Social engineering refers to the set of psychological manipulation techniques used by malicious individuals, often cybercriminals, to get people to divulge confidential information or perform actions that compromise the security of their personal data or that of their organisation.
These attacks do not directly target computer systems, but exploit human weaknesses, playing on emotions and cognitive biases such as trust (by pretending to be a trustworthy person), fear (of punishment or an urgent problem), urgency (to get a quick reaction), curiosity (with tempting lures), greed (promises of financial gain), altruism (asking for help for a cause), or ignorance.
Types of social engineering
- Phishing: sending fraudulent e-mails or messages that imitate legitimate sources (banks, social networks, government departments, energy suppliers, etc.).
- Spear phishing: a highly targeted and personalised version of phishing that uses personal information about the victim to increase credibility.
- Whaling: spear phishing attacks targeting high-level employees within an organisation.
- Vishing (voice phishing): attackers call their victims pretending to be representatives of official services or companies (e.g. bogus technical support).
- Smishing (SMS phishing): phishing carried out by text message.
- Impersonation: attackers pose as someone the victim trusts (colleague, friend, superior).
- Baiting: the offer of a benefit (e.g. free software or music, discounts) to induce victims to hand over their login details or to take other actions such as downloading malware.
- Pretexting: the creation of a fabricated scenario to induce the victim to divulge information or perform an action, for example a fake police officer, a fake electricity supplier's agent or a fake pollster.
- Shoulder surfing: discreetly observing a person's actions (entering passwords, reading confidential information).
- Tailgating: gaining physical access to a secure location by following an employee through a door, with or without that employee's knowledge.
- Quid pro quo: the exchange of a service for data.
How it works
Key stages:
- Reconnaissance and information gathering: the attacker gathers information about the target via social networks, public databases (OSINT), company websites, etc.
- Creating a credible scenario: the attacker develops a plausible and personalised scenario, playing on urgency, authority, familiarity or scarcity.
- Contact and psychological manipulation: the attacker contacts the victim and uses manipulative techniques (pressure, flattery, fear, guilt, false urgency) to persuade them to act.
- Exploitation: the victim performs the action the attacker wanted (disclosure of information, installation of malware, bank transfer).
Consequences
- Financial: fraud, theft of money, ransomware, commercial losses.
- Data security: leaks of personal or professional data, invasion of privacy.
- Reputation: loss of confidence among customers, partners and employees, damage to brand image.
- Legal: fines for non-compliance with data protection regulations such as the RGPD (GDPR), legal proceedings.
- Operational: business interruptions, unavailability of IT systems, loss of productivity.
Notable examples
- Attack on Target (2013): Massive hacking via a supplier of heating, ventilation and air conditioning (HVAC) systems, theft of 40 million bank card numbers and 70 million addresses and personal information.
- Twitter Bitcoin Scam (2020): hacking into the Twitter accounts of famous personalities (Barack Obama, Elon Musk, Bill Gates) via a social engineering attack targeting Twitter employees, distribution of fraudulent messages encouraging people to send bitcoins.
- RSA SecurID (2011): data theft after a phishing attack targeting RSA employees, compromising the security of SecurID authentication tokens.
- Clinton campaign (2016): compromise of the emails of John Podesta, Hillary Clinton's campaign manager, via a spear phishing attack.
Protection and remedies
- User training and awareness: regular training of employees and the public in social engineering techniques, including simulated phishing campaigns.
- Checking sources and information: confirm the identity of contacts by an independent channel (a direct telephone call to a known number, consultation of the official website), and never click on suspicious links.
- Robust security policies: implementation of clear security policies (password management, access control, device management) and application of the principle of least privilege.
- Multi-factor authentication (MFA): activation of two-factor authentication to strengthen the security of online accounts.
- Technical security tools: use of anti-spam filters, anti-virus software, firewalls, intrusion detection systems and email security solutions.
- Incident response plan: define clear procedures to follow in the event of a security incident, and set up an incident response team.
- Be wary of offers that are too good to be true: be suspicious of tempting offers, easy wins and urgent requests.
Statistics and figures
- France:
  - 83% of cyber attacks involve phishing (ANDDI, 2022).
  - 54% of French companies have suffered an attempted social engineering attack (ANSSI, 2021).
- World:
  - 82% of data breaches involve social engineering (Verizon DBIR 2022).
  - Losses of 2.4 billion dollars in the United States (FBI IC3, 2021).
  - 30% of users click on phishing links (Proofpoint, 2022).