Social engineering and phishing are both attacks used by malicious actors with the goal of compromising critical systems or data. Social engineering is a broad term used to characterize a set of tactics and techniques used to manipulate individuals into divulging confidential information or performing sensitive actions. Phishing leverages a set of tactics and techniques used to compromise a user’s credentials (such as passwords) or sensitive information (such as credit card numbers). It’s imperative to understand both of these cyber threats as, combined, they are a leading cause of data breaches and exfiltration of sensitive data for organizations.
Understanding Social Engineering
Social engineering is a technique as old as time and depends on a simple tactic: manipulation. The goal of this type of attack is to manipulate an individual into divulging confidential information, performing sensitive actions, or compromising system security (for example, by installing ransomware or other malware). Although social engineering is typically associated with cybersecurity attacks, it is not limited to them. Unlike technical hacking, which relies on exploiting software vulnerabilities, social engineering exploits human psychology.
Common Social Engineering Techniques
- Pretexting: Involves creating a fabricated scenario or pretext to gain a victim’s trust and obtain sensitive information. For example, a scammer might pose as a bank representative asking for account details to “verify” suspicious activity.
- Baiting: Entices victims with a promise of something desirable. This could be free software downloads, USB drives left in public places, or even job offers, which, when accessed, deliver malware.
- Tailgating: Also known as “piggybacking,” this technique involves an unauthorized person following an authorized individual into a restricted area. For instance, an attacker might pretend to be a delivery person to gain access to a secure building.
- Quid Pro Quo: Offers a service or benefit in exchange for information. An attacker might pose as IT support, offering to fix a computer issue in return for login credentials.
- Impersonation: An attacker might impersonate someone trustworthy, such as a maintenance worker, IT technician, or vendor, to gain physical access to secure areas. By wearing a uniform or presenting fake identification, they can blend in and gain trust, allowing them to access restricted areas or information.
Social engineering does not need to be sophisticated; rather, it relies on “vulnerabilities” in processes and on psychological manipulation to attack the security of a system.
AI making social engineering more sophisticated
As if security wasn’t hard enough, AI has the potential to completely step up the level of sophistication of social engineering attacks. High-profile attacks have already been executed using deepfake video and audio. A British engineering firm, Arup, was duped into paying $25 million USD to fraudsters after a video call with a deepfake chief financial officer. In May 2024, the FBI issued an advisory warning of the increased use of AI and deepfake technology to spoof audio and video for calls, messages, and voicemails. These attacks will only proliferate as the tools available to attackers get substantially better. Mitigating them will require greater use of identity proofing and verification tooling, employee training, and vigilance.
Understanding Phishing
Phishing is a specific type of social engineering attack that seeks to compromise an end user’s credentials or sensitive information, such as passwords, OTP codes, or credit card numbers. Most commonly for organizations, phishing scams seek to obtain secrets such as passwords or codes that are used to gain access to systems or data. Phishing is most commonly executed over email; however, phishing attacks vary widely and also arrive via text messages (smishing), phone calls (vishing), or even social media.
Common Phishing Tactics
- Email Phishing: The most prevalent form of phishing, where attackers send emails that appear to be from reputable sources like banks, social media platforms, or government agencies. These emails often contain a sense of urgency, prompting recipients to click on malicious links or download attachments.
- Spear Phishing: A more targeted approach, where attackers customize their messages to a specific individual or organization. Spear phishing often involves extensive research on the victim to increase the likelihood of success.
- Whaling: A subtype of spear phishing that targets high-profile individuals such as executives or government officials. These attacks are highly sophisticated and can have severe consequences if successful.
- Clone Phishing: Involves duplicating a legitimate email that the victim has previously received but modifying the attachment or link to include malware. The cybercriminal then sends the cloned email from a spoofed address that resembles the original sender.
- Vishing (Voice Phishing): Phishing conducted over the phone, where attackers call a victim. Attackers generally use the pretext of a trusted organization or individual (“Hello, this is Jon calling from citicard. We’ve noticed suspicious activity on your account.”). The attack relies on the pretext of a trusted source to extract sensitive information.
- Smishing (SMS Phishing): Phishing conducted via text messages. Attackers send SMS messages that appear to come from legitimate sources, for example: “Hi, this is Alex. I’m in a meeting and can’t call. Can you do something for me quickly?”
- Pharming: Can be used in conjunction with other techniques. Pharming uses a webpage that looks like an authentic website; generally these sites use domains that closely resemble the legitimate one. The malicious website gathers credentials or sensitive information.
- Man-in-the-Middle (MitM) attacks: A technical attack in which an attacker can inspect traffic and extract sensitive information from it.
- Social Media Phishing: relies on social media through fake or compromised accounts to build trust and extract personal or confidential information.
Phishing and Authentication
According to the Verizon 2024 DBIR report, phishing and credential-based attacks are two of the most prolific methods of system compromise. Different authentication methods have different properties with respect to phishing resistance, and some are fundamentally more “secure” than others. It’s important to recognize that multi-factor authentication (MFA) is one of the most effective methods for preventing phishing, and that within MFA there are various choices of authenticator with very different security properties.
Key Differences Between Social Engineering and Phishing
While both social engineering and phishing rely on deception and manipulation, there are several key differences between the two:
- Scope: Social engineering is an umbrella term that includes a variety of techniques, whereas phishing is a specific type of social engineering focused on obtaining information through electronic communication.
- Methods: Social engineering can involve direct interaction (e.g., pretexting, tailgating), while phishing typically involves indirect interaction through digital means (e.g., email, text messages).
- Targets: Social engineering often requires personalized tactics tailored to individual victims, whereas phishing can be broad (email phishing) or targeted (spear phishing, whaling).
- Complexity: Phishing attacks are generally simpler and quicker to execute compared to the more complex and varied strategies employed in social engineering.
Protection Strategies
Protecting against social engineering and phishing requires a multi-faceted approach that combines technology, education, and vigilance.
For Individuals
- Education and Awareness: Regularly educate yourself about the latest social engineering and phishing tactics. Be wary of unsolicited communications and verify the identity of the sender before providing any information.
- Strong Passwords: Use complex passwords and change them regularly. Avoid using the same password across multiple accounts.
- Multi-Factor Authentication (MFA): Enable MFA on all accounts to add an extra layer of security. This can prevent unauthorized access even if your credentials are compromised.
- Be Skeptical: Always be cautious of urgent requests for information or actions. Verify the source through independent channels before responding.
For Organizations
- Employee Training: Conduct regular training sessions to educate employees about social engineering and phishing. Use simulated phishing attacks to test and reinforce their knowledge.
- Email Filtering: Implement robust email filtering solutions to detect and block phishing emails before they reach employees’ inboxes.
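As an added example (not code from the original post), the Python below applies two of the checks discussed on this page to constructed sample messages: the lookalike-domain test from the pharming description, and the sender, Reply-To and urgency heuristics an email filter would apply. The trusted domain example.com, the sample messages and the thresholds are assumptions.

```python
import re
from email.utils import parseaddr
TRUSTED_DOMAINS = {"example.com"}  # domains the organization really sends from (constructed)
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(domain):  # the trusted domain itself or a genuine subdomain of it
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_domain(domain):
    """Pharming check: return the trusted domain this one imitates, else None."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        # Close typo (e.g. 'rn' for 'm') or the brand name embedded in another domain.
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None

def score_message(from_header, reply_to, body):
    """Return (score, reasons); each reason is one phishing signal found in the message."""
    reasons = []
    name, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    # Display name borrows a trusted brand while the address is not ours.
    if not is_trusted(from_domain) and any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS):
        reasons.append(f"display name '{name}' does not match sender domain {from_domain}")
    if target := lookalike_domain(from_domain):
        reasons.append(f"sender domain {from_domain} resembles {target}")
    reply = parseaddr(reply_to)[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(body):
        reasons.append("urgency language in body")
    return len(reasons), reasons

SAMPLE_MESSAGES = [  # constructed (From, Reply-To, body): a legitimate notice and a lookalike lure
    ("IT Helpdesk <helpdesk@example.com>", "helpdesk@example.com", "Quarterly training is on the intranet."),
    ("Example Support <support@exarnple.com>", "recover@mail-box.net", "Account suspended. Verify your account immediately."),
]
```

Running `score_message(*SAMPLE_MESSAGES[1])` returns a score of 4 with all four reasons, while the legitimate notice scores 0; in a real filter the score would feed a quarantine threshold rather than a hard block.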
- Security Tools: Antivirus, endpoint protection, and firewalls are common tools used by organizations to detect malicious software and/or data exfiltration that may be used in various forms of social engineering or phishing.
- Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to be taken in the event of a social engineering or phishing attack.
- Access Controls: Limit access to sensitive information (such as customer and financial information) based on the principle of least privilege. Regularly review and update access permissions.
- Security Policies: Establish and enforce comprehensive security policies that address social engineering and phishing. Ensure that employees are aware of these policies and understand their importance.