A month in the life of a social engineer – part one

With social engineering set to plague 2022, understanding cyber criminals’ tactics, and the mistakes they make, might help us defend against their efforts. The third in our four-part series, published weekly, navigates the exploitation phase and how cyber criminals embark on betraying our trust.

Exploitation is at the heart of a social engineering attack. Using a carefully-chosen employee, and based on extensive research, the social engineer now takes advantage of their target’s human flaws and best professional intentions.

The most common way to do this is by sending a phishing email. Once the preserve of rookie hackers who couldn't spell 'Nigeria', phishing in today’s age is considered a sophisticated form of social engineering, designed to glean credentials or trick the target into downloading remote-access malware. Phishing instances rose nearly one-third (32%) during 2021, according to PhishLabs, while F-Secure reported that email is now the most common method used to spread malware.

Long and short phishing trips

If they're in a hurry, the social engineer could fire off an email immediately. "A pretty common technique would be for me to send you an email that appears to be from Microsoft," says Simon Edwards, founder of SE Labs. "There are a number of ways I could do that, and if it works, then job done."

A more sophisticated attacker might stage a number of social engineering steps. For instance, they could hijack an email account, research its owner, and then pose as that person when contacting the employee they want to exploit.

Numerous tools help social engineers craft their phishing bait. From software that makes emails appear to come from anywhere, to AI algorithms that work out which sender would be the most convincing, these tools can be acquired in custom bundles. "There's an entire ecosystem of tools for this," says Freeform Dynamics analyst Tony Lock. "On the dark web you can buy a pre-packaged bunch of components, right down to tools that let you process the Bitcoin you extract in a ransomware attack. It's a mix and match."

Hooking human flaws

Emotions such as eagerness to please – and fear of being found out – are gold dust for social engineers, because they motivate the target to take the bait. The attacker must, therefore, make sure their pretext presses emotional buttons.

In a recent sextortion scam, whose attempted targets included at least two of our work contacts, fraudsters conned victims out of their passwords by threatening to release a video captured-by-webcam of them watching porn. No such video existed, but the victims were so terrified that they gave out their passwords anyway.

Greed is a powerful phishing lure. Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, discovered this during a white-hat hacking job for a law firm. Asked to catch a Twitter troll, Curran tried to lure the perpetrator with assorted social media traps, but the only thing that worked was a fake email from a fake café, saying "we've found this iPad, is it yours?". Lo and behold, the troll got in touch. "He fell for it; he gave me his address," says Curran. "His greed got to him in the end."

Unpatchable human flaws are even easier to exploit in the workplace. Greed, nosiness and fear are common ingredients of corporate life. "We want to keep our bosses happy, because our livelihood depends on it," says Edwards. "If you don't want to lose your job, it's quite hard to ignore that text that appears to come from the CEO, saying you've got to pay this invoice now, otherwise we're going to lose £100,000."

If the phish doesn't bite

A successful social engineer will have backup targets in case the first attempt doesn't work, such as a supplier with less sophisticated security measures. A bill, spreadsheet, or PDF from that supplier could forge a backdoor into the target system – from where it may then move on up through the supply chain.

Other methods the criminal might consider include business process compromise (BPC), for example, posing as cleaning staff, or 'pharming' (aka watering hole), whereby they lure users to a bogus website or Wi-Fi hotspot then harvest sensitive information, such as system passwords or banking transactions.

The tactic of leaving malware-laced USB sticks lying around may be old hat, but devices are still useful lures. Curran recalls a Canadian cybercrime police team who treated a suspect to a gift to help them gather intel. "Inevitably, they give him a really good phone," says Curran, "and, of course, this phone was already compromised with a backdoor."


Outlook 2022: Five priorities for boards, management & governance professionals

What’s driving the future of governance


There are also deepfakes to contend with. This may sound like the stuff of TikTok, but Curran adds deepfake audio is "one of the biggest things we've seen in phishing over the last year". He recalls the case of a secretary transferring money to a criminal's account after a deepfake phone call that used her CEO's sampled voice. "She heard what she thought was her boss, so she did it without hesitation." Deepfakes are such a real and present danger that banks are now developing biometric authentication systems aimed at beating them. It’s simply the latest evolution in this long-running saga as the cyber security industry attempts to keep on top of the innovation in the social engineering space.

In the final part of our series, we reveal how an ambitious social engineer continues to manipulate their victim for months or years before – and after – the big attack.

Jane Hoskyn

Jane Hoskyn has been a journalist for over 25 years, with bylines in Men's Health, the Mail on Sunday, BBC Radio and more. In between freelancing, her roles have included features editor for Computeractive and technology editor for Broadcast, and she was named IPC Media Commissioning Editor of the Year for her work at Web User. Today, she specialises in writing features about user experience (UX), security and accessibility in B2B and consumer tech. You can follow Jane's personal Twitter account at @janeskyn.