The advent of the internet, along with the concurrent increase in computer processing power, ushered in the digital age for businesses. This technological progress, however, also gave rise to new threats in cyberspace, which presented significant challenges for companies. Consequently, there was a tendency to prioritize the hardening of the information infrastructure, with the “old” threats largely being relegated to the background.
The recent surge in media attention surrounding a few high-profile fraud cases, coupled with the growing prevalence of artificial intelligence, has prompted a renewed focus on social engineering among security managers. Given the billions of dollars in losses inflicted by social engineering annually, this shift in attention is a long-overdue development.
This article is dedicated to the human factor as a central security risk and elucidates the perils of social engineering attacks for companies. It outlines the underlying mechanisms and presents measures for the prevention of such attacks.
What Is Social Engineering?
There is no generally accepted definition of social engineering, which is often also referred to as “human hacking.” It can be most aptly described as the targeted exploitation of psychological effects and socially conditioned behavior to induce individuals to perform actions that harm themselves or their organization without realizing that they are doing so.
In a professional context, this often means disclosing confidential information to criminals. A typical objective of social engineering attacks is to gain unauthorized access to sensitive areas, both virtually and physically. However, in contrast to a conventional burglar, the criminal social engineer does not resort to direct force to overcome security measures. Instead, they employ manipulation, deception, and subterfuge to gain access or install malware.
What are the practical implications of this? Consider the following scenario: You are working at the reception desk of an emergency hospital and are conducting an important telephone call. Meanwhile, two individuals clad in white coats and carrying stethoscopes enter the premises, engaged in conversation. Would you interrupt their discussion to inquire about their credentials? Probably not, either because you are occupied or because you have reservations about disrupting medical professionals. Once they have gained access to the supposedly secure area, it is relatively simple for the covert intruders to obtain sensitive patient data or to manipulate equipment.
Emerging AI Threats: Social Engineering in the Digital World
Social engineering, or the deliberate manipulation of human behavior for personal gain, has been a phenomenon present throughout the entirety of human history. In the contemporary era, social engineering is employed not only by state institutions but also by criminal organizations. These perpetrators attempt to gain access to sensitive company data in increasingly sophisticated ways. They employ a range of techniques, including technical ones, to obtain the desired information or corporate assets. Recently, artificial intelligence has facilitated particularly insidious possibilities for malicious social engineering attacks. For instance, an individual’s voice can be reproduced with remarkable accuracy on a computer, leading employees to follow the instructions of the attackers over the phone without question and transfer substantial sums of money to third-party accounts without hesitation.
Social Engineering Types and Methods
Social engineering can be carried out in person or via communication tools such as the internet or telephone. The methods employed are not only diverse but often difficult to discern. They range from the exploitation of simple human weaknesses to sophisticated manipulation techniques with technical support.
The following is a concise overview of the most prevalent social engineering methods. In actuality, these methods are not typically employed in isolation; rather, a combination of techniques is utilized to develop a social engineering attack with a high probability of success.
Phishing
In the context of phishing, fraudsters typically attempt to establish contact with the victim via email, purporting to represent a legitimate business partner. They frequently assume the identity of a representative of a well-known and reputable company. One common technique is to use a slightly modified email domain that closely resembles the original. For instance, a message might be sent from “HumanResources@0nline.com” instead of “HumanResources@Online.com.” The slight difference between the letter “O” and the number “0” can be easily overlooked, depending on the font and in the midst of everyday activities. A link to a fictitious website is then included in the email, which resembles the original and requests that the victim enter personal data, such as usernames or passwords.
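The “O” versus “0” substitution described above is exactly what automated sender-domain flagging can catch. The following is an added example, not code from the article or from Oneconsult: it normalizes a sender's domain by replacing commonly confused characters and compares it against an allowlist of trusted partner domains. The confusable map, the trusted-domain list, and the similarity threshold are assumptions constructed for the demonstration.

```python
# Added example: flag sender domains that imitate a trusted partner domain by
# swapping look-alike characters (e.g. "0nline.com" for "Online.com").
from difflib import SequenceMatcher

# Assumption: a small illustrative map of characters attackers substitute for look-alikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "rn": "m", "vv": "w"}

# Constructed allowlist of domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"online.com", "example-partner.com"}


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and replace confusable characters with their look-alikes."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how closely two strings match (1.0 means identical)."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of a sender address.

    'lookalike' is returned when the normalized domain equals a trusted domain, or
    when it is very similar to one (a typo-squat such as a dropped or added letter).
    """
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    canonical = normalize_domain(domain)
    for t in trusted:
        if canonical == normalize_domain(t) or similarity(canonical, t) >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the article's example.
    for sender in ("HumanResources@Online.com", "HumanResources@0nline.com", "jane@gmail.com"):
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A mail gateway would typically raise a banner or quarantine a message classified as “lookalike” rather than reject it outright, so that legitimate but unlisted partners are not silently dropped.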
Spear Phishing
Spear phishing differs from conventional phishing in that the attack is directed against a specific individual. It is not uncommon for useful information about a person to be readily available on the internet. For instance, if it is evident from an individual’s social media activity that they are contemplating a career change, they are more likely to respond to an email from the HR department of a seemingly legitimate company. Because the individual is already expecting such communication, they are more susceptible to the scheme. Spear phishing is particularly effective because it capitalizes on the victim’s existing expectations while also leveraging their curiosity and hope as driving forces.
Whaling
Whaling attacks are deliberately aimed at high-ranking company executives. In most cases, detailed information about the target person is collected in advance to increase the chances of success. Although whaling requires a great deal of preparation, if it is successful, it promises more valuable data and results in greater damage for the company.
Vishing
Vishing, also known as “voice phishing,” employs the same techniques as phishing. However, the fraudulent contact is made via telephone instead of via email. The creativity of these schemes is limited only by the imagination of the perpetrators. The caller may claim to be from the police and demand confidential information, using a country-specific emergency number that has been spoofed. An alternative scenario is that a plumbing company is calling to send a repairman to gain entry to the building. Finally, the previously mentioned call in which the caller pretends to be a supervisor is also a possibility. In many cases, the urgency of the situation causes the victim not to question the call, or the caller’s authority leads them to not thoroughly check the facts.
Tailgating
Tailgating is defined as the act of following an authorized individual through a secured door, such as one protected by a badged access control system. This is done in a discreet manner so that the authorized person is unaware of the malicious social engineer attempting to gain access. When large groups return from lunch together, only the first person will typically use the access badge. It would be socially inappropriate for the first person to close the door behind them, thereby forcing the others to use their badge as well. As the group passes through, it is easy for the attacker to simply follow along with the group.
Piggybacking
Unlike tailgating, the attacker in piggybacking approaches the authorized person directly and provides a pretext in order to gain access. The latter then deliberately grants them access. Traditionally, people’s willingness to help can be exploited in this manner. For example, one might be happy to hold the door open for the sweaty postman who is carrying a lot of packages. However, it is possible that the individual in question is not a real postman, but rather an industrial spy disguised as such.
It is less likely that tailgating and piggybacking will be an issue in a small business where everyone knows each other. However, in medium-sized and especially large companies, these are proven and popular social engineering techniques. In larger social structures, the individual sense of responsibility tends to decrease and anonymity increases, which makes it more likely that tailgating and piggybacking will work. These are probably the simplest and yet most efficient methods of gaining unauthorized access to a building or sensitive area.
Pretexting
The pretext is the narrative created by the perpetrator to disguise their malicious intent and make the attack appear believable to the victim. One example is the supposed IT technician who requests access to the office because a monitor needs to be replaced. Pretexting can range from a simple untruth to a complex web of falsehoods. The impostor may be wearing a T-shirt from the IT support company and carrying a monitor. It is also possible that the receptionist has already received a fake information email weeks in advance and a “service text message” from a spoofed phone number with the supposed technician’s arrival time on the day in question. The amount of effort invested depends on whether the fraudsters expect valuable data if the attack is successful.
Baiting
Another commonly used method for infiltrating a corporate network is baiting, also known as a “road apple attack.” This involves deceiving employees into inadvertently installing malicious software on their endpoint devices. This can also be done physically, for example by sending USB sticks with supposedly important information from a business partner. With a cover letter bearing the letterhead of a credible business partner, such a delivery is unlikely to arouse suspicion. In this way, malicious social engineers can smuggle malware into a company, with potentially devastating consequences. As soon as employees insert the USB stick into their device, they unwittingly infect the entire company network.
Protecting Against Social Engineering
The first line of defense against social engineering is employee awareness. Employees should be supported by technical and digital measures, such as email sender and caller recognition and flagging, to identify and prevent potential fraud. Organizational measures, such as strengthening operational procedures, are also crucial to mitigate potential vulnerabilities.
Many companies have already implemented various protective measures against social engineering attacks. However, these are not effective in isolation, but only when used in the context of a comprehensive security strategy. To identify remaining vulnerabilities, it is therefore advisable to test the security precautions in their entirety under real-world conditions. Further information can be found in our blog article, “Red Teaming: What Are the Benefits and Who Is It Useful For?”.
Given the importance of this test, we recommend an attack simulation by our Red Team. This will subject your protective measures to a stress test in realistic scenarios. Our experienced and interdisciplinary Red Team is able to act as both friendly hackers in cyberspace and as undercover social engineers on site. We will identify and infiltrate vulnerable interfaces, highlight areas requiring attention, and provide targeted suggestions for measures to help you protect yourself against social engineering attacks.
Conclusion
As attackers encounter greater difficulty in breaching corporate networks through technical means due to heightened cybersecurity awareness, social engineering is re-emerging as a pivotal tactic in malicious attacks. It is clear that human error represents a persistent vulnerability in the defense against risks to information and infrastructure.
Regular attack simulations and awareness campaigns are critical to identifying and eliminating vulnerabilities and keeping employees alert to social engineering attacks. But any policy is only as good as how well it is implemented by employees.
Oneconsult provides comprehensive services to enhance your organization’s resilience against social engineering. Our Red Team identifies security vulnerabilities using a range of techniques, including social engineering, phishing simulations, physical access assessments, and OSINT assessments. These assessments inform the development of targeted security measures tailored to your specific needs. Our security awareness campaigns allow your employees to experience social engineering attacks firsthand, fostering a culture of vigilance and preparedness.