You know the scene: You’re waiting patiently in a long line, when someone cuts to the front loudly announcing, “Sorry, but we’re in a hurry!” It happens so fast, and their excuse for cutting the line sounds legit enough that no one calls out their obvious social faux pas. This scenario, though relatively minor, is actually an example of social engineering.
Broadly speaking, social engineering can be defined as “any act that influences a person to take an action that may or may not be in their best interest.” In information technology, social engineering involves manipulating someone into revealing information (like a password) that could be used by a hacker to attack a network or system. Social engineering tactics are exploited by bad actors in the realm of cybersecurity.
Ahead, we’re going to explore the motivations and techniques of some hacking social engineers. But to be extremely clear: We’re in no way condoning or endorsing these acts. Accessing data in a system without authorization is illegal. Being able to spot social engineering tactics is key in preventing them from happening in the future.
What do social engineers want?
In one word: access. A person may employ social engineering and a range of other tactics to gain access to a profile within a system they shouldn’t have the ability to access. The most relatable example is a hacker accessing your bank account and using your personal information to steal your money. They might also wish to access entirely private systems like those in hospitals, factories, and warehouses. Their motivations are endless, but hackers have typically been classified into three categories:
- Black hat – access systems without permission and with malicious intent
- White hat – access systems with permission to help reveal security vulnerabilities and/or find flaws in engineering
- Grey hat – access systems without permission, but without the same malicious intent as black hats. They often reveal vulnerabilities, ask for a reward (a “bug bounty”), seek to build skill, or crave notoriety.
Any of these kinds of hackers may engage in social engineering to gain the access they are seeking, and access to your profile may not be the ultimate goal. For example, a black hat hacker using social engineering may compromise an email address. Once the email is compromised, they can use it to correspond with other users who may trust that email address and engage with compromised content they’d otherwise never visit. One of those users could have valuable data readily available to be discovered and exploited, and thus an actor with genuinely malicious intent has a vulnerable target and a trustworthy means of communication. Let’s explore some fixed action patterns and how a motivated social engineer can exploit them.
One of the most powerful tools for social engineers is simply acting polite. Getting people to like you is one of the best skills regardless of your trade. The absolute best tool for learning this skill, in my opinion, is the book “How to Win Friends and Influence People” by Dale Carnegie. Originally published in 1936 and revised in 1981, it has had a huge effect on people and their careers for nearly a century. This book is highly regarded by sales professionals and executives across all industries for offering a clear-cut explanation of how to engage in positive fixed action patterns with peers. The entire book is endlessly quotable and memorable, but I’d like to summarize just the very first of its six major sections, “Fundamental Techniques in Handling People”:
- Don’t criticize, condemn, or complain.
- Give honest and sincere appreciation.
- Arouse in the other person an eager want.
To establish this sort of rapport over the internet is to have someone completely at your disposal, and the only requirement is being kind. Imagine the havoc that could be wrought with these sorts of communications coming from a compromised email address. A particularly offensive form of this type of social engineering comes in the form of online romance scams — a problem so serious the FBI has a page dedicated to it. Telling someone you like them and getting them to like you back has, regrettably, been weaponized.
Quid pro quo
This phrase is Latin for “something for something.” Quid pro quo is a cornerstone of any meaningful relationship. Essentially, it is the reciprocity between two or more that has been scientifically proven to enhance generosity among the group. But giving and taking is about earning trust. “A bartering arrangement between two parties is an example of a quid pro quo business agreement where one exchanges something for something else of similar value.” The social engineer will seek to establish this quid pro quo relationship without giving up anything of value. They’ll sometimes intentionally use what magicians call a “time delay” to prevent the perception of a bribe or “coming on too strong.”
There are a lot of real-life use cases, but let’s imagine a black hat hacker wants access to some system. They are good with computers, or they wouldn’t be a hacker, so they gather some phone numbers of businesses and start calling those businesses offering to help with their computer – whether those businesses asked for the help or not. It may take 100,000 phone calls or more, but eventually, someone replies that they indeed need help with their computer. No problem for the hacker! They just need the username and password to get started. The “something for something” in this scenario is the help with your computer in exchange for the username and password. Once the social engineer holds valid credentials, it’s potentially game over for the business owner.
Baiting is similar to natural game and wildlife hunting because some reward is offered to unsuspecting prey. Some of us are old enough to remember the scourge that was pop-ups, and if you don’t, consider yourself lucky. Legitimate and malicious pop-ups alike were so prevalent many machines were rendered unusable in the late 1990s and early 2000s. They’re still around, but the problem today is much better thanks to W3C convention implementations and the evolution of pop-up blocking software.
After the relative abolishment of pop-ups, baiting has largely moved to email. We’ve all experienced the highly suspicious email with the “too good to be true” offer. A more nefarious form of this attack might include “spoofing” — or impersonating an authentic source — like asking a user to log in but redirecting them to a site that isn’t the intended one. For example, a person could receive an email from “[email protected]” with the title “Your account has been compromised,” and everything in the body appears completely authentic, original, and from Microsoft. The email instructs the reader to click a link to refresh their credentials, which takes them to “https://www.microsott.com/account.” Even if you paid very close attention to that email, sender spoofing has been widely available for a long time and easily produces a legitimate-looking source address; the destination URL, however, definitely isn’t Microsoft. Sadly, it’s people with diminished eyesight and unfamiliarity with technology, like the elderly, who often fall for this type of social engineering scam.
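The defender’s version of the “microsott.com” check above, as an added example that is not part of the original article: it compares a link’s registrable domain against a constructed allow-list, flags near-misses by edit distance, and checks whether the link’s domain matches the domain of the claimed sender. The allow-list, the sender address, and the two-label domain rule are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the reader legitimately expects mail from.
TRUSTED_DOMAINS = {"microsoft.com", "live.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part TLDs like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_sender(sender: str, url: str) -> bool:
    """Does the link's domain match the domain after '@' in the From address?"""
    host = urlparse(url).hostname or ""
    return registrable_domain(sender.rsplit("@", 1)[-1]) == registrable_domain(host)


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link target."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    # A domain within a couple of edits of a trusted one is the classic
    # "microsott.com" trick: close enough to pass a quick glance.
    if any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"
```

Call `classify_link("https://www.microsott.com/account")` to see the page’s example come back as `lookalike`; a lookalike verdict or a sender/link domain mismatch is the signal to stop and verify out of band.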
No one wants to get yelled at by their boss! Or, even worse, be the person that inspired a slow, simmering rage within an executive in your organization. This is an extremely powerful fixed action pattern people on the job are particularly susceptible to. Look no further than the infamous Milgram experiment in which test subjects applied what they believed to be larger and more painful electrical jolts to an unwilling victim at the direction of the experiment moderator — the so-called “authority figure” in the room. The same power of persuasion can be manipulated by a motivated individual wishing to engage in social engineering, and they don’t always require the anonymity afforded by the internet.
In this example, a motivated individual could use compromised credentials or the “spoofing” technique discussed above to send some message from a position of authority. They may engage the target using any skills we have discussed or others. For example, by “liking” they could compliment the subordinate’s efforts, use a “time delay” to build trust, potentially offer some reward like “baiting,” and then the target would be fully compromised. Conversely, the motivated actor posing as an authority might wish to be as quick, direct, and authoritative as possible while relaying commands with negative outcomes as a reprisal. Both techniques ultimately conclude with the acquisition of the access the motivated actor desired, as it takes an exceptionally strong-willed person, or some very good evidence, to stand up to a supervisor on the job.
Social engineering wrapped up
It might be easy to feel like everyone on the internet is out to get you or your Facebook friends might be spies, but that is almost certainly not true. The internet is all about large numbers of people, huge collections of data, and scale. Truly, the FAANG companies just won’t do it if it doesn’t scale. The most sophisticated hackers take a similar approach to their target gathering, meaning they cast extensive nets to trap the most vulnerable victims. Hence, we all experience pop-ups and scam emails because they are scalable solutions that can be broadcast to hundreds of thousands of users at once. Returning to our ‘quid pro quo’ example with the hacker making 100,000 phone calls — remember it only takes one yes and the entire system is compromised.
The first step to preventing yourself from becoming a victim of social engineering is removing yourself as a potential target. Don’t reveal so much information about your life, family, career, and friendships online that a hacker might feel empowered to try to use social engineering against you. Another step is to immediately discontinue communication with anyone you even slightly suspect of not being who they say they are. Do not waste time by sharing your suspicions with them, because they will probably have a ready explanation if they’re good at social engineering.
Finally, the most convenient and effective tool we currently have at our disposal to thwart great social engineers is two-factor authentication. Like the PIN on your debit card, this feature can be the last and most critical defense of your access to online platforms, and there’s no valid use case in which sharing it across devices is recommended. You’ll have much less to worry about by making smart decisions online, being discerning in your communications, and enabling two-factor authentication.