Social Engineering

Social engineering, in the context of information security, is the psychological manipulation of people into revealing confidential information or performing specific actions. Unlike general psychological manipulation, social engineering can result in mutually beneficial outcomes, and it is often one step in a more elaborate fraud scheme rather than the whole attack. Experts predict it will be a significant challenge in the coming decade, increasing the need for better detection methods and cybersecurity education.

Techniques and Terms
All social engineering techniques exploit cognitive biases, the predictable weaknesses in human decision-making. Some common examples:

Pretexting (Blagging): Creating an elaborate, invented scenario (the "pretext") to trick a victim into divulging information or taking action. This often involves prior research and impersonation to establish legitimacy.

  • For example: A con artist impersonates a high-level executive from a company's financial services partner. They call an employee in the accounting department, claiming that an urgent and sensitive wire transfer needs to be completed and that they have the authority to bypass standard protocols. They provide a fake authorization code and other details, convincing the employee to execute the fraudulent transfer.

Water Holing: Targeting users on websites they frequently visit and trust. Attackers compromise these trusted sites to set traps, knowing users are less cautious in familiar environments.

  • For example: Hackers compromise a website that is a popular resource for employees of a specific corporation. They embed malicious code on the site that automatically infects the computers of anyone visiting it, especially those coming from the corporation's IP addresses, thereby gaining a foothold in the company's network.

Baiting: Similar to a real-world Trojan horse, this technique uses physical media like malware-infected USB drives or CDs left in public places, relying on victims' curiosity or greed. These "road apples" are often given enticing labels to encourage insertion into a computer.

  • For example: An employee finds a USB drive in the company parking lot labeled "Confidential Employee Bonuses." The employee's curiosity leads them to plug the drive into their work computer, which then secretly installs malware that provides the attacker with remote access to the company's network.

Quid Pro Quo: An attacker offers something in return for a favor, such as providing "free IT help" in exchange for login credentials.

  • For example: An attacker poses as a help desk technician and calls a random employee. They claim to be conducting a routine system upgrade and offer to "help" the employee by guiding them through the process. The attacker then asks for the employee's username and password, promising that it's a necessary step to complete the upgrade, and a new password will be issued afterward.

Scareware: Bombarding victims with fake threats and alerts to convince them their system is infected, pressuring them into installing malicious software or paying a ransom.

  • For example: While browsing online, a user receives a pop-up window that flashes and blares an alert, claiming, "Your computer has been infected with a virus! Click here to download a free scanner." The user clicks the link in a panic, and the "scanner" they download is actually a malicious program that locks their files and demands a ransom to decrypt them.

Tailgating (Piggybacking): An attacker physically follows an authorized person into a restricted area, often by pretending to be someone with legitimate access (e.g., a delivery person) and asking the authorized person to hold the door.

  • For example: An attacker, dressed in a delivery uniform with a few boxes in their hands, waits near the secured entrance to a data center. When an employee scans their badge and opens the door, the attacker calls out, "Hey, can you grab this for me?" or simply gestures with their full hands, prompting the employee to hold the door open out of politeness, allowing the attacker to slip in without being challenged.
Notable Social Engineering Incidents

  • 2017 Equifax Breach Help Websites: Following a major data breach, attackers created numerous malicious websites with slightly altered URLs to trick victims seeking help into providing sensitive information.

  • 2017 Google and Facebook Phishing Emails: A fraudster successfully impersonated a hardware supplier, scamming Google and Facebook out of $100 million over two years through false invoices.

  • 2016 United States Elections Leaks: Russian military intelligence used phishing emails disguised as Google alerts to compromise the accounts of Hillary Clinton's campaign members, leading to the leak of private emails and documents.

  • 2015 Ubiquiti Networks Scam: The company lost nearly $47 million when attackers sent phishing emails to their accounting department, instructing them to change payment account details.

  • 2014 Sony Pictures Leak: A hacker group, likely linked to North Korea, used phishing to install malware on employees' computers, leading to the leak of confidential data, including emails and personal information.

  • 2013 Department of Labor Watering Hole Attack: A U.S. Department of Labor server was compromised and used to host malware, redirecting visitors to a site that exploited a zero-day vulnerability to install a remote access trojan.

  • 2011 RSA SecurID Phishing Attack: Hackers infiltrated RSA through phishing emails containing a zero-day Flash exploit, gaining access to SecurID two-factor authentication data, which they later used to attempt to infiltrate Lockheed Martin's network.