If you’ve ever been the recipient of a scam email, you’ve been targeted by social engineering. This popular technique used by hackers is designed to take advantage of what makes us human, our social instincts, behaviours and emotions, to trick and manipulate us into divulging personal information.
How it works (with examples)
There are lots of different types of social engineering attack, but generally, an attack will assume the following format:
- A scammer will send a message to its target, posing as a legitimate organisation or individual.
- The message may require you to click a link, open an attachment or simply reply with some personal information.
- Depending on the type of attack, your device may become inoperable or your data may be stolen and sold on the Dark Web or used to further penetrate the company you work for.
It’s best to see examples of social engineering in practice, so here are a few cyber attacks we’ve seen over the last few years that had a social engineering approach:
Zoom Phishing Campaign
With the rise of remote working during the pandemic, it’s no surprise video conferencing platforms like Zoom were targeted by cybercriminals. The phishing email was designed to take advantage of the redundancy fears that many were having at the time, inviting its recipients to sign into their ‘quarterly review’ meeting on Zoom. Once the link was clicked, you’d be taken to a site that looks very much like Zoom’s, but a closer inspection of the URL showed that was not truly the case.
Toyota Business Email Compromise
A parts supplier for Toyota cars, this company lost around $37 million in 2019 because of a social engineering attack. In this case, a bad actor manipulated an employee on the inside to change account details on an electronic transfer of funds. This would likely have involved a lot of careful planning and spoofing of emails on the hacker’s part to convince a perfectly intelligent employee. This was the third attack that year on the Toyota group, however, so arguably the company could have been better prepared for future cyber incidents.
WhatsApp Family Scam
Social engineering can even go as far as to exploit our own maternal or paternal instincts, with a WhatsApp scam this year framed as a child’s plea for financial support following an incident. The hacker usually pretends to be the recipient’s child, on a new number because their phone got damaged, and they would ask their parents for money to perhaps buy a new phone or pay an urgent bill. The scam was reported to Action Fraud over a thousand times between February and June, with victims losing up to £2000 to the fraudsters.
Types of Social Engineering
Hackers have got quite creative over the years and developed plenty of different types of social engineering attacks. Let’s explore some of the most common…
Phishing
This is the most prolific social engineering tactic, with many other hacks falling under this umbrella. Phishing involves a bad actor sending a fake email disguised as a legitimate one. This phishing e-mail may pressure the unfortunate recipient to reply with their personal information or financial details or urge them to click on a malicious link ready to deploy malware and infect their device.
Vishing
As the name suggests, vishing isn’t far off phishing, but (you guessed it!) it’s done using voice. Vishers might call to tell you that your bank account has been compromised and you need to give them login credentials or attempt a payment. Most banks provide scam warnings and tell you that their representatives will never ask for this information, so it’s always a red flag if someone calls and requests this.
Smishing
Another of the -ings, smishing refers to SMS-phishing, where bad actors will send a text to your phone, often posing as a legitimate organisation, in an attempt to capture personal information. Attackers will usually hide their real phone number using spoofing technology or burner phones.
People are often less wary on their phones, making them particularly susceptible to smishing attacks, and with the rise of BYOD, they are becoming increasingly harmful to businesses too.
Baiting
Baiting is a form of social engineering that usually promises some form of prize or reward like a free download, relying on the curiosity or greed of the recipient. The download is usually riddled with malware ready to infect your device. Another method of baiting uses physical media like USBs, perhaps labelled with something enticing so an employee inserts it into their computer and releases the malware that way.
Business Email Compromise
As the name suggests, social engineers that utilise the business email compromise method have a business as their end target, usually for financial gain. Unlike other phishing attacks, business email compromise is normally highly tailored to the recipient and for this reason, can be harder to detect.
It may involve an account being breached and then emails sent from the employee’s inbox, requesting payments from suppliers or clients, which can be very damaging to the company’s reputation. Alternatively, the hacker may pose as a senior executive and ask employees in the finance department to make payments to the hacker’s account.
Whaling
These types of social engineering attacks are generally more sophisticated, targeted at senior-level executives of a company and usually designed to encourage a secondary action like a transfer of funds. Often they contain personal information about the organisation or recipient and will read like a professional business email using the expected tone and language. Some of the largest financial losses from social engineering have been because of whaling attacks.
Clone Phishing
Clone phishing involves the cloning of a legitimate message sent by an organisation. It may read like a genuine email from someone at the company or include attachments that appear legitimate, like an invoice. But in reality, the hacker has altered the email to include a malicious link or attachment and spoofed the email to appear from a legitimate sender. Often these emails will be sent to a large number of people, and the hacker just has to wait and see who will succumb to the trick.
Tailgating
Moving into the physical realm, a tailgating attack occurs when an individual manages to gain unauthorised access to a company’s office, for example by asking a legitimate employee to hold the door open while posing as a delivery driver. Once they have physical access to the business, they might leave a malicious USB for someone to pick up, take a record of an employee’s credentials or even steal company equipment.
Pharming
In a pharming attack, a hacker re-routes users from a specific website to a malicious, fake site in an attempt to harvest personally identifiable information. These attacks are especially common in the finance sector and with online payment platforms. The attacks happen in two stages - malicious code is injected into your device and this code then misdirects you to the fraudulent website.
What makes these attacks particularly dangerous is that, since the code affects local host files, you will always be redirected to the fake site. Even typing the URL manually or clicking on a bookmark won’t change this. Pharming attacks are rarer, however, because they can take a lot more work for a hacker to pull off.
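Because pharming of this kind works by altering the local hosts file, that file is also where a defender can look for it. The following is an added example, not part of the original article: a small Python audit that parses hosts-file text and reports entries that pin a watched site, or that force any name to a remote address. The watched names and the sample file contents are constructed placeholders.

```python
import ipaddress

# Assumption: names your users sign in to; these are placeholders.
WATCHED = {"examplebank.test", "pay.example.test"}

# Constructed sample in hosts-file syntax (not taken from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost
# 203.0.113.9  examplebank.test
203.0.113.66   www.examplebank.test examplebank.test   # redirect entry
0.0.0.0        ads.example.test
198.51.100.7   intranet.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])
        except ValueError:
            continue  # first field is not an address: ignore malformed lines
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, hostname, reason) for entries worth investigating."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if any(name == w or name.endswith("." + w) for w in watched):
            reason = "watched site pinned locally"
        elif not (ip.is_loopback or ip.is_unspecified):
            reason = "name forced to a remote address"
        else:
            continue
        findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    # Real files: /etc/hosts (Linux, macOS), C:\Windows\System32\drivers\etc\hosts (Windows)
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A finding is a prompt to investigate rather than proof of compromise, since administrators sometimes add legitimate entries for internal systems.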
Scareware
A type of malware, scareware is designed to (surprise, surprise) scare you. Normally this kind of attack will urge you to buy and download an anti-virus or scanning software, warning you that your computer or files have been infected with something dangerous. Often these warnings are in the form of pop-ups and will use tactics like a progress bar to show your computer is being scanned or show a screenshot of infected files on your computer. People tend to act fast if they’re scared or worried, which is exactly what these social engineering attacks feed on.
The Impact of Social Engineering
Social engineering hacks have been around for quite some time and are still the number one technique hackers utilise in breaches because they’re relatively easy to carry out and can have the potential to be very profitable.
Even the old-school scams that we wouldn’t think could fool anyone are still making hackers money. For example, the famous Nigerian prince scams are still scamming people out of $700,000 a year.
As we’ve seen, hackers can make money from a social engineering attack in lots of ways. They might intercept wire transfers, create fraudulent payment portals, demand a ransom after encrypting files with malware or sell data they’ve stolen on the Dark Web.
All these can cost a business, not to mention the additional spending that has to happen in the aftermath of an attack - legal costs, PR, regulatory fines, new security measures and so on. According to IBM’s 2022 report, the average total cost of a data breach is now thought to be around $4.35m.
The effects of social engineering on a business often involve financial losses, as money is usually the primary motivator for cybercriminals. However, a business can also be impacted in other ways.
Downtime: If a social engineering attack releases harmful malware onto the target’s systems, like ransomware, for example, the company may be locked out of files or systems until they pay a ransom, or they may experience downtime while expunging infected devices of the malware.
Disruption to operations: A business hit by a cyber attack like social engineering can have its operations disrupted for a number of reasons. As above, if systems have been infected, this can delay and disrupt normal business operations. Time and resources in the company may have to be spent on disaster recovery, leaving less for other staff responsibilities. Cyber attacks usually require the attention of IT staff and senior management roles, which can cause a hold-up in other areas of the business.
Fallout in the supply chain: Depending on the attack, other companies in your supply chain may have been affected and you’ll have to deal with the fallout. This could lead to the termination of some supplier contracts who may lose faith in you following the attack.
Loss of customers: Similarly, a social engineering attack on a business can harm its reputation with customers. If a company you were working with got successfully attacked by cybercriminals, you’d probably consider taking your business elsewhere too, wouldn’t you? An incident like this suggests that the company are not capable of protecting your data and it makes you less inclined to trust them.
The impact of social engineering is serious, so it’s a much better idea to implement proper preventative security measures to minimise the risk of such an attack. We’ll explore some of these preventative measures shortly.
Top Social Engineering Statistics
As humans, it’s easier to really appreciate the severity of something if we look at the numbers, so here are our top 5 statistics around social engineering:
- It’s estimated that 70-90% of cyber attacks are due to social engineering
- According to Norton LifeLock (previously Symantec), one in every 3,722 emails in the UK is a phishing attempt
- 45% of employees don’t report social engineering attempts for fear of getting in trouble
- In 2020, Google recorded approximately 2 million phishing websites
- The average organization is targeted by over 700 social engineering attacks each year.
How to Spot a Social Engineering Attack
So if we know social engineering is such a critical problem, why haven’t we gotten better at spotting the signs of a possible attack?
Social engineering has become a lot more sophisticated over the years, with cybercriminals being presented with plenty of new avenues due to the rise of homeworking. It’s no wonder social engineering attacks increased by 270% over the pandemic.
Our ways of working nowadays still involve a greater mix of devices and networks being used, with less visibility and IT presence in offices. Not only are attacks themselves getting more creative and carefully crafted, but employees working from home are less wary and unable to get second opinions on suspicious emails.
Making sure employees are clued up on cyber security best practices and how to spot social engineering tactics is essential to an organisation’s defence.
Here are some common signs to watch out for:
A sense of urgency
If an email, phone call, or text you receive is asking you to take some action or provide personal details and there’s a tone of urgency, it’s always best to be cautious. Hackers use this urgent tone to panic people into action because we tend to be more irrational in a state of panic.
Vague when probed
Hackers don’t like it when you start asking questions. If someone who calls or emails avoids answering questions about themselves or the business they’re contacting from, it’s not a good sign. It’s always best to try and verify the information they give you online - you can check company websites and social channels like LinkedIn.
Unusual attachments or links
Most social engineering attacks via email and text are trying to get the recipient to click on something. If you weren’t expecting a message from this person, be wary of opening anything before you’ve been able to check its legitimacy.
Too good to be true
Along with fear, social engineers will exploit common human traits like greed and curiosity. If you get a message offering a great opportunity or reward, act with caution. More times than not, if something appears too good to be true, it probably is.
Where to Report Social Engineering Attempts
If you’re based in the UK and you’re on the receiving end of a scam, you should alert Action Fraud. Once you send in a report, it gets reviewed by the National Fraud Intelligence Bureau and they will determine whether there is enough information to alert police forces. Providing Action Fraud with reports of scams helps us build a clear picture of fraud and cyber crime across the country.
You can report a scam by using their online reporting tool, or calling their fraud hotline on 0300 123 2040.
If you receive a suspicious email, you can forward this to email@example.com, where it will be reviewed by the National Cyber Security Centre (NCSC) and if thought to be malicious, they block the address the email came from and remove links to malicious websites.
If you get a suspicious text, most phone providers allow you to forward the message to 7746 for free, where it’ll get reviewed.
Preventing Social Engineering
Avoiding getting fooled by a social engineering attack comes down to better cyber security awareness and training among employees. With human error the number one cause behind cyber attacks, it makes sense that many of the social engineering prevention techniques are a case of improving vigilance and understanding cyber security best practices.
Some top tips to share with your workforce are:
Contact the sender via your own means - If you receive a suspicious looking message, get in contact with the sender through a legitimate company phone number to check they are who they say they are. If it’s a colleague emailing a request like transferring funds, double check with them on the phone before doing anything else.
Security awareness training - As a company, you should be delivering compulsory cyber awareness training at least once a year so employees are kept up to date with best practices and current threats and social engineering scams that are making the rounds. People need regular reminders that the cyber threat is real and social engineering attacks are prolific, so they must be given the tools and knowledge they need to combat them.
Use email filtering and firewalls - Make sure your company has configured email security tools to identify and block suspected spam emails. This can help take some of the pressure off your human workforce. Web firewalls are also important for blocking malicious websites.
Don’t be swayed by urgent messages - If there’s urgency, it can be tempting to act fast, but always consider, is this message realistic? Would this company be contacting me in this way and ask for this information? There’s no harm in slowing down, and it can save you or your company hugely in the long run.
Always verify links - If you’re not expecting the email, always check the link destination by hovering your mouse over the URL. If it doesn’t seem to match up, don’t click. If you ever do find yourself in a situation where you’ve clicked on a phishing link, however, here’s what to do.
Never insert a USB you find - This is another way hackers can try to infect your device with malware. If you pick up a USB and you’re a little curious to see what’s on it, or maybe you’re innocently trying to find its owner, avoid plugging it in, as it could have been left deliberately by a bad actor.
Penetration testing - get an annual penetration test to assess your company’s ability to defend against social engineering attacks. Many pen tests carry out social engineering techniques to see how your employees respond. This can be a good indicator of where your time and attention for prevention is best directed.
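The "Always verify links" tip can be automated as part of email filtering. The following is an added example, not part of the original article: a Python check that does the hover test on an HTML email body, flagging links whose visible text names one site while the destination is another, and destinations that imitate a trusted name, as in the Zoom campaign described earlier. The trusted domain list and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains you genuinely expect in meeting invites.
TRUSTED = {"zoom.us"}

# Constructed sample email body (not a real message).
SAMPLE = """<p>Your quarterly review is scheduled.</p>
<a href="https://zoom.us.meeting-review.example.test/signin">https://zoom.us/j/5551234</a>
<a href="https://zoom.us/j/5551234">Join meeting</a>
<a href="https://files.example.test/agenda">agenda</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname, tolerating scheme-less text like 'zoom.us/j/1'."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def check_links(html, trusted=TRUSTED):
    """Return (href, reasons) for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest, reasons = host_of(href), []
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != dest:
            reasons.append(f"text shows {shown} but link goes to {dest}")
        ok = any(dest == d or dest.endswith("." + d) for d in trusted)
        brand = [d for d in trusted if d.split(".")[0] in dest]
        if not ok and brand:
            reasons.append(f"{dest} imitates {brand[0]}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

On the sample, only the first link is reported, for both reasons; the genuine Zoom link and the unrelated agenda link pass.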
We hope this guide into social engineering has helped solidify the reality of these attacks. They can be so simple, yet very destructive for an organisation. Cyber awareness helps, of course, but at the end of the day we are all human, and even security experts can fall for social engineering attempts. However, by fully understanding the kinds of techniques hackers use and what you can do to be cautious, you and your organisation stand the best chance of minimising the risk of being fooled by an attack.
For more advice about social engineering, contact our security specialist team at firstname.lastname@example.org.