The art of deception: unveiling the secrets of social engineering

Social engineering is a tactic cybercriminals use to manipulate individuals into divulging confidential information or performing actions that compromise security. This can involve a range of methods, such as deceptive e-mails, fraudulent phone calls or the impersonation of trusted websites. The primary goals are often credential theft or financial gain.

Social engineering exploits human emotions – fear, urgency, sympathy – making it an effective and recurring threat. It preys on human fallibility, leveraging psychological manipulation rather than relying solely on technical vulnerabilities. Also, people are often less equipped to recognise or respond to these threats. Employees frequently lack proper training to identify and thwart these attacks, making them a prime target.

Business e-mail compromise (BEC) attacks illustrate this point. According to Arctic Wolf data, BEC attacks increased by 29% from 2021 to 2022, resulting in more than US$2.7-billion in losses last year. Such attacks exploit the ease with which users can be deceived, providing a quick and lucrative return for cybercriminals.

Part of elaborate schemes

While social engineering attacks can target an individual with a specific aim, such as tricking someone into sharing banking details via a deceptive text message, they are increasingly part of more elaborate schemes. For instance, Scattered Spider, in collaboration with the notorious ALPHV, also known as BlackCat, executed a breach into MGM’s network using a sophisticated social engineering tactic. They exploited details of an MGM employee, meticulously gathered from LinkedIn, to deceive the MGM helpdesk and gain initial access to the network.

This breach highlights the severe impact of social engineering and the risks associated with an exposed digital footprint. It shows how easily malicious actors can exploit personal information for nefarious purposes.

Social engineering can also be used midway through an attack to secure privileged access or to gather data and financial information as a secondary objective. Often, multiple social engineering tactics are employed simultaneously. For example, a BEC attack, a form of phishing, might be complemented by a vishing attack that leads to a mobile payment app scam, or baiting might be integrated into a phishing attempt. Combining these techniques enhances their effectiveness and sophistication.

The author, Arctic Wolf’s Jason Oehley

The anatomy of manipulation

Despite the diversity in social engineering tactics, they typically follow a four-stage cycle:

• Information gathering: The attacker researches the target to identify the most effective weaknesses and attack vectors.
• Establishing a relationship: The attacker formulates and executes the attack plan. This might involve sending a phishing e-mail or impersonating a trusted figure within an organisation.
• Exploitation: This is the core attack phase, where the attacker implements their scheme, such as calling an IT helpdesk to gain unauthorised access.
• Execution: The final phase is when the attacker achieves their objective, whether accessing sensitive information or executing a ransomware attack.

This cycle can be iterative, with multiple stages occurring repeatedly. For example, an attacker might use a spam phishing campaign, iterating through multiple e-mails until they achieve their goal.

Preventing social engineering attacks

Effective prevention of social engineering attacks demands a comprehensive strategy encompassing human and technological defences. Security awareness training is vital in this approach, equipping employees to identify and react to potential threats. An effective training programme should feature up-to-date and relevant content, use empowering language that emphasises the role of employees as a critical defence line and include phishing simulations to test and monitor progress. Microlearning techniques can enhance retention and ensure employees are well-prepared to handle real-world threats. Additionally, fostering a robust security culture throughout the organisation reinforces the importance of vigilance and continuous learning.

On the technological front, several defences can boost security. Multi-factor authentication (MFA) provides an additional layer of protection by requiring multiple verification forms, thus reducing the risk associated with compromised login credentials. Identity and access management (IAM) systems, particularly those employing a zero-trust framework, are essential for preventing unauthorised access by ensuring that verification is required for every access request. Managed detection and response (MDR) services also enhance security by continuously monitoring anomalous account activities and responding rapidly to suspicious behaviour.

Together, these measures create a robust defence against social engineering attacks.

A look to the future

The role of artificial intelligence in cybersecurity is undeniably transformative. It offers powerful tools for automating threat detection and analysing vast amounts of data for suspicious activity. However, adversaries are using this same technology to craft increasingly convincing and targeted social engineering attacks.

Look at deep fake technology, for instance: it can create highly realistic audio and video content, enabling impersonation with remarkable accuracy. This innovation is being exploited in various scams and misinformation campaigns, posing severe threats to individuals and businesses.

In a striking real-world example from February 2024, deepfake technology was used in an unprecedented AI-driven heist. A finance worker at a multinational firm was duped into transferring $25-million to fraudsters who used deepfake technology to impersonate the company’s chief financial officer during a video call. Despite initial suspicions about a potential phishing e-mail, the worker was convinced by the realistic appearance and voices of individuals who turned out to be deepfake recreations.

The rise of AI-driven phishing attacks, particularly those incorporating deepfakes, illustrates the increasing sophistication and difficulty of detecting these threats. It highlights the need for advanced security measures and updated training to combat this evolving menace.

• The author, Jason Oehley, is regional sales manager for South Africa at Arctic Wolf
• Read more articles by Arctic Wolf on TechCentral
• This promoted content was paid for by the party concerned