Copyright © 2024 Global Cyber Alliance
What is social engineering and why should we care?
Social engineering is defined as “any act that influences a person to take an action that may or may not be in his or her best interests.”[1]
Attackers can use influence and manipulation techniques to gain access to sensitive information or to deliver a malicious piece of software (a payload). 98% of cyber attacks rely on social engineering, and 43% of recent attacks on small businesses were executed using phishing or another social engineering attack route (vector).[2]
There are four primary social engineering attack vectors:
- Phishing – Malicious emails that pretend to be from reputable sources.
- SMiShing – Phishing via text or SMS.
- Vishing – Voice phishing, using a phone or VoIP (Voice over Internet Protocol) software.
- Impersonation – The physical impersonation of someone who can be trusted.
The first three of these vectors are the most common, but it is important to be aware of the risks posed by all four. Attackers tend to follow a similar pattern when carrying out a social engineering engagement (attack), and this pattern can be summarised into several key stages. Understanding the process an attacker is likely to follow helps us address and mitigate the risk of attacks against individuals and organisations such as small businesses.
A social engineering attack
These are the five key stages of a social engineering engagement.[3] I will briefly explain each of these and how the risks might be mitigated.
- Open Source Intelligence (OSINT) / Intelligence Gathering
- Pretext Development
- Attack Plan
- Attack Launch
- Compromise
An attacker will almost always start by gathering as much information as possible about an individual or the wider organisation. This helps them later develop a strong pretext for one of the attack vectors, so it is important to limit personal and commercial online visibility wherever possible.
From a business marketing perspective, limiting commercial online visibility is understandably counterproductive. It is therefore important to instead ensure that internal policies, organisational structure, and business processes are kept private. An attacker can use this sort of information to present themselves as knowledgeable when communicating with staff, which helps them build trust.
Attackers will often seek out very personal information to exploit. By restricting our online presence and tightening the privacy settings of our social media profiles, we reduce the risk of an attacker uncovering something they could use against us.
Pretexting is “the practice of presenting oneself as someone else in order to obtain private information.”[4] I often like to think of the pretext as the “superhero backstory” for a social engineering engagement.
An attacker will use what they have learnt during the intelligence gathering stage to develop a pretext they believe an individual or group of individuals is likely to fall for. Social engineering, at its core, is built on psychological principles such as tribe mentality, quid pro quo, and concession. An attacker can use these concepts to build trust in what they are saying and asking for during the attack.
Once an attacker has prepared their pretext they will plan out the next stages of the attack. From the intelligence gathered, they will work out which of the attack vectors would have the highest likelihood of success against their target(s).
In the final stages of the engagement the attacker launches the attack, whether by sending the phishing or smishing message, by calling a number they have found for a vishing attack, or by physically visiting a business's office for an impersonation attack. If the pretext is strong, these attacks are likely to succeed and the payload will be delivered, whether to start a ransomware attack or to install spyware and exfiltrate (steal) data.
Fundamentally, it is very difficult to prevent a highly motivated and sophisticated social engineer from eventually gaining access to whatever they are seeking. However, by building awareness and educating those who are at risk, we can reduce the likelihood of any individual attack being successful.
How to mitigate the risks of a social engineering attack
The most critical stage for an attacker is intelligence gathering, and it is also the stage that is easiest to defend. As a business, you can introduce policies to help prevent attackers from learning about the internal workings of your organisation. It is highly recommended that you advise employees on, and limit, what they can share about their roles and the company on all social media.
Attackers often have the most success when using personal information about an individual. It is recommended that you and your colleagues secure your private social media accounts and check that their privacy settings are configured so they do not leak personal information. Always be aware of what you share online and consider how it could be used against you if it became publicly available.
It is also important to educate and build awareness about the risks of attack vectors like phishing. Have a look at our toolbox titled “Preventing Phishing and Malware” for more advice in this area. Our recent blog post, Cyber Threat: Phishing and Ransomware – Risk and Mitigation Tips for Small Businesses, covers mitigating the risks of phishing and ransomware in greater detail.
The author Edward S is on a four-week work experience placement with GCA.
Bibliography:
[1], [3], [4] Christopher Hadnagy, “Social Engineering: The Science of Human Hacking”. [3] is adapted from the “Social Engineering Pyramid”.
[2] https://purplesec.us/resources/cyber-security-statistics/