The Definitive Guide to Social Engineering and Phishing

Written by Robert Best

Read up on what social engineering and phishing are and how they've become a threat to UK businesses. Our guide includes how to spot social engineering and how to prevent it from hurting your business

Social engineering and phishing guide

Social engineering has grown into a massive threat to businesses. That is because social engineering is designed to work around even the most advanced security setups by targeting the people inside of a company. 

UK Businesses are still not taking seriously the threat that comes from social engineering. Considering how reliant we are becoming on technology it is essential to protect that technology from malicious attacks. The danger of social engineering is that it targets the individuals in a business and preys on human error.

So, what social engineering? How can you recognise social engineering? And how can your business protect itself? Our definitive guide to social engineering and phishing will tell you everything you need to know.

What is social engineering?

Social engineering impact on business

Types of social engineering

How does social engineering work?

How to recognise social engineering

Social engineering examples

How to prevent social engineering

Social engineering awareness training

What is phishing?

Social engineering - what do I do next?

What is social engineering?

Social engineering is a form of deception that aims to trick people into giving access to data, information, networks and even money. While the approaches of the criminals behind social engineering may vary, their motivations are often similar. Social engineering preys on human nature and is designed to manipulate our behaviour to help achieve the aim of the fraudster.

This form of fraud has become more popular because it is easier to manipulate you into giving you access or information than it is to hack into your software. Even a lazy hacker, who has done minimal research into their targets, can send hundreds of emails out and still have success.

A report by security awareness training company KnowBe4, states that only 3 per cent of malware tries to exploit a solely technical vulnerability. The other 97 per cent targets users by using social engineering.

Instead of trying to find a vulnerability in a technical system a hacker might phone a member of staff posing as IT company and try to trick them into giving away the information they want.

Social engineering impact on business

Social engineering is already a significant threat to UK  businesses. Last year phishing emails (a form of social engineering) affected 1.3 million businesses. That cost UK businesses a staggering £6.91 billion.

The threat of social engineering comes from how effective it is. Research by Callcredit Information Group shows that 70% of businesses felt more vulnerable to a human-based attack where employees were exploited. 

Despite this increase in vulnerability, 73% of small businesses don't have a separate IT security function. This lack of action is encouraging an increase in social engineering activity.

Types of social engineering attacks

different types of social engineering

Social engineering is a term that covers a whole range of activities. They all have the same goal, but they each use different approaches to achieve it. Below is a list of types of social engineering attacks and a brief description of how they work.

  • Phishing

Phishing is by far the most common form of social engineering attack and is carried out by email. A phishing email aims to trick the target into revealing sensitive information or taking an action that then compromises security.

Because its such a common form of social engineering there is a whole section on phishing further down.  

  • Spear phishing

Spear phishing is a more targeted form of phishing. Whereas a phishing email might pretend to be a well-known organisation and is sent to thousands, spear phishing emails are much more tailored to a specific person or business. 

Whilst spear phishing will take more effort and research the chances of fooling for a spear phishing email are greater because the email is more believable and appears to be a genuine email. 

  • Baiting

Baiting differs from phishing by trying to entice the target with an offer or exploit their curiosity. A common form of baiting is to offer free music downloads (or other forms of media). The aim is to get the target to click on the link and enter their login details.

A physical form of baiting preys on human curiosity. The fraudsters can leave virus infected USB sticks lying around in a car park on a business's premises. If someone gets curious and picks up the USB and plugs into a computer than the fraudster can gain access to the whole business network.

  • Vishing

Social engineering doesn't have to happen on the internet. Vishing is a form of social engineering carried out over the phone. Vishing was extremely popular and effective during the rise of telephone banking. The fraudster would set up a number and send you an email pretending to be a business or service such as a bank asking you to contact them urgently. Alternatively, they could even call you directly pretending to be a business and ask for your personal information. 

Vishing is similar to quid pro quo, an approach that involves phoning a company's employees and pretending to be a service and contacting them regarding an issue the business is having. Its known a quid pro quo because the attacker uses the exchange of pretending to help with their problem as a way to gather sensitive information.

  • Tailgating

Tailgating is another form of offline social engineering. Simply this type of attack is a person without authorisation following an employee into a restricted area. For example, tailgating will see a person pose as a delivery driver and follow an employee through a security protected door. 

Tailgating preys on basic human manners. Think of how many times you enter a security code for building and then hold the door open for the person behind you. It happens so often it's almost second nature to hold that door open. 

  • Pretexting

Pretexting relies on forming a false sense of trust with the victim. The attacker creates a believable pretext or scenario in which to trick the target into giving them information or even direct access to their systems.

Successful pretexting involves coming up with situations that help us lower our guard. A famous form of pretexting involved the fraudsters pretending to be a modelling agency and tricking hopeful models into giving away personal information.  

How does social engineering work?

You have just read about the different types of social engineering but how do all these techniques help social engineering work?

The real threat of social engineering comes when the fraudsters use more than one technique. They might perform many different types of social engineering that slowly gather more and more information to help them create more believable or detailed fabrications to increase their chances of success in causing real damage to a person or business.

You have probably seen many lazy attempts of social engineering that rely on phishing emails and are sent to a wide pool of targets. They are usually generic and easy to spot. The more successful fraudsters spend weeks and even months planning their social engineering attacks.  

A widespread form of a spear phishing email is known as CEO fraud. In a CEO fraud email the fraudsters will pose as the head of the company and will email an employee, usually in finance, to carry out a request.

These emails are usually very realistic because they use very similar domains to the business (usually only one letter off, or even exact clones of the domain). The language used in them mimics the language and behaviour used by the supposed sender.

what is social engineering

These emails don't happen by chance; usually, the fraudster has already gained access to information from that business, or even their actual emails, by using one of the techniques explained above. 

The more information they can gather about a specific employee or the business itself the more realistic their social engineering becomes. This then makes it more likely to trick their target and achieve their goals.

Remember social engineering isn't just done digitally. Fraudsters are still using the telephone to trick information out of people. It can also be done in person; social engineering can get a fraudster through security and into the offices of a business. From there, depending on their cover, they can access all sorts of sensitive material.   

How to recognise social engineering 

To recognise social engineering attacks you and your entire staff will need to be vigilant in the workplace. While some social engineering can be tough to spot there will be certain signs you should be aware of.

  • Check the URL

If you receive an email that asks you to click on a link, make sure you check the URL for the link. You can do that by hovering over the link, and it will show you where that link goes.

  • Check the sender address

You should also check the sender name and sender address at the top of the email. It's very common for social engineers to set up phoney email accounts that mimic a domain name. Check carefully because the difference might be very subtle, like one letter missing or changed, or an extra full stop.

  • Is the offer to good to be true?

If an offer or free gift seems too good to be true, then it usually is. Fraudsters have come a long way since the fake Nigerian Prince scams, but the tempting offer is still a favourite tactic. Their attempts will be less obvious than the fake prince scam so be wary of freebies and tempting offers.

  • Watch out for unscheduled inspections

Social engineering is not restricted to the internet; it can happen in person as well. A common tactic is to pose as an engineer there to carry out an inspection. If the inspection is unscheduled or unexpected and you don't recognise the engineer then be on your guard. Request to see identification and if you are still not convinced phone the company to confirm.

  • Don't give out sensitive details over the phone

Today every bank will advise you that they never ask for your bank details over the phone. Watch out for anyone phoning up and asking for details, such as bank details or other sensitive information. If you're unsure if it's genuine or not, tell them you'll call them back. By making the call yourself, you can be sure you are talking to the right people.  

Social engineering examples

To help give you a better idea of how social engineering works and how simple the attacks can be, here are a few examples of a social engineering attack.

RSA SecurID

RSA SecurID is a cybersecurity solutions company, but in 2011 they were the victim of a social engineering attack. RSA employees were sent two different phishing emails which claimed to describe the recruitment plan of another company. Both emails contained an Excel document. When the attachment was clicked a vulnerability with Flash was exploited and a backdoor was installed, giving the attackers access to the system.

Despite being a cybersecurity company, they were still victim to human behaviour. By a couple of employees clicking on an attachment, it is thought to have cost the company $66 million.

Yahoo  

Yahoo has been victim to a few hacks in recent years. In 2014 a spear phishing attack compromised over 6,500 Yahoo user accounts. An email was sent to "semi-privileged" staff, and one employee was tricked by the email and granted the fraudster access to the Yahoo network. The attacker was able to download the Yahoo user database.

It is not just large and high profile companies that are targeted by social engineers. Small businesses are regularly targeted because attackers feel they have fewer resources available to defend themselves. Also, many small businesses think they are not a target because of their size.

Before they become one of our customers, a company told us how they had been the victim of social engineering. The Managing Director was out of the office, and an email was sent to the finance department. It was spoofed to look exactly like it had come from the MD. The language had been tailored to sound like the MD, and they had used a very similar sender address. The email requested the finance department to pay a £50,000 invoice, which they duly did. Only when the Managing Director returned to the office did they realise that had been scammed.

For more examples of social engineering attacks check out these previous successful attacks

How to prevent social engineering

how to prevent social engineering

I wrote earlier about ways to spot to social engineering. They will help you to detect potential attacks but to protect your business from the threat of social engineering we recommend these actions to prevent social engineering affecting your business.

  • Educate your staff

In the RSA example earlier, you can see how even the most security conscious company can still be victim to social engineering. The whole point of social engineering is to prey on human nature or try to force human error. If you don't educate your staff about the dangers of social engineering, then anything else you do will be for nothing.

No matter what antispam or spam filter software you use some phishing emails will get through, the attackers are so sophisticated now that it is impossible to stop 100 per cent of phishing emails. So you will need to educate your staff on what emails they should look out for and how to avoid clicking on malicious links or attachments.

Make them aware of social engineering and all the different techniques the attackers can use. It's not just emails; social engineering can happen over the phone or in person.

  • Install a spam filter

Although, as I just said, it's impossible for a spam filter to stop every single phishing email they can still minimise how many make it into your inbox. There are plenty of excellent anti-spam products to choose from, and we recommend to every business we speak to use a robust anti-spam and email security product.

  • Get Cyber Essentials certified

Cyber Essentials is a Government-backed scheme to help businesses improve their cybersecurity. The scheme addresses the most common internet-based attacks including phishing emails. It sets a baseline for technical controls to help a company have more confidence and understanding of their cybersecurity.

As we are Cyber Essentials certified, we can help other businesses through the process to help bring their cybersecurity up to speed. The less opportunity there is for attackers to get into your system the more secure you will be. 

Social engineering awareness training

There are many excellent training services you can find online to help train your employees on social engineering awareness. We recommend a company called KnowBe4. They offer a wide range of products, including security awareness training for businesses. They also have free tools that can help test your employees with simulated phishing tests. 

If you're unsure on what training your staff needs, or how best to teach them then speak to your IT support provider. They will either recommend a product or help you take your employees through training. 

Social engineering vs phishing - what is the difference

Social engineering is a broad term used to describe a range of techniques to trick people into giving fraudsters what they want. Phishing is a specific technique designed to gain personal information, usually via email.

What is phishing? 

what is phishing

Phishing is most commonly carried out over email and is designed to trick an individual into clicking a malicious link or giving out personal information. The term phishing is a play on fishing because the fraudsters are fishing for information.

Phishing emails are the most common form of social engineering because it is very effective. A study by Keepnet Labs found that the target opens 48 per cent of phishing emails. Of those opened emails 31 per cent of the targets went on to click on the link or attachment in the mail.  

How phishing works

Phishing aims to exploit a weakness or vulnerability in software or security. However, the first step involves tricking someone into clicking a link or an attachment that can give them access to your system. 

Phishing emails are usually sent in mass, as the fraudster sets a wide net and hopes to catch someone in it. More targeted phishing is known as spear phishing. It takes more research to launch a spear phishing attack because you need more details about the target(s) you are emailing too. Most spear phishing attacks will target a specific business or group of people.

Phishing attacks statistics

It is likely you see a phishing email daily because such a large volume is being sent out because it's an effective form of cybercrime. The 2018 Cyber Security Breaches Survey found that 40 per cent of UK businesses have been subject to cybercrime in the last year. On average that is costing each business £3,000 per attack.

2018 saw increases in the rate of phishing attacks against businesses. That is because this form of cybercrime is so successful. Over 65 per cent of the companies that were targeted in the first three months of 2018 had the identities of at least five employees spoofed.

The Anti-Phishing Working Group released a report that shows the number of phishing attacks increased by 46 per cent from Q4 in 2017 to Q1 2018.

How to prevent phishing

Phishing is a specific form of social engineering, so the prevention tips are valid for phishing emails. Further steps you can take to prevent phishing emails costing your business include:

  • Stay up to date with phishing attempts

Because phishing and social engineering have been so successful criminals are going to continue to carry them out and try to find new ways to become more effective. Try to stay up to date with the latest phishing trends, so speak to your IT provider to stay informed and look into awareness training.

  • Keep your browser up to date

A lot of the browser updates your computer installs are fixing security loopholes that hackers have found. Make sure you install updates as soon as they become available.

  • Use a firewall

A firewall acts as a security buffer between your computer and the outside world. If your business uses a network, it should have its own firewall. Speak to your IT provider about getting firewalls for your networks and individual computers if they are needed. If you don't know where to begin with firewalls, they can manage the whole process for you. 

  • Never use a link to get to your bank's website

If you get an email from your bank, don't click on the link to get to the website. If the email is a phishing email, you might be directed to a fraudulent site designed to get your log-in details. Close the email and enter the URL for your bank's website.  

Social engineering - what do I do next?

The first thing your business should do is speak to an expert. Call your IT provider to discuss your businesses security and to ask about training for your employees. If you don't have an IT provider or qualified in house staff, then give InfoTech a call on 01634 52 52 52 or email sales@infotech.co.uk, and we can discuss your security concerns.

Use the tips in this guide and make sure you set some rules in your business. It's imperative your staff are educated about the threat of social engineering, and you set some clear guidelines and regulations around social engineering. Remember one wrong click on an email can undo all the security you have in place, so educating your staff is vital.

Conclusion

The most worrying aspect of social engineering is that just one click can end up costing a business £1,000's, even £10,000's and more. However, there are steps your business can take to ensure it doesn't fall victim. Get professional advice and make sure your staff well aware of social engineering and the damage it can cause.

contact us about social engineering

Please remember to share this post!