Social engineering attacks rely on psychological tricks to exploit people’s errors of judgement or cognitive biases in social interactions; for instance, convincing a security guard to grant access to the building by pretending to be an employee of the company. The goal usually is to get access to a system or exploit the trust they have established to commit fraud.

Typical social engineering mechanisms involve the impersonation of a trusted person, manipulating the victim’s emotions, or putting pressure on the victim with the argument of urgency. 

Complex social engineering attacks often involve four stages:  

  1. A reconnaissance stage to obtain knowledge of the people and the environment 
  2. An initial contact stage to establish familiarity with the target 
  3. An exploitation stage (to deliver malware, steal data, etc.) 
  4. A conclusion stage to remove potential traces of malicious behaviour. 

What’s phishing?  

Most cyber-attacks rely on social engineering to trick the user, usually by clicking on a link, opening a malicious attachment or following a procedure that will eventually lead to fraud, a security breach or a data leak. This is the case of phishing, where users are incentivised with “important” emails to click on a malicious link.

What’s spear phishing? 

Whereas classic phishing relies on indiscriminate large-scale campaigns, spear phishing is a custom-designed operation targeting specific - often high-profile - individuals. For instance, the Democratic National Committee (DNC) Chairman, John Podesta, received a spear-phishing email in 2016 purporting to originate from Google Security, which requested he reset his password. This led to the DNC data leak.

What’s a business email compromise?  

Business Email Compromise (BEC) is a specific type of spear phishing. Sometimes better known as President fraud, it is spear phishing where an “urgent” email or phone call pressures a CEO, senior executive or another representative with access to company funds to transmit sensitive data or wire money. The pressure of time is often justified by the need to close a deal or risk missing a big business opportunity. Variants of BEC include attorney impersonation and HR targeting to obtain personnel information. 

The UK National Cyber Security Centre considers BEC a threat “to all organisations of all sizes and across all sectors, including non-profit organisations and government”. According to the FBI, BEC attacks cost nearly 180 million USD to United States victims in 2013. 

What’s a whaling attack? 

A whaling attack is when a BEC attack leverages open-source information on the targets, such as their social media posts, to better trick employees and take advantage of a manager on vacation, for example. The messages often appear as if they originated from a senior leader at the organisation. 

Anti-phishing: Informing employees of typical tactics 

There are a few simple steps to increase awareness of phishing risks among employees. First, always double-check the sender’s email address. Cybercriminals will often mimic official addresses but with subtle differences (name-company@pm.com instead of name@company.com). In more advanced attacks, they might also forge email headers (the “from” and “to” information). This is known as email spoofing. It is not possible for a typical user to detect email spoofing, but the encryption of emails, with the widely supported SSL/TLS or S/MIME protocols, for instance, can help mitigate it. Second, be mindful of urgent or important requests from unusual contacts or unknown managers. Time or hierarchy pressure is a typical tell-tale of targeted phishing. Third, in case of doubt, ask the IT department for help and contact the usual contact with a known or trusted email address or phone number. This will allow you to corroborate the request from a trusted source. 

Though phishing attempts might appear obvious to cyber experts, it is important not to undermine the role of education in defending an organisation. Beyond training on the typical tactics, inform employees about the damage someone can do if they access your system through a phishing email (or whatever technique they are using). Understanding the magnitude of a threat can help encourage users to heed caution.