Social Engineering: Latest tactics & defence strategies
James Bore CSyP from the Security Institute explores the origins of social engineering, how the defensive tools used against it are evolving, but how the most effective methods and fixes are timeless.
The vast majority of headline breaches, and many which don’t hit them, are down to someone trusting the wrong persona – whether that’s responding to the wrong email or answering the wrong call. In the last few years, the defensive tools used to protect against social engineering have dramatically changed. But their purpose remains the same.
A short history of social engineering
The term social engineering was coined at the turn of the 20th century. It was co-opted by a nascent cyber security industry in the 1970s and 1980s. In fact, the earliest recorded example is in the Epic of Gilgamesh, around 2100 BCE (possibly earlier in oral form, but we don’t have any recordings).
Moving to more recent history and something more recognisable, Vidocq (the famous French detective) documented the Spanish Prisoner scheme in the late 1820s. That will be a familiar con to many: a letter is sent about a wealthy person imprisoned in Spain; secrecy is vital for their reputation, and funds are needed urgently for their release; but after release they will reward the recipient generously.
That pattern will be familiar to anyone who takes a moment to glimpse at their junk email. All that’s changed is the medium to contact the victim.
Even looking at superficially different cons, such as the now well-known gift card scam (the CEO, or another authority, contacts a staff member to buy some gift cards as a secret surprise for the staff) the same principles are there: urgency, assumed authority, secrecy, and the promise of a reward.
While the success rate of these attempts is low, the fact that they are free to deploy in huge quantities makes them incredibly popular with modern fraudsters.
Cialdini and Influence
In 1993, Robert Cialdini published a book called Influence, covering six principles used by everyone from car salesmen to con artists. These are at the core of social engineering: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
Even the laziest phishing email ticks a few of these boxes. The classic 419 scam sets a time limit (scarcity), praises the recipient for their intelligence and trustworthiness (liking – flattery is very effective), and often makes an attempt at authority. After the first message, other levers get pulled. Reciprocity (thank you for responding – the favours reciprocated don’t need to be significant), commitment and consistency (you’ve already come this far, just a little more…).
Given this powerful approach, training in defensive tools against social engineering lets us down. Looking for spoofed domain names, or bad grammar and typos, was doomed to failure in the first place. Homograph (or lookalike) attacks use alternate alphabets which are visually identical, and perfect AI-written and personalised messages make the teaching of these niche techniques pointless.
The limitations of the new tools
Teaching tool-oriented techniques to defeat deception attacks is always going to be behind the curve. In 2019 when I first wrote about voice deepfakes for fraud, it sounded like science fiction. Within a few months, the first such attack happened, and now anyone with a publicly listed phone number is receiving convincing AI-generated calls on a regular basis. Interviews are carried out with AI-generated sound and video, and you can guarantee where there are legitimate uses, the criminals were there long before.
Where the tools do change is in their level of sophistication. At one point, insisting on a phone call would be enough to beat most social engineering attempts that came in by email. If they didn’t have a convincing voice on the phone for the pretext (the fictional scenario at the basis of the fraud), it was a clear giveaway.
Now it’s trivial to create that convincing recipient, and only slightly more effort for a video one. Phone calls are still a great defence, but only when it’s to a number that’s known from outside the fraud – and the rise of dark SEO (Search Engine Optimisation) and AI-poisoning techniques means searching for websites won’t always bring in the right results.
Add in the sheer volume of public data and the assistance AI tools can provide in collating and processing it to make an attack more convincing and the picture is bleak. It is the work of minutes to compile a dossier on an organisation that will make an attacker sound like the most convincing of insiders when calling the helpdesk, or impersonating an executive.
Even attacks against individuals can be well-targeted with a little research, fortunately not something that fraudsters have bothered overmuch with as the opportunistic but high-volume techniques still work fine.
Finally, modern tools mean that multi-channel orchestration is no longer a hurdle. For a competent attacker, switching between phone calls, video, text messages, and emails is perfectly possible, as is maintaining a consistent pretext across all of these channels. Switching medium is still an effective defence against the average attack, but it’s a hurdle which is rapidly lowering.
While there’s a lot of excitement about AI-driven vulnerability research and exploitation, we need to be realistic – the overwhelming majority of attacks rely on pretexting (creating a fictional scenario, usually some form of impersonation) rather than malware. There are technical controls that can be applied against these, but they usually require re-engineering the way that people communicate, which can be described as challenging, or more accurately described as nigh-impossible.
Defences that create friction
We have to accept that trying to secure the attack surface has failed. The best defences now are about introducing friction, making detection faster, and ensuring we have rapid communication when attacks are detected.
- Verification culture above all. Out-of-band communication (a different one to the original contact) to trusted contacts is the single best technique to prevent attacks. It needs to be made safe for individuals to push back without risk to their career, and exceptions for people inauthority turn a secure organisational culture into Swiss cheese riddled with loopholes.
- Train people on psychology and influence rather than technical playbooks. Knowing why and how the gift card scam works is far more effective than being taught to look for typos which no longer occur (and before anyone suggests that too-perfect emails are another alarm bell, there are tools which can introduce human-seeming mistakes).
- Technical controls do exist, such as DMARC and phishing-resistant MFA (Multi-Factor Authentication). They aren’t perfect, but they raise the bar for attacks and many organisations still haven’t implemented these basics
- Help desk controls. The highest-profile recent attacks could have been prevented by simple, procedural controls which have been well-known since the 70s and 80s. Callbacks to verified numbers, time delays and authorisations on sensitive changes. Given the impact manipulation of a help-desk can have, failure to put these in place can only be described as negligence.
- Leadership. Every time an exception is made because of seniority or authority, every defence is weakened. Every time someone fails to confirm with their CEO for fear of negative consequences, the attackers gain an advantage. If people don’t feel safe to question requests, it makes the job of a fraudster that much easier.
The tools change
We spend billions on technical controls while the oldest attacks keep working. Wax seals didn’t prevent the Spanish Prisoner scheme. Clay envelopes didn’t stop Ea-Näșir selling poor quality copper.
The oldest recorded use of manufactured trust to neutralise a target is in the Epic of Gilgamesh, around 2100 BC. It may be fictional, but fiction is built on real events.
The medium, the tools, have changed beyond any recognition of a Bronze Age merchant, or a Napoleonic private detective (Vidocq), but the methods are still the same.
The good news is that the defences are just as old as the attacks. Verify before acting. Make it safe for people to slow down and question requests. Help people understand the psychological levers being pulled, not just what the latest phishing email looks like.
The tools are going to keep changing, but the methods and the fixes are timeless.
James Bore CSyP
