Social engineering is a particularly wily way to attack someone.
This type of attack plays on people being people, with all our different motivations, behaviours, and social expectations. Social engineers appeal to our emotions, our sense of urgency, and sometimes even our desire to be a good person.
Social engineering is an attack technique that plays on human behaviour and error to get private information, access, or valuables. Attackers aim to understand what motivates people's actions, and then use that understanding to deceive and manipulate them. While social engineering attacks often happen online, they can also happen in person or through other channels like phone or text message.
This week we’ve added a module on social engineering to SafeStack Academy's Security Awareness training for small businesses. No one wants to be the target of a social engineering attack, so we hope this module will add to your cyber security toolkit by helping you learn what to look out for and how to react.
One of the most important things to remember is that social engineering attacks can happen to anyone — even cyber security experts. SafeStack security specialist Toni shares her story below, along with her number one tip for dealing with a potential attack.
Unsettling emotions and how social engineers use them
You know that feeling you get when you forget to do something important? Maybe your boss asked you to do something but it slipped your mind, or you had a hectic day and missed a meeting invite from your coworker.
In that initial moment of panic your body reacts, flooding your system with adrenaline. Your heart catches in your throat, your pulse races, your palms start to sweat. It’s not a fun time.
I got that feeling the other day when I was looking through my emails. Every now and then, I check my spam folder to make sure everything in there is actually spam and I haven’t missed something I need to respond to.
And there it was: an email from our CEO, Laura Bell. In fact, two emails from Laura Bell.
Oh no, what had I missed?!
The panic hit instantly. Not because Laura is a tyrant who would be angry at me for missing emails — she’s a lovely and understanding person.
I was worried because I hold myself to a high standard, and I care about doing a good job. Sound familiar?
Also, I’m new(ish) to SafeStack, so I don’t yet know all the possible ways Laura might communicate with me. We use chat for most team communications, so even though Laura asking me to do something by email is extremely unlikely, it seemed legitimate in that moment of panic.
But then I looked closer. These were not genuine emails from Laura.
They were a great example of a social engineering attack, in the form of phishing emails. These crafty little emails were designed to get my attention, create a moment of blind panic, and lure me into interacting with an attacker.
There were three clues that tipped me off.
- The first clue, of course, was that they were in my spam folder (good job, Gmail).
- The second clue was that it’s very unlikely that Laura would communicate with me in this way, considering we have regular chat channels that our team is available in.
- I saw the third clue when I opened one of the emails. The sender’s details were wrong, saying “Laura Bell <stosto1234@<redacted>”.
Social engineers use our emotions and motivations to their advantage. In this case, the attacker was playing on my motivations of wanting to be a good employee who’s responsive to their boss.
The email was short, to the point, and wanted me to interact with it in some way. The goal was probably for me to reply to it, as this would show I'm available and open to more sophisticated phishing attacks.
I don’t know for sure, because I didn’t take it any further than this. Instead, I reported it as a phishing attempt to my company, deleted it, and moved on.
I knew that was the right thing to do and I felt comfortable doing it — but even as a trained and experienced cyber security professional, this email still successfully exploited my emotions. This can happen to anyone, and it’s nothing to feel ashamed of. The people running these attacks put a lot of thought and effort into getting you to do what they want.
Which brings me to my number one piece of advice for situations like this: ask questions.
- Why was this sent to my spam folder?
- Why would our CEO communicate with me this way?
- What email address is this from?
These questions saved me from being exploited by this attack.
Running through them also made me pause and think before I took any action. The email was designed to dial my emotions and my sense of urgency all the way up — it was “from” my boss, and she needed me to do something “immediately”. Heightening emotion and urgency are two key ways an attacker could push me towards taking impulsive action before considering the risks. By slowing down and thinking, I was doing the opposite of what they wanted.
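The three clues and the three questions above are exactly the checks a mail-triage script can run before a person ever sees the message. The Python below is an added example, not SafeStack's tooling or the emails from the story: it parses a message, compares the display name against an assumed directory of known senders, flags external domains, urgency language and a mismatched Reply-To, and returns a triage decision. The sender directory, company domain and both sample messages are constructed for the example.

```python
"""Added example: triaging a suspected display-name-spoofing email.

The checks mirror the questions in the post (why would this person contact me
this way? what address is this from?) plus the urgency cue. Every name, address
and domain below is constructed for the example; none is SafeStack's real data.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed directory: display name -> the address that person actually sends from.
TRUSTED_SENDERS = {
    "laura bell": "laura@safestack.example",
}
# Assumed set of domains the organisation owns.
COMPANY_DOMAINS = {"safestack.example"}

# Phrases that push the reader toward acting before thinking.
URGENCY_PHRASES = ("immediately", "urgent", "asap", "right away", "are you available")


def analyse_message(raw_message: str) -> list[str]:
    """Return a list of finding codes for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, address = parseaddr(str(msg.get("From", "")))
    display_name = display_name.strip().lower()
    address = address.strip().lower()
    domain = address.rpartition("@")[2]

    # 1. A name we know, but not the address that person really uses.
    known_address = TRUSTED_SENDERS.get(display_name)
    if known_address is not None and address != known_address:
        findings.append("display-name-impersonation")

    # 2. Message presents as internal traffic but comes from outside our domains.
    if domain not in COMPANY_DOMAINS:
        findings.append("external-domain")

    # 3. Language designed to dial urgency up.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(phrase in body for phrase in URGENCY_PHRASES):
        findings.append("urgency-language")

    # 4. Replies silently routed somewhere other than the visible sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].strip().lower()
    if reply_to and reply_to != address:
        findings.append("reply-to-mismatch")

    return findings


def triage(raw_message: str) -> str:
    """'report' for a likely impersonation, 'review' for weaker signals, 'ok' otherwise."""
    findings = analyse_message(raw_message)
    if "display-name-impersonation" in findings:
        return "report"
    if findings:
        return "review"
    return "ok"


# Constructed samples, not the actual emails from the post.
PHISHING_SAMPLE = """\
From: Laura Bell <stosto1234@mail-freebie.example>
To: toni@safestack.example
Subject: Quick task

Toni, are you available? I need you to handle something immediately.
"""

GENUINE_SAMPLE = """\
From: Laura Bell <laura@safestack.example>
To: toni@safestack.example
Subject: Team update

Hi Toni, sharing the notes from today's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, triage(sample), analyse_message(sample))
```

The display-name check is the one that matters most here: a familiar name over an unfamiliar address is the pattern the spam filter caught, and it is the question "what email address is this from?" expressed as code. The other signals are weaker on their own (plenty of legitimate mail is external or urgent), so they only raise the message for review rather than an outright report.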
What social engineering can look like in the real world
Emails are a common vehicle for social engineering attacks, but they also happen in real life. Asking questions helps here, too.
Imagine you work in a company with a team big enough that you couldn’t possibly know every single person who works there. This might be your reality.
One day, you’re walking into your building, which is locked and accessible only to people with staff badges. A heavily pregnant person rushes up to you, balancing a tray of coffees and with a couple of bags on each shoulder.
The considerate thing to do is hold the door open and let them go in front of you, right?
It is. It’s also exactly what an attacker who’s trying to get into a confidential area would want you to do. If you did this, the attacker now has access to your workplace, and they didn’t even have to flash an ID badge.
“But I don’t want to be rude and suspicious!” you say. Good news: you don’t have to be.
All you have to do is be friendly and ask a couple of questions.
Here are a few things to try.
- Say hi and offer to hold their bags or coffees while they get their access card or ID badge out.
- If they don’t have one, they could be a legitimate visitor. You can find that out by politely asking who they’re there to see.
- You can also offer to walk them to reception, where the staff can call ahead to the person the visitor is meeting with.
The visitor might try to convince you there’s no problem in letting them in. Be friendly but assertive, and remember you can be helpful without letting them go places they shouldn’t be going.
It can be tempting to skip your company’s security procedures because you want to be helpful — especially if you’re in a rush or you have other things on your mind — but those procedures are there for a reason. Spend a few extra minutes to make sure you follow them.
But wait, there's more
While we’re on the topic, here are a couple of other types of social engineering attacks to keep an eye out for.
- The “too good to be true” giveaway or offer. If it’s too good to be true, it probably is. Also known as a quid pro quo attack, this one involves you providing personal information in exchange for a reward. It works because you feel like you’re getting something valuable in return for giving away something minor — but the attacker just takes your information (which is probably not as minor as you think it is) and you get nothing.
- Pretexting attacks. This is a more sophisticated one. You still get a phishing email, but before you get it, you’ve had a phone call that sets up the email. The caller establishes a story or relationship that makes you more likely to open the email and interact with it. You might even feel trusting enough to take a sensitive action that the email asks for, like making a payment.
I'm never interacting with anyone again
Now you have some ideas of how a social engineering attack could land in your world, you might feel like the best course of action is to be completely suspicious of everyone all the time (or hide under a blanket forever).
But there’s no need to lose faith in humanity. Just ask more questions.
No matter what the specific situation is, the attacker probably hasn’t thought of everything. Your questions will confirm that everything is a-okay, or they’ll uncover a social engineering attempt.
Either way, you’ll be glad you asked.
Ready to learn more about social engineering?
SafeStack Academy’s Security Awareness training programme is designed to make you and your team safer and more secure online. We add new modules each month, and this month’s module is all about social engineering. Like all our modules, it’s full of practical tips you can put into practice right away.
What's in the module?
This module gets learners thinking about how social engineers collect information and use it to weave a credible story, playing on people’s emotions and making them more likely to take actions that serve the attacker’s purposes.
Learners will build their awareness of social engineering, putting them in a better position to spot attempted attacks and avoid falling into traps.
Among other things, our Social Engineering module covers:
- How social engineering attacks work
- Different attack techniques and how social engineers gather information
- Practical tips for spotting a possible social engineering attempt and what to do if you think you’re being targeted.
As with all our Security Awareness modules, this one only takes a few minutes to work through, and brings together interactive activities and quizzes to make sure you get the most out of your learning.
You’ll also get a printable summary of the module for easy reference whenever you need it.
Who is this module for?
Everyone. We don’t mean to spook you, but social engineering attacks can happen to anyone. Knowing what to look out for and how to react is useful for all of us.
We love to hear from you
We hope this module gets you and your team thinking about social engineering and how to spot attempted attacks. We'd love to hear your feedback. Get in touch on firstname.lastname@example.org and let us know what you think.