The term Social Engineering is used a great deal within the cyber security industry, and because it covers such a broad range of malicious acts it has lost some of its precision, leaving many users unsure what actually counts as a social engineering attack and what that means for them.
In this article we give a full overview of the social engineering threat: the definition of the term, the step-by-step process of a typical attack, the specific techniques that fall under this broad heading, and finally tips for prevention and remediation.
What is Social Engineering?
Social Engineering can be summarised as an attack that gains unauthorised access, data, funds or more by manipulating people rather than exploiting technology.
This means that, instead of cracking passwords or breaking through firewalls, social engineering attackers exploit human weaknesses such as trust, habit and emotional responses, tricking the victim into visiting a spoofed website, opening malicious content, or even transferring funds directly.
As an example, we have outlined below how a traditional attacker might try to access a specific organisation/user's password, compared to how a social engineering attacker would approach a target with the same goal.
A brute-force attack tries candidate passwords until it finds the right one, which can take weeks or months depending on the length and complexity of the password. Distributing the work across a botnet speeds this up, but the attack remains slow and noisy: rate limiting and account lockout throttle online guessing, and a long, unique password keeps the search space impractically large.
With social engineering, attackers use manipulation tactics such as impersonation or intimidation to make the user hand over the password themselves, knowingly or unknowingly, taking all of the work off the criminal.
Below is an example of a social engineering email aiming to gather login credentials:
The Step-by-Step Process
Common Social Engineering Techniques
Social engineering attacks use a range of techniques depending on the goal of the campaign. Below are some of the most common techniques seen over the email vector specifically.
Chances are you're already familiar with Phishing, but many users don't realise that it falls under the social engineering umbrella. Phishing is by far the most common social engineering tactic: it impersonates known brands or other trusted senders to establish a sense of trust with the recipient, then uses urgency and curiosity to guide the user into clicking a link to a malicious website or opening an attachment that carries a malicious payload.
Spear Phishing is the highly targeted version of phishing, focusing on a single target within a specific organisation rather than bulk-sending campaigns. This pinpoint targeting lets attackers craft far more personalised messages, impersonating colleagues and partner companies, referencing ongoing financial deals, and so on.
Like Phishing, Baiting attacks often impersonate brands the public is familiar with. The detail that separates the two approaches is that Baiting guides the recipient into an action through false promises of a reward, rather than relying on urgency or mimicking the target's everyday communications.
A classic example is an email appearing to come from The National Lottery, informing the recipient that they have won a large sum of money and need only follow a link to claim the prize.
With Pretexting campaigns, attackers gather the information they want through patience and a well-crafted story. Unlike the previous examples, this technique rarely relies on impersonating well-known brands; instead the attacker poses as a client, a customer, or an employee of a partner company. They won't push for any action in their first message, but take time building a relationship through casual conversation and minor made-up requests, so that no immediate suspicion is raised.
Only when the attacker feels they have truly gained the user's trust will they ask for something: an attacker impersonating a client may request 'their own' confidential data that the target company holds, while one impersonating a partner company might ask for a payment to be made or a relevant database to be sent over.
Preventing Social Engineering with Barracuda
Social engineering attacks can evade traditional email security solutions quite easily because of their subtle approach: the message itself is usually only slightly suspicious, with none of the obvious red flags such as a malicious payload or a link to a known criminal domain.
Barracuda Sentinel stands out from other inbox defence solutions by using AI to learn a company's unique communication patterns, so that it can detect behavioural anomalies. For example, it might flag an email from an employee because it contains a request that is unusual for that individual, or an email from Microsoft because it includes a hyperlink to a domain not normally associated with that company.
Because it learns continuously, Sentinel keeps pace with the quickly evolving threat landscape, and it protects against threats beyond social engineering, such as account takeover and domain fraud.
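To make the phishing traits described above concrete (a display name that borrows a brand's identity while the sending domain does not belong to that brand, link text that shows one domain while the href points somewhere else, and urgency language), the following script runs a few of those checks over a message. It is an added example written for this article and is not Barracuda's or Sentinel's code; the `BRAND_DOMAINS` allow-list and the two sample messages are constructed for the demonstration and are not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains an impersonated brand really sends from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify now|act now)\b", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host part of a URL, or of bare text such as 'login.microsoft.com'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(raw_message):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]

    # 1. Display-name impersonation: the name says "Microsoft", the domain does not.
    for brand in claimed:
        if not _in_domains(sender_host, BRAND_DOMAINS[brand]):
            findings.append(f"display name claims '{brand}' but sender domain is {sender_host}")

    # Collect the text/plain and text/html parts (a single-part message walks as itself).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")

    # 2. Link text shows one domain but the href goes elsewhere;
    # 3. mail claiming a brand links to a domain that brand does not use.
    parser = _LinkParser()
    parser.feed(body)
    for href, label in parser.links:
        href_host = host_of(href)
        label_host = host_of(label) if re.search(r"\w\.\w{2,}", label) else ""
        if label_host and label_host != href_host:
            findings.append(f"link text shows {label_host} but points to {href_host}")
        for brand in claimed:
            if href_host and not _in_domains(href_host, BRAND_DOMAINS[brand]):
                findings.append(f"'{brand}' mail links to {href_host}, an off-brand domain")

    # 4. Urgency language, the lever phishing uses to short-circuit scrutiny.
    hits = sorted({m.lower() for m in URGENCY.findall(body)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the demo (not real mail).
PHISHING_SAMPLE = "\n".join([
    "From: Microsoft Account Team <security@m1crosoft-support.example>",
    "To: victim@example.org",
    "Subject: Unusual sign-in activity",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>We detected unusual sign-in activity. Verify now within 24 hours",
    "or your account will be suspended.</p>",
    '<p><a href="http://login.m1crosoft-support.example/verify">'
    "https://login.microsoft.com/</a></p>",
])
LEGIT_SAMPLE = "\n".join([
    "From: Microsoft account team <noreply@accountprotection.microsoft.com>",
    "To: victim@example.org",
    "Subject: Your monthly activity summary",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>Here is your monthly account activity summary.</p>",
    '<p><a href="https://account.microsoft.com/activity">'
    "https://account.microsoft.com/activity</a></p>",
])

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, analyse(sample) or ["no findings"])
```

Each check on its own is weak (a legitimate newsletter can be urgent, and a brand may send from a domain missing from the allow-list), which is why a product like the one described above scores many such signals against what is normal for a given sender rather than blocking on any single one. The `host_of` helper deliberately compares whole hostnames against a suffix allow-list instead of trying to extract a "registered domain", since that needs a public-suffix list to get right.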