Understanding social engineering is vital in our technology-driven world, where individuals are manipulated into compromising security through tactics like phishing emails and impersonation.

Awareness of these methods enables better protection against cyberthreats, empowering individuals and organisations to recognise suspicious behaviour and implement security measures.

Educating oneself about social engineering is not only about personal security but also societal responsibility, essential for safeguarding sensitive information, assets and trust in the digital age, making it a necessity to combat evolving cyberthreats.

For an individual user, a social engineering attack can look like a fraudulent e-mail with a malicious link. For a company, it can look like a ransomware group convincing an IT helpdesk to hand over access to internal systems.

The four stages

While each social engineering attack may appear to differ in terms of techniques and goals, they all follow the same cycle made up of four stages:

Information gathering

Social engineering often begins with extensive research to gather information about the target, which can be a person or an organisation. This information might include personal details, such as their name, job title, e-mail address, phone number, interests, social media activity and any other publicly available information.

Attackers might also use techniques such as phishing e-mails, pretexting (inventing a scenario to extract information) or even dumpster diving (going through the garbage) to gather sensitive data like passwords, account numbers or internal procedures.

Establishing a relationship

Once the attacker has collected enough information, they use it to establish a rapport or relationship with the target. This could involve impersonating someone the target knows and trusts, such as a colleague, friend or authority figure. By using the information gathered in the first stage, the attacker can appear credible and trustworthy, making it easier to manipulate the target into providing further information or access.

Exploitation

With the relationship established, the malefactor exploits the trust they’ve built to manipulate the target into performing actions that benefit the criminals. This could involve tricking the target into revealing sensitive information, like passwords or account details, or persuading them to take actions that compromise security, such as clicking on a malicious link or downloading malware.

Execution

Finally, the attacker carries out their malicious objectives, which could range from stealing sensitive data or financial information to gaining unauthorised access to systems or networks. This stage often involves using the information and access obtained through the previous stages to achieve the attacker’s goals, whether it’s financial gain, data theft, espionage or other nefarious activities.

People have always been the weakest link and are a critical element of the attack surface. They often have access to endpoints, assets and legitimate credentials, and are usually untrained on how to spot or respond to a social engineering attack.

Popular attack methods

BEC attacks have proven to be one of the more popular kinds of social engineering methods and are a quick and easy payday for hackers. According to Arctic Wolf data, the attack vector was responsible for 30% of all attacks in 2023 and according to the FBI caused more than US$2.7-billion in losses in 2022 alone.

And that’s just one kind of social engineering attack.

Phishing is the most prevalent form of social engineering attack and involves hackers impersonating trusted entities to deceive targets into providing access to sensitive data. According to the 2023 Verizon Data Breach Investigation Report, phishing made up a staggering 44% of all social engineering attacks.

While the stereotype often involves seniors falling victim or distant relatives soliciting money, phishing tactics have evolved to be highly sophisticated. Attackers may replicate legitimate e-mail addresses, messaging platforms or URLs. For instance, a recipient might receive a fraudulent message appearing to be from HR, prompting them to click a link and verify their holiday schedule.

Although “phishing” originally referred expressly to e-mail-based attacks, the term now encompasses any form of impersonation communication. This broad definition has led to the development of numerous subtactics, many of which are equally challenging to detect. These include various types of phishing attacks, each designed to exploit specific vulnerabilities and behaviours of targets.

A range of lures

Spam (or mass) phishing: The most common type, where generic emails are sent to a large number of recipients, impersonating legitimate sources and typically requesting sensitive information or directing recipients to fake websites.
Spear phishing: A more targeted approach wherein attackers research and customise emails to specific individuals or organisations, often using personal details to increase credibility and likelihood of success.
Whaling: Similar to spear phishing but targeting high-profile individuals, such as executives or key decision makers within organisations, aiming to extract valuable information or gain access to sensitive systems.
Vishing (voice phishing): Involves phone calls instead of e-mails, where attackers impersonate trusted entities, like banks or government agencies, to manipulate victims into revealing sensitive information or performing specific
Smishing (SMS phishing): Utilises text messages to deceive recipients into clicking on malicious links or providing sensitive information, often posing as banks, delivery services or other trusted sources.
Angler phishing: Targets users on social media platforms, exploiting their trust in comments or messages containing malicious links or requests for personal information.
URL phishing: Involves the creation of deceptive URLs resembling legitimate websites, aiming to trick users into entering their credentials or other sensitive data.
In-session phishing: This occurs when attackers hijack active web sessions to inject malicious content or redirect users to fraudulent sites without their knowledge.
Quid pro quo phishing: Involves enticing victims with a promised benefit in exchange for their sensitive information, often under the guise of a survey, prize or service.
Mobile payment app phishing: Targets users of mobile payment apps through fake notifications or messages, prompting them to provide login credentials or financial details.
Business e-mail compromise (BEC): Focuses on compromising business email accounts to deceive employees, partners or customers into transferring funds, disclosing sensitive information or executing fraudulent transactions.
Baiting: Lures victims with promises of free downloads or services, such as movies or software, which are malware-infected, compromising the victim’s device or data.
Scareware: Uses fear tactics, like fake virus alerts or security warnings, to trick users into purchasing unnecessary or malicious software.
Tailgating: Involves unauthorised individuals physically following an authorised person into a restricted area, exploiting trust and lax security measures.
Shoulder surfing: Attackers observe or record sensitive information, such as passwords or Pins, by watching over the shoulder of unsuspecting individuals as they enter credentials.
DNS spoofing: Manipulates DNS resolution to redirect users from legitimate websites to fraudulent ones, allowing attackers to intercept and manipulate communication between users and servers.

Understanding these various phishing techniques is crucial for individuals and organisations to implement adequate security measures and protect against cyberthreats.

Preventing social engineering

To counter social engineering, South African businesses must invest in robust cybersecurity measures and employee education. Ongoing awareness campaigns empower employees to detect and thwart social engineering attempts. Deploying multi-factor authentication, encryption and secure communication channels significantly bolster the security posture of businesses.

Fighting social engineering attacks requires a multi-pronged approach. This means using tools to prevent credential theft, making use of e-mail filters and e-mail security, and ensuring workforces receive thorough and ongoing training to equip them with the skills and knowledge they need to combat these attacks.

Because social engineering targets the human element that needs to be protected first, detecting and stopping a social engineering attack before it turns into an incident can make all the difference. Every user has a role to play.