What is social engineering?

Oct 22, 2020  - written by  in Security

Hacking and social engineering are two different, but related terms.

Hacking is when someone gains unauthorized access to a computer network or resource, regardless of how they actually do it, and social engineering is when someone uses some kind of manipulation to get information or access to information they shouldn’t have.

By this broad definition, social engineering is as old as confidence tricks and spying, but when people talk about social engineering, they’re usually talking about it in the context of getting access to computer systems of some kind.

The term “social engineering” was coined by hacker Kevin Mitnick, who became prominent through his hacking, and it describes techniques that he would use to lie, coerce, sweet talk, or otherwise manipulate his way into getting what he wanted.

Who are social engineers?

Depending on how broadly you want to define the term, anyone could really be a social engineer, but in the more specific sense of the term, there are three broad categories of social engineers:

Government actors

  • Intelligence agents
    In this case, the social engineer is looking to gain access to information of value for their government.
  • Law enforcement
    Law enforcement agents might also use social engineering techniques in order to pursue an investigation, or less ethically, in order to intimidate or harass targets, such as in countries with oppressive regimes.
  • Cyber warriors
    Cyber warfare came to the forefront of public consciousness in the 2016 election, but cyber warfare also uses social engineering to more directly attack other countries, such as when the United States sabotaged Iranian uranium processing equipment by surreptitiously leaving thumbnail drives laying around that were infected with Stuxnet, a sophisticated worm that targeted industrial control machines.

Corporate actors

  • Security professionals
    A penetration tester is someone who is hired by a company to test how secure their network and systems are. They may use social engineering to try to gain access.
  • Information Brokers
    Information brokers are companies that specialize in selling information. Employees of information brokers sometimes use social engineering to obtain information about a target.
  • Head hunters
    Head hunters are hired by a company to recruit specific talent. They might use social engineering to get more information about a potential recruit, such as pretending to be someone they know and asking them to do a task related to a specific skill to see if they possess that skill.
  • Corporate espionage
    Some actors may also be hired by corporations to gather intelligence about their competitors.

Criminals

  • Identity Thieves
    Sometimes identity thieves are trying to steal your identity in order to get access to your bank account, but they might also be looking to impersonate you online for a number of reasons
  • Disgruntled Employees
    A disgruntled employee is a potentially dangerous social engineer precisely because they may be familiar with all of the security procedures that you have in place and would also know how to put a current employee at ease, by referencing shared experiences, known locations, and even known office personalities
  • Scam Artists
    Finally, scam artists make their living off of social engineering efforts to manipulate you.

What motivates social engineering?

Human motivation seems complicated but you don’t have to be a psychologist to understand that it actually often comes down to a few basic motivations. While some of the motivations might depend on specific roles mentioned above, social engineers might also be interested in tricking their targets for a few reasons:

  1. Money
    The social engineer might be in it for the money. This is, of course, a very familiar motivation, and is at the heart of most phishing and other scams. Generally someone is trying to steal your money.
  2. Politics
    In addition to “hacktivists” who use hacking techniques that might include social engineering to target individuals, companies, governments, or non-profit organizations they have political differences with, it’s just as common for government agents to use social engineering to go after political opponents, both foreign and domestic
  3. Fun
    Some of the best social engineers are usually at least in part motivated by a sense of enjoyment they get out of pulling one over on someone. This relates also to …
  4. Ego
    There’s also certainly something to be said for being able to say you achieved some daring exploit as well.
  5. Revenge
    Or maybe it’s not about the gratification of accomplishing a big hack, but more personal than that, like an ex-employee going after the employer that fired them.
  6. Social belonging
    Everyone wants to feel like they’re a part of a group, and people in social groups do things to impress one another. A social engineer might be interested in impressing a group they are a part of or want to be.

How does social engineering work?

Whoever the social engineer is and whatever their motivation, what social engineering boils down to is being able to convince someone to give you information or access that you shouldn’t have.

Usually, social engineering relies on some kind of strategy to disarm someone’s natural apprehensions. Generally, social engineers do this by using something called “pretexting.”

An example would be a social engineer getting access to someone’s bank account by calling the bank and impersonating that person.

It could also involve accessing a workplace by dressing up as a delivery person, or impersonating a coworker (especially problematic for large organizations) or even a boss.

The more research and planning that goes into a “pretext” the more successful it’s likely to be.

How do social engineers get information?

Getting information is generally the goal of a social engineer but it’s often also the starting point for being able to establish the trust required to gain the necessary sensitive information.

First of all, there’s often a lot of information freely available online that a social engineer can use. This might be seemingly innocuous information like date of birth, phone number, email address, or physical address.

With this basic information, a social engineer may be able to get access to personal accounts like bank accounts. If that’s their goal.

They might also gather information through dumpster diving. Sometimes individuals and companies might throw away information that tells a social engineer what they need to know, and a perusal of their trash can lead to discovering a key piece of information for a social engineer to use.

Finally, there’s a method intelligence agencies refer to as “elicitation”. This is the art of obtaining information without actually asking for it. This is generally pretty targeted, but it could be information gleaned by casual conversation, either online or in person. Especially if you have access to particularly sensitive information, it’s important to be wary of what information you provide, even in small talk, to strangers. It might seem innocuous to describe a certain aspect of your workspace, but this could potentially be used to gain access.

How does social engineering manipulate people?

There are a few forms of manipulation used in social engineering. Usually they’re exploiting some kind of cognitive bias when they do so. Some common techniques are:

  • Appeal to authority

If you’re familiar with the Milgram experiment you’ll know just how susceptible people are to complying with someone just because they perceive that person as an authority. Posing as a police officer, or a manager, or just someone who seems like, looks like, or acts like they’re in charge.

In a social engineering scenario, someone complies with the social engineer because they think that person is some kind of authority. This is often used by phishers who are a step above the “Nigerian prince” scam. For example, they might email you pretending to be your boss in a meeting with an important client and needing you transfer money to them to keep that customer happy. By pretending to be your boss, they are appealing to authority.

  • “Sunk cost”

The “sunk cost” fallacy is the belief that once you’ve invested so much into something—whether that be time, or money, or effort—you should continue to do so “to see it through,” even if that investment has so far proven unproductive. Social engineers might use this tendency to get you to commit to a course of action that you wouldn’t otherwise because you’ve already gone so far.

  • Consistency

This works similarly to the “sunk cost” fallacy in that both are based on the idea that people fundamentally want to be consistent. You can be manipulated by this in very subtle ways. This technique is often used in criminal interrogations. For example, rather than being asked to come clean about their involvement in a particular crime they’re lying about, a suspect can be asked to commit to a smaller detail, like being able to describe a person, place, or thing involved. Detectives can use this small commitment to direct the behavior of that person to remain consistent with the previous statement. This technique can be used by anyone to get information out of anyone else.

  • Reciprocity

“Reciprocity” is a term from social psychology that basically boils down to responding to a positive action with another positive action.

In the context of social engineering, this can take a few forms. The classic example is giving someone a compliment. Receiving a compliment naturally makes someone want to do something nice in return. But this can also apply to situations like negotiations and price haggling. When someone concedes a certain amount from their initial offer, the other person feels the need to concede some as well because the initial concession gets understood as a kind of “gift.”

  • Scarcity or FOMO

A social engineer might also play on a sense of scarcity or your “fear of missing out.” This feeling is often used to create a sense of urgency that gets you to take your guard down.

Phrases like “if you act now …” or “only x left…” get people to click links in emails, for example, without examining them more carefully.

  • Social Proof

This is another concept from social psychology but it’s basically the effect sought by bartenders putting money in the tip jar at the start of the night. This induces customers to tip them because they see that other people have tipped. It creates a kind of social obligation that causes people to make decisions that they wouldn’t otherwise.

These are all methods that people can use to manipulate someone, psychologically, and as many of the examples mentioned above show, they aren’t all always used in the context of social engineering, or necessarily maliciously. However, because they rely on people’s innate biases, they can be used to lead people down a path that leads to revealing information or providing access to places or systems that the person asking shouldn’t be allowed.

How to protect yourself against social engineering

The only real way to avoid social engineering is being careful. If you work in a sensitive area, don’t talk about details to people you just met. If you field questions or calls from customers, be aware that people may call pretending to be someone they’re not and may use some of these techniques on you.

Don’t let people bully you into breaking the rules on their behalf.

If you’re not the one answering the phone but have decision making power, make sure your team is well trained and that you have processes in place to prevent social engineering.

Finally, phishing attacks are some of the most common kinds of social engineering. When you get an email asking you for anything sensitive, above all, don’t rush. Take your time to verify any requests. Slow down and check any links and the sender email address. Ask for proof that the person contacting you is who they say they are.

If you think you’re a victim

⚠️ Report it right away!

Contact anyone, like your bank or cell phone provider, who might need to monitor your accounts. If sensitive work information may be exposed, contact your employer. Change all of your passwords, and file a report with the police if necessary.

And don’t be afraid to verify! For example, if your bank calls you, ask for an extension to call them back.