#33 – Social Engineering
Social engineering is a manipulative tactic cybercriminals use to exploit human psychology and trust to gain unauthorized access to personal information or sensitive systems. It plays a significant role in the context of identity theft, as it often involves deceiving individuals into revealing confidential details or performing actions that compromise their identities or personal information.
Social engineering attacks are relatively involved compared to other forms of fraud, with bad actors carrying out several steps to achieve their intended outcome. Background information is often collected as a first step, providing the data a criminal needs to gain the trust or confidence of a victim. This could be personal details, weak security protocols, or potential entry points into a system if the target is a business or organization. From there, the threat actor applies social engineering tactics to gain the target's confidence, effectively conning them into revealing personal information, breaking security protocols, or granting access to critical systems or resources.
The direct-to-the-source nature of social engineering attacks highlights how human nature is often the weakest point in modern cybersecurity measures. Despite the vast resources spent on cybersecurity, one targeted social engineering scam can bring down the defensive walls in minutes if an employee or victim reveals the information needed to do so.
Social Engineering Examples
Social engineering attacks come in various forms, each designed to manipulate human psychology and trust. Here are several examples:
- Phishing: Phishing is one of the most common social engineering attacks. Attackers send deceptive emails or messages that appear to come from legitimate sources, such as banks or social media platforms. These messages often contain urgent requests for personal information or ask recipients to click on malicious links. Once victims provide their data or interact with the link, the attacker gains access to their accounts or personal information.
- Vishing: Vishing, or voice phishing, involves attackers making phone calls, often impersonating trusted entities like government agencies or technical support. They use persuasive tactics to convince victims to disclose sensitive information or perform actions, such as transferring money to fraudulent accounts.
Phishing and vishing social engineering attacks often employ AI-generated deepfakes to increase the chances of success. AI and social engineering used together are proving very effective in committing identity theft and other fraud.
- Tailgating/Piggybacking: This physical social engineering attack involves an attacker gaining unauthorized access to a secured area by following an authorized person through the secure entry point, like a keycard-protected door. The attacker can infiltrate a building or restricted area without detection by pretending to be a colleague or acting as if they belong.
- Quid Pro Quo: In a quid pro quo attack, the attacker offers something of value in exchange for information or access. For instance, they might pose as an IT technician and offer to help a user with a computer issue to gain access to login credentials. The victim provides the information in exchange for the promised help, not realizing it’s a fraudulent exchange.
- Reverse Social Engineering: In this version, the attacker persuades the victim to initiate contact or take actions that compromise their own security. They might send a convincing email requesting assistance, prompting the victim to respond with sensitive information or execute malicious actions, thinking they are helping a family member, colleague, or superior. Reverse social engineering attacks are often assisted by AI-created deepfake elements.
- Pharming: Pharming attacks manipulate the Domain Name System (DNS) to redirect users from legitimate websites to fraudulent ones. Victims may enter sensitive information, such as login credentials, on these counterfeit websites, unknowingly providing it to the attacker.
- Pretexting: Pretexting involves creating a fabricated scenario or pretext to manipulate individuals into disclosing sensitive information. An attacker might impersonate a coworker or service technician, claiming they need specific information to complete a task. By exploiting trust and authority, pretexting can lead individuals to divulge personal or company data.
Recent Attacks Ring Alarm
A few recent social engineering attacks demonstrate how widespread the problem is and how effective this type of attack can be, even on organizations with seemingly robust cybersecurity protocols.
Ransomware attacks at Caesars and MGM Resorts were highly effective and instigated by social engineering tactics. These are two of the largest casinos in the world and have vast security protocols in place. Both seem to have been targeted by the same criminal group, known as Black Cat. The group claimed to have accessed MGM’s system in minutes by “identifying an MGM tech employee on LinkedIn and then calling the company’s support desk.” The situation at Caesars was eerily similar, with an employee unknowingly granting access to the organization’s entire system through a third-party vendor.
And it doesn’t take a sophisticated cybercriminal network to breach multi-million-dollar organizations with social engineering, as evidenced by an 18-year-old amateur hacker infiltrating Uber and Rockstar Games over several weeks in 2022. The threat actor tricked an employee at Uber into revealing login information. He used a similar approach days later to leak a release of a widely popular video game at Rockstar.
Credit monitoring will not alert you to this type of fraud.
LibertyID will take the following steps for/with their members:
- Place fraud alerts at all three credit reporting agencies
- Place credit freezes at all three credit reporting agencies, if appropriate
- File a report with the FTC
- Review credit reports with the victim to ensure there are no other types of fraud
- Provide single bureau credit monitoring with alerts for 12 months
- Periodically contact the member throughout the 12 months following resolution of their ID theft recovery case, if warranted