In computer security, many issues occur despite the user’s best efforts. For example, you can get hit with malware from malvertising at any point, it’s down to bad luck really. There are steps you can take to minimise the risk, such as using an ad-blocker. But being hit like this isn’t the user’s fault. Other attacks though focus on tricking the user into doing something. These types of attacks come under the broad banner of social engineering attacks.
Social engineering involves using analysis and understanding of how people handle certain situations to manipulate an outcome. Social engineering can be performed against large groups of people. In terms of computer security, however, it is typically used against individuals, though potentially as part of a large campaign.
An example of social engineering against a group of people could be attempts to cause panic as a distraction. For example, a military performing a false-flag operation, or someone yelling “fire” in a busy location and then stealing in the chaos. At some level, simple propaganda, gambling, and advertising are also social engineering techniques.
In computer security though, the actions tend to be more individual. Phishing tries to convince users to click and link and enter details. Many scams try to manipulate based on fear or greed. Social engineering attacks in computer security can even venture into the real world such as attempting to gain unauthorised access to a server room. Interestingly, in the world of cyber security, this last scenario, and ones like it, are typically what is meant when talking about social engineering attacks.
Phishing is a class of attack that attempts to social engineer the victim into providing details to an attacker. Phishing attacks are typically delivered in an external system such as via email, and so have two distinct social engineering points. First, they must convince the victim that the message is legitimate and get them to click the link. This then loads the phishing page, where the user will then be asked to enter details. Usually, this will be their username and password. This relies on the initial email and the phishing page both looking convincing enough to social engineer the user into trusting them.
Many scams try to social engineer their victims into handing over money. The classic “Nigerian prince” scam promises a large pay-out if the victim can front a small advance fee. Of course, once the victim pays the “fee” no pay-out is ever received. Other types of scam attacks work on similar principles. Convince the victim to do something, typically hand over money or install malware. Ransomware even is an example of this. The victim needs to hand over money or risks losing access to whatever data was encrypted.
When social engineering is referred to in the world of cyber security, it typically refers to actions in the real world. There are plenty of example scenarios. One of the most basic is called tail-gating. This is hovering close enough behind someone that they hold open an access-controlled door to let you through. Tail-gating can be enhanced by setting up a scenario in which the victim might help you. One method is to hang out with the smokers outside on a smoke break and then go back inside with the group. Another method is to be seen to be carrying something awkward. This technique is even more likely to succeed if what you’re carrying could be for others. For example, if you’ve got a tray of coffee mugs for “your team”, there’s a social pressure for someone to hold the door open for you.
Much of in-person social engineering relies on setting up a scenario and then being confident within it. For example, a social engineer might pose as some sort of construction worker or cleaner who may be generally overlooked. Posing as a good Samaritan, handing in a “lost” USB thumb drive might result in an employee plugging it in. The intent would be to see who it belongs to, but it could then infect the system with malware.
These types of in-person social engineering attacks can be very successful, as no one really expects to be tricked like that. They do, however, carry a great deal of risk for the attacker who has a very real chance of being caught red-handed.
Conclusion
Social engineering is the concept of manipulating people to achieve a targeted aim. One way involves creating a real-looking situation to trick the victim into believing it. You can also create a scenario in which there is a social pressure or expectation for the victim to act against standard security advice. All social engineering attacks, however, rely on tricking one or more victims into performing an action that the attacker wants them to.
