We Are Only Human - Why Social Engineering is Critical to the Hackers


In this blog post, we will delve into the subject of social engineering in the context of cyber security training. This post aims to provide an overview of the topic, engage in a meaningful discussion, highlight relevant training resources, and introduce the authors (by which I mainly mean “Security Awareness Trainers”) who bring their expertise to the table.


1. Overview of Social Engineering:

“Social engineering” has become a well-used term in the context of information security. The term social engineering refers to the psychological manipulation of people into performing actions and divulging often confidential, or at least personal information. Attackers use social engineering techniques to exploit human vulnerabilities and gain unauthorised access to systems, networks or sensitive data. To best prepare ourselves to withstand these attacks, it is important that we understand the key aspects of social engineering.

For a working definition, we are using “a manipulation technique that exploits human vulnerabilities”. The attacks we see are varied but regularly include: phishing, in the form of deceptive emails or messages that appear to be from a trusted source, tricking the recipient into revealing sensitive information or clicking on malicious links; pretexting, or creating a false scenario (pretext) to gain the recipient’s trust, often by pretending to be someone they’re not; baiting, by leaving physical devices such as USB drives in places that entice us into using them, thereby compromising our systems; and impersonation, pretending to be a colleague, customer services representative or authority figure to manipulate individuals into providing information or performing actions.

Social engineering relies on psychological tactics to exploit human behaviour. The common tactics we see are:

  • Authority, exploiting our natural tendency to comply with requests from line management and authority figures;
  • Urgency, to provoke action without critical thinking;
  • Building trust;
  • Reciprocity, offering something of value in exchange for co-operation.

Of course, the consequences can be severe, including data breaches, financial loss and reputational damage. If you are reading this article, you are more than likely aware that socially engineered attacks remain the most successful attack vector, despite increased awareness, the availability (and implementation) of improved security measures, and the frequent reporting of the latest social engineering tactics across all forms of media. The main reason why it is still so successful, and such a recurring topic for cyber awareness leaders, is almost certainly that the message is not repeated frequently enough, nor in a manner that is easily understood and naturally acted upon. We all make mistakes, on at least a daily basis, with many things in our lives. Using the internet, which is filling more and more of our daily lives, is just another thing whose familiarity can lead to contempt. It does not help that the internet’s greatest strength, its speed, is also its greatest cause of weakness.


2. Discussion:

Let’s have an in-depth look at the topic. The top lines are probably well known to you. Nevertheless, thousands of internet users still fall foul of them, so I make no apology for returning to well-trodden ground. There are crucial practices that need to be implemented and/or reinforced, both for the workforce and for your nearest and dearest. Top of the list: be careful what you share.

Be careful what you share

One of my favoured openings at cyber security talks is to ask my audience to introduce themselves to their neighbour by their porn-star name. You will have seen this on several social media sites 10-15 years ago and earlier: combine the name of your first pet with your mother’s maiden name. Once the initial embarrassment has passed, most people join in, laughing and chuckling. Of course, they’ve all just volunteered two answers to the five key “secret questions” we are asked when we open most financial accounts, along with first car, first school and place of birth! The message is: be careful about the channel you use to share personal information, and be aware of what constitutes your personal information.

  • Password sharing is a massive “fail” although I’m sure we can think of several instances where it seems unavoidable: sharing media streaming accounts being an obvious one, alongside shopping sites and log-in details of loyalty accounts and so forth. We need to have frank discussions about what we should not be sharing and about the importance of passwords.
  • User names are currently a tough one to protect, but most of us do have more than one email address, so I would recommend using one email address for the VIP stuff we do online and having at least one other address for the “tat”: online shopping, surveys, email sign-ups such as airport and railway wi-fi and so on, those things in which we really have no interest beyond a single function or one-time use. We also need to think about why we are being asked for information. If you are signing up for an online health app, does it really need your home address? It is important that we remember that apps “talk to each other” and piggy-back on each other’s functions. Your cycling and running app probably needs to know your location, but does your banking app?
  • Zero trust has become a key concept of cyber security, so how much do we understand about it and, most importantly, how much do we use it? A zero trust architecture limits a user’s access to only the specific resources they need. This reduces the risk of unauthorised access through social engineering tactics. Your workplace probably enforces this, and hopefully you must ask permission to access certain files and folders. Of course, it can be frustrating, and it can certainly add time to completing tasks. Nevertheless, I hope that the days are behind us when the senior person was automatically given access to everything, particularly as we know that senior employees, the C-Suite and the like are the preferred target of an orchestrated phishing (or “whaling”) attack.
But how do we manifest zero trust when we are working at home?
  • Have you set up a separate Wi-Fi channel for work use on your “out of the box” router, or are you using the same log in as you share with friends and family?
  • Does the family PC have separate log in access for each family member? And have you set up an “admin” account for managing software downloads and other changes to the system?
  • Do you even know what is on your home network?
  • Can one family member access another’s sensitive and/or work-related folders?

We have heard of instances where family members working for different accountancy firms have accessed files and spreadsheets in the same computer window: imagine the furore of a malware attack on that home network!

“education, education, education”

Recalling Tony Blair’s first iteration of the soundbite “education, education, education”, the cyber security world has used it to emphasise the importance of enforcing and then reinforcing the security message. There are boundless online training packages, government-funded organisations, police-backed initiatives and a plethora of training courses that are available to one and all. We can pat ourselves on the back but the cyber awareness piece is often an afterthought and is rarely a continuous offering.

Whilst we are probably using some form of internet-connected device from the moment the wake-up alarm sounds until we close our e-reader before nodding off, the awareness of the dangers is probably raised once a year, sometimes as a simple box-ticking exercise necessary for completion of the annual appraisal.

Many of us remain in the “it’ll never happen to me” camp, much like we’d never leave our keys at home, lose our phone or go through a red traffic light. But I bet we all have, particularly the latter, which falls into a similar “calculated risk” category. Except we do know the risk of going through a red light. How many internet users truly know the risk of opening a phishing email? The difference being, if you are a motorist, you probably consider the red-light dilemma, and a myriad of other traffic offences, every single journey. Cyber-attacks? Not so much.

Over 70% of successful business-orientated cyber-attacks are facilitated by human error.

The consequence of a cyber-attack is probably not immediate, it doesn’t incorporate 10 tonnes of metal T-boning you, nor is it likely to incur a criminal record. So, I would contend that, if we don’t talk about cyber safety on a regular basis, the benefit of one-off “education” or awareness assessment is minimal. I think this is borne out by the fact that over 70% of successful business-orientated cyber-attacks are facilitated by human error. Who knows how many individuals have suffered from attacks that remain unreported or remain as yet unseen. I would suggest that, in light of this, the topic of socially engineered cyber-attacks should be a topic of every team meeting, every Board agenda and at least one family dinner per week! It sounds extreme but the pure volume of attacks on the human vulnerabilities of internet users is extreme.

97% of UK businesses reported a sophisticated phishing attack over the last 12 months.

We blithely practise fire drills, remove our shoes and belts at airports and allow ourselves to be frisked at sports venues. On average there are 423 workplace fires per week in the UK; there was one shoe bomber, in December 2001. Yet, if we are to believe so many reputable research papers, 97% of UK businesses reported a sophisticated phishing attack over the last 12 months and 90% were successful. If someone walked into the office and stole from the petty cash tin, or even the fridge, every day of the week, I’m pretty sure we’d talk about it at every opportunity. It should go without saying that social engineering should be a hot topic, not a once-a-year box-ticking exercise or an escape from the day job for a couple of hours.

Phishing attacks are becoming ever more sophisticated.

With the increasing use of, and accessibility to, AI, phishing attacks are becoming ever more sophisticated. That smugness about being able to “easily spot” the spelling mistakes and the blurry logo is seriously undermined, and the commonplace is becoming more threatening. Perhaps you could start your next office meeting with “does anyone here have a social media connection with a beautician based in Eastern Europe?”, followed up by “why?” (unless you are a beautician, naturally). You could probably pare down the social media platforms! And just as a gentle aside, I referred to “sophisticated”, a term we frequently hear associated with cyber-attacks. I suggest it is a misnomer: the social engineer takes more care in the style of delivery and uses more advanced tools in the creation, but really, the attacks themselves are no more sophisticated than the delivery of the ten commandments on two tablets of stone.

Passwords and two-step verification.

Moving on, we come to passwords and two-step verification. Use unique passwords for every account. Ideally, let the computer generate the password; it’s much better at it than we are. Despite what is usually stated, LiverpoolFC, utilising a variety of 1s and 0s, is England’s most popular password. Enough said! Those of us who told our young children, the first time they asked, to use the street name and house number or the dog’s name and its birthday: did that child ever come back and ask you for another password? Are you using the street name and house number too?

A well-constructed password will bear scrutiny until it doesn’t.

In the workplace, we used to be encouraged to change our password monthly. This is now deemed unnecessary: a well-constructed password will bear scrutiny until it doesn’t. You should use platforms such as https://haveibeenpwned.com/ to check if your username and/or password have appeared in a data breach. And let’s save passwords in a password manager, not on a piece of paper somewhere!
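The haveibeenpwned password check referred to above can be done without ever sending the password itself: the Pwned Passwords “range” API accepts only the first five hex characters of the password’s SHA-1 hash and returns every suffix it knows for that prefix, so the match happens on your own machine. The following is an added example, not code from the original post or from haveibeenpwned; the sample API response is constructed for the example (only the suffix for “password” is the real SHA-1 value, the counts are made up).

```python
import hashlib
import urllib.request

# Constructed sample of a range API response: "HASH_SUFFIX:COUNT" per line.
# The second line's suffix is the real tail of SHA-1("password"); the counts
# and the other suffixes are made up for this example.
SAMPLE_RANGE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2A6D9A9C1C3EB6A0F8F1B0E8A2C13A9D0F2:0
"""


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is ever sent to the service; the 35-character
    suffix stays local and is compared against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-character prefix from the live API.

    Add-Padding asks the service to pad the response with zero-count entries
    so that response size does not reveal how many real matches there are.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = none).

    `fetch` is injectable so the logic can be exercised offline against
    SAMPLE_RANGE; padded entries with count 0 naturally read as 'not seen'.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    seen = check_password("password", lambda _prefix: SAMPLE_RANGE)
    print(f"'password' seen {seen} times in the sample range")
```

Replace the lambda with the default `fetch_range` to query the live service; the password never leaves the machine either way.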

Password managers are apps that operate as a safe repository for your usernames and passwords. The good ones will create passwords, let you know if a password is weak or strong, tell you when you have used a password for two or more accounts and warn you if your passwords have appeared in a breach. The password manager will also facilitate the second line of defence, multi-factor authentication. This is a security method that combines something that you know (i.e. a password) with something you own, such as a smartphone or a token. Alternatively, it could utilise something you are: a biometric characteristic such as a retina scan, fingerprint, facial recognition or voice recognition. Many of us will be familiar with these if we use banking apps.

The security benefit is that if an account is accessed remotely, you as the genuine account holder will have a second line of defence to prevent the access as well as be aware that an attempt has been made. This is important in the workplace particularly with regards to protecting sensitive data; it’s also vital at home if you want to make sure the family aren’t accessing those shopping accounts without permission!

Keeping software and systems up to date.

Last but by no means least, keeping software and systems up to date helps to protect against known vulnerabilities that attackers may exploit. It should be second nature to set up “automatic updates” on our devices, but we still need to be aware that the updates don’t always happen as they should (particularly if the end user has to acknowledge new Ts&Cs), so we should be checking our devices on a regular basis. If you see a notification that a “software update is available”, apply it at once, even if you have to do something else for 15 minutes while it downloads. The Government’s Cyber Essentials scheme permits almost two weeks to install updates, but I reckon the Black Hats are looking to exploit the vulnerabilities within 24 hours, so time is of the essence.

Case studies

If you want to get a feel for what a social engineering attack may achieve, there are many case studies to explore.

  • Probably the biggest/most audacious iteration, given the targets, was from 2013 to 2015, when Evaldas Rimasauskas, a Lithuanian, attacked Facebook and Google. Rimasauskas and his cohorts set up a fake company, purporting to be a computer manufacturer that worked with Facebook and Google, and bank accounts in the company’s name. They then sent emails to specific employees, invoicing them for goods and services that the real manufacturer had actually provided. The invoices directed payment to the fraudulent accounts and cheated the two tech giants out of over $100m.

  • One of the UK’s most notorious social engineering attacks occurred in March 2019. The CEO of a UK energy provider received a phone call from someone he was satisfied was in fact his boss, the chief executive of the German parent company. The caller used artificial-intelligence-based software to impersonate the German executive, and the CEO was persuaded to transfer $243,000 to a supposed Hungarian supplier, into a bank account controlled by the scammer. Of course, the use of AI for voice generation is quite advanced, but it is with us, and “deepfake” attacks are likely to become more commonplace.

Other instances you may wish to familiarise yourself with, in greater detail, are suggested below.

3. Associated Training:

There is an extensive list of training resources available. I would contend that it is vitally important that we don’t treat this as a “one-off” training session. Rather, it is something that needs to be returned to on a regular basis; it is an area where we need to keep our guard up. The nature of social engineering plays on human (as well as machine) vulnerabilities: high workloads, holiday absences, extraordinary events, ubiquitous human concerns (you can scroll back to the top for a reminder), so what may be obvious to us today may well get through our guard when our focus has changed. So do think carefully if you are being persuaded that a one-off training package is a panacea for all evil!

MKC Training’s Cyber Training Alliance (CTA) is a true alliance of trusted Small and Medium Enterprises (SMEs) operating together to the mutual benefit of each company and collectively to the benefit of its customers. The CTA brings together complementary companies to deliver a coherent, powerful and compelling offering to meet the needs of the ever-evolving cyber market with greater agility and value for money. The CTA was founded by MKC Training to bring together a trusted network of like-minded SMEs to deliver cyber training, delivering real skills rather than theory.

To help you further develop your skills and knowledge in Cyber Training, we've curated a list of relevant training resources. This includes a mix of free and paid options, online courses, certifications, workshops, and webinars. Each resource is briefly described, highlighting its key features, learning outcomes, and target audience.

If you would like to know more about our training capabilities, please contact courses@mkctraining.com for further information or follow one of the links below.

Free options, in addition to what the CTA offers, start with the National Cyber Security Centre (NCSC). Whilst not offering courses per se, the information is as good as it gets.

If you simply want to increase your awareness, and that of your colleagues, employees, friends and family, then there is plenty of reading matter, a good deal of which is bite-sized and pithy. Whaling For Beginners - Breach by Jerome Vincent and its subsequent instalment Reputations are two novellas providing a great insight into the perpetration of a phishing attack and the subsequent ramifications, particularly for the victims. A search for “Coinbase breach” will bring up a few enlightening case studies into the 2022 attack that was accidentally facilitated by an employee, and the aftermath.

And just in case anyone is thinking “it will never happen to me”, also have a look at Case Study on Social Engineering Techniques for Persuasion by Mosin Hasan who details a successful hack of the Linux operating system, generally considered to be the most secure. A search will also bring up the details of the attacks on Elon Musk’s Twitter (before X) account that devastated the company’s shares value, and phishing exploits against the CIA, Barack Obama and many others.

4. Conclusion:

We have been looking at probably the industrial world’s most highly prevalent, not to mention most successful, method of attacking people, finances and data under the all-encompassing term of Social Engineering. I have no doubt that every reader already knew something about it; I have little doubt that every reader has been the target of it. I can hope that, at least for the next few days, you won’t be a victim!

We have expanded upon various types: phishing, pretexting, baiting and impersonation. We have discussed the best preventative measures: access control, passwords, two-factor authentication, software updates. We can close this blog with the sense that we are better prepared, forewarned and forearmed, but we must never be complacent.

Tomorrow, we will add another app or device which will compromise that protective wall. We will inevitably face that moment of indecision of “to click or not to click”. And at some point, there will be an offer that might be too good to be true but it might also be too hard to resist! After all, we are only human…


About the Author(s)

Co Author: Neil Sinclair


Neil has established himself as one of the UK’s leading voices on cyber security awareness. A former senior Detective who worked in UK counter-terrorism for over thirty years, Neil was appointed COO of the London Digital Security Centre and later the National Cyber Lead for the Police Digital Security Centre. He has collaborated on a regular basis with both Government and Law Enforcement Agencies. He has been recognised in “The Progress 1000: London's most influential people” for his work in Technology & Cyber Security and has been named in the IT Leaders 100, a list of the most influential IT leaders in the UK. He is a regular Conference Chair, speaker and/or panellist at various Cyber Awareness Conferences and delivers cyber awareness talks to schools, universities, businesses and community groups.


Co-Author: Trevor Jackson

Founding Director of Metier Solutions Ltd


Trevor is Founding Director of Metier Solutions Ltd, a trusted strategic consultancy specialising in people, organisational performance, training and capability building. He led the training research and consultancy function for QinetiQ's cyber, information and training division and was head of architecture for BAE AI's cyber business unit. A proven track record in market analysis and business strategy underscores his multidimensional approach to complex problem-solving.


Co-Author: Blog Bunny

Blog Bunny is an advanced AI developed by OpenAI, producing GPT content designed to simplify and explain complex concepts with authority and clarity. Specialising in transforming intricate topics into engaging, easy-to-understand articles, Blog Bunny employs its vast database and research capabilities to ensure factual accuracy and depth. Dedicated to enhancing the educational aspect of blog posts, it is a source for insightful, well-researched and expertly written content that resonates with readers across various domains.



Disclaimer

Please note that parts of this post were assisted by an Artificial Intelligence (AI) tool. The AI has been used to generate certain content and provide information synthesis. While every effort has been made to ensure accuracy, the AI's contributions are based on its training data and algorithms and should be considered as supplementary information.

