You receive an email from your head of sales: “I’m with a potential client; to close the deal I need you to go and buy $500 of Amazon gift cards.”

It seems strange, but then you get another message: “It’s a key customer, and this is really urgent. Please get on it right away.”

Despite your doubts, you buy the gift cards and send them to the address that wrote to you (thinking it’s your head of sales).

This is a true story. As you can guess, hackers were behind the original email.

The tool attackers use in their cyberattacks to convince targets to act (buy a prepaid card, download a file), to share information or to enter their credentials is called social engineering.

This article will answer the following questions:

  • What is social engineering?
  • How do hackers use it for phishing attacks?
  • How can you protect your users?

What is social engineering?

Definition of social engineering in cybersecurity

Social engineering is a way to manipulate people. In the context of cybersecurity, social engineering is the set of psychological manipulation tools and tricks used by hackers to convince their targets to take the action the hackers wish.

Social engineering techniques build on predictable shortcuts in our decision process, known as cognitive biases. Simply put, they exploit “weaknesses” in how we think in order to bypass our analysis and caution.

They are, in part, based on the six principles of influence set forth by Robert Cialdini: reciprocity, scarcity, authority, commitment and consistency, liking, and consensus (social proof).

The hackers’ goal is to find the right message and context to activate psychological levers that will lead their targets to act in a way that they normally wouldn’t and that is detrimental to them.

Attack vectors using social engineering

Hackers can use social engineering tactics in their attacks through a number of different vectors:

  • Email: The most frequent vector. Hackers use social engineering in their phishing and spear-phishing emails. Their goal is to increase the credibility of the email by adding elements of authenticity, and to craft the message so that the target is more likely to act on it, for example by opening an attached malicious document and enabling its macros
  • SMS: Hackers use smishing (SMS phishing) with the same messaging techniques to obtain information such as one-time codes, which lets them bypass multi-factor authentication. A typical example is an SMS asking the target to relay the one-time verification code Google has just sent them, a code the hackers themselves triggered by initiating a login attempt on the target’s account:
  • Phone call: Vishing (voice phishing) can be used to convince very specific targets (in whaling attacks). Speaking to an actual person adds a layer of credibility, since most people are inclined to trust a live voice on the line
  • Browser: For example, a widespread scam displays fake warnings in the browser window that seem to indicate a virus, pushing the victim to call a fake customer support line which, for a fee, will “clean” the computer remotely (potentially installing actual malware in the process)
An example of browser scam using social engineering (from the FTC's website)
  • Postal: An official-looking letter from the IRS claiming overdue payments? It could very well be a fraud using social engineering levers such as authority and urgency
  • Physical: Someone asks you to let them into the office because they work for an official-sounding company and have a meeting with your CFO, but they don’t have an access card? It could very well be social engineering aimed at getting into your premises (tailgating)

How do hackers use social engineering in their phishing attacks?

If we focus on email phishing, which is the most commonly used attack vector against companies, how do hackers use social engineering in their phishing and spear-phishing attacks?

What is the hackers’ goal?

Hackers are trying to trick their victims into acting in a way that will be detrimental to them. This could be:

  • Opening an attachment and enabling its macros (which triggers the download of a loader such as Qakbot, Hancitor or Bumblebee, to name a few)
  • Clicking a link and visiting a malicious website
  • Downloading a file and opening it
  • Entering credentials on a fake login page

In all these cases, this is the first step of a cyberattack that could lead to ransomware deployment, Business Email Compromise (BEC), a data leak…

How do they use social engineering in their phishing attacks?

Hackers rely on social engineering in their emails to manipulate their target, for example by using the following levers:

  • Social proof or trust: The goal is to increase the credibility of the attack with fake elements of authenticity. For this, hackers have a very useful tool: OSINT. Publicly available information lets them find the names of a company’s executives, its clients and suppliers, the managers of various teams… They can then use these to craft BEC attacks in which they impersonate the target’s usual contacts (or, if they have compromised a mailbox, write directly from a legitimate email address)
  • Scarcity: A feeling of scarcity increases the pressure to act. Examples are a sense of urgency (“you only have 2 hours to reset your password”) or the prospect of personal gain (“you have a new lead in your CRM”)
  • Authority: This is a powerful psychological lever for hackers, built on knowledge of the company’s structure gathered during the reconnaissance phase. As mentioned above, a message from the CEO or Head of Sales raises the odds that the right reflexes are set aside when the phishing email is analyzed, especially when it is combined with a sense of urgency
  • Reciprocity: Reciprocity is a fundamental aspect of human society. It can be traced back thousands of years: the Code of Hammurabi (18th century BC) already codified the principle of “an eye for an eye”. Hackers have always known how to use this lever to reach their goals: from the start, with “Nigerian prince” advance-fee frauds, the key element was the promise of reciprocity (an immediate payment was required to unlock a much larger sum, from which the victim would be rewarded)
  • Liking: Everyone loves compliments… and hackers have understood this perfectly! A phishing campaign targeting researchers at a university in the UK began with emails complimenting the researchers on their work (a case of targeted spear-phishing) and mentioning the possibility of recognition through nominations in reviews or prizes
  • Commitment and consistency: Relying on an employee’s desire to act in the company’s interest lets hackers trick them. For example, asking them to update a piece of software the company uses (especially when this message is combined with other psychological levers) is a potentially effective approach
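As an added example (not code from the original article or from Mantra’s product), here is a small Python triage check that turns three of the levers above into machine-checkable signals on a raw email: an executive’s name in the From display name while the address sits outside the company domain (authority through impersonation), a Reply-To that points to a different domain than the From address, and urgency or sensitive-request wording in the subject and body. The company domain, executive list, keyword lists and both sample messages are constructed for the example; they are not from the article.

```python
"""Added example: flag executive impersonation and urgency cues in an email.

Not part of the original article. COMPANY_DOMAIN, EXECUTIVES, the keyword
lists and the two sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the defender knows its own domain and the names an attacker
# is most likely to have found via OSINT and to impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john smith": "Head of Sales"}

# Wording that pushes the reader to act without thinking (scarcity/urgency).
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bright away\b", r"\bimmediately\b",
    r"\bwithin \d+ (hours?|minutes?)\b", r"\basap\b",
]
# Requests that are typical first steps of BEC or credential phishing.
REQUEST_PATTERNS = [
    r"\bgift cards?\b", r"\bwire\b", r"\breset your password\b", r"\binvoice\b",
]
WEIGHTS = {"executive_impersonation": 3, "reply_to_mismatch": 2,
           "urgency": 1, "sensitive_request": 1}
SUSPICIOUS_THRESHOLD = 3


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a weighted score."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    haystack = f"{msg.get('Subject', '')}\n{text}".lower()

    findings: list[tuple[str, str]] = []
    key = name.strip().lower()
    # Authority lever: an executive's name on a message from an outside domain.
    if key in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        findings.append(("executive_impersonation",
                         f"'{name}' ({EXECUTIVES[key]}) sent from '{domain_of(addr)}'"))
    # Replies silently redirected to another domain (common with spoofed From).
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(("reply_to_mismatch",
                         f"From '{domain_of(addr)}' but Reply-To '{domain_of(reply_to)}'"))
    urgency_hits = [p for p in URGENCY_PATTERNS if re.search(p, haystack)]
    if urgency_hits:
        findings.append(("urgency", f"{len(urgency_hits)} urgency cue(s)"))
    request_hits = [p for p in REQUEST_PATTERNS if re.search(p, haystack)]
    if request_hits:
        findings.append(("sensitive_request", f"{len(request_hits)} request cue(s)"))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    return {"from": addr, "findings": findings, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"}


# Constructed sample: lookalike domain, free-mail Reply-To, gift-card request.
PHISH = """\
From: "Jane Doe" <jane.doe@example-corp-mail.com>
Reply-To: <jdoe.ceo@gmail.com>
To: alice@example.com
Subject: Urgent: need a favour
Content-Type: text/plain; charset=utf-8

Hi Alice,

I'm with a potential client and need you to buy $500 of Amazon gift cards
right away. It's really urgent, please get on it immediately.

Jane
"""

# Constructed sample: the same executive writing from the real company domain.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: alice@example.com
Subject: Team lunch
Content-Type: text/plain; charset=utf-8

Lunch is at noon on Friday, see you there.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        result = analyse(sample)
        print(label, result["verdict"], result["score"], result["findings"])
```

The check is deliberately simple: it is a triage aid that surfaces the cues a trained user should be looking for, not a replacement for a mail security gateway, and the keyword lists would need tuning to the company’s own vocabulary (invoice handling, HR requests, and so on).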

Examples of social engineering in phishing emails

To illustrate, here are some scenarios from our phishing simulation engine that combine some of these social engineering tactics.

  • Docusign CEO: authority, social proof
  • New lead from CRM: social proof, personal gain
  • CFO reset password: urgency, social proof, authority, commitment

How can you protect your users?

How can you best protect your company from techniques that rely on deep-seated cognitive biases? Technological solutions clearly have a role to play, and an important one. But in addition, our conviction at Mantra is that a human issue also requires a human solution.

The best way to protect your teams on the "human" side is to give them the right tools to detect social engineering tactics.

In order to achieve this, some of the best practices we can recommend are:

  • Running frequent cybersecurity awareness courses that remind them of the tricks and techniques used by hackers, the different attack vectors, and what the hackers are trying to obtain (an opened attachment, a download, credentials…)
  • Training through phishing simulations that expose your teams, in a risk-free way, to these techniques. Here, frequency, realism and adoption are key!
  • Providing as much contextual information as possible (who the sender really is, whether the request is normal for this person, whether a real process exists for it) to help them make the right decision

The goal is for your teams to be able to analyze correctly, in an automatic and reflex-like fashion, the phishing emails they receive.

Want to know more about Mantra’s approach to tackling this threat? Contact us here