
Social Engineering in the Digital Age – Are you Safe?


Babatunde Oladogba - December 15, 2022 - 0 comments

Social engineering is a harmful tactic employed by hackers to manipulate people’s behavior, exploit their trust, and gain unauthorized access to their sensitive information or systems. This technique can be viewed as a type of psychological manipulation that takes advantage of human weaknesses instead of technical flaws. It involves deceiving individuals into revealing confidential information, granting unauthorized access, or performing actions that serve the attacker’s interests.

A Brief History of Social Engineering

The term “social engineering” was first popularized in the late 19th century by Dutch industrialist J.C. van Marken, who used it to describe efforts to improve worker welfare and productivity through psychological means. However, its malicious connotation evolved with the advent of espionage and con artistry.

One of the earliest notable instances of social engineering in a modern sense was during World War I and II. Spies and military personnel used deceptive tactics to extract secrets from enemies, relying heavily on psychological manipulation.

The field took a more structured form in the mid-20th century. Sociologist William Foote Whyte’s 1955 book, Street Corner Society, detailed how he embedded himself within a social group to study their behaviors and interactions, exemplifying the power of social manipulation.

In the context of computing and cybersecurity, social engineering gained prominence with the rise of hacking in the 1970s and 1980s. Pioneering hacker Kevin Mitnick became infamous for using social engineering tactics, such as pretexting and phishing, to infiltrate systems and access sensitive information. Mitnick’s exploits highlighted the severe security risks posed by social engineering and raised public awareness about the need for better security measures. This is also detailed in the book he co-authored – The Art of Deception: Controlling the Human Element of Security.

Today, social engineering remains a significant threat in cybersecurity, with techniques evolving alongside technological advancements.

6 Common Social Engineering Techniques

1. Phishing:

Phishing is a social engineering technique that involves sending fraudulent communications, often via email, that appear to come from reputable sources. The aim is to steal sensitive data such as login credentials, credit card numbers, or other personal information.

A notable example was reported by Vox in 2016, in a post describing how John Podesta’s email got hacked. At the time, John Podesta was the chairman of Hillary Clinton’s presidential campaign, and he fell victim to a phishing attack. He received an email that looked like a legitimate Google security alert, asking him to change his password. Clicking the provided link led to a fake site where he entered his password, which was then stolen by attackers. This incident led to the release of thousands of emails and had significant political ramifications.

2. Pretexting:

Pretexting involves creating a fabricated scenario (pretext) to trick someone into providing information or performing actions they wouldn’t normally do. This often involves impersonating someone in authority or with a legitimate need for the information.

One of the most famous cases of pretexting involved Hewlett-Packard (HP) in 2006, and it was documented by The New York Times in one of its articles, Hewlett-Packard Spied on Writers in Leaks. To identify the source of leaks within its board, HP hired private investigators who used pretexting to obtain the phone records of board members and journalists by pretending to be them. This scandal led to legal actions and significant reputational damage to HP.

3. Baiting:

Baiting is a social engineering technique that involves luring victims with the promise of a reward or something enticing. This technique can involve physical media (like infected USB drives left in public places) or online schemes (like fake downloads). In 2011, the Stuxnet worm was famously spread using baiting tactics. Infected USB drives were deliberately left in places where they were likely to be picked up by employees of targeted organizations. When inserted into a computer, the USB drives installed malware that ultimately caused significant damage to Iran’s nuclear program.

Kim Zetter’s book, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown), also documented the art of baiting. She wrote: “The virus now known as Stuxnet was unlike any other piece of malware built before: Rather than simply hijacking targeted computers or stealing information from them, it proved that a piece of code could escape the digital realm and wreak actual, physical destruction—in this case, on an Iranian nuclear facility.”

4. Tailgating:

Tailgating involves following an authorized person into a restricted area without proper credentials. This often happens in corporate settings where an attacker may follow an employee through a secure door, relying on social norms to avoid confrontation.

An example of this technique can be found in the book written by Kevin Mitnick – The Art of Deception: Controlling the Human Element of Security. Kevin Mitnick was a notorious hacker who frequently used tailgating during his hacking exploits in the 1990s. By simply following employees into secure areas or convincing them to hold the door, he gained physical access to restricted zones where he could then carry out further attacks. His exploits led to widespread awareness and changes in corporate security practices.

5. Quid Pro Quo:

Quid pro quo is a social engineering technique that involves offering a service or benefit in exchange for information. Attackers might pose as IT support, offering to fix a supposed problem in exchange for login details. A famous instance of this technique was exposed in a series of experiments where hackers posed as IT staff and called employees of various companies. They offered to help fix a computer issue in exchange for the employees disabling their security software or providing passwords. Many employees complied, revealing the vulnerability of even trained professionals to social engineering attacks.

6. Reverse Social Engineering:

Reverse social engineering is a technique where the attacker creates a problem for the target and then poses as the solution to it. Unlike traditional social engineering, where the attacker reaches out to the victim, in reverse social engineering the victim is manipulated into reaching out to the attacker for help. Kevin Mitnick often employed this technique in the 1990s by sabotaging systems or creating network issues within companies. He would then position himself as a capable technician or IT expert who could resolve these problems. Victims, unaware of his true identity, would seek his assistance, granting him access to systems and information they otherwise would not have. This method allowed Mitnick to gain deep access into highly secure networks without raising suspicion.

How to Prevent Social Engineering

1. Use Strong & Complex Passwords:

One of the safest ways to prevent social engineering attacks is to use strong and complex passwords. Using a simple or easy-to-guess password will put you or your accounts at risk. It is also recommended to activate two-factor authentication (2FA) for maximum security.

2. Use Multi-Factor Authentication (MFA):

MFA is most commonly encountered as two-factor authentication (2FA), the case where exactly two factors are used.

Two-Factor Authentication (2FA) was developed as a security measure to enhance the protection of online accounts and sensitive information. The concept of using multiple factors for authentication dates back several decades, but the modern implementation and widespread use of 2FA are more recent.

It requires users to authenticate their identity using multiple factors, such as passwords, biometrics, or security tokens. This method adds an extra layer of security, thereby making it more difficult for attackers to gain unauthorized access.

3. Identity Verification:

Don’t be in a hurry to open an attachment or link whenever you receive an email, especially an external one. It is safer to first verify the source of the mail.

You can do the following:

  • Check the Sender’s Email Address: Ensure that the sender’s email address matches the official email domain of the organization or person they claim to represent. Sometimes, phishing emails use similar-looking domains or spoofed addresses.
  • Verify the Content: Look for any suspicious or unusual content within the email, such as strange links, attachments from unknown sources, or unexpected requests for personal information.
  • Hover Over Links: Before clicking on any links in the email, hover your mouse cursor over them (without clicking). This action will display the actual URL where the link leads. Verify if the URL matches the claimed destination or if it seems suspicious.
  • Check for Spelling and Grammar: Many phishing emails contain spelling mistakes, grammatical errors, or awkward language. Be cautious if the email appears unprofessional in its writing style.
  • Avoid Unexpected Attachments: Do not download attachments from unknown or unexpected sources. Malicious attachments can contain viruses or computer malware.
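The sender-domain, link-target and attachment checks above can be automated. The following is an added example, not code from the original post; TRUSTED_DOMAIN, the sample message and every domain in it are constructed assumptions, and the link extractor is a deliberately simplified regex rather than a full HTML parser.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # constructed: the domain the sender claims to represent

# Constructed phishing sample: a lookalike sender domain, and a link whose visible
# text ("accounts.example.com") differs from where the href really goes.
SAMPLE_EMAIL = """\
From: "Example Security" <alerts@examp1e.com>
Subject: Security alert: change your password
Content-Type: text/html; charset="utf-8"

<p>Unusual sign-in. Reset now: <a href="https://accounts.examp1e.com/reset">accounts.example.com</a></p>
"""

# Simplified extractor of (href, visible text) pairs: what hovering over a link reveals.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    """Lower-cased hostname of a URL, or of bare text like 'accounts.example.com'."""
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()

def check_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Check 1: the sender address must use the official domain, not a lookalike.
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if sender_domain != trusted_domain:
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    # Check 2: compare the destination the reader sees with the real link target.
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        shown = _host(text) if "." in text and " " not in text else ""
        target = _host(href)
        if shown and shown != target:
            findings.append(f"link shows {shown!r} but goes to {target!r}")
        elif target != trusted_domain and not target.endswith("." + trusted_domain):
            findings.append(f"link goes to external host {target!r}")
    # Check 3: attachments the reader was not expecting.
    findings += [f"unexpected attachment {p.get_filename()!r}" for p in msg.iter_attachments()]
    return findings
```

Running check_message(SAMPLE_EMAIL) reports both the lookalike sender domain and the mismatch between the link's visible text and its real target; the same message with the lookalike domain corrected produces no findings.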

4. Create Awareness:

Individuals and companies can create awareness of social engineering by conducting regular training sessions that educate employees about the common tactics used by social engineers, such as phishing emails, pretexting, baiting and the other techniques mentioned above. These sessions should emphasize the importance of verifying requests for sensitive information, recognizing suspicious behavior, and adhering to security policies.