The 5 Pillars of Successful Social Engineering Attacks
Thought social engineering attacks were something of the past? Think again! In fact, these types of attacks work so well because people are still the weakest link in cyber security. So, what do attackers do to hack the human brain?
What is Social Engineering?
Social engineering is the practice of using deceptive methods to dupe employees of an organization into giving up their secure login information. Cybercriminals then use that information to attack an organization for financial gain or other malicious reasons.
A few statistics about social engineering (SE) attacks:
- According to Wombat Security’s 2019 State of the Phish, around 83% of all companies reported at least one phishing attack in the previous year.
- According to a Computer Weekly study, 17% of tested employees will fall victim to social engineering attacks.
- According to FBI statistics, CEO fraud is now a $12 billion scam.
Social engineering is growing increasingly sophisticated. Because companies are making more of an effort to train their employees on how to spot social engineering, many cyber criminals have adapted and evolved their techniques to outsmart their victims.
As an example, Google Calendar invites are now being abused for phishing scams. Since Google Calendar is a trusted application, users are less likely to ignore these invitations and events, and often they’ll click on the link without much thought. In many cases of this “calendar phishing,” the embedded links redirected to a website with a questionnaire that asked for credit card details and/or personal information under the pretext of paying out prize money.
Additionally, phishing scams targeting SaaS and webmail services have recently increased to 36% of all phishing attacks. Because online SaaS applications have become fundamental business tools (convenient to use and cost-effective), phishers see them as a growing source to “yield financial data and also personnel data that can be leveraged for spear-phishing,” according to Greg Aaron, APWG Senior Research Fellow.
Social engineers are also administering “Push Notification” scams, where attackers try to dupe smartphone owners into turning over their personal information by clicking on push notifications that look like legitimate messages from well-known companies. The messages actually direct recipients to phishing pages, where they are asked to enter their credentials.
How do successful social engineering attacks happen?
Even with increased security and recognition at the individual and corporate level, social engineers are still racking up thousands of victims every year. How does that happen?
All successful social engineering attacks seem to have common key points.
Mårten Mickos, CEO of HackerOne, recently took part in a live Q&A on Quora, offering career tips, discussing his own professional experience, and sharing his experience fighting social engineering. He found that social engineering attacks are based on five key pillars.
In this day and age, social engineering can be used by malicious actors to gain unauthorized access to a person’s or even a company’s customer or employee data. According to Mårten, cybercriminals will direct their social engineering attacks using these 5 key pillars:
- FAMILIARITY – An intruder will use the same jargon or dress like those in the office in order to gain entry without anyone objecting.
- AUTHORITY – A malicious actor will appear with authority (such as acting as a serviceman or police officer) to dismantle any resistance or scrutiny.
- SYMPATHY – A criminal may appear lovable and ask for sympathy in order to get access to a password or other useful items.
- URGENCY – They will make the other party feel like there is a crisis brewing and very rapid action is needed.
- INTIMIDATION – An intruder may offend or challenge you in order to throw you off balance so that you forget to check something or fail to say no.
Many companies are fighting social engineering by employing it themselves. Organizations often hire pentesters to test a company’s employees and determine its most important threat vectors.
Want to learn more about how to successfully hack the human brain and the necessary tools to do so? Catch a replay of the EH-Net Live! webinar “A Perfect Crime: The Tech and Psych of Effective Phishing” with Erich Kron of KnowBe4.
Are you a little unsure of how social engineering affects cyber security but want to learn more? Get a primer on the science of SE and how to carve out a career in this field in the webinar replay “The Future of Social Engineering” with Chris Hadnagy (aka @HumanHacker on Twitter).