CyberArk Glossary

Social Engineering

What is social engineering?

Social engineering is a manipulation technique aimed at tricking individuals into revealing sensitive information, carrying out actions they wouldn’t normally perform, or making decisions contrary to their usual behavior. Social engineering attacks are strategies used by malicious individuals to take advantage of human psychology and persuade people to compromise their security or privacy.

Social engineers employ various psychological tactics, including flattery, intimidation, authority, trust-building and manipulation to exploit human behavior and emotions. These techniques are designed to elicit specific responses from the victim, ultimately leading to the disclosure of sensitive information or compliance with the attacker’s demands.

Some social engineers can specialize in different tactics. For example, a social engineer phishing specialist is an individual who focuses on perfecting phishing attacks and leveraging social engineering tactics to increase the effectiveness of their campaigns. These individuals often have a deep understanding of human psychology and persuasive techniques. Some of the popular social engineering tools are Maltego, Social Engineering Toolkit (SET), Wifiphisher, Metasploit MSF and MSFvenom Payload Creator (MSFPC).

Types of social engineering attacks

Social engineering attacks come in various forms, each employing different tactics to manipulate individuals into divulging sensitive information or taking specific actions. Here are some common types of social engineering attacks along with examples:

Name of attack | Short description | Example of attack
--- | --- | ---
Phishing | Phishing attacks often involve sending emails that mimic legitimate sources such as banks, government agencies or well-known companies. These emails may include hyperlinks leading to fraudulent websites intended to capture login credentials or solicit sensitive information. Attackers can also use malicious attachments to implant malware on the recipient's device. | An attacker sends an email claiming to be from a reputable bank, asking the recipient to click on a link and update their account information. The link leads to a fake website where the victim unwittingly provides their login credentials.
Pretexting | Pretexting is a form of deception in which the attacker invents a scenario (the pretext) to pressure the victim into providing private information, for example by posing as a coworker, tech support or a service provider. | An attacker impersonates a company's IT support, calling an employee and claiming to need their login credentials to fix a technical issue. The employee, trusting the caller, provides the information.
Quid pro quo | This attack involves offering a service or favor in exchange for sensitive information. For example, an attacker might offer IT help in exchange for login credentials, or claim to offer free antivirus software while secretly installing malware. | An attacker offers free software downloads in exchange for the victim's login credentials, deceiving them into thinking they are receiving a legitimate benefit.
Vishing (voice phishing) | Vishing is a social engineering attack conducted via phone calls. Attackers might impersonate a trusted entity, such as a bank representative, and attempt to extract sensitive information from the victim over the phone. | An attacker pretends to be a bank representative over the phone, urgently requesting the victim's account information to resolve a supposed security issue.
Baiting | Baiting lures the victim with something enticing, such as a planted storage device or a tempting download, that infects their device or captures information once they take the bait. | An attacker leaves USB drives in a company's parking lot, labeled "Employee Bonuses." Curious employees plug the USB drives into their work computers, unknowingly infecting them with malware.
Tailgating (piggybacking) | In physical security breaches, attackers may follow authorized personnel into secure areas by closely trailing them without proper identification or access. | An unauthorized person follows an employee into a secure facility without proper access, exploiting the employee's unwitting cooperation.
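The phishing row above describes an email that claims to come from a bank but links to a look-alike site and presses the reader to act. The following triage heuristic, an added example and not CyberArk's code, flags that pattern in a constructed message: it compares the From: domain against every link domain in the body and looks for urgency wording. The urgency terms, the placeholder `.test` domains and the "mismatch plus urgency" rule are illustrative assumptions, not a vendor's detection logic.

```python
"""Phishing triage heuristic for the bank-impersonation pattern (added example).
Flags a message when link domains differ from the sender's domain AND the text
uses urgency wording; the term list and rule are illustrative assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative urgency phrases; a real deployment would tune this list.
URGENCY_TERMS = ("verify", "update your account", "suspended", "immediately", "24 hours")

# Constructed sample message; the .test domains are placeholders, not real organisations.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.test>
To: employee@corp.test
Subject: Action required: verify your account within 24 hours

Dear customer,
Unusual activity was detected. Please update your account details
immediately at https://examplebank-secure-login.test/verify or access
will be suspended.
"""

def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for simple hosts like the samples here."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()

def sender_domain(msg):
    """Domain of the address in the From: header, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return registered_domain(addr.rpartition("@")[2])

def link_hosts(body):
    """Hostnames of all http(s) URLs found in the body text."""
    return {urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body)}

def triage(raw):
    """Return a dict with the sender domain, mismatched link domains, urgency hits and verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = sender_domain(msg)
    mismatched = sorted(h for h in link_hosts(body) if registered_domain(h) != sender)
    text = (msg.get("Subject", "") + " " + body).lower()
    urgency = [t for t in URGENCY_TERMS if t in text]
    return {"sender_domain": sender, "mismatched_links": mismatched,
            "urgency_terms": urgency, "score": len(mismatched) + len(urgency),
            "suspicious": bool(mismatched) and bool(urgency)}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

A message whose links stay on the sender's own domain and that carries no urgency wording scores zero under this rule, so routine statements are not flagged.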

In addition to the specific attack types mentioned above, social engineers adapt their tactics to exploit the unique characteristics, preferences and vulnerabilities of their targets. A highly focused kind of social engineering is the watering hole attack: instead of approaching the target group directly, the attacker compromises a website the group is known to visit frequently and lies in wait for them there. The effectiveness of social engineering attacks often depends on the attacker's ability to customize their approach to the specific individual or organization they are targeting. This adaptability makes social engineering a highly versatile and persistent threat in the realm of cybersecurity.

Social engineering tools

Social engineering tools are devices or resources that people, whether malicious actors or ethical hackers, use to take advantage of psychological weaknesses and persuade their targets to reveal sensitive information, take actions, or make decisions that could jeopardize security. These tools are used in social engineering attacks when the attacker aims to deceive and manipulate their target.

  • Malware: Attackers breach victims' devices, distribute malicious attachments, and establish malicious websites using a variety of malware types. These tools are often designed to exploit vulnerabilities and facilitate social engineering attacks.
  • Information gathering tools: Gathering personal information about potential targets is crucial for tailoring social engineering attacks. Tools for reconnaissance may include Open-Source Intelligence (OSINT) tools, which scrape publicly available information from social media, forums, or other sources.
  • Impersonation tools: In vishing attacks, attackers might use caller ID spoofing tools to make their phone calls appear to be coming from a legitimate source or entity to increase the likelihood of success.

How to prevent social engineering attacks

Preventing social engineering attacks requires a multifaceted approach, beginning with comprehensive employee training to raise awareness of tactics such as phishing and pretexting. Multi-Factor Authentication (MFA) secures enterprise apps, VPNs, workstations, macOS and Windows endpoints, virtual desktops and RADIUS servers to keep attackers out. Transparent communication policies, consistent promotion of MFA, and effective incident reporting and response protocols are further vital components.

Complementary efforts involve physical security measures such as access controls and identification badges, alongside digital safeguards like regular security audits and encryption for sensitive information. Cultivating a culture of security awareness and encouraging responsible information sharing, both online and offline, strengthens an organization’s defenses against social engineering threats.

Some of the strategies to prevent social engineering attacks are:

  1. Multi-Factor Authentication: Social engineering poses a risk of unauthorized access to passwords. Implementing Multi-Factor Authentication (MFA) is crucial, which may include various methods such as biometric access, security questions or one-time-password (OTP) codes. MFA enhances security by requiring multiple forms of verification, mitigating the impact of potential password breaches resulting from social engineering tactics.
  2. Continuously monitor critical systems: Keep critical systems under ongoing monitoring. It is also recommended to conduct an annual social engineering engagement to assess how vulnerable employees are to social engineering risks; this evaluation provides valuable insight into potential weaknesses that require attention.
  3. Penetration testing: This is the most impactful of the strategies for thwarting social engineering attacks. A pen-test identifies and attempts to exploit vulnerabilities within your organization, serving as a proactive measure to enhance security.
  4. Phishing simulations: Phishing emails remain the primary avenue for malware infections. An effective method for educating users on identifying phishing emails involves the use of phishing simulations. Typically offered through cloud-based platforms by specialized vendors, these simulations are customizable to the specific requirements of your organization and can be conducted remotely to train users in recognizing and avoiding phishing threats.
