Social engineering is the art of manipulating humans — but Chris Hadnagy calls it "hacking the human." And the president and CEO of Social-Engineer LLC has seen a lot of it while fighting the good fight to educate people about human manipulation for the past 16 years. These days, with lots of money to be made off of deception, social engineering criminals use modern tricks to gain access to information, money, or secure buildings.
"When it comes to human hacking, not much is different over the last couple thousand years," Hadnagy says. "But what we see [changing] is the way attackers are thinking through attacks."
So, too, are the technologies that are helping them be even more effective.
Research firm CyberEdge reports that the number of organizations hit with at least one successful social engineering attack per year is around 79%. And according to Proofpoint's recent "Human Factor" report, more than 99% of cyberthreats the company observed required human interaction to execute, signifying the importance of social engineering in successful cyberattacks against an organization.
"Individual users [are] the last line of defense," says Kevin Epstein, vice president of threat operations for Proofpoint. "To significantly reduce risk, organizations need a holistic, people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users."
Social Media 'Pretexting'
Even with increasing awareness about social engineering through education, social engineering continues to be very effective.
One of the reasons the stakes are higher now, and why social engineering is impacting so many, is because of social media, Hadnagy says. Spear-phishing messages, a common form of social engineering that targets a specific person, are often created using information collected from social media sites.
Hadnagy says a vast majority of spear-phishing messages now contain details from social media. "People put so much information on social media it is giving the attackers a leg up in developing pretexts for attacks," he says.
Snooping through social media accounts helps attackers craft a phony, but believable, reason (or "pretext") to approach their victim. Indeed, social media sites are now a playground for criminals looking for details they can use to pull off a variety of cons. Criminals create fake social media profiles to collect information from people they connect with in order to pretext. By learning more about their targets, attackers can later craft convincing messages and convince their targets to click on a malicious link or send money to a fake charity, for example.
"Impersonating legitimate accounts makes a scam seem much more realistic, so users are more likely to fall for scams that are posted by an account spoofing a credible person or organization," says Ashlee Benge, Threat Researcher at ZeroFOX. "An impersonating scam page may post a promotional link offering free or discounted items, linking to what is actually a phishing attack or a site containing some other malicious content."
Hadnagy says this social media pretexting technique is frequently used in business email compromise/email account compromise attacks. According to the FBI's latest report, BEC/EAC attacks cost Americans $1.3 billion in 2018, with some victims being hit for $50,000 at once.
Social media sites are also a place where scammers can cast a wide net and hope for the best. Creating malicious content around popular news stories is one strategy often employed.
"Often, scams shadow news cycles," Benge says. "Scammers use current events for inspiration, and we often see spikes in scams related to major world events. We also see spikes in domains registered related to current events. For example, immediately after the Capital One breach, we observed many new typosquatting domains registered related to the breach."
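The spike in look-alike domains Benge describes is something a defender can screen for. The following is an added example, not code from the article or from ZeroFOX: it checks a constructed list of newly registered domains against a watched brand name using homoglyph folding and edit distance. The brand list, the homoglyph table and the sample registrations are all assumptions made for illustration.

```python
# Constructed watchlist and homoglyph table; both are illustrative assumptions.
WATCHED_BRANDS = ["capitalone"]
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Constructed sample of "newly registered" domains, not real registrations.
NEW_REGISTRATIONS = [
    "capitalone.com",            # exact brand label: not flagged here
    "capita1one.com",            # digit-for-letter substitution
    "capita1one-breach.com",     # substitution plus an embedded keyword
    "capitalone-settlement.net", # brand embedded in a longer label
    "capitolone.com",            # one-character typo
    "weather-today.org",         # unrelated
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Lower-case, drop hyphens and fold common look-alike substitutions."""
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label

def registrable_label(domain: str) -> str:
    """Second-level label: 'capita1one-breach.com' -> 'capita1one-breach'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_lookalikes(domains, brands=WATCHED_BRANDS, max_distance=2):
    """Return (domain, brand, reason) for each domain resembling a watched brand."""
    hits = []
    for d in domains:
        label = registrable_label(d).replace("-", "")
        folded = normalize(label)
        for brand in brands:
            if label == brand:
                continue  # the brand's own label; ownership is checked elsewhere
            if folded == brand:
                hits.append((d, brand, "homoglyph substitution"))
            elif brand in folded:
                hits.append((d, brand, "brand embedded"))
            elif (dist := levenshtein(folded, brand)) <= max_distance:
                hits.append((d, brand, f"edit distance {dist}"))
    return hits
```

In practice the input would be a certificate-transparency or zone-file feed, and each hit is a lead for review rather than a verdict.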
Vishing & SMiShing
You've surely received these calls. "Hello, this is Microsoft support. Your computer is infected." Vishing, which is a scam that involves simply calling the victim to obtain sensitive information, is a massively popular way to target people, Hadnagy says.
"The phone – it is huge. Vishing vectors are being used in so many attacks. Calls to support phish, calls to get credentials, calls to breach a network," he said. "We have seen it all."
And while many of us are now using our mobile phones for much more than calls, social engineers are one step ahead, finding ways to exploit mobile phones and use them for scams in other ways.
SMS messages are now a common conduit for scams, ZeroFOX's Benge adds. Just like an emailed phishing message, a SMiShing ruse involves sending a link to a malicious site with the hopes that the recipient will click. SMS and messaging applications are just other avenues for social engineers to reach their mark.
Last Line of Defense
In response to this sophistication of social engineering attacks and the threat they pose to security in organizations, Hadnagy has been hosting his SEVillage as an adjacent event at multiple security conferences in recent years. SEVillage includes multiple tracks of education around social engineering, as well as capture-the-flag competitions for security professionals.
Next year, he is launching a national SEVillage event in Orlando, Florida, that builds on the concept he initially created. The objective is to move beyond security professionals and help people from all professional backgrounds to recognize and use social engineering in their daily life. It is education all kinds of people truly need, and the event will focus on learning and connecting with other people, Hadnagy says.
"Social engineering is the largest used vector today. How can we learn to defend? One of the ways is to learn to use and then recognize social engineering vectors in everyday life," he says.
Image via Wikipedia: Maquette Trojan Horse, used in the movie Troy, a gift from Brad Pitt to the Turkish town Çanakkale. Photo: Fredrik Posse, May 2006.

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.