Many organizations focus on data protection from outside attacks but must realize that many threats happen from within. These insider threats can be malicious or unintentional mistakes, with social engineering being a common factor.
However, even technical staff like engineers and security personnel can become targets and, on occasion, victims. Social engineering is effective because companies rely entirely on their employees' ability to detect it. Even the most technologically adept individuals can slip up, often due to being busy, stressed, tired, or simply forgetting to pause and ask questions.
What is social engineering?
A social engineering attack involves manipulating targeted individuals to reveal sensitive information, such as usernames and passwords, for fraudulent purposes. Rather than relying on advanced technology or hacking skills, it exploits the most vulnerable aspect of security: humans.
In a social engineering attack, the attacker tricks the target into violating standard security practices. They might reveal passwords, credit card numbers, or other personal information. The attacker might pose as a trusted entity like a bank, coworker, or friend. They use phishing emails, phone calls, or in-person interactions to gain their victims' trust. The ultimate goal is to trick individuals into providing access to valuable information or systems.
How does social engineering work?
Randomized fraud attacks choose targets indiscriminately, but social engineering uses four phases. Arguably, the most crucial phase is the last one – closure – to avoid letting the victim sense that they've been tricked. Leaving the victim unaware gives the attacker more time to exfiltrate data.
The four social engineering phases:
1. Reconnaissance
A successful social engineering attack is performed only after research into the target. Various social media sites, including LinkedIn, are helpful for attackers to gain insight into the organization hierarchy and who would be a susceptible high-privilege target. Most organizations need to know the wealth of knowledge available from employees who post their interests, titles, work projects, company interests, coworkers, and events. It could take weeks for an attacker to complete surveillance, but it's effective in finding the perfect target.
2. Engagement
The next step is to contact the targeted victim. If the first target identifies the contact message as malicious, it could ruin the attack. The attacker might wait to try again later or choose a new target. Phishing is often a component in engagement to steal credentials for future account takeover.
3. Exploitation
With stolen credentials, it's time to compromise the targeted organization. It could require additional steps, as illustrated in the Uber data breach. If the first two phases are successful, an attacker will exploit the system, exfiltrate data, install malware, or monitor the network for future attack potential.
4. Closure
Again, this is arguably the most crucial phase. After contacting the target, the attacker must drop the conversation without allowing the target to realize what just happened. At this point, victims must recognize what happened to minimize damage and alert the right people to remediate the issue.
Common social engineering methods
Social engineers use psychological manipulation to exploit human emotions, vulnerabilities, and behaviors. In various industries, social engineering tactics often trick users into giving away their login credentials or sensitive information, allowing attackers to gain unauthorized access or commit fraud. Some common techniques include:
Phishing
Phishing involves sending fraudulent emails or messages that appear to come from legitimate sources. These messages often urge recipients to click on a malicious link or provide sensitive information, such as passwords or personal details, under the guise of urgent security concerns or account verification. These attacks are usually impersonal and mass-distributed, targeting a broad audience.
Vishing (Voice Phishing)
With vishing, fraudsters extract personal and sensitive information through phone calls. They pose as representatives from reputable companies, government agencies, or even family or friends, manipulating victims into revealing sensitive information or making unauthorized transactions. This technique requires persuasive speech and social cues to manipulate the target. Generative AI can make this approach even more convincing, mimicking human voices and emotions.
Pretexting
Pretexting involves creating an elaborate story to engage an individual, sometimes over multiple interactions, to build credibility. Fraudsters may research or steal information about a target to make their scenarios seem factual. This technique might involve a fraudster posing as a customer service agent, company official, or regulator seeking information such as credentials or personal data.
Baiting
Baiting exploits an individual's curiosity or greed by offering something enticing in exchange for performing an action that compromises their security. A fraudster might get a target to download malware or reveal login credentials in exchange for rewards or free services. Unlike phishing, baiting provides a tangible incentive, leading the target to believe they are receiving something desirable with minimal effort.
Quid Pro Quo
Quid pro quo offers a benefit in exchange for information or access. Instead of a product, it typically provides a service, such as tech support or a consultation. The target believes they are entering a mutual exchange addressing their need for the service, making the exchange seem legitimate.
Tailgating/Piggybacking
Tailgating occurs in various environments, especially in shared spaces, where an unauthorized person follows an authorized individual into a restricted area or exploits their lack of vigilance to gain physical access to secure systems. Unlike digital-focused tactics like phishing, tailgating requires physical presence and exploits security lapses in physical environments.
A real-life example of social engineering: Uber's 2022 social engineering attack
In September 2022, Uber's private network was breached by a teenage attacker who used social engineering methods to gain secure information from an engineer. It started with a simple text message asking an engineer to divulge their credentials. The teenager posed as a people operations employee supporting Uber's infrastructure. After deceiving the engineer into sharing this information, the attacker added their device to the two-factor authentication (2FA) system, despite most 2FA systems requiring validation before a new device can be added.
Subsequently, the attacker inundated the engineer with notifications, followed by a deceptive message instructing the engineer to accept them to stop the barrage. The engineer obliged, allowing the attacker to access Uber's private network.
The attacker scanned the network for sensitive information and found PowerShell scripts with hardcoded administrator credentials. From there, the attacker accessed various data-driven storage that held Uber's intellectual property. This incident illustrates how even tech-savvy individuals can fall victim to social engineering.
The biggest challenge in preventing social engineering: humans
The weakest link in your organization is the human element. Sometimes, the weakest link is employees who think they are invulnerable to social engineering and phishing attacks. These employees are always targets based on their high-privilege access to sensitive data. They can access code repositories, administrative controls, trade secrets, databases, and possibly customer data.
Cyber-attacks can target security researchers, network administrators, executives, and other employees. Like the Uber compromise, it only takes one employee to fall for an attack for a company to lose multiple files, large amounts of data, trade secrets, and intellectual property. Spear phishing and social engineering are more effective than most organizations realize.
Cyber-defense requires that the target identifies social engineering for what it is – an attack to gain access to the internal network. As much as organizations train for it, anyone can have a weak moment and let their guard down. This results in a successful social engineering attack that can lead to months of undetected malware, backdoors, and continual exfiltration of data.
How can you prevent a social engineering attack?
Unlike traditional hacking targeting system vulnerabilities, social engineering exploits human psychology. It's about deceiving people into breaking security procedures without realizing it until it's too late. Therefore the best approach to preventing the attacks is to approach them from both a technical and human perspective. Educated humans and robust security protocols can help prevent fraudulent activities due to social engineering at the business and individual levels.
Here are some effective social engineering prevention measures from both a personal and business perspective:
Stay Educated and Aware
Be alert when you receive requests for information or are directed to click on links from unknown sources. Email spoofing and phishing are common ways social engineering attacks are played out, double check the sender’s email, hover over links to view where they go beforehand, and be wary of messages relaying a sense of urgency. Employees and staff should also remain updated on common social engineering tactics. One way of doing this is to conduct simulated phishing scenarios to give employees hands-on experience identifying and responding to such attacks.
Understand Social Media Privacy Features
Any information publicly posted on social media can be used to gather intelligence on you, your job, and your authorizations, making you a target for social engineering. Be wary of posting anything too personal on social media, including LinkedIn. LinkedIn is one of the best ways to perform reconnaissance on your job title and function, your bosses, and any executives overseeing infrastructure to get your business information. Be sure to review the privacy and security features available to use as a user of any social media network to customize the features based on your preferences.
Include Warnings in User Communications
Adding warnings and reminders in user communications raises awareness about social engineering fraud and makes customers more aware of its risks. These techniques include sending messages with OTPs instructing users not to share the codes, emailing users when a login is attempted from a new device, or informing users of official communication methods. Remind users to only share sensitive information after verifying the authenticity of personal or protected data requests.
Require Multi-Factor Authentication
Multi-factor authentication (MFA) enhances the security of user login credentials by requiring secondary verification measures, such as biometric identification, SMS codes, or security questions. It effectively hinders social engineers from accessing accounts, even if they have obtained the login credentials through phishing or other techniques. Businesses should encourage users to enable MFA and enforce its use for high-risk transactions.
Detect Unrecognized Devices
If a fraudster obtains a user's login details through social engineering, they will likely access the account from a different device. Device history analysis can flag login attempts from devices users haven't used before, indicating a potential security breach. To prevent unauthorized access, actions performed from an unrecognized device should trigger additional authentication steps, such as sending a one-time passcode (OTP). Device intelligence can also help detect when a device has been rooted or tampered with, indicating a higher risk of fraud.
For example, store device IDs and account information and check if an account has previously used a device. If it's a new device, request additional authentication:
const db = require("./database");
// Check if the device is recognized for this account
async function checkAccountDevices(accountId, deviceId) {
let query = `SELECT * FROM account_devices WHERE accountId = $1 AND device_id = $2`;
let result = await db.query(query, [accountId, deviceId]);
if (result.rows.length == 0) {
// This device has never been used with this account before.
recordDeviceAttempt(accountId, deviceId);
return requestAdditionalAuthentication();
} else {
return allowLogin();
}
}
Assess Risk with Device Attributes
Businesses can identify patterns indicative of fraudulent activities by analyzing the unique device attributes of each visitor. For instance, visitors' use of virtual machines or Android emulators can raise red flags about potential malicious intent. Businesses can detect attempts to bypass standard security protocols by identifying tampered devices or users using tools like Frida. They can mitigate social engineering risks by integrating these device signals into their risk assessment models.
For example, if the device shows signs of tampering, reject the request:
// Check for suspicious forms of device tampering.
function checkDeviceTampering(deviceId) {
if (emulatorDetected(deviceId)) {
flagSuspiciousActivity(deviceId);
return failLoginAttempt();
}
if (clonedAppDetected(deviceId)) {
flagSuspiciousActivity(deviceId);
return failLoginAttempt();
}
if (fridaDetected(deviceId)) {
flagSuspiciousActivity(deviceId);
return failLoginAttempt();
}
return allowLogin();
}
Spot Unusual Behaviors
Regular visitors typically exhibit consistent usage patterns, which can aid in detecting potential fraud when there are deviations. These deviations may include sudden changes in activity or how the user accesses the site. Suddenly logging in at odd hours or from different cities might indicate compromised credentials. By understanding a user's typical patterns, businesses can identify unusual behavior resulting from social engineering.
For example, check if a new transaction falls outside the user's average range. If so, ask for additional information to authorize the transaction:
const db = require("./database");
// Check if a transaction is within the user's average range.
async function assessTransactionRisk(userId, currentTransactionAmount) {
let query = `SELECT avg_transaction_amount
FROM user_transactions
WHERE user_id = $1`;
let result = await db.query(query, [userId]);
let { avg_transaction_amount } = result.rows[0];
if (
currentTransactionAmount > avg_transaction_amount * 1.5 ||
currentTransactionAmount < avg_transaction_amount * 0.5
) {
// The transaction amount deviates from the average.
flagSuspiciousActivity(userId);
return requestAdditionalAuthentication();
} else {
return processTransaction(currentTransactionAmount);
}
}
Blocking Past Fraudsters
Businesses can use known blocklists of previous fraudsters to prevent them from creating new accounts or gaining access to existing ones. These lists compile information on known fraudsters, enabling companies to identify suspicious activity and take preventive measures. In addition to external lists, businesses should track their known fraudsters based on past fraudulent activity on their site. These lists help identify and stop social engineering attempts by individuals who have previously targeted the company or its users.
For example, you can use a unique device identifier and store past suspicious activity to check against in the future:
const db = require("./database");
// Check if the device has a history of suspicious activity
async function checkDeviceHistory(deviceId) {
let query = `SELECT * FROM flagged_devices WHERE device_id = $1`;
let result = await db.query(query, [deviceId]);
if (result.rows.length > 0) {
// The device has previously been used for fraudulent behavior.
flagSuspiciousActivity(deviceId);
return failLoginAttempt();
} else {
return allowLogin();
}
}
Amplifying identification accuracy with Fingerprint
Accurately identifying devices is crucial to the technical tactics for preventing social engineering. Fingerprint's Device Intelligence Platform provides robust visitor identification by combining over 70 signals with fuzzy matching algorithms and server-side techniques. These visitor identifiers are highly accurate and stable over months or years, providing unique identifiers for each visitor's device or browser interacting with your system.
Additionally, Fingerprint Smart Signals provide actionable insights into your visitors, such as privacy browser (for example, Tor) usage, device tamper detection, IP blocklist matching, and more. Together, these signals and device identifiers allow you to craft granular security policies and recognize deviations in visitor behavior. This way, businesses can better protect their customers from social engineering tactics and prevent unauthorized access, financial losses, or data breaches.
Conclusion
Social engineering has many methods, but all take advantage of human psychology. By understanding the different techniques used by fraudsters, fintech companies can better protect their users against social engineering fraud. Implementing additional security measures such as device detection and behavioral analysis can go a long way in preventing unauthorized access and protecting sensitive information.
It is also essential for users to educate themselves on identifying and preventing social engineering attacks and for businesses to train their staff on best practices regarding security measures. Combining technical security measures with knowledgeable individuals can create a more secure fintech environment and protect against social engineering fraud.
Contact our sales team if you want to learn more about how Fingerprint's Device Intelligence Platform can help protect your users from social engineering attacks.