legitimate visitor.
The social engineer will then use his/her knowledge about the company he/she is representing. Some social engineers even wear a shirt bearing the logo of the company.
This tactic is effective in gaining the confidence or trust of the receptionist. Social engineers spend days, weeks, and even months to obtain adequate information about their targets. They take time in knowing who to ask for as well as how to dress and act when already inside the company.
Excuse me, can you hold the door for me? I left my access/key card in the car and I am late for a meeting.
This pickup line works when a social engineer waits outside the entryway of a company, usually the entry point of a smoking area or the front door. The social engineer then poses as one of the employees.
More often than not, targets willingly hold the door open for social engineers in disguise. Thus, the attackers are able to access the building without being asked for their identities.
Furthermore, social engineers are getting better at using high-end photography and printing, specifically to produce genuine-looking badges. As such, even when asked for credentials, social engineers simply present their self-made fake badges.
Pickup Lines for Phishing
You recently won on eBay and you have not paid for the item yet.
Please click here to pay.
This pickup line works when a social engineer sends a target an email that appears to originate from a prominent company or organization such as eBay. The message tells the target that he or she has won a bid and has not yet paid for the item.
Social engineers know that users of websites such as eBay attach importance to their ratings, and that failing to pay for a won item would damage them.
As such, targets are likely to click the link, and the social engineer obtains the target's personal information.
You have been let go. Click here for your severance pay.
This pickup line works when a social engineer takes advantage of increased digitization and economic uncertainty. The social engineer sends the target an email containing a malicious link, which may appear legitimate.
The link may be supported by another pickup line such as “This year, we are sending out W-2 forms electronically. Click here.”
Targeted Social Engineering Attacks Using Pickup Lines
The tactics of social engineering are increasingly specific, as attackers are inclined to target individual people for a larger payoff. There are more lucrative pickup lines that social engineers use to gain personal information about their targets and make more money.
Donate for the hurricane victims and recovery efforts!
This pickup line usually starts circulating shortly after a tsunami, major earthquake, or other disaster. Fake websites run by social engineers target people who are deeply concerned about their loved ones in the disaster area.
The website usually claims to be running rescue efforts and to have specialized resources to help find victims and aid their recovery. Under the guise of soliciting charitable donations, the website collects the names and contact information of those willing to donate.
The social engineer then calls the victim, whose emotions are naturally heightened, to obtain an account or credit card number.
Thus, the social engineer is equipped to commit identity theft with all the information obtained, such as the target's name, address, account or credit card number, and a relative's name, among others.
Some social engineers even conduct a secondary attack by posing as a bank representative who requests the victim's Social Security number, supposedly to verify the legitimacy of the donation.
This is Microsoft support; we want to help you.
This pickup line works when a social engineer poses as a Microsoft tech support individual. The social engineer claims to be notifying all licensed Windows users who are experiencing an abnormal number of errors caused by a software bug. The target is instructed to access the event log, which is usually alarming for inexperienced users.
More often than not, Windows event logs record numerous minor errors. The target is likely to do whatever the social engineer instructs, including going to a remote access service such as TeamViewer.
Such a service gives the social engineer control over the target's PC. The social engineer then installs malware, which provides him/her continuous access to the target's PC.
This is one of the most common phishing lures used in social engineering. Attackers continuously observe the trends on Twitter in order to carry out their ploys. For instance, social engineers hijack legitimate hashtags to embed malicious links.
Once targets follow the links carried under those hashtags, they are redirected to a phishing site intended to launch more malware or steal the targets' Twitter account information.
More often than not, social engineers look for targets on Twitter by learning about their interests. Then, the attackers send tweets that appear legitimate to entice targets to click the links that lead to phishing sites.
Get more Twitter followers here!
This pickup line works when a social engineer sends a tweet that promises targets an increase in their followers once they click a link. The link then leads the targets to a web service that asks for their Twitter credentials.
Knowledgeable users know that no legitimate third party would request Twitter credentials.
Subject: About your job application.
This pickup line works when a social engineer targets businesses and headhunters by embedding malware in their email responses to numerous job postings.
According to a warning released by the FBI, over $150,000 was stolen from a prominent business through an unauthorized wire transfer. The social engineer responded to a job posting on a specific employment website.
Once the malware is installed, the social engineer obtains the target's credentials, specifically for online banking, in order to carry out financial transactions within the company.
The social engineer redirects wire transfers to his/her own accounts by changing the account settings. As this tactic became rampant, most companies and organizations moved to online forms for job seekers instead of accepting cover letters and resumes as email attachments.
Social Engineering Scams on Social Networks – Then and Now
Google and Its Chinese Hackers
At the beginning of 2010, Google made the headlines and revealed that Chinese hackers were able to breach a part of its system. Google claimed that some of its services were breached and that the perpetrators wanted to obtain access to Chinese human rights activists through their Gmail accounts.
Apart from Google, these social engineers also targeted other prominent companies, including Symantec, Adobe Systems, and Yahoo.
The success of the social engineers was due to their spending weeks and even months scouting and targeting Google employees in order to obtain information. They began with information about employees found on social networks and elsewhere.
Once they got the necessary information, the social engineers sent messages to the employees that appeared legitimate and coming from a friend or contact. Thinking that the message truly came from their friends, the employees clicked on the links embedded with malware, resulting in the installation of spyware on their computers.
This attack on Google was planned and carried out for a considerable period. The social engineers took their time in gathering information and winning the confidence of the employees so that they could interact and elicit information.
Given that most companies make use of social networks as a part of the marketing strategy, social engineers find it easier to gather information about their targets.
Apart from conveying their marketing tactics through social media, companies also expose their company structure, making the information needed by social engineers readily available.
Information Exposure on Wikileaks
Again, in 2010, highly classified government information was exposed on Wikileaks through a successful social engineering ploy.
Bradley Manning, a U.S. Army soldier who was then assigned to a support battalion in Iraq, was accused of providing classified information to the founder of Wikileaks, Julian Assange.
Following the exposure of highly classified information on Wikileaks, other social engineers took advantage and sent out messages with a pickup line, “Do you want to read the file on Wikileaks? Click here.”
The victims did not mind that the PDF took time to load, as they were expecting a huge document. They did not know that it was not the document that took time to load, but the malware the social engineers had embedded.
Social Engineering Prevention
As foolish as it may sound, some companies and organizations think that they are resistant to the threat of social engineering. On the contrary, no organization is immune to social engineering, not even the White House or any other prominent system.
For instance, a contest was held at a security conference wherein the participants were asked to obtain information from target companies, which could be utilized for a hypothetical attack.
Out of the 140 phone calls that were made to employees of the target companies, almost all the employees divulged information except for five, who refused to give out anything.
In addition, 90% of the employees clicked on a URL sent to them by the participants. These employees did not even bother to find out who had sent it. The conference concluded that the scope of social engineering is wide and dangerous for all systems and organizations.
In this light, it is best to know some effective ways to prevent social engineering or merely minimize the risk in organizations.
Learn to Discern Social Engineering Attacks
Before any organization can prevent and mitigate social engineering, the first step is to learn how to determine whether or not an attack is a part of a social engineering ploy. Organizations do not need to know how to create the perfect con or plot a malicious attack.
The key is to understand what transpires the moment a malicious PDF link is clicked, as well as the signs to look for when identifying whether an individual is up to something deceptive. Organizations need to understand the threat of social engineering and how it applies to them.
The key to preventing and mitigating social engineering is to know more about how attacks are conducted. This way, it is easier to determine the most appropriate solutions for an organization. Factors that an organization should be aware of include the expressions, body language, and phrases used in a social engineering attempt.
Once an organization obtains adequate knowledge about social engineering attacks, the next step is to raise staff awareness along with establishing a security-minded culture.
Raising Staff Awareness
One of the most effective ways to combat social engineering attacks is raising staff awareness. In any type of organization, a security-minded culture is essential, provided it becomes a standard that each member operates by. Furthermore, the concepts should be reinforced consistently.
There are various ways for organizations to build a security-minded culture and raise staff awareness of the damage that social engineering brings.
Higher-ups of organizations should ensure that their people get interested in security. They should be armed with techniques for securing not only company information, but personal information as well.
Organizations can provide their staff with security seminars to obtain tips on what needs to be locked up or shredded at home, how to secure home-based wireless networks, and how to manage personal passwords among others.
Higher-ups of organizations should take the initiative in making the message visible to their staff. For instance, posters can be put up in coffee rooms, smoking areas, and next to fax machines and shred bins. The posters should be eye-catching so that staff do not miss them.
In addition, the posters should be visible enough that any employee who walks by can read and understand them clearly.
The message should be changed at least once a month so that the staff has something new to learn about security. If an organization does not have an internal graphic artist, it can obtain ready-made posters from security awareness vendors.
Higher-ups of organizations should allow their security department to provide treats for the staff simply for doing their part. For instance, a security department can give employees donuts or cupcakes as a gesture of thanking them for doing their part in securing the organization.
Higher-ups of organizations should conduct random desk checks after office hours. Those who have no sensitive material left on their desks receive a reward. This reward can be as simple as leaving a pack of gum or a piece of chocolate with a note, “Thank you for leaving your desk clean” or “Thank you for doing your part.”
Organizations with a monthly newsletter may include a security article, providing vital information on the latest incidents that transpire in the same industry they are in.
This newsletter may be supported with a monthly email to all the members of the organization with a catchy message about a relevant topic, such as “Emergency preparedness,” “PDA safety,” or simply a reminder of what number to call for suspicious or malicious events.
It is also best for organizations to provide their staff with a security page on the intranet, which includes the list of security policies, links, and important contact information, among other things.
Higher-ups of organizations should conduct regular training programs that include interactive contests, exercises, giveaways, or games about security. The training program need not be time-consuming. The important thing is that the comprehension of the staff about security is tested.
Higher-ups of organizations should be able to walk the walk. This means that the leaders of organizations should visibly exhibit their interest in keeping the company secure.
The staff can make or break the security program of an organization. As such, every member of the organization should be engaged in the security process through suggestions and feedback.
Stop. Think. Connect.
In line with President Barack Obama's mandate, the Cyberspace Policy Review, many organizations have conceptualized a campaign with the message, “Stop, Think, Connect”, which aims to encourage people to think first before engaging in a potentially dangerous or destructive activity online.
The message is meant to be understood and acted on as easily as other widely known slogans, such as “Stop, Look, and Listen” or “Click it or Ticket.” President Obama's mandate called for the establishment of a national awareness campaign focused on cybersecurity.
The message is simple, actionable, and applicable to anyone who connects to the Internet through various devices, including personal computers, laptops, gaming consoles, and the most common of all, smartphones.
Securing the End User
Although technology continues to change and evolve, its end user remains the same. According to Winn Schwartau, who is the founder of the Security Awareness Company, the person at the keyboard has always been the weakest link when it comes to security.
Schwartau claimed that along with the changes in technology, social engineering has added new forms and players although its fundamental techniques are still the same.
Thus, end users should never divulge personal information to anyone, and should take note that if someone asks for their credentials, that individual is not trustworthy.
A substantial part of any awareness training is the inclusion of specific instructions to not divulge personal information to anyone or any department. Organizations should teach their departments not to ask for personal information from other departments.
If an organization plans to launch a new system, the key is to create new credentials. Anyone who comes up asking for the existing credentials is up to something malicious.
As mentioned, when someone asks for credentials, he or she cannot be trusted. In the same way, a legitimate financial institution would never ask its clients for credentials via email.
Keep Software Updated – All the Time
More often than not, businesses are obliged to give out information to both their clients and staff. For instance, a business should be able to provide its phone numbers, web addresses, and emails.
Some businesses are required to send and receive PDF files from suppliers, vendors, and clients. While this blog discusses how releasing information can mean a loss of privacy and security, oftentimes it cannot be helped.
However, there is an effective way to prevent social engineering attacks from invading an organization's security – keep software updated all the time.
For instance, there are still companies and businesses that use Adobe Acrobat 8 and Internet Explorer 6 when newer versions of these programs are available. Those using outdated software programs and systems are more vulnerable to social engineering attacks than those with updated versions.
When social engineers find out that a certain company still makes use of these two outdated applications, they will certainly plan their attacks, even if the company has firewalls, intrusion detection systems, and antivirus systems.
Therefore, it is important for all types of organizations to update their software regularly. More often than not, the newest software versions have already fixed their security holes. In addition, organizations should never use a software system that has a negative track record as it will surely be vulnerable to malicious attacks.
Developing scripts that help employees be prepared, especially when a situation requires critical thinking, is one of the most beneficial ways to prevent and mitigate social engineering attacks.
The scripts referred to here are not the same as what Hollywood actors use during their film shoot. The scripts for countering social engineering ploys are merely outlines that can support employees in various scenarios.
For instance, how should an employee reply to someone who claims to work for the CEO and demands their password? What should an employee do when someone who does not have an appointment, but dresses and acts the part of a vendor, demands access to a secured part of the building?
These are scenarios wherein scripts can be of enormous help. Scripts can assist employees in identifying the proper answer, response, or reaction in certain situations. Scripts also make employees feel at ease.
An example of a script for a specific scenario is provided in the following section.
Scenario: Someone calls, claims to be from the office of the CEO, and demands that an employee hand over internal data or information:
1) Ask for the caller's name and employee ID number, without answering any questions until this information is given;
2) After obtaining the identification details, ask for the project ID number associated with the project that the person claims to manage or be a part of;
3) If you have successfully obtained the information in steps 1 and 2, comply. If not, ask the person to have his or her manager send authorization for the request via email. Terminate the call.
In this scenario and script, an employee would know what to say, how to react, and what to do while being conscious of the company's security.
Social engineering involves a wide range of malicious activities, which are executed in various ways such as pretexting, phishing, quid pro quo, baiting, and tailgating among others.
Pretexting is a form of social engineering in which attackers create a fabricated situation, or good pretext, which they use to steal a person's personal information. More often than not, attackers who use pretexting are mistaken for ordinary scammers, who usually pretend that they need personal information to confirm their target's identity.
Attackers who have advanced skills in social engineering using pretexting try to persuade their targets to do certain actions in order to gain access to an organization and exploit its structural flaws.
For instance, an attacker may take the form of an external IT services auditor to try and manipulate the physical security staff of an organization so that he/she can gain access to the building.
Social engineering attacks via pretexting depend on creating a false sense of trust with the target. The attacker is required to create a credible story, leaving little or no room for doubt in the target's mind; thus, the attacker can gain information that is both sensitive and non-sensitive.
There was a case wherein a group of attackers posed as modeling agency representatives and invented fabricated stories as well as interview questions. The attackers targeted women, whom they manipulated into sending nude photos of themselves.
Phishing is considered the most common type of social engineering used by attackers today.
Phishing scams have distinct characteristics: they obtain personal information, including names, social security numbers, and addresses of targets; they use fear, a sense of urgency, and threats to manipulate targets into acting fast; and they use embedded links or link shorteners to redirect targets to suspicious websites through URLs that may appear authorized or legitimate.
Although some phishing emails are crafted poorly, that is, the messages include grammatical errors and misspelled words, they can still direct targets to fake websites. Phishing emails are intended to steal the login credentials and other personal information of targets.
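As an added example (not from the original article), the following Python checks a constructed email for the phishing traits listed above: urgency language, link shorteners, and links whose visible text points to a different domain than the actual destination. The shortener list, the phrase list, and the sample message are assumptions constructed for this example.

```python
"""Heuristic checks for the phishing traits described above.
Added example; sample data is constructed, not taken from real messages."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL shorteners commonly used to hide a destination (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Constructed list of urgency/fear phrases typical of phishing lures (assumption).
URGENCY = ["immediately", "account will be suspended", "within 24 hours",
           "verify your identity", "act now"]


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels (fine for .com-style hosts)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_findings(html):
    """Return (reason, href) pairs for links that look deceptive."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        netloc = urlparse(href).netloc
        host = netloc.split("@")[-1].split(":")[0]   # drop user@ prefix and port
        if not host:
            continue
        if registrable(host) in SHORTENERS:
            findings.append(("shortener", href))
        # Visible text that itself looks like a domain or URL but points elsewhere.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(("text/href mismatch", href))
        if "@" in netloc:   # "brand.com@real-host" trick: the part before @ is ignored by browsers
            findings.append(("userinfo in url", href))
    return findings


def urgency_hits(text):
    """Return the urgency phrases present in the text."""
    low = text.lower()
    return [p for p in URGENCY if p in low]


def score_email(subject, html):
    """Combine the signals into a simple score; 2 or more is worth a closer look."""
    plain = re.sub(r"<[^>]+>", " ", html)
    hits = urgency_hits(subject + " " + plain)
    links = link_findings(html)
    return {"urgency": hits, "links": links, "score": len(hits) + len(links)}


# Constructed sample lure modelled on the eBay pickup line above.
SAMPLE = """<p>Your eBay account will be suspended within 24 hours.</p>
<p>Please <a href="http://bit.ly/abc123">click here</a> to pay, or visit
<a href="http://ebay.com.verify-login.example/pay">https://www.ebay.com/pay</a>
or <a href="http://www.ebay.com@198.51.100.7/">www.ebay.com</a>.</p>"""

if __name__ == "__main__":
    print(score_email("Payment overdue", SAMPLE))
```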
Quid pro quo is another form of social engineering. It involves a promise from the attackers that the target will receive a benefit in exchange for a particular piece of information. The benefit that attackers promise their targets is in the form of services instead of goods.
More often than not, attackers who use quid pro quo ploys pose as IT service personnel. The attackers make as many calls as possible to direct numbers within an organization and offer their targets IT assistance.
Another form of social engineering is baiting, which is similar to phishing and quid pro quo in many ways. Attackers who use baiting employ online schemes that entice their targets to surrender their login credentials to a suspicious website in exchange for a good or an item. More often than not, attackers offer their targets free movie or music downloads.
However, baiting is not limited to online schemes. Attackers who use this type of social engineering can also exploit human curiosity through physical media.
Most of the employees picked up the USB drives and, out of curiosity, plugged them into their devices, such as computers, laptops, and tablets. Once the drives were plugged in, a keylogger was activated and the founder was able to access the login credentials of his employees.
Tailgating, also known as “piggybacking,” is a form of social engineering in which attackers who lack proper authorization in an organization follow employees to gain access to a restricted area.
A tailgating attack often involves attackers posing as delivery drivers waiting in an organization's parking lot. When the attackers see an employee being cleared by security, the attackers, who usually carry “goods for delivery,” ask the employee to hold the door. Thus, they gain access from someone who is authorized to enter the building.
Social engineers often use tailgating against small organizations, given that most large companies require employees to swipe their identification cards.
However, in the case of small to mid-sized companies, attackers can easily converse with employees to display a sense of familiarity to security, getting past both the guards and the front desk.
A known security consultant used tailgating to access several floors of a building, including one that housed the data room of a financial firm. The consultant was able to access the building's third-floor meeting room wherein he worked for a few days in order to obtain information.
Clearly, social engineering attacks are widespread and considered an enormous threat to various organizations. Social engineering can cost targets thousands, if not millions, of dollars annually, as it attacks people with access to, or knowledge of, an organization's sensitive information.
Today, most attackers leverage various tactics and social networking schemes in order to obtain professional and personal information of their targets.
The people most susceptible to social engineering attacks are new employees, followed by contractors, human resources, executive assistants, IT personnel, and business leaders.