What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
1. Information Gathering (Investigation)
The likelihood of success for most attacks depends on this phase, so it is only natural that attackers invest the majority of their time and attention here. Information-gathering techniques are elaborated on in the Framework. With the right information, the attacker can determine the attack vector, possible passwords, likely responses from individuals, and refine goals. At this phase, the attacker becomes familiar and comfortable with the target and formulates a strong pretext(s).
2. Establish Relationship and Rapport (Hook)
This phase establishes a working relationship with the target. This is a critical point, as the quality of the relationship determines the level of cooperation and extent to which the target will go to help the attacker accomplish the goal. It can be as brief as hurrying towards the door with a big smile and eye contact so the target holds the door open for the attacker to walk through. Or it could be connecting on a personal level over the phone or as personal as showing family pictures and sharing stories with the receptionist in the lobby. It can also be as extensive as building an online relationship with the target through a fake profile on a dating or social networking site. Creating rapport is covered more in-depth in the Framework.
3. Exploitation (Play)
This is when the attacker uses both information and relationships to actively infiltrate the target. In this phase, the attacker focuses on maintaining the momentum of compliance established in phase 2 without raising suspicion. Exploitation can take place through the divulging of seemingly unimportant information or access granted/transferred to the attacker. Examples of successful exploitation include:
- The act of holding the door open or otherwise allowing the attacker inside the facilities
- Disclosing password and username over the phone
- Offering social proof by introducing the SE to other company personnel
- Inserting a USB flash drive with a malicious payload to a company computer
- Opening an infected email attachment
- Exposing trade secrets in a discussion with a supposed “peer”
4. Execution (Exit)
This phase is when the attacker achieves their ultimate goal, or for various reasons the attack ends in a way that avoids suspicion. Generally, an attack ends before the target begins to question what is happening. Instead, the attacker ends with the target feeling like they did something good for someone else, ensuring possible future interactions to continue. In addition, the attacker erases digital footprints and ensures no items or information are left behind. As a result, the attacker accomplishes two important goals. First, the target does not know an attack took place. Second, the attacker keeps his identity hidden. A well-planned and smooth exit strategy is the attacker’s goal and final act in the attack.
As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and blocking them are much easier for mail servers having access to threat sharing platforms.
This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
There no such a solution called “anti-scam” What is the best defense against social engineering? It’s many things. But primarily, it’s an educated and prepared team, a cautious company protocol, and a conscious effort to maintain common sense. First Educated them then test the effectiveness of the education process using phishing & scamming simulation platforms