Social Engineering Methods

4 Ways Criminals Exploit Human Behaviour

In 2016, a member of a Google research team conducted a social engineering experiment. Scattering 300 USB drives across a university campus, they found that over 45% of drives were plugged in and had files examined.

Typically motivated by an altruism to find the owner, as well as curiosity, the unsuspecting users demonstrated that social engineering can be simple. Having questioned these helpful stooges, the researchers found that 68% had taken no precautions when connecting a USB drive.

Though in this instance it was merely a harmless experiment, the devices could have just as easily contained malware or exfiltration software. Leaving devices in the right place, malicious actors could potentially exploit this curiosity with very little effort, bypassing network defences and causing untold damage.

Social Exploitation

There are many methods to socially engineer an attack, not all of them are particularly complicated or even that unfamiliar.

The common factor being, they are all designed to exploit a human weakness in aiding a malicious actor in gaining control or access. Today, social engineering is recognised as one of the greatest security threats that organisations face and is typically a mix of both insider and outsider threat.

When thinking about social engineering attacks, there are four main areas to consider:

  1. Pretexting

This method of social engineering is essentially the creation of a story which is then used to compel a victim into a situation where they find it increasingly difficult to deny requests.

It may be a crying child at someone’s side, or in the background of a phone call, eliciting sympathy, it could also be a fabricated tale of needing an ‘insignificant bank detail’ to avoid an unwanted consequence.

Though both sympathy and empathy are a sure sign of decency, these characteristics can undoubtedly be exploited too. Whereas other methods of social engineering may rely on urgency or fear, pretexting relies on creating a false sense of trust.

  • Baiting

Exemplified by the above research into USB drops, baiting appeals to people’s curiosity, their vanity and their greed.

Offering something that is a little ‘too good to be true’ and waiting to see who comes biting. This method may take the form of devices, emails or even downloads, all designed to prompt users to hand over login credentials, access or sensitive information.

  • Tailgating

A simple, yet very effective method of gaining entrance into a secure location, tailgating (or piggybacking) can involve the impersonation of a delivery person, a security guard or a hapless employee who has misplaced their ID.

Though it may again seem easily avoidable, social engineers have used this method to gain access to some of the most secure corporate environments imaginable and even place bugs in CEO’s offices. The next time you hold that door open to a stranger, you may want to think twice.

  • Quid Pro Quo

Roughly translated as this-for-that, quid pro quo is an attack that relies on exchange. From offerings of cash, to a simple gift of a pen, it is surprising how easily an office worker can be gently persuaded to hand over their network passwords.

Though it is not always this obvious and quid pro quo can encompass, for example, the impersonation of IT service people who offer help in exchange for actions such as the disabling of anti-virus software.

Information security is a wide topic, and social engineering attacks represent just a portion of the methods which can be used by nefarious actors to further their goals, and steal and exploit your information.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Featured

Data Protection by the Numbers

What Year Was the Data Protection Act Introduced?

What Year Was the Data Protection Act Introduced? Blog by Information Security Awareness Training provider Hut Six Security.

InfoSec Round-Up: May 29th 2020

InfoSec Round-Up: May 29th 2020 - Hut Six

GitLab Phishing, Red Cross Cybersecurity, and easyJet Lawsuit - Infosec Round Up, May 29th 2020

Data Protection Principles

How Does the Data Protection Act Protect your Rights?

How Does the Data Protection Act Protect your Rights? Blog by information security awareness training provider Hut Six Security.

Ransomware Explained

How a Ransomware Attack Works

Knowing how a ransomware attack works is the key to avoiding them and the damage they can pose to your organisation. Blog by Hut Six Security.

Hut Six Staff Snippets: Handling Sensitive Information

Hut Six Staff Snippets: Handling Sensitive Information - Hut Six

Luke talks about his favourite Information Security tutorial, Handling Sensitive Information. Information Security video by Hut Six Security.

InfoSec Round-Up: May 22nd 2020

InfoSec Round-Up: May 22nd 2020 - Hut Six

Cryptomining hijack, EasyJet Hack and NHS Failing audits - InfoSec Round-Up, May 22nd 2020

Recognising Phishing Attacks

4 Ways of Recognising Phishing Attacks in 2020

Ways of recognising phishing attacks to ensure your organisation stays secure. Blog by information security awareness training provider Hut Six Security.

Data Protection Act's Eight Principles

What are the Eight Principles of the Data Protection Act?

What are the Eight Principles of the Data Protection Act? Why has this changed to seven in the DPA 2018? Blog by Hut Six Security.

Hut Six Staff Snippets: Encouraging a Secure Culture

Hut Six Staff Snippets: Encouraging a Secure Culture - Hut Six

Kayleigh talks about her favourite Information Security tutorial, Encouraging a Secure Culture, which explains the importance of building a secure culture.

Infosec Round-Up:  May 15th 2020

Infosec Round-Up: May 15th 2020 - Hut Six

Norfund Breach, Celebrity Data hack, and Ransomware Research - InfoSec Round Up, May 15th 2020