Organizations view information as a strategic resource, and the importance of integrating applications and IT systems are becoming increasingly important. So, in recent years—as a result of accelerated digitization—the list of risks and types of cyberattacks has grown. Furthermore, emails containing ransomware-infected attachments have become more sophisticated. Against this backdrop, it is absolutely crucial to educate stakeholders about social engineering.
A Brief History of Social Engineering
Social engineering was developed in the 19th century by Charles Fourier, a French sociologist and follower of the utopian socialism movement. Also referred to as human engineering, it is now seen as the practical application of social sciences.
This phenomenon’s best-known practical application is in cybercrime—a field that makes very good use of social engineering techniques. In computer science, social engineering is a non-technical method to steal information from computer networks. Its practices are successfully applied when network protection systems are difficult to penetrate.
The techniques of social engineering have been analyzed by cybersecurity specialists and authors such as Kevin Mitnick in “The Art of Deception”, Christopher Hadnagy in “Social Engineering: The Art of Human Hacking”, and Dr. Robert Cialdini in “Influence”.
Social Engineering Methods and Techniques
Fake news, trolling, manipulation, disinformation, phishing, payroll, and elicitation techniques are all examples of social engineering. The intended purposes are to undermine trust, create polarity, and to destroy/block IT infrastructures—with the ultimate goal of gaining financial advantages. Other aims include obtaining/destroying/altering information, lowering employee morale by compromising management, espionage, terrorist attacks, or damaging critical national infrastructure.
These attacks are often successful due to a lack of staff training and/or failure to comply with basic security rules, and they remain effective due to their exploitation of common human characteristics—such as fear of confronting a boss, career aspirations, or excessive politeness.
The Oldest Social Engineering Attack
The oldest successfully applied social engineering attack we know of is the famous Trojan Horse. The aim was to infiltrate the city of Troy, which remained unconquered for 10 years due to its impenetrable physical structure. The plan of action was extremely simple and effective.
To examine the wooden horse—intentionally made larger than the gates—the Trojans voluntarily removed their fortress’ physical defenses. They also disobeyed the rules of access to the citadel by not verifying the contents of this object (filled with elite soldiers), and this tactic exploited a belief of the era. It was believed that large statues have religious purpose and bring blessings to their owners. And nowadays, this process and strategy underlies many cyberattacks.
How Social Engineering Works
Identifying a social engineering attack is extremely difficult because one has to fight human bias and ingrained beliefs.
Social engineering usually uses non-technical means and person-to-person contact or cell phone/internet-based communications. Social engineers build trusted systems to achieve their goals. For example, they can use open sources as a starting point (Twitter, LinkedIn, Facebook, Instagram) to maximize the effects of their actions.
Employees bring their personal vulnerabilities to work—shaped by their culture, environment, education level, psychological profile, previous work experience, IQ, or cognitive biases. Social engineering can be a “person-to-person” attack where one person tries to get a staff member to do something inappropriate or dangerous for the organization, such as providing sensitive information or allowing access to a target (or computer network) deemed secure. Social engineers unscrupulously exploit whatever tools they have at their disposal to achieve their goals, e.g. emotions about natural disasters, political crises, etc. The attacker’s limits depend solely on his or her intelligence, creativity, and imagination.
Conclusion
When technology cannot be defeated, the social engineer turns to the most vulnerable element in the security system: humans. Through social engineering, attackers exploit basic human traits like ignorance, naivety, reciprocity, and emotions. With proper training and strong security practices, companies can prepare and defend against these types of cyberattacks.
