SC Congress Toronto: Social engineering exploits 'hardwired' human behaviors
Fincher said the three main vectors of social engineering are phishing, vishing and onsite attacks.
Social engineering takes advantage of the fact that we are human beings, said Michele Fincher, chief influencing agent with Social-Engineer and co-author of Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails, during Wednesday's closing keynote at SC Congress Toronto.
People carrying out social engineering attacks will exploit the fact that, as humans, we behave in ways that are very hardwired, Fincher said. Those behaviors include following authority, doing things because other people are doing them, and acting fast when we believe something might be for a limited time only.
Attackers conducting social engineering will also not hesitate to manipulate us, Fincher added. They will take advantage of uncertainty within hours of big and tragic events, and will also attempt to intimidate and frighten targets into believing they did something wrong.
“Social engineering is any act that influences a person to take an action that may or may not be in their best interests,” Fincher said, explaining that the three main vectors for social engineering are phishing; onsite attacks, or impersonation; and vishing, or phone elicitation.
Phishing involves sending emails in bulk, while spearphishing involves researching the target first and sending highly targeted emails with personalized messages, Fincher said. She noted that phishing exploits our natural curiosity, our poor decision-making, and the simple fact that many of us are too busy to pay close attention.
Vishing is essentially making phone calls, primarily for information gathering, and it can involve caller-ID spoofing to make the call more convincing, Fincher said. Impersonation and onsite attacks involve physically showing up at the location, which can create an opportunity to steal things or plug in a malicious USB drive.
“When used together they can create a very powerful influence,” Fincher said, adding sarcastically, “If we hear it from more than one source [then] it has to be true.”
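The pressure cues Fincher lists (authority, social proof, urgency, fear) are also what a defender can look for in an incoming email. The following scanner is an added example written for this page, not code from Fincher or Social-Engineer; the cue patterns, the `scan` and `verdict` function names, and the two sample messages are constructed for illustration. It flags each cue category present in a message and, following the keynote's point that the cues are most persuasive in combination, rates the message by how many distinct categories it stacks rather than by raw keyword count.

```python
"""Heuristic scanner for social-engineering pressure cues in email body text.

Added example for this article; patterns and samples are constructed, not taken
from any real phishing corpus or from Social-Engineer's own tooling.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One pattern group per "hardwired" behaviour the keynote describes attackers exploiting.
# These are hypothetical, deliberately small lists; a production filter would use a
# much larger and tuned set and combine them with header and URL analysis.
CUE_PATTERNS: dict[str, list[str]] = {
    "authority": [
        r"\b(ceo|cfo|director|it department|help ?desk|legal|compliance)\b",
        r"\bon behalf of\b",
    ],
    "social_proof": [
        r"\b(everyone|all (other )?(staff|employees)|your colleagues?) (has|have) (already )?\w+",
        r"\bmost (people|users) have\b",
    ],
    "urgency": [
        r"\b(immediately|urgent(ly)?|right away|asap|within (\d+|the next) (hours?|minutes?))\b",
        r"\b(expires?|limited time|last chance|today only|before (midnight|end of day))\b",
    ],
    "fear": [
        r"\b(suspended|terminated|locked|disabled|legal action|penalt(y|ies))\b",
        r"\b(unauthori[sz]ed|suspicious) (login|access|activity)\b",
    ],
}


@dataclass(frozen=True)
class Finding:
    category: str   # which pressure cue was triggered
    matched: str    # the text fragment that triggered it


def scan(text: str) -> list[Finding]:
    """Return every cue match in the message, case-insensitively."""
    lowered = text.lower()
    findings: list[Finding] = []
    for category, patterns in CUE_PATTERNS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, lowered):
                findings.append(Finding(category, match.group(0)))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Rate by the number of distinct cue categories stacked together.

    A single urgent word is common in legitimate mail; authority plus urgency plus
    a threat in one short message is the layered influence the keynote warns about.
    """
    categories = {f.category for f in findings}
    if len(categories) >= 3:
        return "high"
    if len(categories) == 2:
        return "medium"
    if categories:
        return "low"
    return "none"


# Constructed sample messages (not real phishing emails).
SAMPLE_PHISH = """From the Office of the CEO:
Our IT department has detected unauthorized access to your account. Your access will be
suspended within 2 hours unless you verify immediately at the link below.
All other employees have already completed this step."""

SAMPLE_BENIGN = """Hi team, the quarterly report draft is attached. No action needed;
I'll circulate the final version next week."""


if __name__ == "__main__":
    for label, message in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        hits = scan(message)
        print(f"{label}: verdict={verdict(hits)}")
        for hit in hits:
            print(f"  [{hit.category}] {hit.matched!r}")
```

Because the scanner only reads the body text, it is a triage aid rather than a filter: legitimate mail from a real executive can legitimately be urgent, and a well-researched spearphish may use none of these words at all. The value is in surfacing stacked cues for a human or a mail-security pipeline to weigh alongside sender, link and attachment checks.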
For organizations, technology and policy can help prevent social engineering attacks, but regular and realistic tests are pivotal for bringing awareness and education to employees, Fincher said. She noted that tests should be frequent and consistent, and should enforce good habits.