Social Engineering, in the context of security, refers to manipulating people into performing actions or divulging confidential information. It is popular because, in theory, it is easier to trick someone into handing over their information than to hack into a network to get it.
In this digital age, traditional security attacks are leveraging social engineering tactics to be even more effective. It’s a tactic used often in real life and in the movies.
The more you know about social engineering tactics, the better you can protect yourself, your personal information, and your company’s security.
Here we break down some common examples of social engineering with some of our favourite movies.
A convincing email asking for your bank information
Phishing is the most common type of social engineering attack. The attacker recreates the website or support page of a renowned company and sends their targets the link via emails or social media. The intent is that the target ends up compromising personal data (such as credit card information).
In 2015’s Blackhat, hackers send a phishing email to their target organization asking employees to change their password and download a PDF, which installs a keylogger in the process. While some movie “hacks” can be a stretch from reality, experts agree this attack is entirely plausible.
You can prevent damage from phishing emails by using spam filters in your email accounts, and not opening any emails from an untrusted or suspicious source.
A unique email from your boss asking for money
Similar to Phishing, Spear Phishing requires extra effort from the attackers: they tailor each message to the small number of users they have chosen to target.
The hard work pays off, as the chances of users falling for the false emails are considerably higher in the case of spear phishing (an average of 4 emails sent per stolen credential).
It arrives as an email, often appearing to come from your own domain name, which makes it very convincing. Prevent this by not replying; instead, forward the email to your boss to verify that it isn’t from them.
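The two email tricks described above (a lookalike of your own domain, and a colleague’s name on an outside address) can be spotted mechanically before a human has to judge them. The script below is an added example, not code from the original post; it assumes the organisation’s real domain is example.com and that the names in KNOWN_PEOPLE are staff an impersonator might borrow. The sample messages are constructed for the demonstration.

```python
"""Added example: flag e-mails whose sender impersonates someone inside the
organisation. Assumptions: the real domain is example.com and KNOWN_PEOPLE
lists colleague names an attacker might borrow for a display name."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"              # assumption: the organisation's own domain
KNOWN_PEOPLE = {"jane doe", "it helpdesk"}  # assumption: names worth impersonating


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance between a sender's
    domain and the real one is the signature of a typosquatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(raw_message: str, trusted_domain: str = TRUSTED_DOMAIN,
                  known_people=KNOWN_PEOPLE) -> list[str]:
    """Return human-readable findings about the sender; empty list means clean."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    from_domain = domain_of(addr)
    findings = []

    if from_domain == trusted_domain:
        # A forged From on the exact real domain is only detectable through the
        # receiving server's SPF/DKIM/DMARC verdict in Authentication-Results.
        for mech in ("spf", "dkim", "dmarc"):
            if f"{mech}=fail" in auth:
                findings.append(f"{mech} failed for a message claiming to be from {trusted_domain}")
    else:
        dist = levenshtein(from_domain, trusted_domain)
        if dist <= 2:
            findings.append(f"lookalike domain {from_domain!r} is {dist} edit(s) from {trusted_domain}")
        if display.strip().lower() in known_people:
            findings.append(f"display name {display!r} matches an internal person but address is external")

    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To points to {domain_of(reply_addr)!r}, not the From domain")
    return findings


# Constructed sample messages (not real mail) covering the cases above.
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
         "Subject: lunch?\n\nSee you at noon.")
TYPOSQUAT = ("From: Jane Doe <jane.doe@examp1e.com>\n"
             "Subject: urgent wire transfer\n\nPlease process today.")
FREEMAIL = ("From: Jane Doe <janedoe.ceo@gmail.com>\n"
            "Reply-To: janedoe.ceo@outlook.com\n"
            "Subject: quick favour\n\nAre you at your desk?")
SPOOFED = ("From: IT Helpdesk <helpdesk@example.com>\n"
           "Authentication-Results: mx.example.com; spf=fail; dkim=none\n"
           "Subject: password reset required\n\nClick here.")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("typosquat", TYPOSQUAT),
                      ("freemail", FREEMAIL), ("spoofed", SPOOFED)]:
        print(name, "->", assess_sender(raw) or ["no findings"])
```

Run as a script to see one line per sample. The script deliberately does not try to catch exact-domain forgery on its own: that is what the mail server’s SPF, DKIM and DMARC checks exist for, so the code just reads their verdict from the Authentication-Results header rather than re-implementing them.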
A convincing call from the bank that asks you to verify your identity
Many imposters prefer to reach their targets the old-fashioned way – by telephone. This type of social engineering attack is known as Vishing.
More than just manual calls, attackers have been known to recreate the IVR (Interactive Voice Response) system of a company, attach it to a toll-free number, and trick people into calling the phone number to enter their details.
Prevent damage by checking the number the IVR tells you to call against your bank’s own published number. In all likelihood, though, your bank won’t be calling you this way anyway.
You probably remember in Ferris Bueller’s Day Off, when Cameron convinces Principal Rooney to release Sloane from school by pretending to be her angry father on the phone.
Like Cameron’s phone call, not all vishing scams are automated. Sometimes the human element of a convincing conversation makes us drop our guard to give up important information.
An unexpected e-mail saying that a maintenance worker will be swinging by
Pretexting is when an attacker presents a fabricated scenario and impersonates a company or service.
Think of Home Alone when Harry & Marv impersonate first a police officer to perform reconnaissance of the property, and later impersonate a plumbing and heating company to try to gain access into the home.
Another example of pretexting could be fake emails from your distant friend in need of money. Someone may have hacked their account or created a fake one.
A USB drive found in your office bathroom – or in 2019, software links
In the past, Baiting attackers left infected USB drives in public places in the hope that someone would pick one up and plug it into their own device.
A modern example of baiting can be found on the web when various download links containing malicious software are shown to random users in hopes that someone will click them.
Don’t fall for the old tricks: a found USB probably isn’t worth the money saved! And as for software links, exit your browser to avoid any pop-ups.
A delivery driver asks you to hold the security door for them
Another social engineering technique, known as Tailgating, is when an unauthorized person takes advantage of an authorized person to get into restricted areas where physical or electronic authentication is required.
Be mindful of your perimeters and simply refer the unauthorized individual to security if they try to tailgate.
You’ve probably seen tailgating attacks carried out by Hollywood action heroes in movies such as “Sneakers”, where Bishop (played by Robert Redford) works with a delivery man to rush past security without proper identification.
IT calls for an issue that you may (or may not) have
The Quid Pro Quo social engineering method involves attackers posing as support staff or a service provider. They make random calls to a company’s employees claiming to be calling about a known (or unknown) issue.
Sometimes, attackers get the chance to make the victim carry out actions for them. Quid pro quo usually involves an exchange of something with the target, such as access to a discount or solving a victim’s problem.
Hey, what’s your password?
You’re likely to say “um, no” to this question at first. But if someone follows it up with a question about what makes up your passwords, and you answer “my favourite color and my dog’s name”, then later in the conversation you may give away your favourite color and your dog’s name without realizing they now have all the information they need.
Here’s a great video clip from a Jimmy Kimmel show where they surprisingly convince many people to give away their passwords…
A small percentage of the population is likely to experience this, but it is something to be aware of, especially for those with access to sensitive company or financial information.
Anyone with a social footprint (social media, blog, reddit account) is exposing themselves to social engineering – so it’s important to be aware of what you’re saying and where you’re posting.
Want more?! We did a podcast about how this impacts companies and how they are exposed to social engineering, if you want to hear some more stories.
We’re also doing an info series on social engineering, send us a note to firstname.lastname@example.org & we’ll get you on the distribution list.