The 5 Pillars of Successful Social Engineering Attacks
Thought Social Engineering attacks were something of the past? Think again! In fact, these types of attacks work so well because people are still the weakest link in cyber security. So, what do attackers do to hack the human brain?
What is Social Engineering?
A few statistics about social engineering attacks:
- According to Wombat Security’s 2019 State of the Phish, around 83% of all companies report that they experienced phishing attacks in the previous year.
- According to a Computer Weekly study, 17% of tested employees will fall victim to social engineering attacks.
- According to FBI statistics, CEO fraud is now a $12 billion scam.
Because companies are making efforts to train their employees to spot phishing attempts and individuals are becoming more careful towards security, malicious Social Engineers are getting smarter in the ways they trick their victims.
To cite a recent example, Google Calendar invites are now being abused for phishing scams. Since Google Calendar is a trusted application, users are less likely to ignore these invitations and events, and often they’ll click on the link without much thought. In many cases of this “calendar phishing,” the embedded links redirected to a website with a questionnaire that asked for credit card details and/or personal information in order to deliver prize money.
Additionally, phishing scams targeting SaaS and webmail services have recently increased to 36% of all phishing attacks. Because online SaaS applications have become fundamental business tools (convenient to use and cost-effective), phishers see them as a growing source to “yield financial data and also personnel data that can be leveraged for spear-phishing”, according to Greg Aaron, APWG Senior Research Fellow.
A last example of Social Engineers becoming smarter would be the recent “Push Notification” scam where attackers are trying to dupe smartphone owners into turning over their personal information by clicking on push notifications that look like legitimate messages from well-known companies. The messages actually direct recipients to phishing pages, where they’ll be asked to enter their credentials.
How do successful Social Engineering attacks happen?
Even with all the security efforts on individual and corporate levels, as well as daily damaging news, social engineers still make thousands of victims. How does that happen?
All successful social engineering attacks seem to have common key points.
Mårten Mickos, CEO of HackerOne, recently took part in a live Q&A on Quora, offering career tips, discussing his own professional experience, and explaining how Social Engineering attacks work. In his answer, he observes that Social Engineering attacks are based on 5 key pillars.
In this day and age, Social Engineering can be used by malicious actors to gain unauthorized access to a person’s data, or even to a company’s customer or employee data. According to Mårten, cybercriminals will direct their social engineering attacks using these 5 key pillars:
FAMILIARITY – An intruder will use the same jargon or dress like those in the office in order to gain entry without anyone objecting.
AUTHORITY – An intruder will appear with authority (such as acting as a serviceman or police officer) to dismantle any resistance or scrutiny from those who should be guarding the place.
SYMPATHY – An intruder may appear lovable and ask for sympathy in order to get access to a password or other useful item.
URGENCY – An intruder will make the other party feel like there is a crisis brewing and very rapid action is needed.
INTIMIDATION – An intruder may offend or challenge you in order to throw you off balance so that you forget to check something or to say no.
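The five pillars above are psychological cues, but they also show up as recognisable phrasing in phishing e-mails and chat messages. The following is an added example, not code from the article or from HackerOne, of a small triage heuristic that scans a message for cue phrases belonging to each pillar and flags messages that combine several of them. The cue lexicon and the three sample messages are constructed for illustration and are assumptions of this example, not a validated rule set; a real mail filter would pair such a signal with sender, domain and link checks.

```python
"""Heuristic triage of messages against the five social-engineering pillars.

Added example: scores a message by how many of the pillars (familiarity,
authority, sympathy, urgency, intimidation) show up as cue phrases.
The lexicon below is hand-built and illustrative, not an exhaustive or
validated detection rule set.
"""
import re
from dataclasses import dataclass

# Assumed cue phrases per pillar (regular expressions, matched on lowercased text).
PILLAR_CUES = {
    "familiarity": [
        r"\bas (?:we )?discussed\b", r"\bper our (?:call|chat)\b",
        r"\bhey team\b", r"\bquick favou?r\b",
    ],
    "authority": [
        r"\b(?:ceo|cfo|director|it department|help ?desk|fraud department|"
        r"security team|police|compliance)\b",
        r"\bon behalf of\b",
    ],
    "sympathy": [
        r"\bplease help\b", r"\bi'?m stuck\b", r"\bcan'?t reach anyone\b", r"\bdesperate\b",
    ],
    "urgency": [
        r"\burgent\b", r"\bimmediately\b", r"\bright now\b",
        r"\bwithin (?:the )?(?:next )?\d+ (?:minutes|hours)\b",
        r"\bbefore (?:end of day|eod)\b",
    ],
    "intimidation": [
        r"\bdisciplinary\b", r"\bsuspended\b", r"\blegal action\b", r"\bfailure to\b",
        r"\byour account will be (?:closed|locked)\b",
    ],
}


@dataclass
class PillarScore:
    """Which cue phrases matched, grouped by pillar."""
    hits: dict  # pillar name -> list of matched phrases (may be empty)

    @property
    def pillars(self) -> list:
        """Pillars with at least one matched cue, in alphabetical order."""
        return sorted(p for p, matched in self.hits.items() if matched)

    @property
    def score(self) -> int:
        """Number of distinct pillars present; more pillars, more suspicious."""
        return len(self.pillars)


def score_message(text: str) -> PillarScore:
    """Match every cue pattern against the lowercased message text."""
    lowered = text.lower()
    hits = {}
    for pillar, patterns in PILLAR_CUES.items():
        matched = []
        for pattern in patterns:
            matched.extend(m.group(0) for m in re.finditer(pattern, lowered))
        hits[pillar] = matched
    return PillarScore(hits)


def triage(text: str, threshold: int = 2) -> str:
    """Return 'review' when the message combines `threshold` or more pillars.

    A single cue (one urgent word, one mention of a manager) is normal in
    business mail; it is the stacking of several pillars that is the tell.
    """
    return "review" if score_message(text).score >= threshold else "ok"


# Constructed sample messages (not real phishing mail).
SAMPLE_MESSAGES = {
    "ceo_fraud": (
        "Hi, as we discussed on our call, the CEO needs the vendor payment "
        "wired immediately. Failure to do so today will mean disciplinary action."
    ),
    "benign": (
        "Hey team, reminder that the quarterly all-hands is on Thursday at 10am. "
        "Slides are in the shared drive."
    ),
    "push_alert": (
        "Security alert from your bank's fraud department: your account will be "
        "locked unless you verify your password immediately."
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        result = score_message(body)
        print(f"{name:10s} -> {triage(body):6s} pillars={result.pillars}")
```

Run as a script it prints one line per sample: the CEO-fraud message stacks four pillars (authority, familiarity, intimidation, urgency) and the push-notification style alert three, while the all-hands reminder trips only the familiarity cue and passes. The threshold is deliberately on distinct pillars rather than raw keyword counts, so a long but legitimate urgent message is not penalised for repeating "immediately".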
Social Engineering is not only used with malicious intent. In fact, SE tactics can also be used by professional Penetration Testers to test a company’s employees and determine its most important threat vectors.
Want to learn more about how to successfully hack the human brain and the necessary tools to do so? Catch a replay of the EH-Net Live! webinar “A Perfect Crime: The Tech and Psych of Effective Phishing” with Erich Kron of KnowBe4.
Still a stranger to all things SE but curious to know more? Get a primer into the science of SE and how to carve a career in this field in the webinar replay “The Future of Social Engineering” with Chris Hadnagy (aka @HumanHacker on Twitter).