How Cyber Criminals perform Social Engineering on you!
Social engineering is the craft of manipulating individuals into surrendering confidential information or access rights. Cyber criminals exploit the innate human tendency to trust and assist others. This method is often simpler and more direct than the complex task of hacking software. Understanding specific social engineering tactics is crucial to strengthen our defences.
A cybercriminal may use multiple steps to gain access to systems; these could include:
Reconnaissance: The attacker gathers information about the target. This could involve studying an organisation’s hierarchy or an individual’s social media activity to understand their interests and habits.
Reconnaissance is the initial phase in a social engineering attack, where the attacker conducts thorough research to collect as much information as possible about the target. This phase is akin to a predator observing its prey, meticulously noting habits, movements, and any potential vulnerabilities. In the digital world, this often translates into cyber criminals scouring various data sources to build a profile of the target organisation or individual.
For an organisation, attackers might study the company’s website, press releases, and any published reports to understand its structure, operations, and ongoing projects. They may also examine job listings to gain insight into the technologies the company uses and the types of roles they are looking to fill. LinkedIn is a treasure trove for such information, where attackers can identify key personnel, their roles, and even the nature of their professional relationships.
For an individual, the reconnaissance could involve a deep dive into social media platforms like Facebook, Twitter, or Instagram. Attackers look for posts that divulge personal interests, habits, daily routines, and even the individual’s network of friends and family. For example, an attacker might note when the target posts about being at certain locations, their favourite hobbies, or life events such as birthdays or anniversaries.
Let’s consider a scenario: A cyber criminal is targeting a financial institution. They begin by identifying the finance manager through the company’s LinkedIn page. Through careful examination of the manager’s LinkedIn activity, the attacker sees recent posts about a cybersecurity seminar they attended, indicating an interest in the subject.
Moving to other platforms, the attacker discovers the manager’s public Facebook profile, where they’ve posted about attending a local jazz festival, revealing a personal interest. The attacker also notices the manager frequently engages with posts from a specific charity they support.
Armed with this information, the attacker crafts an email tailored to the finance manager. It appears to be from a reputable cybersecurity publication the manager follows, offering an exclusive interview opportunity at an upcoming jazz event. The email includes a PDF attachment supposedly containing interview details but is, in fact, embedded with malware. Because the email aligns so closely with the manager’s interests and appears credible, the likelihood of the attachment being opened is high, potentially giving the attacker access to the financial institution’s network.
This example demonstrates how an attacker can use seemingly harmless information to craft a personalised and highly effective social engineering attack.
Pretexting: The attacker creates a credible story or scenario—like posing as IT support—to justify their need for certain information or access from the target.
Pretexting is a social engineering technique where an attacker creates a fabricated scenario or identity to manipulate the target into providing access to sensitive information or secure areas. This method relies on building a believable narrative that explains why the requested information or access is necessary. Here’s a detailed explanation and a step-by-step guide on how cyber criminals might employ pretexting:
Step 1: Creating the Backstory
The attacker invents a plausible scenario that will be used to approach the target. This backstory is crafted carefully to anticipate any questions or objections that the target might have. For example, the attacker may pose as an IT auditor conducting routine checks, a researcher gathering data for a survey, or a technician responding to a reported issue.
Step 2: Establishing Identity and Authority
Using the pretext, the attacker presents themselves as someone with the right to request sensitive information or access. They might forge official-looking documents, carry counterfeit ID badges, or create fake profiles on corporate directories to reinforce their false identity.
Step 3: Engaging the Target
The attacker approaches the target either via phone, email, or in person, depending on the scenario they’ve created. They introduce themselves in the context of their pretext, often dropping names of real employees or referencing actual events to bolster their credibility.
Step 4: Building Rapport and Trust
To lower the target’s defences, the attacker might engage in small talk or appear to empathise with the target’s workload or challenges. This human connection can make the target more amenable to providing what the attacker is asking for.
Step 5: Requesting Information or Access
Once a rapport is established, the attacker moves on to request the specific information or access they need. They will use the context of their pretext to justify why this request is reasonable and necessary. For instance, they might ask for login credentials to verify the target’s account is secure or request access to a restricted area to complete their ‘assigned task’.
Step 6: Overcoming Objections
If the target is hesitant or questions the request, the attacker is prepared to offer further justifications or evidence to support their story. They might name-drop supervisors, cite fake policies, or even pretend to call a higher authority for ‘verification’.
Step 7: Exiting the Interaction
After obtaining the desired information or access, the attacker concludes the interaction in a manner that leaves the least suspicion. They might thank the target for their help, promise to send a follow-up, or provide a timeframe for when the target can expect to see the results of the ‘work’ done.
Example of Pretexting in Action:
An attacker has chosen to target a financial firm for sensitive client data. They conduct research and discover the firm recently contracted an external IT company to upgrade their systems.
Step 1: The attacker decides to pose as a consultant from the IT company, stating they’re conducting follow-up audits on the recent upgrades.
Step 2: They create fake business cards and email signatures that match the IT company’s branding, and prepare answers to potential questions.
Step 3: The attacker sends an email to a targeted employee within the firm, introducing themselves and mentioning the upgrades as a pretext for their contact.
Step 4: During the exchange, they express understanding of the firm’s busy environment and the importance of the upgrades to the employee’s workflow.
Step 5: The attacker requests the employee’s login details to ‘ensure the upgrades were applied correctly to their account’.
Step 6: If the employee hesitates, the attacker reassures them by providing a contact number (which is actually directed to an accomplice) for verification.
Step 7: Once the details are obtained, the attacker assures the employee they will receive a report on the audit by the end of the week, thus ending the conversation without raising alarm.
This process shows how pretexting combines storytelling with manipulative tactics to deceive the target into compromising security. It is a powerful tool in a cyber criminal’s arsenal, exploiting human nature to trust and cooperate, especially when faced with seemingly legitimate authority or requests.
Initial Contact: This is made via phone, email, or in person. The attacker may use urgent or persuasive language to create a sense of urgency or authority.
The “Initial Contact” stage is where the attacker first reaches out to the target, using the insights gained during the reconnaissance phase to establish a connection. This contact is designed to build trust or exert pressure, leveraging human psychology to prompt the target into taking a desired action.
Here’s a detailed step-by-step breakdown of how an attacker might initiate contact through different methods, using urgent or persuasive language:
Via Email:
- Crafting the Message: The attacker composes an email designed to appear as though it’s from a legitimate, authoritative source, such as a bank, government agency, or a senior figure within the target’s own organisation. They will often use a similar email address, logos, and language to the entity they’re impersonating.
- Creating Urgency: The email will typically contain a message that creates a sense of urgency or immediate risk, such as a security alert or a problem with the target’s account that requires prompt attention.
- Call to Action: The target will be urged to take immediate action, such as clicking on a link to ‘verify’ their account information, or opening an attachment to view important details regarding the supposed issue.
Example: The finance manager receives an email alerting them that their corporate email account will be suspended due to unusual activity unless they ‘confirm’ their login credentials via a provided link.
Via Phone:
- Assuming an Identity: The attacker may pretend to be an IT technician or company executive. They’ll use technical jargon or organisational slang to appear credible.
- Conveying Authority: By speaking with confidence and using assertive language, the attacker conveys authority, pressuring the target to comply without question.
- Immediate Compliance: The attacker insists on the target’s immediate compliance, using phrases like “urgent issue” or “immediate action required,” often threatening consequences for non-compliance.
Example: The finance manager receives a call from someone claiming to be from the IT department, urgently requesting their password to prevent a critical system outage.
In Person (Tailgating):
- Physical Appearance: The attacker might dress in a way that blends in with the organisation’s environment or wears a convincing uniform.
- Feigning Familiarity: The attacker may drop names of known employees or reference specific company events to seem like they belong.
- Exploiting Politeness: They may carry heavy boxes or appear in a rush, prompting employees to hold doors open for them without requesting identification.
Example: An attacker, dressed like a courier, arrives at the finance manager’s office claiming they have a package that requires immediate personal attention, possibly containing sensitive documents.
In each of these methods, the attacker’s goal is to manipulate the target into providing access or information before the target has the chance to fully consider the risks or verify the legitimacy of the request. The successful execution of this phase is pivotal for the attacker, as it often determines whether the subsequent phases of their attack will proceed.
Exploitation: Leveraging the provided pretext, the attacker manipulates the target into divulging information or performing an action that compromises security, such as revealing passwords or granting network access.
Exploitation is the phase in a social engineering attack where the attacker capitalises on the trust or authority established through pretexting to coerce the target into divulging confidential information or compromising security protocols. The success of this phase relies on the attacker’s ability to manipulate the conversation and influence the target’s actions. Here’s a detailed explanation and a step-by-step example of exploitation by a cybercriminal:
Step 1: Reaffirming the Pretext
The attacker begins the exploitation phase by reinforcing the fabricated scenario established during pretexting. They may restate their supposed role, purpose, and urgency of the situation to remind the target of the necessity of their request.
Step 2: Creating a Sense of Obligation or Duty
The attacker often implies that by assisting, the target is fulfilling their duty or helping to resolve an important issue. This plays on the target’s desire to be helpful and cooperative, especially within a work context where failing to assist could be seen negatively.
Step 3: Applying Pressure
If the target hesitates or questions the request, the attacker may apply pressure by suggesting negative consequences of non-compliance, such as security breaches, audit failures, or personal repercussions for the target.
Step 4: Guiding the Action
The attacker precisely instructs the target on what to do, making the process seem simple and harmless. For revealing passwords, they may direct the target to a phishing website; for granting access, they might ask them to hold a door or disable a security feature.
Step 5: Providing Reassurance
Throughout the process, the attacker provides reassurance to alleviate any concerns the target may have. They confirm that the target’s actions are correct, normal, and appreciated, which helps to further lower the target’s guard.
Step 6: Rewarding Compliance
After the target complies, the attacker offers praise or gratitude, which not only solidifies the action taken but also sets the stage for potential future interactions or requests.
Step 7: Disengaging
The attacker ends the interaction in a manner that leaves no room for immediate reflection or doubt. They may suggest that they will follow up with confirmation emails or calls, or that the target will see the benefits of their action soon.
Example of Exploitation in Action:
An attacker, having already established a pretext as a member of the IT department conducting security checks, moves to exploit an employee’s trust.
Step 1: The attacker calls the target employee, reminding them of the ongoing ‘security protocol updates’ they mentioned in a previous interaction.
Step 2: They express gratitude for the employee’s cooperation and emphasise the importance of their role in maintaining the company’s cybersecurity.
Step 3: The attacker suggests that a failure to update security details promptly could result in vulnerabilities that would be the employee’s responsibility.
Step 4: The attacker directs the employee to a website that mirrors the company’s internal portal and instructs them to enter their login credentials to ‘complete the security update’.
Step 5: When the employee types in their details, the attacker reassures them that they’ve done the right thing and that their prompt action has helped secure the company’s data.
Step 6: The attacker thanks the employee profusely, reinforcing the idea that they’ve made a significant contribution to the company’s security.
Step 7: The attacker quickly ends the call, claiming they must proceed with checks for other departments, leaving the employee with no immediate reason to question the interaction.
By executing these steps, the attacker skillfully manipulates the target into compromising their own security and potentially the security of the entire organisation. The attacker’s smooth transition from pretexting to exploitation relies on psychological manipulation, making the target feel involved, important, and convinced that they are making the right decisions.
To counter these threats, organisations employ a multi-faceted approach combining technology and awareness. Vigilance is key, with employees trained to recognise suspicious communications, dubious offers, and to maintain a healthy scepticism of unsolicited aid requests.
Execution is the culminating phase of a social engineering attack, where the cybercriminal uses the information or access obtained through exploitation to achieve their ultimate goal. This could involve data exfiltration, financial theft, system sabotage, or establishing a long-term presence within the target’s network. The success of the execution phase depends on the cybercriminal’s ability to carry out their plans discreetly and efficiently to avoid detection. Here’s a detailed explanation and a step-by-step example:
Step 1: Confirmation of Access or Information
The cybercriminal first verifies that the access or information they have acquired is valid and meets their needs for the intended action. This might involve logging into the system using the credentials obtained or accessing the restricted area they’ve gained entry to.
Step 2: Establishing a Foothold
Once access is confirmed, the cybercriminal works to establish a foothold within the system. This could involve creating backdoor accounts for future access, planting malware that can spread across the network, or identifying additional systems they can compromise.
Step 3: Avoiding Detection
Cybercriminals employ various techniques to avoid detection, such as executing their actions during off-hours, mimicking legitimate network traffic, or using encryption to hide their data exfiltration activities.
Step 4: Achieving the Objective
With their foothold established and detection-avoidance measures in place, the cybercriminal moves to achieve their objective. They may begin transferring funds, exfiltrating sensitive data, or disrupting services, depending on their goal.
Step 5: Maintaining Access
In many cases, cybercriminals will seek to maintain access for future exploitation. They may leave behind tools or malware that allow them to return to the compromised system undetected.
Step 6: Covering Tracks
After executing their intended action, cybercriminals often take steps to cover their tracks. This could involve deleting logs, using misdirection tactics, or planting false evidence to implicate another party.
Step 7: Exit Strategy
Finally, the cybercriminal implements their exit strategy, which involves removing any tools or malware that could be used to trace back to them, and disconnecting from the compromised system in a way that doesn’t raise alarms.
Example of Execution in Action:
An attacker, having obtained the finance manager’s credentials through pretexting and exploitation, proceeds to execute their plan.
Step 1: They log into the financial system using the manager’s credentials late at night to avoid attracting attention.
Step 2: Once in the system, they create a hidden account with administrative privileges for unfettered future access.
Step 3: To avoid detection, they use a VPN and tools that mimic legitimate user activity patterns.
Step 4: They initiate a transfer of funds to an offshore account, staggered over a period to avoid large, suspicious transactions.
Step 5: They install a remote access trojan to maintain a presence in the system for potential future thefts.
Step 6: The cybercriminal clears their activity from the server logs and uses a timestamp-altering tool to set file access times to before the attack commenced.
Step 7: They disconnect from the system, ensuring that no active connections can be traced back to them at the time of discovery.
To ensure success, cybercriminals may use additional tactics such as social media manipulation to create distractions, employ anti-forensic techniques, and leverage encrypted channels for communication and data exfiltration. They may also use psychological manipulation to discourage the target from reporting the incident or to delay the target’s realisation that they’ve been compromised. It’s a meticulous process that often requires patience, precision, and a thorough understanding of both technology and human psychology.
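The execution example above lists behaviours a defender can look for in audit logs. The following detections are an added example, not code from the original article: they parse a constructed log (the line format, business-hours window, thresholds and every account, host and destination in the sample are assumptions) and flag an off-hours login from an unfamiliar address, creation of an administrative account, a timeline that runs backwards or has a long hole, and a series of sub-threshold transfers.

```python
# Detections for the execution-phase signals described above (off-hours
# login, new privileged account, tampered timeline, staggered transfers).
# Constructed example, not from the original article: the log format,
# the business-hours window, the thresholds and the sample lines are assumptions.
import re
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 19)        # assumed 08:00-18:59 local time
MAX_SILENCE = timedelta(hours=12)    # assumed: a longer hole in an always-on audit log
STRUCTURING_LIMIT = 10_000           # assumed reporting threshold for a single transfer
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")   # "<ISO time> <EVENT> k=v k=v ..."

# Constructed audit trail; hosts, accounts and the destination are placeholders.
SAMPLE_LOG = """\
2024-03-04T09:12:03 LOGIN user=fin.manager src=10.0.4.21
2024-03-04T12:30:44 FILE_READ user=fin.manager path=/finance/q1.xlsx
2024-03-04T17:45:10 LOGOUT user=fin.manager src=10.0.4.21
2024-03-04T23:41:52 LOGIN user=fin.manager src=198.51.100.7
2024-03-04T23:44:09 USER_CREATE user=fin.manager target=svc_backup role=admin
2024-03-04T23:50:30 TRANSFER user=fin.manager amount=9800 dest=ACCT-PLACEHOLDER
2024-03-05T00:20:11 TRANSFER user=fin.manager amount=9700 dest=ACCT-PLACEHOLDER
2024-03-04T21:05:00 FILE_WRITE user=fin.manager path=/finance/q1.xlsx
2024-03-05T08:58:00 LOGIN user=j.smith src=10.0.4.30
"""

def parse(text: str) -> list:
    """One dict per line: ts (datetime), kind, plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events

def off_hours_logins(events):
    return [e for e in events if e["kind"] == "LOGIN" and e["ts"].hour not in BUSINESS_HOURS]

def privileged_account_creation(events):
    return [e for e in events if e["kind"] == "USER_CREATE" and e.get("role") == "admin"]

def timeline_anomalies(events):
    """In an append-only log, a backwards timestamp or a long silence suggests
    altered times or deleted entries."""
    issues = []
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] < prev["ts"]:
            issues.append(("out_of_order", cur))
        elif cur["ts"] - prev["ts"] > MAX_SILENCE:
            issues.append(("gap", cur))
    return issues

def structured_transfers(events, window=timedelta(hours=24)):
    """Per user: several sub-limit transfers whose sum crosses the limit inside the window."""
    by_user = {}
    for e in events:
        if e["kind"] == "TRANSFER" and float(e["amount"]) < STRUCTURING_LIMIT:
            by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, tx in by_user.items():
        run = [e for e in tx if e["ts"] - tx[0]["ts"] <= window]
        total = sum(float(e["amount"]) for e in run)
        if len(run) >= 2 and total >= STRUCTURING_LIMIT:
            hits.append((user, len(run), total))
    return hits

def run_detections(text: str) -> list:
    ev = parse(text)
    out = [f"off-hours login by {e['user']} from {e.get('src')} at {e['ts']}"
           for e in off_hours_logins(ev)]
    out += [f"admin account {e['target']} created by {e['user']}"
            for e in privileged_account_creation(ev)]
    out += [f"timeline {kind}: {e['kind']} at {e['ts']}" for kind, e in timeline_anomalies(ev)]
    out += [f"{u} made {n} sub-limit transfers totalling {t:.0f}"
            for u, n, t in structured_transfers(ev)]
    return out
```

Each detector is independent, so a SIEM rule can be built from any one of them; the timeline check only makes sense on logs that are written in arrival order.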
Digital Signatures and Document Management:
- Adobe Acrobat Reader DC: Widely used for PDF documents, Adobe Acrobat allows users to add digital signatures with timestamp information, ensuring the authenticity and integrity of the document.
- DigiStamp: Offers digital timestamping services to ensure the integrity and time of creation of digital documents.
- GlobalSign: Provides digital signing services with timestamping for various documents, ensuring legal and regulatory compliance.
Software Development and Version Control:
- Git: A version control system used in software development. It automatically timestamps commits, helping developers track changes and the history of their project.
- Subversion (SVN): Another version control system that timestamps each modification made to the codebase, useful for tracking changes and rollbacks.
Data Backup and Synchronisation:
- Time Machine (macOS): Apple’s backup software that uses timestamping to catalog backups, allowing users to restore files from specific points in time.
- rsync: A command-line tool used for backups and file synchronisation on Unix/Linux systems, which can preserve file timestamps during transfers.
Security and Compliance:
- Security Information and Event Management (SIEM) Systems: Tools like Splunk or IBM QRadar use timestamping to log security events, which is crucial for incident analysis and compliance with regulations like GDPR or HIPAA.
- Blockchain Technology: Used for creating secure, timestamped records of transactions or data entries, ensuring transparency and security in various applications like finance and supply chain management.
Let’s examine common social engineering attacks:
1. Baiting
How it’s done:
- Preparation: Cybercriminals prepare a bait, such as a USB drive, which is embedded with malware. The USB is made to look appealing, often labeled with enticing terms like “Confidential” or “Bonuses”.
- Placement: The bait is left in a location where potential victims are likely to find it, such as a company parking lot, a cafeteria, or a public bench.
- Wait and Exploit: When an individual finds and uses the bait (e.g., plugs the USB into a computer), the malware automatically installs itself, giving attackers access to the victim’s device.
Protection Measures:
- Educate employees about the dangers of using unknown USB drives.
- Implement a policy against using external storage devices on company computers.
- Use antivirus and anti-malware software that can detect and quarantine malicious payloads.
2. Phishing
How it’s done:
- Crafting the Message: Attackers create emails or messages that mimic legitimate sources, such as banks, service providers, or company executives.
- Incorporating Triggers: The message includes a sense of urgency or a compelling call to action, like clicking on a link or opening an attachment.
- Collecting Information: If the recipient follows the instructions, they are typically led to a fake website where they enter sensitive information, which the attackers then collect.
Protection Measures:
- Train staff to recognise phishing attempts, focusing on scrutinising email addresses and the content for legitimacy.
- Implement email filtering solutions to catch phishing attempts.
- Encourage the use of multi-factor authentication, reducing the impact of compromised credentials.
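The red flags listed in the “Via Email” section and in this phishing section can be turned into checks that an email filter runs before a message reaches the finance manager. The scorer below is an added example, not code from the original article: it flags a look-alike sender domain, a display name that borrows a trusted brand, a Reply-To diverted to another domain, urgency phrases, and link text that hides the real destination. The trusted-domain list, the phrase list and the two sample messages are assumptions.

```python
# Heuristic scorer for the email red flags described above. Constructed
# example, not from the original article: the trusted-domain list, the
# urgency phrases and the sample messages are assumptions.
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}   # assumed allow-list
URGENCY_PHRASES = ("immediate action required", "urgent", "will be suspended",
                   "verify your account", "confirm your login", "within 24 hours")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution turns examplebank.com into examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (distance 1 or 2), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < levenshtein(domain, trusted) <= 2:
            return trusted
    return None

def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def score_email(headers: dict, body: str, links: list):
    """Return (score, reasons). links are (anchor text, href) pairs."""
    score, reasons = 0, []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    target = lookalike_of(from_domain)               # 1. look-alike sender domain
    if target:
        score += 3
        reasons.append(f"sender domain {from_domain} resembles {target}")
    if from_domain not in TRUSTED_DOMAINS:           # 2. display name borrows a brand
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name.lower():
                score += 2
                reasons.append(f"display name {name!r} impersonates {trusted}")
                break
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        score += 2                                   # 3. replies diverted elsewhere
        reasons.append("Reply-To domain differs from From domain")
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:                                         # 4. pressure language
        score += len(hits)
        reasons.append(f"urgency phrases: {hits}")
    for text, href in links:                         # 5. link text hides the real host
        if host_of(text) in TRUSTED_DOMAINS and host_of(href) not in TRUSTED_DOMAINS:
            score += 3
            reasons.append(f"link text {host_of(text)} hides href host {host_of(href)}")
    return score, reasons

# Constructed sample messages; every address and host is fictional.
SAMPLE_PHISH = {
    "headers": {"From": "ExampleBank Security <alerts@examp1ebank.com>",
                "Reply-To": "support@mail-verify.example.net"},
    "body": "Your account will be suspended unless you confirm your login "
            "within 24 hours. Immediate action required.",
    "links": [("https://examplebank.com/verify", "http://examp1ebank.com/login")],
}
SAMPLE_LEGIT = {
    "headers": {"From": "Payroll <payroll@example-corp.com>"},
    "body": "The monthly report is attached for your review; no action is needed.",
    "links": [("intranet", "https://example-corp.com/reports")],
}
```

The score is additive so a single weak signal (one urgency phrase in a legitimate reminder) stays below any sensible quarantine threshold, while the stacked signals of the constructed phish add up to 14.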
3. Quid Pro Quo
How it’s done:
- Offering the Bait: Attackers offer a service or benefit in exchange for information or access. For instance, they might pose as an IT service provider offering to fix a non-existent problem.
- Fulfilling the Exchange: Once the victim agrees, they are asked for something in return, like login credentials or direct access to their system.
- Exploitation: The attacker uses the provided information or access for malicious purposes, often unbeknownst to the victim.
Protection Measures:
- Advise employees never to share sensitive information or credentials, even if the offer seems legitimate.
- Verify the authenticity of the offer through independent channels.
- Regularly remind staff about common quid pro quo scams.
4. Tailgating
How it’s done:
- Identifying a Target: Attackers choose a secure location they want to access and wait for an opportunity, such as an employee entering the building.
- Gaining Access: They follow closely behind the authorized person, often carrying items to appear busy or using social skills to engage in conversation.
- Exploiting Access: Once inside, they can plant devices, steal information, or gain insights into company security practices.
Protection Measures:
- Implement strict access control measures and physical security protocols.
- Train staff to be aware of tailgating and challenge unfamiliar individuals.
- Use security personnel and surveillance systems to monitor entry points.
5. Watering Hole
How it’s done:
- Identifying the Target Group: Attackers choose a specific group they want to target and identify websites or services commonly used by this group.
- Compromising the Website: They then infect these websites with malware.
- Exploiting the Users: When members of the target group visit the compromised site, their devices become infected, allowing attackers to steal information or gain further access.
For further reading about data exfiltration, please see the learning hub.
Protection Measures:
- Encourage the use of up-to-date browsers and antivirus software that can detect and block malicious websites.
- Educate users on the risks of accessing unsecured websites.
- Regularly audit and monitor network traffic for unusual activities.
By understanding these tactics and implementing these protective measures, individuals and organisations can significantly reduce their risk of falling victim to these common cybercriminal techniques.
To mitigate these risks, comprehensive security training is paramount. This includes instructing staff to scrutinise emails for anomalies, refrain from oversharing on social media, and question anything that seems too good to be true. Furthermore, technological safeguards like firewalls, multi-factor authentication, and email filtering add layers of defence.
Security training should extend to customers, informing them about these risks and encouraging the adoption of safe practices. Security analysts play a pivotal role by testing systems and setting best practice standards.
In conclusion, social engineering relies on human error—misplaced trust and unguarded kindness. Recognising the subtleties of these tactics and instilling a culture of security-mindedness is crucial in fortifying against such breaches.
For further information on the latest trends and protective measures against social engineering, resources such as the SANS Institute’s ‘OUCH!’ newsletter and the ‘Scamwatch’ platform are invaluable. They offer monthly updates and tools to identify, avoid, and report these insidious schemes.
