Hacking humans: Devious tricks attackers use to infiltrate via employees

When we hear the word “hacking” we typically imagine a hooded bad guy coding in a dark room, using cyber skills to breach technical systems and networks.

But what if we told you that 80-95% of all computer attacks begin with the hacking of a human being? That’s right, hacking human beings (a.k.a. social engineering) is usually “phase one” of any cyberattack. This doesn’t require so many technical skills but rather a clever understanding of how human nature responds to phishing lures.

What is Social Engineering? 

Social engineering is a technique used by threat actors to trick online users into revealing sensitive information (such as passwords) or convince them to perform an action (such as clicking a link) that ends up compromising an identity, a system or network.

While email phishing is probably the most popular form of social engineering, other forms are also on the rise such as smishing (SMS text phishing), quishing (QR code phishing), BEC (business email compromise), and vishing (voice phishing).

How Do Social Engineering Attacks Work?

Regardless of medium or method (email, voice, text) social engineering attacks are typically executed using the following steps:

1. Conducting Reconnaissance

Just like an investigator that surveys, monitors or observes a potential target -- who they meet, where they spend time, where they live, etc., attackers too will often do background research on their targets.

This includes combing through social media profiles (checking their social media interactions, mentions and connections), learning about their colleagues, friends and family members; obtaining their contact information and finally using tools like open source intelligence (OSINT) to uncover vulnerable and exploitable assets that they can target or operationalize. 

2. Designing a Pretext

Just like in the old movie “The Talented Mr. Ripley” where a con-artist crafts a fake story to convince everyone that he’s the son of a shipping tycoon, attackers too will create situations or stories to dupe their targets. It can be anything from a discount code to an investment opportunity, from a “verify your email” notification to a notification highlighting expiration of a service or password; or even a phone call from an alleged friend to an unexpected call from the IT helpdesk.

3. Creating Trust

The success of any social engineering attack hinges on the attacker’s ability to win trust. Threat actors will often impersonate known individuals or organizations; create a look-alike domain (microsft.com) or a fake website that bears the same look and feel as the original.

They’ll create a social media handle that bears the same name and profile photo of an impersonated individual. They’ll even walk the extra mile by adding fake connections or followers, to make the profile seem more authentic and trustworthy.

Cybercriminals are also alarmingly employing generative AI tools to establish trust, cloning voices and superimposing faces on videos (a.k.a., “deepfakes”) to develop new and powerful ways of establishing trust.

4. Exploiting Human Emotions to Hit Home

It’s common for con artists to exploit human emotions to cement a relationship or convince a potential target to do something. Similarly, cybercriminals will harness human emotions like fear, lust, greed, sympathy, impatience, as part of their social engineering campaign to win their target’s interest and attention and improve their chances of success.

Threat actors also take advantage of cognitive biases and the fact that we are judgmental and fairly predictable. 

How to Reduce the Risk
of Social Engineering

As generative AI matures, social engineering attacks will become more exploitive than what we see today. Here are some tips and best practices that can help mitigate the threat:

* Invest In Security Training, Not Awareness: You don’t want people to just be aware of social engineering risks, you want to alter their online behaviors. Using phishing simulation programs and hands-on workshops, organizations can bolster security instincts in employees, teach them how to identify red flags and get them habituated to reporting phishing attacks to IT.

* Make Training Fun, Engaging And Rewarding: Only one in ten people retain their cybersecurity training. To improve retention, engagement and interest, it would be advisable to use incentives and gamification (puzzles, games, contests) to improve employee motivation and build a positive culture of security. Studies show that arrogance, fear and punishment can lead to a toxic security culture. 

* Have Clear Policies And Processes: It’s important that organizations articulate clearly what is expected from employees. Similarly, employees must have a clear understanding of their responsibility and accountability towards cybersecurity. In addition, employees should know how to proceed and whom to contact if they encounter a threat.

* Leverage Technical Controls: Use phishing-resistant multi factor authentication (MFA) to reduce the risk of identity theft. Provide commercial password managers to employees so they can avoid password reuse and create complex passwords. Patch tools and systems regularly to mitigate vulnerabilities.

* Use OSINT Tools To Reduce Exposure: Adopt a more proactive approach to security by using OSINT tools to understand the digital footprint of an organization as well as their employees. Free sites like haveibeenpwned.com can help companies teams discover if their employee credentials have been breached online.

Human beings make mistakes falling for clever social engineering and phishing scams, but we’re also quick leaners, intuitive and adaptable. If organizations work towards strengthening security intuition and culture, this can help defend against social engineering attacks.