
Social Engineering

Social Engineering Attacks

A common misconception about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. Cyber attackers have learned that one of the easiest ways to steal your information, hack your accounts, or infect your systems is by simply tricking you into doing it for them using a technique called social engineering. Let’s learn how these attacks work and what you can do to protect yourself.

What Is Social Engineering?

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do through various manipulation techniques. Think of scammers or con artists; it is the same idea. However, today’s technology makes it much easier for any attacker, from anywhere in the world, to pretend to be anything or anyone they want and to target anyone around the world, including you. Let’s take a look at two real-world examples:

Guest Editor

Christian Nicholson (@GuardianCosmos) is a SANS instructor for SANS SEC560 and SANS SEC504, as well as Partner/Cyber Lead at Indelible. Christian specializes in Application Security, Purple Teaming, and Automation for secure integration, programming and engineering.

You receive a phone call from someone claiming to be from a computer support company, your ISP, or Microsoft Tech Support. The caller explains that your computer is actively scanning the Internet. They believe it is infected and have been tasked with helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected. For example, they may ask you to check if you have certain files on your computer and walk you through how to find them. When you locate these files, the caller assures you that these files prove that your computer is infected, when in reality they are common system files found on almost every computer in the world. Once they have tricked you into believing your computer is infected, they pressure you into buying their security software or giving them remote access to your computer so they can fix it. However, the software they are selling is actually a malicious program. If you purchase and install it, not only have they fooled you into infecting your computer, but you just paid them to do it. If you give them remote access to your computer, they are going to take it over, steal your data, or use it for their bidding.

Common sense is your most powerful defense in identifying and stopping most social engineering attacks.

You receive a phone call from someone claiming to be from the government informing you that your taxes are overdue and that if you do not pay them right away you will be fined or arrested. They then pressure you to pay over the phone with a credit card, gift card, or wire transfer, warning you that if you don’t pay you could go to jail. The caller is not really from the government, but an attacker attempting to trick you into giving them money.

Another example is an email attack called phishing. This is when attackers create an email that attempts to trick you into taking an action, such as opening an infected email attachment, clicking on a malicious link, or giving up sensitive information. Sometimes phishing emails are generic and easy to spot, such as pretending to come from a bank. Other times phishing emails can be highly customized and targeted as attackers research their targets first, such as a phishing email pretending to come from your boss or colleague.

Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form, including by text message, over social media, or even in person. The key is to know what clues to look out for.

Common Clues of a Social Engineering Attack

Fortunately, common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues include:

  • A tremendous sense of urgency or crisis. The attackers are attempting to rush you into making a mistake. The greater the sense of urgency, the more likely it is an attack.
  • Pressure to bypass or ignore security policies or procedures you are expected to follow at work.
  • Requests for sensitive information they should not have access to or should already know, such as your account numbers.
  • An email or message from a friend or coworker that you know, but the message does not sound like them - perhaps the wording is odd or the signature is not right.
  • An email that appears to be from a coworker or legitimate company, but the email is sent using a personal email address such as @gmail.com.
  • Playing on your curiosity or something too good to be true. For example, you are notified that your package was delayed even though you never ordered a package, or that you’ve won a prize in a contest that you never entered.

If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. Remember, common sense is your best defense.


About OUCH!

OUCH! is a monthly security awareness newsletter for everyone. It is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit SecuringTheHumans.sans.org.

Editorial Board: Walter Scrivens, Phil Hoffman, Alan Waggoner, and Cheryl Conley.