WTF   //   December 19, 2022

WTF is social engineering? (and how it manipulates us all)

Who can you trust online? Given the surging number of global identity thefts, it seems we are nowhere near cautious enough regarding digital interactions.

Neil Smith, partner success manager for EMEA North at cybersecurity firm Norton, pointed out that an estimated £2.5 billion ($2.05 billion) was lost by Britons in 2021 as a result of cybercrime, according to Payback, a firm that specializes in retrieving lost funds for businesses that have been scammed. Repairing the damage caused by identity theft and cybercrime took 64 million hours. Meanwhile, in the U.S., the Federal Trade Commission received 5.7 million fraud and identity theft reports last year, and the losses to this crime reached $5.8 billion.

Further, said Smith, 55% of people in the U.K. admit that they would have no idea what to do if their identity were stolen. “The biggest worry is that it is often ourselves that is the root cause of identity theft,” he added.

Allen Ohanian, chief information security officer of Los Angeles County, agreed that there is a collective naivety. Alarmingly, 67% of us trust people online more than in the physical world, he said.

In early 2022, the World Economic Forum calculated that 95% of cybersecurity incidents occur due to human error. “Almost every time there’s an attack, it’s down to a mistake by or manipulation of people like you and me,” said Jenny Radcliffe, who goes by the moniker “The People Hacker.”

Indeed, 98% of all cyberattacks involve some form of social engineering, cybersecurity experts at Purplesec worked out. Social engineering is essentially the gateway for nefarious online activity. Here’s an explainer:

What exactly is social engineering?

U.K.-based Radcliffe, a world-renowned social engineer, is hired to bypass security systems through “a no-tech mixture of psychology, con-artistry, cunning and guile.” She defines social engineering as “the manipulation of human factors to gain unauthorized access to resources and assets. It’s the active weaponization of your human vulnerabilities, behaviors and errors.”

Put another way, social engineering – a term coined 20 years ago by U.S. computer security consultant and author Kevin Mitnick – is the art of tricking a target into revealing confidential information. Social engineers can access sensitive information, such as passwords and bank account details, by taking advantage of our natural tendency to trust others while playing on people’s emotions.

This might involve masquerading as a friend, colleague or family member to persuade the potential victim to click a malicious link or open a booby-trapped email that pinches login credentials, or similar activities designed to gain entry into target systems.

Once that trust has been gained through social engineering, it opens the door to further attacks: identity theft, malware distribution on personal or business computers, or gathering information about higher-paid colleagues.

What are the typical methods of social engineering?

Phishing accounts for 91% of all data breaches, according to Deloitte. In this instance, a scammer will pose as a genuine person or company and typically carry out their attack through email, chats, internet advertising or websites. They might, for example, build a fake website that looks like a known brand and request users to reset their passwords or enter sensitive information. Notably, cybersecurity firm Barracuda found 43% of phishing attacks impersonate Microsoft brands. In 2020, Google recorded over two million phishing websites, almost 20% more than the previous year.

Radcliffe, who was speaking at a Norton event in London in December, said text messages are also common and often catch people out. “People fall for them because they don’t see their phone as a computer, but it’s probably your most powerful computer, and it tends not to be protected,” she said. “When we wake up in the morning, one of the first things we do is grab our phones, and we tend to be a bit dopey, so we might be tempted to click on something.”

She said unsolicited approaches on social media should also be treated with caution. “We tell kids all the time to be careful of strangers, that people may not be what they seem, and social media approaches are very dangerous,” she said. “LinkedIn, for example, is a great source for corporate espionage.”

Other types of social engineering attacks include spear phishing – a sophisticated variant of phishing that aims directly for a person at a high level at a company – and baiting, whereby supposed free prizes or pay rises are on offer. 

Finally, a quid pro quo – “this for that” in Latin – attack is a ploy that lures victims with a specific promise if they reveal information in return. For example, the scammer could call all employees in a company and offer them an uncomplicated solution – all the unsuspecting victims have to do is turn off their antivirus program. However, instead of a solution, malware is then installed, infecting their computers.
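The phishing pattern described above (a sender or website dressed up as a known brand, pressure to act now, a link whose text and destination disagree) can be turned into simple detection logic. The following is an added example, not code from the article or from any firm quoted in it; the brand list, the homoglyph map and the two sample messages are constructed for illustration, and the scoring thresholds are assumptions rather than anything the article states.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Brands the reader expects mail from, with their genuine registrable domains.
# Constructed list: the article notes Microsoft is the most-impersonated brand,
# the others are illustrative only.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "paypal": {"paypal.com"},
}

# Digits commonly swapped for letters in lookalike domains (assumed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Pressure phrases typical of the "act now" lure (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your", "reset your password")


@dataclass
class Message:
    sender: str            # e.g. 'Microsoft Support <alerts@micros0ft-login.com>'
    subject: str
    body: str
    links: list            # list of (anchor_text, href) pairs found in the body


def _registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _sender_domain(sender):
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""


def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is genuine or unrelated.

    Genuine domains are whitelisted first; every other label of the host is
    split on '-', digits are mapped back to letters, and the result is compared
    with each brand name by containment or by a near-miss similarity ratio.
    """
    reg = _registrable(host)
    if not reg:
        return None
    for legit in KNOWN_BRANDS.values():
        if reg in legit:
            return None
    labels = host.lower().split(".")[:-1]            # drop the TLD
    tokens = [t for label in labels for t in label.split("-")]
    for brand in KNOWN_BRANDS:
        for tok in tokens:
            norm = tok.translate(HOMOGLYPHS)
            if brand in norm or SequenceMatcher(None, brand, norm).ratio() >= 0.8:
                return brand
    return None


def phishing_score(msg):
    """Return (number_of_indicators, list_of_reasons) for one message."""
    reasons = []
    sdom = _sender_domain(msg.sender)
    brand = lookalike_brand(sdom)
    if brand:
        reasons.append(f"sender domain {sdom} imitates {brand}")
    # Display name claims a brand that the sending domain does not belong to.
    display = msg.sender.split("<")[0].lower()
    for b, legit in KNOWN_BRANDS.items():
        if b in display and _registrable(sdom) not in legit:
            reasons.append(f"display name claims {b} but mail came from {sdom}")
    text = (msg.subject + " " + msg.body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for anchor, href in msg.links:
        host = urlparse(href).hostname or ""
        b = lookalike_brand(host)
        if b:
            reasons.append(f"link to {host} imitates {b}")
        # Link text shows one domain while the href goes somewhere else.
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", anchor.lower())
        if m and _registrable(m.group(1)) != _registrable(host):
            reasons.append(f"link text says {m.group(1)} but points to {host}")
    return len(reasons), reasons


# Two constructed messages: a brand-impersonation phish and a genuine notice.
SAMPLE_MESSAGES = [
    Message(
        sender="Microsoft Support <alerts@micros0ft-login.com>",
        subject="Urgent: your account will be suspended",
        body="Verify your account immediately or lose access.",
        links=[("https://login.microsoft.com", "https://micros0ft-login.com/verify")],
    ),
    Message(
        sender="Microsoft account team <account-security-noreply@microsoft.com>",
        subject="New sign-in from a Windows device",
        body="If this was you, no action is needed.",
        links=[("https://account.microsoft.com", "https://account.microsoft.com/security")],
    ),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, why = phishing_score(m)
        print(f"{m.sender!r}: {score} indicator(s)")
        for r in why:
            print("  -", r)
```

Run as a script it lists five indicators for the first message and none for the second. The checks are deliberately independent so that a message tripping any one of them can be surfaced for a second look; a mail filter would combine them with sender authentication results rather than rely on text heuristics alone.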

How prevalent are social engineering attacks?

Significantly – and more than you might think. The average organization is subjected to 700 social engineering attacks yearly, Barracuda found. Given there are approximately 260 workdays per year, that means dealing with 2.7 per day.

One thing is certain: you won’t get much help from the police or other authorities. “We have to protect ourselves because no one else is going to – law enforcement in this area is like drinking from a fire hose,” said Radcliffe. “It is at an epidemic level. There have never been more hacks, breaches and targets as there are now.”

What are the motivations for social engineers?

Radcliffe helps businesses and leaders understand their weak points through social engineering, but she is one of the good guys. The acronym MICE – money, ideology, coercion and ego – captures the main motivators, Radcliffe said.

Money, of course, is a driving factor. In 2018, Dr. Michael McGuire, a professor at the University of Surrey, estimated that “mid-level” criminals made up to $900,000 a year, and high earners generated up to $2 million – almost as much as a large company CEO. 

On the ego point, Radcliffe added: “Sometimes you just want to break into somewhere because it is there, it’s like scaling Everest.”

How much digging do social engineers do to snare victims?

A scary amount. Credentials, such as passwords leaked in a breach, can be bought for a few dollars on the dark web. So it’s well worth regularly checking whether any passwords have been compromised. Breached.Me is a useful website for this. 

“Criminals are being more selective about who they attack and getting better at sizing up their victims,” said Jonathan Hope, senior technology evangelist at cybersecurity firm Sophos. “For instance, they are working out where CEOs’ kids go to school and where they play golf so that they can trick them more convincingly than the usual phishing email.”

But it’s not just those at the top of a business that are at risk of social engineering. “People will say: ‘I’m not rich, famous or important enough to be hacked,’” said Radcliffe. “You have to understand that everyone, partly because they are linked in the chain, is worth hacking, and everyone has an identity worth taking.”

What are the best ways to guard against social engineering?

Be less trusting, be vigilant and treat communications with plenty of skepticism. If something doesn’t look right, it should raise a flag. Don’t open emails, click links, or download attachments from dodgy sources. Don’t fall for enticing offers – if it looks too good to be true, it probably is. 

Other tips include using multi-factor authentication as well as strong, unique passwords. Also, ensuring your antivirus software is up to date will offer peace of mind. And don’t answer any out-of-the-blue requests for personal information or passwords. Similarly, snub any unsolicited advice or help. 
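Two of the tips above, checking whether a password has already leaked (the earlier section on what social engineers dig up) and keeping passwords strong and unique, can be audited mechanically. The following is an added example, not code from the article and not a client for Breached.Me or any other service: the "breach corpus" is a constructed set of five hashes, and the hash-prefix range query that avoids sending the full password hash to a lookup service is shown against that local set rather than a real API. The strength rule (12 characters, at least three character classes) is an assumption.

```python
import hashlib
import string
from collections import Counter

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords that
# have appeared in leaks. A real service holds hundreds of millions of these.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2022!")
}


def sha1_prefix_lookup(password, prefix_len=5):
    """Range query in the k-anonymity style.

    Only the first `prefix_len` hex characters of the hash would be sent to a
    lookup service; it returns every breached suffix under that prefix and the
    final comparison happens locally, so the full hash never leaves the machine.
    Here the "service" is the constructed set above (assumption, not a real API).
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    # What a server would hand back for this prefix.
    candidate_suffixes = {h[prefix_len:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidate_suffixes


def is_strong(password, min_len=12):
    """Assumed rule: at least min_len characters and three of four classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 3


def audit(vault):
    """vault maps account name -> password; returns account -> list of findings."""
    counts = Counter(vault.values())
    findings = {}
    for account, pw in vault.items():
        issues = []
        if sha1_prefix_lookup(pw):
            issues.append("appears in breach data")
        if counts[pw] > 1:
            issues.append(f"reused across {counts[pw]} accounts")
        if not is_strong(pw):
            issues.append("too short or too few character classes")
        findings[account] = issues
    return findings


# Constructed vault: one reused-and-leaked password, one leaked default,
# one password that passes every check.
SAMPLE_VAULT = {
    "email": "Summer2022!",
    "bank": "Summer2022!",
    "shopping": "qwerty",
    "work-sso": "Tr4vel-Lisbon-Oct!",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_VAULT).items():
        print(f"{account}: {', '.join(issues) if issues else 'ok'}")
```

The prefix query is the detail worth noting: a naive checker would send the password or its full hash to a third party, which is exactly the kind of disclosure the article warns against. Multi-factor authentication is the complement to this audit rather than part of it; a reused or leaked password does far less damage when the second factor is still required.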

Consider that every interaction you have online leaves what Radcliffe calls a “digital tattoo,” so think again about sharing that Instagram post that shows the inside of your home. “At any time anything you want to keep private is exposed, any time there is a security breach, it’s down very often to what we do ourselves,” she said.

Ultimately, social engineers are considered con artists because they can make almost anyone believe almost anything. So keep your wits and use common sense. After all, as Mitnick said: “You can’t download a patch for human stupidity.”