Posted by on | Featured

The Human Hack: Defending Against Social Engineering

The foundational pillars of any organisation’s performance and resilience are people, processes, and technology. These elements are emphasised in the ISO 27001 framework, which underscores the importance of a holistic approach to information security management.

Despite robust technological defences and well-defined processes, it is often the human element that remains the most vulnerable. Social engineering usually involves manipulating or deceiving individuals into divulging credentials or granting some form of unauthorised access to malicious actors.

This article explores the pervasive threat of social engineering, exploring its techniques, real-world impacts, and strategies to fortify your defences against these sophisticated attacks. 

What is Social Engineering?

Social engineering is a manipulation technique that exploits human psychology to gain access to confidential information or systems. Unlike technical hacking, social engineering relies on human interaction and often involves tricking people into breaking normal security procedures with the goal of obtaining sensitive information or unauthorised access.

Social engineering tactics are diverse and continually evolving. Some of the most common techniques include:

  • Phishing: Deceptive emails or messages designed to trick recipients into providing sensitive information.
  • Baiting: Offering something enticing to lure victims into a trap.
  • Pretexting: Creating a fabricated scenario to steal victims’ personal information.
  • Tailgating: Gaining physical access to restricted areas by following someone with legitimate access.
  • Vishing: Using phone calls to trick victims into divulging information.

How Common is Social Engineering?

Social engineering is alarmingly common in cyber-attacks. According to findings from American-based Software and Cyber Security company Splunk, in 2023, 98% of all reported cyber-attacks involved some form of social-engineering, making it one of, if not the most prevalent methods used by cybercriminals and other threat actors. An average organisation can face over 700 social engineering attacks annually. [source: Splunk]

Phishing remains the most common social engineering technique, with millions of phishing emails sent daily around the globe. In the UK the 2024 Cyber Breaches Survey indicated that 84% of businesses and 83% charities have been targeted by phishing attacks this year already, with some cyber criminals impersonating other organisations in emails or online. [source: UK Government]

Real World Story - CyberLab Red Team

Tailgating into a Client's Office

During a Red Team engagement, the team conducted thorough reconnaissance to understand staff reactions to access requests and building entry protocols. Exploiting this knowledge, a team member, posing as an employee on a phone call, approached a side entrance used primarily for Cycle to Work traffic. Waiting for an employee to open the door, the team member tailgated inside. When questioned by a security guard, he flashed a fake pass from his pocket. The presence of this card, combined with the confident demeanour was enough to convince the guard to allow the team member access.

Inside, the team member followed an employee into a lift that required keycard access. By closely shadowing the employee and engaging in light conversation, he gained access to the lift and descended to the basement. Here, most lifts required keycard activation, but one lift did not. Testing it, he found it led directly to the main lobby beyond the security barriers. Coordinating with a colleague, they both used this lift to bypass the barriers.

At the main lobby, they noticed another lift with the desired floor selected. Joining an employee in this lift, they engaged in friendly conversation, further establishing their legitimacy. On reaching the floor, they followed the employee to an office door requiring keycard access. Mentioning the company name, they tricked the employee into letting them in. Inside, they found a coffee machine and various unlocked meeting rooms. Booking a meeting room for an hour provided them with a secure space to operate.

This exercise demonstrated how effective social engineering techniques, such as tailgating, confident interaction, and exploiting human trust, can bypass robust security measures and gain unauthorised access to sensitive areas. The client was subsequently informed of the successful infiltration, highlighting vulnerabilities in their security protocols so that they could take remedial action to harden the physical security protocols and policies and also educate their staff to be more vigilant.

Learn More About Red Teaming

Social Engineering Examples

Notably, recently reported threat actor behaviours have highlighted the significant role of social engineering in cyber-attacks. For example, Microsoft have recently reported how a threat actor group known as Storm-1811 are using Microsoft Teams as a vector to target users. The threat actors contact the targeted users via Teams impersonating IT or help desk personnel. This would then lead to the threat actors exploiting Quick Assist, followed by credential theft using EvilProxy, then executing batch scripts, and using SystemBC for persistence and command and control. [source: Microsoft]

In another example, Checkpoint Software Technologies have recently identified 1,200 new domains associated with Amazon, 85% of which were flagged as malicious or suspicious. Some examples of theses discovered domains include:

  • amazon-onboarding[.]com: a brand-new domain designed to steal carrier-related credentials
  • amazonmxc[.]shop: This domain masquerades as Amazon Mexico and even has a similar layout. However, it reveals user login credentials to cybercriminals when entering them in
  • amazonindo[.]com: Like the fake Amazon Mexico domain above, it also reveals user credentials to cybercriminals when entered

Amazon Prime day is very popular event where Amazon give away huge discounts and offers, attracting millions of users globally. This makes it a popular target for cyber criminals and combined with increasingly sophisticated phishing techniques and convincing malicious websites, there is a much higher potential for customers to be scammed. [source: Cyber News]

AI-Driven Social Engineering

Looking to the future, the integration of AI into social engineering is likely to result in even more sophisticated and automated attacks. As we have touched on in previous blog posts, we have already seen how AI and deepfake technology is being used offensively by malicious actors for social engineering purposes, whether to convey misinformation and create social unrest or to assist threat actors in obtaining unauthorised access or sensitive information.

One particular example involved cyber criminals using deepfake AI to extract millions of dollars from a multi-national company based in Hong-Kong. The cyber criminals achieved this by using deepfake generated images and audio of the company’s Chief Financial Officer, and other employees, to stage a conference call where they convinced and instructed another employee to transfer funds equivalent to almost £20 million. [source: Ars Technica]

As AI continues to evolve, we can expect to see the following developments:

  • Hyper-Personalisation: AI will enhance the ability to tailor attacks to individual targets, making phishing emails and other forms of communication indistinguishable from legitimate ones.
  • Real-Time Adaptation: AI-driven attacks will be able to adapt in real-time based on the target’s responses, increasing the likelihood of success.
  • Scalability: AI will enable attackers to conduct large-scale social engineering campaigns with minimal human intervention, increasing the reach and impact of these attacks.
  • Deepfakes: AI-generated audio and video deepfakes could be used to impersonate trusted individuals, further enhancing the credibility of social engineering attempts.
  • AI-Powered Fraud: According to a report by Onfido, deepfake/AI fraud attempts in the US surged 3000% in 2023 from the previous year. These fraud attempts can range from face-swapping or ‘morphing’ apps to bypass facial recognition and verification, AI generated voice replication to impersonate an intended victim or authority figure, to AI generated fabricated images or video of a damaged vehicle or property as evidence in support of fraudulent insurance claims. [source: TNW]

Protecting Against Social Engineering

To best defend against social engineering attacks, organisations and individuals must adopt a multi-faceted approach that addresses various aspects of cyber and physical security. Here are some key strategies to enhance your defences:

Robust Policies

Establishing and enforcing strict security policies and procedures is crucial. These policies should include:

  • Access Controls: Limiting access to sensitive information and systems based on the principle of least privilege.
  • Password Management: Enforcing strong password policies and regular password changes.
  • Data Classification: Categorising data based on its sensitivity and implementing appropriate handling procedures.

Multi-Factor Authentication (MFA)

Implementing Multi-Factor Authentication (MFA) adds an extra layer of security beyond just passwords. MFA can significantly reduce the risk of account compromise by requiring additional verification methods, such as:

  • One-Time Passwords (OTPs): OTPs sent to a user’s mobile device or email.
  • Biometric Verification: Using fingerprints, facial recognition, or voice authentication.
  • Hardware Tokens: Physical devices that generate a secure code required for login.

Training and Awareness

Regular training programs are essential to educate employees about the latest social engineering tactics and how to recognise them. Training should cover:

  • Phishing Simulations: Conducting regular simulated phishing attacks to test and improve employees’ ability to identify and respond to phishing attempts.
  • Incident Reporting: Implementing a policy and dedicated channel for reporting incidents, encouraging employees to report suspicious activities promptly can help mitigate the damage caused by a social engineering attack, or even prevent them from being successfully executed.
  • Role-Specific Training: Tailoring training to the specific roles and responsibilities of employees. For example, executives and finance staff may be targeted differently than IT personnel.

Reduce Human Error in Your Cyber Security

Despite 90% of cyber breaches being down to human error¹, fewer than 10% of UK businesses provide their non-cyber staff with security awareness training.²

The interactive training courses within CyberLab Control empower your workforce to work safely and efficiently by improving their security awareness.

Discover CyberLab Control

¹Cyber Playbook | Aviva
²Cyber security skills in the UK | Gov UK

Regular Security Testing

Conducting regular phishing simulations and security audits helps identify and address vulnerabilities. These tests should include:

  • Red Team Exercises: Simulating real-world attack scenarios to test the effectiveness of your organisation’s people, processes and technology at identifying, detecting and responding to various threats.
  • Penetration Testing: Identifying and remediating vulnerabilities before they can be exploited by attackers.
  • Vulnerability Assessments: Continuously scanning for and addressing potential security gaps in your systems.

Incident Response Planning

Having a well-defined incident response plan ensures that your organisation can quickly and effectively respond to social engineering attacks. Key components include:

  • Incident Response Team: Establishing a dedicated team to handle security incidents. Building and maintaining an in-house incident response team can be costly and resource intensive. Outsourcing to a dedicated team of incident response experts on retainer, such as Sophos, is a practical alternative to alleviate some of these cost and resource burdens associated with maintaining IR forensic expertise and capabilities in-house, and provides peace of mind that a competent team of experts is ready to respond to a security incident should one occur.
  • Communication Protocols: Outlining how to communicate internally and externally during a security incident. This should involve establishing clear guidelines for informing all relevant internal and external stakeholders, creating a crisis communications plan, and regular drills.
  • Post-Incident Reviews: Conducting a thorough analysis of the incident to identify lessons learned so that you can harden your organisation’s cyber security posture and mitigate future attacks.

You can also download Sophos’ free Incident Response Planning Guide here.

Additional Recommended Resources:

By understanding the tactics used in social engineering and implementing these protective measures to counter them, organisations can significantly reduce their risk of falling victim to these deceptive attacks.

Detect. Protect. Support.

Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.

Comments are closed.