
A practical guide to understanding social engineering attacks

Social engineering attacks exploit a multitude of vectors

There are movie tunes that have become so widespread in the collective imagination that one can recognize them even without having seen the film they belong to. That is the case of the main theme of The Sting, a Hollywood classic that perfectly portrayed how social engineering worked in the pre-digital era: the story of a gang of swindlers orchestrating an elaborate scheme to, as the title suggests, pull off a heist and get rich. The spread of the Internet into every area of our lives has taken social engineering attacks to a much greater level of complexity and scope.

Classic scams have given way to equally or more sophisticated techniques that combine knowledge of psychology and sociology with the use of digital technologies. A set of strategies that have little to do with magic tricks and a lot to do with knowledge of human behavior and how the digital world works.

Throughout this practical guide, we will address the keys to understanding what they are, how they work, and how we can protect ourselves with social engineering services.

1. What is social engineering?

The National Cybersecurity Institute (INCIBE) defines social engineering as «a technique used by cybercriminals to gain the user’s trust and get them to do something under their manipulation and deception». That something can take the form of providing personal data such as passwords or bank accounts or running a malicious program on a personal device.

Criminals use digital devices as the channel through which they reach their victims: cell phones (via calls, SMS, email or social networks), personal computers, tablets, pen drives…

But beyond the technological side, which is fundamental, especially in those social engineering attacks that rely on malicious software, the human factor is the cornerstone of these cyber crimes, unlike other crimes whose complexity is mainly technical.

2. The age-old art of manipulation

Manipulation is at the foundation of civilization. There are multiple stories of manipulation and deception in Greco-Latin mythology. Gods manipulating each other. Naive mortals trying to trick the gods to get benefits in return. And failing miserably.

One of the most referenced political-sociological works in history, Machiavelli’s The Prince, also revolves around the art of manipulation. Such has been its impact that the adjective Machiavellian serves to perfectly categorize social engineering attacks.

When it comes to this type of cyber-attack, the important thing is not so much the who, i.e. the cybercriminals hiding on the other side of the devices, but the whom (the targets), the how, and the what for.

3. Users are the weak link

Breaching a well-built cybersecurity system is a daunting task that requires technical expertise of enormous magnitude, since the system has been designed by professionals who know what they are doing. Even to breach a precarious cyber protection system, a high technical qualification is necessary.

This is why social engineering attacks change the approach to cybercrime. It is not the fortresses that need to be attacked, but the people behind them, so that they open the gates of the citadel from within.

Let’s turn again to the Greco-Latin past. Few stories are more famous than that of the Trojan Horse. The Greeks built a giant wooden horse and hid warriors inside it. They then offered it as a gift of peace to the Trojans, with whom they had been at war for a decade. Once the horse had been brought inside the impassable walls of Troy, the attack was lethal. Such is the impact of this story on our culture that in the field of cybersecurity a very widespread type of malware was baptized as Trojans.

Almost everything was invented centuries ago. The guiding principles of manipulation that made sense in ancient times are still valid in the global, digital world. Only the techniques and channels have changed, adapting to and enriched by scientific and technological advances, especially in recent years.

4. Psychology, sociology, and communication in the digital age

If social engineering attacks are based on the idea that in the digital world the weak link is people and not the machines, bots, and algorithms that sustain it, psychology and sociology must occupy a prominent place in their design and implementation.

This clashes, from the outset, with the conception, installed in public opinion, about cybercrime. Behind cybercrime, we imagine crackers with great computer skills, capable of hacking networks and devices.

Social engineering attacks, on the other hand, rely to a large extent on a precise study of the victim in specific cases, or of the target group when the attack is aimed at a wider public.

This requires knowledge of psychology, sociology, and communication. These three areas of knowledge allow us to understand how the victim thinks, how people behave in different scenarios and how best to communicate with us so that we fall into the trap.

The key lies in knowing, in advance, people’s patterns of behavior and reactions to certain issues. How do people respond when they receive a message from their electricity company announcing that they are going to be cut off because they don’t have their bank details? Although many people detect fraud, there will be others who panic and make the mistake of clicking on the link to fill in their information.

5. Perfect victims and digital literacy

One of the main indicators for measuring a country’s progress is its literacy rate. In the most developed countries, the literacy of the population is total, since, for several decades, compulsory education has ensured that all children can read and write.

This progress has been enormous and has had an immense social, economic and cultural impact. But in today’s times, it is also essential to make people digitally literate. In other words, teaching them to use the new information technologies and to move freely through the digital world.

In this regard, the problem does not lie in child literacy; today’s children and adolescents are already digital natives. Previous generations (millennials, X…) have often become digitally literate in a self-taught way, driven by work and personal needs. The big problem lies in older people, who in many cases have not had to use digital technologies to work and who have a complicated relationship with the devices and the many advances that have occurred and continue to occur.

Precisely these people are the perfect victims of social engineering, since it is more difficult for them to discern which messages are lawful and which are not. Knowing whether an SMS that arrives from an account claiming to be their bank is real or, on the other hand, is the gateway to fraud and theft of money from their current account.

Therefore, dealing with social engineering attacks involves taking into account that many of them seek to take advantage of the digital literacy problems of older people. Someone who is used to moving around the Internet can detect at a glance that an email announcing that they have won a prize is a fraud, but someone who has not read about this type of abuse, nor received dozens of them, can fall into the trap.

6. The crime scene: social networks and communication channels

Rope, the iconic film by Alfred Hitchcock, the master of mystery, was shot to look like a single continuous take on a single set: the crime scene. In the case of social engineering attacks, that set is as vast as the Internet itself.

Attacks can be committed through social networks. An Instagram story, a tweet, a direct message on Facebook. But also through instant messaging applications, such as WhatsApp or Telegram, where malicious messages or chains can reach us. Or phone calls and SMS. But, above all, through email. A communication tool both on a personal and, above all, professional and business level. An email can be the perfect gateway to breach personal and business data.

Cyber scams have therefore multiplied the channels of access to potential victims compared to the pre-digital era. This means that people have to be constantly alert to the messages that reach them, even when they think they are safe from any risk.

As in Hitchcock’s thriller, it is not only the setting that matters but also the preparation. Cybercriminals don’t simply put together a message; they must have anticipated people’s possible reactions and, therefore, how the scenario may shift. It is not the same whether the person falls for the scam right away or is reluctant, or whether their behavior swings between credulity and distrust.

Credential theft is one of the most frequent social engineering attacks

7. The targets of social engineering attacks

We have analyzed how technology and the study of behavioral patterns combine to construct social engineering attacks, which are the most common victims and how the scenarios work. But what is it all for? What are the objectives of these attacks? To get people to perform a certain action.

7.1 Execute a malicious program

The most technically advanced social engineering attacks can aim to execute a malicious program to control a certain device or intrude into an entire network. There are many malware techniques, such as the Trojans mentioned above or worm attacks.

In addition to technical preparation, the key lies in luring the victim to a link that opens the door to malware. A simple click can trigger a crisis.

Through these attacks, criminals can obtain all the information stored or accessible on the device. A wealth of valuable data that, if breached, can cause great damage to the person or company that is the victim of the malicious act.

This is why it is important, as we will point out below, to act with prudence and caution, even in the face of messages that, on the surface, appear trustworthy or innocuous.

7.2 Providing private keys

This objective is more closely linked to psychological manipulation, since it requires the person, of their own free will, to provide their private passwords. The password to their email account or access to their online banking. Key information that affects their privacy, their money, and even those of the company they work for.

Emails are not only the most used scenario to commit social engineering attacks, they are also one of the main targets to be breached. Why? Email is a door that opens many more doors. Obtaining the keys to enter an email account can allow a criminal to access a huge amount of personal and professional information that facilitates larger frauds. Hijacking business data, selling strategic information to competitors…

In the digital world, a person giving out their private passwords is similar to giving someone the keys to their house or car on a purely physical level. No matter how much you trust your insurance agent, you don’t just give him the keys to your house. So neither should you give keys to people who call or write, ostensibly on behalf of a company you are a customer of.

7.3 Carrying out fraudulent transactions

In addition to getting a person to voluntarily give away one of their many private keys, social engineering attacks can also get victims to carry out fraudulent transactions, such as buying an object or service that does not exist or sending money to an account expecting something in return. And even to donate money to a just social cause that is not real either.

Through these actions, criminals manage to commit economic fraud without the need to design malware, simply by posing as a legitimate business or organization.

In general terms, we can argue that, through these activities, the victims are making it easier for the attackers to achieve their goals, whether it is committing fraud, getting hold of confidential information, or intruding into a network.

8. How to proceed: how many contacts are needed?

As we have already pointed out, social engineering attacks are not homogeneous. Some objectives are more important than others, and the scenarios are diverse and, therefore, so are the procedures. To systematize these attacks in a way that makes it easier to understand them, we can group them according to the number of contacts between the criminals and their victims that are necessary.

8.1 Hunting

Social engineering hunting attacks are based on a single contact between the criminal and the person he is attacking. This means that:

  • The aim is to attack as many users as possible.
  • A general public or a specific target (e.g. the over-65s) is targeted, but not individual people who have been meticulously studied.
  • The design of the message is key since the success of the attack will depend on its ability to manipulate and deceive.
  • They do not require scenario planning based on the target’s response.
  • This approach is typical of types of attacks such as phishing or its derivatives.

Thus, hunting seeks to obtain the maximum benefit in a single attempt. For example, by sending mass emails or SMS to thousands of people. There is no communicative exchange between offender and victim because the relationship is unidirectional. It can therefore be used to direct a person to a malicious link but is less efficient if the objective is to obtain private keys or to get the potential victim to carry out a transaction.

8.2 Farming

The approach and development of farming attacks are different, since their execution involves several communications with the person being attacked. To be precise, as many contacts will be made as necessary to achieve the objective or, at least, to steal as much personal or business data as possible.

This type of attack is more complex to plan since it is necessary to think through the different scenarios that may occur during the communication process. Examples of farming include extortion using supposedly private information available to the attacker or impersonation of a legitimate company employee.

In these cases, the treatment of the potential victim may be more individualized. Criminals can learn information about the victim in advance, e.g. via social networks. And use this data to their advantage when designing the attack strategy.

This is why farming is an apt concept for this way of proceeding. Hunting is limited to launching the attack in a single attempt, whereas social engineering farming attacks consist of sowing (data collection, aggressive communications, etc.) and then reaping the rewards in the form of fraud and theft of money or information.

9. The phases of social engineering attacks

Although hunting and farming attacks differ in the way they proceed, as we have just pointed out, and there are multiple types of social engineering attacks, as we will discuss in the next section, we can systematize their execution by pointing out four main phases.

9.1 Information gathering

This first phase is strictly preparatory. In it, the criminals carry out a collection, as exhaustive as possible, of the victim’s data. Where he works, where he lives, who he associates with…

Here, social networks play a fundamental role, since they function, in many cases, as mirrors that reflect images of our lives. They include our friends, family, and, sometimes, our work colleagues. But also our interests and opinions. At some point, we even show our feelings. All this information can be the key to social engineering attacks and successful manipulation.

If the target of the attempted crime is a company, rather than a physical person, the attackers will try to collect as much information as possible about the workers, the functioning of the organization (hierarchy, work areas…), its suppliers (banks, electricity, telephone and internet providers…) and its spatial characteristics.

Collecting this information is useful for all types of social engineering attacks, since the higher the level of personalization, the easier it is for the victim to succumb to the attack. But, above all, it is essential for farming attacks, as it is part of that seeding process.

9.2 Building trust

After the preparatory phase has been completed, the actual attack can be launched. All types of social engineering attacks need to build trust in the first place. If that bond is not created, the person or organization targeted by the attack will not fall for the cyber scam.

Personalization, which we noted earlier, is a great help in building a relationship of trust. If a person pretending to be your banker calls you by name and gives you information about you or your accounts, you will not mistrust them.

Trust is also key in hunting attacks, since, if you get an email with a link, it must look genuine, otherwise the email will most likely be deleted without being clicked.

The more experienced the victim is in the digital world, the more effort must be made to build trust. If trying to gain access to a company employee’s computer, the attacker will have to have planned the alibi extremely well so that the employee trusts that he is who he claims to be. For example, a professional from the cybersecurity company the organization works with.

9.3 Manipulation of the person

With the information obtained in the previous two phases, the attacker will proceed to manipulate the victim to meet his objectives. The techniques are manifold, ranging from appealing to personal interests or human passions such as greed or desire, to instilling fear or respect, and may even resort to coercion.

It is at this stage that the psychological aspect and the study of behavioral patterns are most relevant. Manipulation is, as we said before, an art. It was in Troy and it is in the digital world.

9.4 End of the attack

On many occasions, individuals or organizations become aware that they have been victims of fraud when they discover that money is missing from their accounts or someone contacts them announcing that they have valuable information at their disposal.

But there are also cases in which the victims do not even discover that they are victims. When this happens, the attackers have managed to complete the attack, get the information they wanted, and at no time raise suspicions.

If they achieve this, not only will they have got away with it, but they will also be able to attack the person or organization again and thus make a greater profit.

The volume of social engineering attacks has been growing steadily in recent years

10. Ten types of social engineering attacks

Methods and phases help us to systematize how social engineering attacks work and to draw up a typology. As with everything in the field of cybersecurity, these types of malicious actions mutate and transform, as criminals need to innovate to achieve their goals. This is especially true if companies and individuals protect themselves against attacks. This list does not, therefore, cover all social engineering attacks, but some of the most common ones.

10.1 Phishing

This is the best known of all attacks that employ manipulation. Its name shows us, to a large extent, its essence: fishing for victims.

This type of social engineering attack operates in the style of hunting. To do so, it uses email, the work communication tool par excellence, as a channel and a stage.

Virus-infected attachments or links to fraudulent pages with malware are included in the email. The aim is to take control of the device on which the link or document was opened and steal confidential or valuable information from it.

Although phishing incorporates a sphere of manipulation, since the design of the email and the text contained in it must be credible and seductive, the key is in the technical element. That is, in the design and implementation of the malware.

When a potential victim is a powerful person or company, such actions are called whaling, playing on the concept of whales, the largest aquatic animal.

10.2 Spear phishing

Phishing is a generalist attack, i.e. it is not personalized to the potential victim. Spear phishing, on the other hand, is an evolution of phishing that does focus the content of the email on the specific person to be targeted to obtain, in turn, a specific type of information.

For example, an attacker can send a malicious email to all the people working in a company, to see if any of them fall for the trap and download the infected document or click on the link. But they can also target a specific employee, personalizing the message to build trust so that he or she unwittingly executes the malware.

Spear phishing emphasizes the preparation phase of the attack and the gathering of information beforehand. And it is especially useful if you want to access data from a specific department of an organization or data that is known to be accessible to very few people.

10.3 Smishing

This attack is also derived from phishing. In this case, instead of using e-mail as a medium, SMS is used.

Unlike email, an SMS cannot carry attachments, but the user can be redirected to a fraudulent website via a link or asked to call a premium rate number.

This type of social engineering attack has the advantage, for the attackers, that users tend to trust SMS messages more than e-mails. Criminals usually impersonate companies: for example, a supposed gas supplier redirects the user to a link to check their bill.
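As an added defender-side example (not code from the original guide or from Tarlogic), the following Python script triages constructed email and SMS samples for the indicators described in sections 10.1 to 10.3: a sender or link domain that does not belong to the brand the message claims to speak for, link text that hides a different destination, pressure language such as a supply cut-off, and a premium-rate callback number. The brand/domain table, the phrase list, the premium-rate prefixes and every sample message are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical brand -> legitimate domains table (constructed for this example).
KNOWN_BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "examplegas": {"examplegas.es"},
}
# Pressure phrases of the kind the guide describes (supply cut-off, suspension).
URGENCY_PHRASES = ("cut off", "suspended", "within 24 hours", "verify now", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Premium-rate callback numbers; constructed Spanish-style prefixes, adapt to the local numbering plan.
PREMIUM_RATE_RE = re.compile(r"\b(?:80[367]|905)\s?\d{6}\b")


@dataclass
class Message:
    channel: str                   # "email" or "sms"
    sender: str                    # From header (email) or sender id (sms)
    body: str
    html_links: list = field(default_factory=list)  # (anchor_text, href) pairs


def registrable_domain(host):
    """Last two labels of a host, e.g. 'www.examplebank.com' -> 'examplebank.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage(msg):
    """Return the list of indicators found; an empty list means none matched."""
    findings = []
    # Brands the message appears to speak for (named in the sender or the body).
    text = f"{msg.sender} {msg.body}".lower()
    brands = [b for b in KNOWN_BRAND_DOMAINS if b in text]

    # 1. Email sender domain does not belong to the brand the message claims.
    if msg.channel == "email" and "@" in msg.sender:
        sender_dom = registrable_domain(msg.sender.rsplit("@", 1)[1].rstrip(">").strip())
        for b in brands:
            if sender_dom not in KNOWN_BRAND_DOMAINS[b]:
                findings.append(f"sender domain {sender_dom} does not match claimed brand {b}")

    # 2. Any link (plain text or HTML href) leads outside the claimed brand.
    urls = URL_RE.findall(msg.body) + [href for _, href in msg.html_links]
    for url in urls:
        dom = registrable_domain(urlparse(url).hostname or "")
        for b in brands:
            if dom not in KNOWN_BRAND_DOMAINS[b]:
                findings.append(f"link to {dom} while claiming to be {b}")

    # 3. Displayed link text is itself a URL but the href goes elsewhere.
    for anchor, href in msg.html_links:
        if URL_RE.fullmatch(anchor.strip()):
            shown = registrable_domain(urlparse(anchor.strip()).hostname or "")
            real = registrable_domain(urlparse(href).hostname or "")
            if shown != real:
                findings.append(f"link text shows {shown} but goes to {real}")

    # 4. Pressure language that pushes the reader to act before thinking.
    hits = [p for p in URGENCY_PHRASES if p in msg.body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 5. SMS asking the reader to call a premium-rate number.
    if msg.channel == "sms" and PREMIUM_RATE_RE.search(msg.body):
        findings.append("premium-rate callback number")
    return findings


# Constructed sample messages; none of these senders, domains or numbers are real.
SAMPLES = {
    "legit_email": Message(
        "email", "ExampleBank <alerts@examplebank.com>",
        "Your monthly statement is available at https://www.examplebank.com/statements"),
    "phishing_email": Message(
        "email", "ExampleBank Security <security@examp1ebank-alerts.com>",
        "We detected unusual activity. Verify now or your account will be suspended.",
        [("https://www.examplebank.com/login", "http://examplebank.com.login-check.xyz/")]),
    "smishing_bill": Message(
        "sms", "ExampleGas",
        "ExampleGas: unpaid bill, supply will be cut off within 24 hours. "
        "Check your bill at http://examplegas-billing.net/pay"),
    "smishing_callback": Message(
        "sms", "+34600000000",
        "ExampleBank: your card has been suspended. Call 803 123456 to reactivate."),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", triage(sample) or ["no indicators"])
```

The checks are deliberately simple heuristics for awareness training and manual review; a mail gateway would combine them with authentication results (SPF, DKIM, DMARC) and reputation data.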

10.4 Vishing

If the previous one used SMS, this attack focuses on telephone calls. Thus, the offender pretends to be a worker of some kind of company or institution that generates trust in the victim. And, from there, he manipulates him to obtain a series of data such as private passwords, banking information, or other content of interest about him or the organization to which he belongs.

In these cases, manipulation is the key to the cyber scam. Hence, they require careful planning of the different responses to be given to the victim depending on what he or she says.

10.5 Baiting

Not all social engineering attacks occur through communication channels. Baiting consists of leaving bait, as in a hunt. This bait can be, for example, a flash drive containing malware. Thus, when a person comes across the storage device and connects it to his computer, the attacker will have achieved the same thing as with phishing.

In this case, the psychological side of the manipulation is minimal, since it is limited to choosing where to leave the device and exploiting the greed we all have inside us. A free flash drive? Why not?

10.6 Pretexting

As mentioned above, the first phase of an attack is the collection of information. Well, if this information is exhaustive, it can be used to carry out a pretexting attack.

This typology is completely different from the previous one; in this case, manipulation is fundamental. Thus, the attacker constructs, beforehand, a fictitious but credible story and scenario to get the victim to voluntarily provide him with all the information he wants to know.

The aggressor not only needs knowledge of psychology, but also of narratology and the construction of a story that provides reliability and, at the same time, is interesting. A story with a bitter ending for the listener or reader.

10.7 Quid pro quo

This Latin precept leaves little room for doubt. One thing for another. The attacker offers a prize or satisfaction to the victim in exchange for the victim giving him the information he needs, for example by filling in a form.

The prize, as in any good scam, does not exist, but the offender has already obtained the information he wanted. It may seem trivial; it does not have to be a password or a bank account number. But it will help the attacker to launch a more complex and ambitious attack.

10.8 Digital mules

Anyone who has ever seen a movie or series about drug trafficking knows what mules are. People who transport drugs from one place to another in exchange for money. The concept may seem foreign to the world of cybercrime, but that is not the case.

There is a type of attack that derives from the quid pro quo and can turn victims into unwitting money laundering cooperators.

Criminals offer users a way to make easy money without having to leave the couch. They only have to act as intermediaries, making a specific transfer to an account and receiving a commission in return, as if they were banks themselves.

The problem lies in the origin of the money they get back: drug trafficking, human trafficking, arms trafficking… They have acted as intermediaries in an operation to launder illegal money. This is not only immoral but can also be prosecuted.

10.9 Shoulder Surfing

With this attack, the offender does not get into the device but observes it from the outside, peering at the cell phones and computers of people around him and picking up information that may be useful to him, such as passwords for email or internal company platforms.

It’s not enough to be attentive to our screens, we must also make sure that no one else is.

10.10 Dumpster diving

The last type of attack that we are going to deal with in this practical guide also takes place in the physical world: dumpster diving.

In this case, the attacker does not monitor the screens, but approaches the company’s dumpsters and searches through the trash for documents containing personal, strategic, or financial data.

If he manages to obtain them, he can launch other types of social engineering attacks or directly extort money from the company or one of its employees.

11. How can you protect yourself against social engineering attacks?

At this point, it is time to think about how to prevent these criminal acts, or at least protect yourself against them.

11.1 Caution and awareness

It may seem obvious, but it is far from it: it is essential to be cautious. This advice applies to many areas of life (not all) and is certainly relevant when it comes to social engineering attacks. If a message or a call generates the slightest doubt in our minds, we should not click or download anything, nor give any personal or confidential information.

It’s not for nothing that the popular saying goes that «curiosity killed the cat». People are curious by nature and this characteristic is fantastic in many dimensions of our daily lives, but when it comes to protection against attacks it must be modulated with prudence.

Also key is the task of raising awareness that institutions and companies must carry out and that individuals must take on board. Social engineering attacks are dangerous because they can breach highly sensitive information for individuals, businesses, and administrations.

Just as we lock our car door to prevent it from being stolen, we must protect our devices and communication channels to prevent criminals from obtaining valuable data.

The digital world is real, and so are the problems that arise in it.

On the other hand, it is not enough just to warn of the dangers of social engineering, we must also train people to be prepared to deal with them, especially the most digitally deprived citizens.

11.2 Testing, analysis, and evaluation

Prudence and awareness are the driving principles that should guide individuals and businesses in their dealings with dangerous attacks, but obviously, an organization that is serious about protecting its information can do much more.

Tarlogic Security provides companies and institutions with a series of services that help to analyze, test, and evaluate the organization’s protection systems against social engineering attacks, as well as the behavior of its employees.

To this end, attacks are launched to show the vulnerabilities and strengths of the company and its staff in this area. The use of phishing, spear phishing, smishing, or vishing techniques makes it possible to know exactly what the behavioral patterns of employees are. The company can analyze them in-depth and, on that basis, assess what needs to be improved, pointing out which aspects need to be corrected.

With an accurate assessment of the situation, measures can be put in place to reduce the level of risk to a minimum and to raise awareness among the organization’s staff of the problems detected, to prevent them from occurring in the event of a real attack.

Thus, testing and analysis by specialists in cybersecurity and social engineering attacks become a key tool for optimizing protection against this type of malicious aggression.

No one is born knowing everything; no matter how smart a person is, he or she can also fall victim to a scam. The Trojan leaders were able to withstand a decade of siege, proving their knowledge and worth, yet succumbed to what appeared to be a gift. Assessment by professionals can reveal all the mistakes that can be made in protecting against an attack, and thus fix them before it’s too late.