4 Ways Criminals Exploit Human Behaviour

In 2016, a research team that included a Google researcher conducted a social engineering experiment. Scattering nearly 300 USB drives across a university campus, they found that 45% of the drives were plugged in and had at least one file on them opened.

Typically motivated by altruism (wanting to return the drive to its owner) as well as by curiosity, the unsuspecting users demonstrated how simple social engineering can be. When the researchers surveyed those who had plugged a drive in, 68% said they had taken no precautions before connecting it.

Though in this instance the experiment was harmless, the drives could just as easily have carried malware or tooling to exfiltrate data. By leaving devices in the right place, a malicious actor can exploit this curiosity with very little effort, bypassing perimeter network defences and causing serious damage.

Social Exploitation

There are many methods of socially engineering an attack; not all of them are particularly complicated, or even unfamiliar.

The common factor is that all of them are designed to exploit a human weakness in order to help a malicious actor gain access or control. Today, social engineering is recognised as one of the greatest security threats organisations face, and it typically combines insider and outsider threat: an outsider manipulates an insider into acting on their behalf.

When thinking about social engineering attacks, there are four main areas to consider:

  1. Pretexting

This method of social engineering is essentially the creation of a story (the pretext) which is then used to manoeuvre a victim into a situation where they find it increasingly difficult to refuse requests.

It may be a crying child at someone’s side, or in the background of a phone call, eliciting sympathy; it could also be a fabricated tale of needing an ‘insignificant bank detail’ to avoid some unwanted consequence.

Though sympathy and empathy are sure signs of decency, these characteristics can undoubtedly be exploited too. Whereas other methods of social engineering may rely on urgency or fear, pretexting relies on building a false sense of trust.

  2. Baiting

Exemplified by the USB drop research above, baiting appeals to people’s curiosity, their vanity and their greed.

The attacker offers something that is a little ‘too good to be true’ and waits to see who bites. The bait may take the form of a device, an email or a download, all designed to prompt users to hand over login credentials, access or sensitive information.

  3. Tailgating

A simple yet very effective method of gaining entry to a secure location, tailgating (or piggybacking) involves following an authorised person through a controlled door, often while impersonating a delivery person, a security guard or a hapless employee who has misplaced their ID.

Though it may again seem easily avoidable, social engineers have used this method to gain access to some of the most secure corporate environments imaginable, and even to plant bugs in CEOs’ offices. The next time you hold a door open for a stranger, you may want to think twice.

  4. Quid Pro Quo

Roughly translated as ‘this for that’, quid pro quo is an attack that relies on an exchange. From offers of cash to the simple gift of a pen, it is surprising how easily an office worker can be gently persuaded to hand over their network password.

It is not always this obvious, either: quid pro quo can also encompass, for example, impersonating IT support staff who offer help in exchange for actions such as disabling anti-virus software.

Information security is a wide topic, and social engineering attacks represent only a portion of the methods nefarious actors can use to further their goals and to steal and exploit your information.