Social fraud is nothing new. It has been with us for a long time in the form of con artists, marketing ploys and, more recently, cyber crime. Technology has brought many advantages and ‘disruptive technologies’, such as the internet, and has carried society and the corporate world into an age where life without it has become almost impossible. We can also say that, on balance, technology has been a positive, even ‘fantastic’, contributor for everyone.

However, we have to admit that technology has also presented us with many challenges, only some of which come with a warning. It has made it easier for cyber criminals to gain access to information systems by applying social engineering. Social engineering is the term used when people are psychologically manipulated into performing certain tasks, for better or for worse, though mostly for the worse.

The ways and methods used for this manipulation are limited only by the imagination of the cyber criminal. A clever social engineer will take his time and persist until he succeeds in penetrating a secure system. The impact can be huge and ranges from financial loss to loss of reputation, loss of privacy and identity theft. In Malta we have had our fair share of these; small cases were publicised, while others never surfaced anywhere.

This article attempts to give the reader a non-exhaustive overview of the social engineering methods that are most commonly used.

Phases of social engineering

First of all, a social engineer whose objective is to gain access to a system goes through a number of phases before achieving a successful penetration. These phases can be identified as research, victim identification, relationship initiation and exploitation.

The research stage involves gathering as much information as possible about the target organisation. It draws on a variety of methods, from extensive internet searches to the technical tools needed for the job, most of which are available as open source software.

The victim identification stage involves finding someone who is easy to lure. Disgruntled employees are an easy target, as are naive personalities. Very often it is simply a matter of the attacker persisting and trying repeatedly; it is then only a matter of time until someone becomes a target.

Once the victim is identified, the attacker starts building a relationship, which is why this is called the relationship initiation stage. Sometimes this is brief; at other times it takes much longer and is far more intricate. How long it takes usually depends on the potential damage or payload and on the options of attack available.

The exploitation stage is usually so fast that it is hard to believe, leaving the victim in disarray and disbelief. At times this stage comes with grave repercussions for the victim and the targeted organisation. While organisations will usually survive, even at a terrible loss, individuals can be left with a number of serious personal and health issues.

Potential victim

The most common targets for a social engineer are reception and help desk staff, technical support staff, systems administrators, in-house staff and even clients.

Reception and help desk staff are easy prey because they are so used to routine calls that they stop thinking critically about each request. An attacker earns their trust and then lures them, indirectly, into revealing the information he is after.

Technical support staff can be tricked by an attacker pretending to be, for example, a manager, a client or a vendor, and coercing them into resetting passwords or handing over sensitive information that can then be used in another planned attack. Although this is generally seen as difficult to achieve, the social engineer can use mannerisms, charm or threats to reach the goal.

Systems administrators are usually more difficult to trick, but the attacker will try any entry point that looks open to breach. This may mean the attacker becomes familiar with the system’s jargon in order to convince an administrator that he is a vendor or a new, experienced colleague. A breach through this route is usually devastating.

Staff or clients usually take much longer to deceive or manipulate. Although the damage here is limited to loss of credibility, identity theft and loss of privacy, this target is sometimes only the preparation for a deeper attack.

Social engineering methods

Social engineers can use many methods to achieve what they set out to do. The method chosen usually reflects the attacker’s capability, although social engineers can group together and take advantage of each other’s devious competence. The methods can be divided into face-to-face, phone-based and computer-based social engineering.

Human interaction attacks need human intervention of some sort, in any form or manner. They may or may not involve a conversation, such as sweet-talking an official, or they may involve stealing documents. In effect, human interaction attacks may involve eavesdropping, shoulder surfing, tailgating (following employees to gain access), piggybacking (convincing another employee that they forgot their ID), looking through trash bins, stealing documents or memory sticks, or even posing as someone in authority to gain access.

Phone-based attacks involve the use of telephones or mobile apps. We mentioned examples of this earlier, where the attacker pretends to be someone from higher management. The request can be as simple as asking for documents to be e-mailed or for passwords to be reset.

The attacker may use social media to find contacts and to learn about their personalities, their failures and their needs. These people are then targeted through their frailty, incapacity, debt or obligations. Alternatively, the attacker can easily pretend to be IT support, gaining trust by getting on first-name terms with the victim.

Some social engineering involves developing apps with specific features that entice a target group and convince them to download the app. Once the app is run, the valuable, sensitive or confidential information found on the phone can be stolen.

Computer-based attacks are the most widely practised and best known. They involve various forms of viruses, Trojans and spyware. Some of these steal seemingly harmless information so that it can be used for marketing purposes. Hoax letters and e-mails are not uncommon; this is called phishing, or spear-phishing when it is targeted at specific individuals or groups.

Can we avoid social engineering?

Definitely not! Social engineers are usually very clever and experienced, and they can work together to achieve effects that can topple governments. They are always 10 steps ahead. However, we can surely minimise the possibility of an attack. In most cases, humans are the weakest link, and this is where social engineers work best.

Minimising social engineering attacks at a personal level involves better education for citizens, with governments making awareness of the subject a top priority. In the end, this will benefit not just citizens but the organisations they work for, because we will be creating the right culture to combat this threat.

From a corporate point of view, organisations must take this threat more seriously. This means investing more in smart security awareness campaigns, in tools and in regular education for their employees. Regular employee screening is something that is not readily done because of privacy laws and the ill-feeling it creates.

However, social media has become so powerful that it is now common for organisations to regularly screen their employees’ Facebook, Twitter and other social media accounts. And, while on the subject of social media, corporate investment in social media governance will go a long way towards managing the behaviour of employees. Although this is not yet common practice in Malta, it comes highly recommended.

The eSkills Malta Foundation is a partnership of representatives from government, industry and education that aims to advise government and stakeholders on matters related to the national eSkills policy and contribute to the expansion of ICT educational programmes and related initiatives.

Carm Cachia is executive co-ordinator, eSkills Malta Foundation.
