Social Engineering

Social Engineering is tricking people into revealing information they usually wouldn’t.

Social Engineering is one of the more common attacks your company faces, and a social engineering component accompanies many other types of attack and vulnerability.

Social Engineering Defined

Any act that influences a person to take any action that may or may not be in their best interest.[1]

— www.social-engineer.org, Social Engineering Defined

Social Engineering — Methods

Social engineering comes through a few different vectors:

Vishing

Vishing, aka "voice phishing", is social engineering carried out over the telephone system. The attacker purports to be a bank or another organization that the target does business with and directly steals information such as usernames, passwords, and account details. The same method is also used to reconnoiter for information that feeds a later stage of a multi-stage attack.

Phishing

Using electronic communications such as email or websites to gather private or secure information. Phishing email scams send links to authentic-looking fraudulent sites, which then gather your personal information (usernames, passwords, account numbers, card PINs). Phishing attacks often frame the request as a need to "verify" information and rely on "loss aversion" to ensure compliance. An example of this method is a request to provide or verify a credit card number in order to continue using an online service.
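The mismatch between the address a phishing email shows and the address its link actually opens is something a mail gateway or awareness tool can check mechanically. The following is an added example, not code from the original page: it parses a constructed sample email body (the domains bank.example and attacker.test are placeholders), extracts every link, and flags any link whose visible text names one site while its href points to a different registrable domain. It also lists the "verify"/loss-aversion cue words the text above describes. The registrable-domain logic is a deliberate simplification (last two labels); real deployments should consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email body; every domain here is a placeholder.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended unless you verify your details within 24 hours.</p>
<p>Go to <a href="http://secure-login.bank.example.attacker.test/verify">https://www.bank.example/verify</a></p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

# Cue words associated with urgency / loss-aversion pressure (assumed list).
URGENCY_CUES = ("verify", "suspend", "within 24 hours", "immediately")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, else None
        self._text = []        # text fragments seen inside that anchor
        self.anchors = []      # completed (href, text) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Simplification: correct for bank.example but not for suffixes such as
    co.uk; production code should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if the link text looks like a URL or bare domain, else None."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname
    if not host or "." not in host or any(ch.isspace() for ch in host):
        return None
    return host


def find_link_mismatches(html_body):
    """Flag links whose displayed address and real destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        shown = host_of(text)
        if shown is None:
            continue  # plain wording like "our help page": nothing to compare
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def urgency_cues(html_body):
    """Return the urgency cue words present in the body, in list order."""
    lowered = html_body.lower()
    return [cue for cue in URGENCY_CUES if cue in lowered]


if __name__ == "__main__":
    for finding in find_link_mismatches(SAMPLE_EMAIL_HTML):
        print("link text shows", finding["shown"], "but opens", finding["actual"])
    print("urgency cues:", urgency_cues(SAMPLE_EMAIL_HTML))
```

A finding from `find_link_mismatches` is a strong indicator on its own; the cue words are weak signals that are worth reporting alongside it rather than acting on alone, since legitimate mail also uses them.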

Smishing

Using SMS text messages in a social engineering attack.

Impersonation

Pretending to be another person in order to gain access, including using another person’s credentials to gain access to a location or system.

Other Social Engineering Concepts

Tailgating

Following someone with access into a secured location.

Pretexting

Gaining the target’s trust by sharing information about them. The attacker uses information gained through other avenues: "I have your last statement balance; can you give me your password?"

Baiting

Using malware-infected disks or thumb drives to gain access to systems.

Social Engineering "Red Flags"

  • An organization calling, texting, or emailing you and asking for credentials.

  • Someone in "distress" asking you to forgo security procedures. "If I don’t get my password reset, we’ll lose this account! You have to help me!"

    • This can be legitimate; take extra care to verify the identity of the requester.

  • Urgency conveyed in a non-urgent medium

    • A common trick is to send an SMS message asking someone to do a task such as sending money or buying gift cards. The attacker often claims to be in an important meeting, which is offered as the reason the request arrives by text message.

  • An offer that seems "too good to be true".

  • Email attachments you are not expecting.

    • Even if they claim to be from people you know.

  • A website where the security certificate does not match the domain.
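What "the certificate matches the domain" means in practice is that the hostname the user typed appears among the certificate's DNS subject alternative names, with wildcards allowed only as the whole leftmost label and matching exactly one label. The following is an added example, not code from the original page: it implements those matching rules (after RFC 6125, as an assumption about what a browser checks) over a constructed certificate dictionary shaped like the value Python's `ssl` module returns from `getpeercert()`. Placeholder names such as bank.example and attacker.test are constructed for the example.

```python
# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
# Modern clients ignore the subject commonName and only consult subjectAltName.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}


def hostname_matches(hostname, dns_names):
    """Return True if hostname matches any DNS name, applying wildcard rules.

    Rules applied (RFC 6125 style, stated here as an assumption):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' may only be the entire leftmost label (so '*.bank.example'
        matches 'login.bank.example' but not 'a.b.bank.example');
      * a wildcard needs at least two labels after it, so '*.example'
        never matches a bare second-level name.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        if labels[0] != "*" or len(labels) < 3 or len(labels) != len(host_labels):
            continue  # malformed or over-broad wildcard, or label count differs
        if labels[1:] == host_labels[1:]:
            return True
    return False


def cert_matches_host(cert, hostname):
    """Check a getpeercert()-shaped dict against the hostname the user intended."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return hostname_matches(hostname, dns_names)


if __name__ == "__main__":
    for host in ("www.bank.example", "login.bank.example", "a.b.bank.example",
                 "bank.example", "www.bank.example.attacker.test"):
        print(host, "->", "matches" if cert_matches_host(SAMPLE_CERT, host) else "MISMATCH")
```

The last case in the usage loop is the one the red flag above describes: a lookalike host that embeds the real name as a prefix still fails the check, because matching is done label by label from the right.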

Key Principles of Social Engineering

Robert Cialdini wrote the book "Influence" on the key principles of persuasion (Cialdini 2009).

These principles include:

  • Reciprocity

  • Commitment

  • Social Proof

  • Obeying Authority

  • Likability

  • Scarcity

  • Unity

The psychology of social engineering can be understood within this framework.

Key Principle — Reciprocity

Reciprocity — aka "Returning the Favor".

Reciprocity is used in a social engineering attack by offering a small gift or concession to a target and asking the target to do something to reciprocate (such as change a password or open a locked door).

Another way to use reciprocity is to ask for a considerable favor, which the target declines. The attacker then asks for a smaller favor (the real goal), and the target can feel compelled to reciprocate the concession of dropping the original request.

Key Principle — Commitment

Commitment — aka "I want to sign up later".

When people commit to a future action or goal, they are more likely to follow through with that action.

Creators of web popups use this tactic by labelling the dismiss button "I’ll sign up later" instead of "Cancel" or "No Thanks".

Key Principle — Social Proof

Social Proof — aka "Everyone is doing it".

People will conform to what they see other people doing.

Are all of the other employees shirking security training?

What kinds of behavior around security practices are challenging because of your corporate culture?

Key Principle — Obeying Authority

Obeying Authority — aka "This authoritative person told me to".

Obedience to authority figures is ingrained in many cultures.

Security is often compromised by submitting to false authority figures.

Important
Verify Requests from Authority Figures

One should always verify any request purported to have come from a VIP.

Key Principle — Likability

Likability — aka "I’m more likely to help you if I like you."

Security standards are commonly overridden for attackers who simply ask nicely; this is doubly true when the attacker is "nice" or likable.

Key Principle — Scarcity

Scarcity — aka "Limited Time Offer"

A simple way to get people to lower their guard is to offer something with scarcity. Implying something is scarce leads to people taking action without fully thinking about the consequences.

Attackers can use this to make you click a link or install software that you shouldn’t.

Key Principle — Unity

Unity — aka "The more alike we are, the more trusting we are".

Attackers will often prey upon our similarities: "Hey, we both have crazy bosses, I need your help, or he’s gonna chew me out!"

References

Cialdini, Robert (2009). Influence: Science and Practice. Boston, MA: Pearson Education. ISBN 0-205-60999-6.