Decoding Online Social Engineering: Revealing Tactics and Strengthening Defences

In this blog, we will explore what social engineering is, how it operates, and most importantly, how to mitigate the risks associated with it. By gaining a better understanding of social engineering, you will be better equipped to safeguard your organisation against its harmful effects.

Recent government reports have highlighted the alarming rise of cyber attacks on medium to large businesses in the UK. These attacks are estimated to cost an average of £19,400, which is a considerable amount for any organisation. However, this figure may not be entirely accurate, as many businesses do not report their breaches, making the actual cost potentially much higher. In light of this, ITRM recognises the need for businesses to take cyber security seriously. This blog aims to provide valuable insights into one common method of cyber crime: social engineering.

What is online social engineering?

Understanding Online Social Engineering:

Online social engineering refers to a malicious tactic employed by cyber criminals to exploit human vulnerabilities and gain unauthorised access to sensitive information. This technique typically involves the use of deceptive tactics, such as phishing scams and pretexting (creating a fake story), to trick unsuspecting targets into disclosing confidential data. By exploiting human error, cyber criminals can breach security defences and gain access to valuable assets, including financial accounts, personal data, and intellectual property.

How is online social engineering different to typical cyber attacks?

Online social engineering is a type of cyber crime that sets itself apart from other forms of cyber attacks as it exploits the vulnerabilities of end-users, typically employees, by misleading them into revealing sensitive information or performing some form of action that compromises security. Unlike a typical cyber attack where a hacker would breach an IT infrastructure remotely using malware, social engineering relies on human error and often involves psychological tactics such as manipulation, deception, and coercion. 

How does online social engineering work?

Online social engineering can come in many forms, we are going to delve into one of the most common methods used, Phishing. Phishing is a broad topic that has various sub-variants within it, such as Whaling, Spear-Phishing, Smishing, Quishing and many more ‘ings’, to learn about specific terminology, see here. 

Have you ever received an email or a message from someone that seemed suspicious? Well, this is called 'phishing' where cyber criminals try to manipulate people into revealing sensitive or important information by sending fake messages whilst impersonating someone else. 

Why do people fall victim to online social engineering?

As previously mentioned, social engineering relies directly on human error. The attack can utilise certain psychological traits that humans commonly respond to:

• Trust and authority - Employees are conditioned to listen to those who are more senior and complete tasks they may receive. Cyber criminals will use emails that appear to be the same as someone in power within your organisation. As an example, a "boss" could send you an email telling you to sign up for a webinar, in signing up, you have given your details to a criminal, endangering your credentials and your business.
• Limited-time offers - Have you ever received an email discount for 30% off a website or online shopping with a limited time/amount remaining? This tactic is employed by cyber criminals to rush a user into making a rash decision, upon clicking the link, you sign in to what you believe to be the website with a discount but end up giving your information to a cyber criminal.
• Social Proof - Cyber criminals will trick victims into believing they are yet to complete certain work surveys by including, for example, 'you are the only remaining member of staff to complete this survey'. This manipulates end-users into unwillingly giving away their sensitive information by creating a sense of urgency and pressure to finish it quickly.

What is a developed online social engineering attack?

Social engineering attacks are carried out using various methods, some of which are more sophisticated than others. A more developed attack often begins by targeting high-level employees, such as Financial Directors (FD), who are tricked into downloading spyware that infects their endpoint devices. 

In the event of an initial infection, the hacker may not launch an immediate malicious attack. Instead, they may opt to bide their time and closely observe the user's behaviour, such as their writing style and formatting preferences, as well as their typical invoicing practices. Over time, the hacker can amass a wealth of information about the user, including a list of their frequent contacts and the nature of their relationships with them. By building a comprehensive database of information about the Financial Director, the hacker can carefully plan and execute a more effective attack in the future.

Upon creating a comprehensive database of relevant information, they can use it to orchestrate a refined cyber attack. To do this, they can create a fake email address and send deceptive emails to a targeted list of individuals. An example of an email the hacker would send would be an invoice on a date that doesn’t raise suspicion with the money going to a different account. If these individuals are not well-educated in cyber security or if the correct security protocols are not in place, they may fall prey to the hacker's tactics and become victims of the attack.