Sage Advice - Cybersecurity Blog

Why We’re Vulnerable to Social Engineering Attacks

why-we-are-vulnerable-social-engineering.jpgTechnology is not enough to keep you cyber secure.  You must also consider the human element.  Your employees are an important first line of defense against a cyber-attack.  Unfortunately, they are also your weakest link.  Some of the most highly publicized data breaches over the last several years, including Target and Anthem, were the result of a successful social engineering attack.

So, what is social engineering?  In essence, it’s a con job.  The con man, or social engineer, acquires sensitive information or inappropriate access privileges by building a trusted or intimidating relationship with an insider.  The sign of a truly successful social engineer is that they receive information – or get the person to do what they want them to do – without raising any suspicion.   

It’s human nature that makes us so vulnerable.  The three common psychological traits that help social engineers succeed are:

  • Our desire to be helpful.
  • Our tendency to trust people we don’t know.
  • Our fear of getting into trouble.

These key motivators are present in each of us to varying degrees.  Even those of us who feel we aren’t necessarily trusting by nature, if someone has the right story, the right voice, the right speech pattern, the right body language, etc. we can still be fooled.  It’s really all about the social engineer’s ability to create confidence – confidence that they are who they say they are, and they are legitimately seeking information.

A social engineer uses some of the same techniques that con men use to defraud people:

  1. Respect for Authority: The social engineer exploits respect for or fear of authority.
  2. Chance of Ingratiation – a Reward: The target is led to believe that doing what’s asked of them (like clicking a link in an email) will enhance their chances of receiving a benefit.
  3. Moral Duty: The target is encouraged to act out of a sense of moral duty or moral outrage.
  4. Guilt: The social engineer creates situations designed to manipulate empathy and create sympathy.
  5. Desire to Please: The social engineer relies on the natural instinct to be helpful.  

At the end of the day, the job of a social engineer is to figure out their target’s biggest weakness and take advantage of it.  For example, people in a customer service role typically have the characteristics of someone who wants to be helpful, and can be exploited in this way. 

Here are some common attack vectors and delivery channels social engineer’s use.

Email Phishing Attack

In this scenario a fraudulent email posing as a legitimate business or service is sent, and includes a link to a website where they are asked to update personal information, such as passwords, credit card numbers, etc.  This is also a common method for installing malware. 

Vendor Spoofing

A social engineer poses as a vendor on a service call to try to get access to information and systems in this scenario.  To be successful, it typically requires up-front research to create a plausible story behind the reason for the visit.  Information can be gathered either through pre-texting phone calls or web resources, such as the company’s webpage or the LinkedIn profiles of employees.

Information Technology / Information Security Spoofing

Here, a social engineer poses as a member of the company’s internal IT or IS department staff.  They call an employee and try to get them to follow some sort of instructions, usually run a command on their network or provide password information.  This is popular because people are used to following directions of an IT professional.

Website Spoofing

This scenario involves creating a phony website that appears to be legitimate.  The social engineer downloads all the elements of a well-known vendor’s website and registers a deceptively similar URL name.  Then they make the site live, send out a phishing email, and the unsuspecting recipient doesn’t recognize that something is off.

Phone Spoofing

This is a very easy practice where you use a service that changes the phone number being displayed on the recipient’s caller ID.  It tricks people into believing the social engineer is who they say they are. 

A successful social engineering attack in remarkably easy to execute.  A common attack could go something like this…

I call an organization posing as a new employee working remotely.  I pretend to be a little timid because I can’t log-in.  I don’t know my credentials.  I ask the target if they will give me the extension for our IT department.  Then the friendly person, just wanting to be helpful to a fellow employee, gives me the extension.  My next move is to call back through the phone spoofing server – and instead of my real phone number identified on their caller ID, their IT department’s internal extension is shown.  This immediately establishes a level of trust with the person answering, and they are likely to follow my instructions. 

Cybersecurity awareness training, including tips and technique to defend against social engineering attacks, should be a part of your organization’s cybersecurity strategy.  Your people are an important first-line of defense against an incident, and it's your responsibility to make sure they are prepared.

Free Download: Ransomware Survival Guide

We’ve all seen the headlines. Ransomware attacks are escalating. It’s essential that your organization has the proper controls in place to defend your organization against an attack.  But defense strategies are not enough. With some ransomware strains touting success rates of 40% or higher, it’s even more important that your organization is prepared to confidently respond to, and survive, a ransomware attack. Download our Ransomware Survival Guide to arm yourself with the knowledge you need to defend against and prepare for an attack.

Go to Download


Topics: Social Engineering, Cybersecurity Culture

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More