Complete Social Engineering Guide

Social engineering is the act of using human flaws to manipulate them into giving up sensitive information. This is a technique used by cyber criminals using the human psychology rather than a technical approach to gain access to systems, buildings or data.

Social engineering was around for quite a long time even before computers were invented.

So how is it related with cyber security?

Cyber criminals started seeing that it’s much easier to manipulate human emotions and reactions rather than directly attacking the technology.

In the digital age we live in now, there is a lot of encryption and security involved which makes it almost impossible to crack an intercepted encrypted message (we will talk about encryption a bit later).

Imagine that a group of robbers wants to gain access to a safe but it’s impossible to break in. Plan B is to ‘convince’ the owner of the safe to willingly give the codes to open the safe.

Same concept is used in cybersecurity. Here’s an example.

Imagine you want to access a computer network of “ABC Company”. First you will try to find the software flaws and if there’s none (or if it’s too difficult), you go to plan B (this is where social engineering comes). You will pose as a technical support person and trick an employee to let you inside the company and to their computers which gives you direct access to their networks.

This seems too easy. There have been many cases where hackers had infiltrated companies using similar techniques. Most of the attack was based on tricking the human brain. So what are the “human flaws” that hackers manipulate in social engineering?

“Bugs in the human hardware”

All social engineering techniques targets the human decision-making attributes and are exploited in various combinations to attack a victim. Most of social engineering techniques are used to steal confidential information from people.

There are many flaws when we make decision but there are six key attributes that are used for social engineering. The 6 principles of influence was established by psychiatrist Robert Cialdini. They are as follows:

• Reciprocity
• Commitment and consistency
• Social proof
• Authority
• Liking
• Scarcity

1.   Reciprocity

In social psychology, this is a social norm of responding to a positive action with another positive action. People are wired to return a favor. A common place to see this tactic being used is in marketing. In supermarkets the free samples are a good example.

Another example is Ethiopia providing aid to Mexico after the 1985 earthquake despite the fact that Ethiopia was suffering from civil war and famine at the time. This was a way to repay Mexico for the diplomatic support they got in 1935 when Italy invaded Ethiopia.

In cyber security this is being used when an attacker is in some way generous or being thoughtful, the victims feel like providing special access or overlook some things.

2.   Commitment and Consistency

Humans are wired in such a way that if we commit to something, we are more likely to honor that commitment. It doesn’t matter if it’s orally or a written agreement we tend to keep it even if the original motivation is removed after the agreement.

This is a powerful influence on our behavior because it reflects back to our self-image. A common tactic used in social engineering is to ask for small requests then building up for a huge favor. This builds trust between the victim and the attacker making it easier to exploit them.

A real life example for commitment and consistency can be seen in online marketing where popups show up on sites saying “I’ll sign up later”.

3.   Social Proof

There’s a saying “don’t go with the flow” which was said based on people doing things based on other people doing the same thing. Let me share some examples:

An experiment was held where a person looking at the sky and pointing on the sidewalk where a lot of bystanders joined him and joined him. Check it out here.

In the disco age, the owners will unnecessarily make a big line outside of the club even though there was plenty of room inside. This tactic drove in more people to come.

Politicians frequently emphasize on the popularity and overstate their winning margins (their lying btw) which convinces the people to vote for them.

4.   Authority

People tend to respect and obey authority figures even if they ask to perform objectionable actions. A famous ransomware attack occurred where people got their files encrypted and were notified to pay a fee to the FBI to retrieve their data.

It’s more likely that a person would respond to a call from a bank or government agency without hesitation and this is widely used within the cyber criminals.

5.   Liking

People are easily persuaded by other people whom they like. In marketing this is also used, where companies use famous people to sell their product. People were more likely to buy it if they liked the person selling the product.

In the case of cyber-crime, an attacker can go through your social media and quickly grasp what are the things you like (if you have a very active social media presence). After gathering the information they can contact you as the person/brand requesting you to take an action.

6.   Scarcity

Scarcity will generate very high demand because everyone wants to get the best deal or to be unique from everyone else. For example if there’s a specific unique item but there’s only 30 in the whole world. People would want to get their hands on that as fast as possible.

Another example would be a special offer like black Friday where there are huge discounts for products and people wants to get their hands on them.

All the mentioned tactics are being used in social engineering in order to persuade a person to give up confidential information. The most common types of social engineering attacks usually take place over the telephone, social media and emails.

Another aspect of social engineering is when a criminal will physically pose as a technician, exterminator or tech support to get into companies and steal their data.

Have a read at this article, where a security expert easily gets access to a company by going through an employee’s social media, buying a $4 Cisco shirt from a thrift shop, uses social engineering techniques and got access to a lot of sensitive data.

Types of scams based on social engineering

There are many ways to measure scams, but most are measured from the number of people affected and the amount of money being scammed. Here are the top 5 scams that used social engineering:

1.   Debt Collection

Most complaints under this scam involves debt collectors where the victims receive calls from harassing collectors who threaten and repeatedly call attempting to collect a debt. This includes but not limited to credit/debit card fees, pay day loans and unauthorized use of credit/debit cards.

2.   Fake Government officials

If you received an email, letter or phone call from a government agency (like the IRS) instructing you to wire Western Union or MoneyGram money someplace or follow some link to enter information, it’s a scam! No government will never instruct people to carry out financial transactions using these methods.

There are a lot of videos on YouTube where people are prank calling these scammers and it’s hilarious.

3.   Identity Theft and Phishing

Very common type of scam where the attackers gain access to your sensitive information like social security numbers, date of birth which are then used to apply for loans, credit cards and financial accounts. Also by collecting personal information, the scammers will impersonate you on social media and other sites.

Phishing usually happens via emails where a victim receives an email which appears to come from a trusted source. These emails will have links or attachments which will request the victim to update existing account information. But those websites and emails are fake.

4.   Phone scams

Scammers will call people pretending to be from banks, government officials or credit card companies. Will request your personal information and request a payments to be done. These people are really persuasive and an example of this type of scam is the “your Microsoft license key has expired” among many others.

5.   Fake prizes, free gifts and fake lotteries

Have you ever received an email claiming that you won a prize, lottery or gift and you will have it if you paid a “small fee” or the delivery charges? Well I certainly have experienced that. These scammers will use genuine companies and brands to persuade the victim.

Usually a lottery scam will take the form as follows. First you will receive an email saying that you have entered a lottery and couple of hours later will receive a follow up email saying you won a huge amount of money. In order to claim the prize, you have to pay the “administrative fees”. No genuine lottery asks for money for paying any type of fees.

If you want to learn in depth about the types of scams that take place have a look at the top scams of 2020.

Scammers use social engineering techniques in order to gain access to your personal information. Here’s a list of potentially valuable information:

• Full name
• Email address
• Date of birth
• Ethnicity/Race
• Gender
• National ID / Social Security Number
• Passport Number
• Driver’s license number
• Vehicle registration plate number
• Location information
• Events attended
• Pictures
• Education and employment history
• Grades
• Job title
• Salary

Life cycle of a social engineer

1.   Information gathering

This is the first and most important step of carrying out a social engineered attack. This requires a lot of patience and keenly watching habits of the target. During this stage the attacker will gather all the information of the target which includes but not limited to:

• Personal information
• His/her interests
• Work details
• User credentials

And many more. The more information the attacker has on the victim, the higher the chance of the attack being successful. Here’s a complete list of Personally Identifiable Information.

This stage determines the success rate of the overall attack.

2.   Engaging with the victim

After gathering all the information the attacker will start opening up a conversation with the victim without the victim finding anything suspicious. Since there were enough background research, it’s easier to engage with the victim.

3.   Attack phase

This step is generally taking place after a period of time engaging with the target. During this time the needed information is retrieved by using social engineering techniques and builds a form of trust between the victim and the attacker.

However during this period the attacker is very subtle not to make anything look suspicious and spook the victim. After the attack is done the results will also be in effect during this stage.

4.   Ciao, Adios, Good-bye

The last step, where the attacker slowly ends the communications with the victim. He will shut down all communications with the victim with time but slowly without arising any suspicion in the victim.

This leads for the motive to be fulfilled as well as the victim to rarely know that the attack ever happened.

Why social Engineering?

Social Engineering techniques have become a really popular and successful method of exploiting victims in the recent years. In the early 2000s hackers would directly attack the technology due to the fact that there were many flaws on websites/software and the security was not as strong. Carrying out a brute force attack even by a simple hacker was possible back in the day.

However, Brute force attacks is not a go to option at this day and age.

Why?

Encryption is just too strong for this and it will take years to break. With time the technology has upgraded to such an extent where attacking it becomes almost impossible.

In 2015 FBI wanted to implement backdoors in iPhones so that they would be able to gain access to criminal’s phones but this was not implemented. Here’s a video where government officials are discussing about the encryption policy and a potential US policy.

The most common encryption algorithms are:

• Triple DES – Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease.
• RSA – This is a public-key encryption algorithm and the standard for encrypting data sent over the internet.
• Blowfish – Blowfish is yet another algorithm designed to replace DES.
• Twofish – The keys being used in this algorithm may be up to 256 bits in length and as a symmetric technique, only one key is needed.
• AES – The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

The most common encryption method we have on the internet is AES 256 bit encryption. For you to understand how this works have a look at this example:

As you can see above, the phrase “this is encryption” after encrypting with a 256 bit algorithm we get something completely jumbled up. If a hacker gets hold of the result there’s no way he’s going to decrypt it. Check out the site to have a hands on experience with AES encryptions.

Since encrypting algorithms got stronger and it became extremely hard to exploit the technology, the cyber criminals found a much easier way. Exploiting humans! This was much easier and the method of exploitation is by using social engineering techniques.

Countermeasures

Take a step back

Most attacks take place by making people to act first and think later. If you receive a message which conveys a sense of urgency or a high-pressure sales tactic, carefully review the urgent matter and respond accordingly.

Do a background check

If you are getting an email/message from a company that you’re currently using and it looks sketchy, be cautious. Do your own research by checking the company’s website or contact the company and double check the facts. It’s okay to be paranoid sometimes.

Don’t click on links on your email

Most email scam attacks happen from links. Don’t click on links on your email. Try to copy and paste the URL to your web browser and get to the site. By hovering over the link you will see the actual URL at the bottom.

Your friends email might be hijacked

It’s very common for hackers and spammers to take over other people’s email accounts and other communication accounts. After getting control they prey on the trust of the person’s contacts. Even if the sender seems like a friend, before clicking on any links, check up with the person before clicking on links or downloading any attachments.

Don’t download anything from emails

If you don’t know who the sender is personally and you’re getting emails with downloads attached, then that should be a red flag. Most malware are transmitted via emails and one click can infect your device.

Foreign lotteries are fake

If you receive an email from a foreign lottery or money from an unknown relative or requests to wire money via Western Union to a foreign country, it’s a guaranteed scam.

Ignore and delete requests of financial information or passwords

If someone asked you to provide financial information or account details for some kind of offer or deal, don’t forget that it’s a scam

Reject offers for help or requests for help

Legitimate organization will never contact a user to provide for help unless you specifically requested it. Any request to restore credit scores, refinance a home, answer your question is a scam. Similarly if a charity is requesting help which you don’t have any prior relationship with, best avoid it. If you want to give, search for reputable charities on your own to avoid falling for a scam.

Set your spam filter to high

Every email provider has a spam filter. To find yours, check your settings and set them to high. If you want a step-by-step guide, search your email provider plus the phrase “spam filter”. However, periodically check your spam folder to see if legitimate files have ended up there by accident.

Secure your devices

Keep all your software and operating systems up to date. Install anti-virus software, firewalls and email filters on your devices. Always have your smartphone up-to date.

Conclusions

Cybercriminals lurk in all over the place waiting for us to slip. Your security is as strong as your weakest link. This is where the criminals attack. While the criminals has to be lucky just once to get into your system, you have to be lucky every single time and luck don’t play a big role on this.

Always be attentive and pay attention to detail. Have multiple security measures installed so that you will be able to stop the hackers in their tracks. Trust your gut and if it seems too good to be true, it probably is.

Let us know what you think in the comments below.