Why is Social Engineering so Effective?

Kieran Roberts Headshot
Written by Kieran Roberts
Head of Penetration Testing
15/11/2021

We’ve previously discussed what social engineering attacks are and what you can do to prevent them. Here, we’re going to review the reasons why threat actors persist with these types of attacks and why every single employee is potentially susceptible to a social engineering attack.

According to the CSO, in 2020, 6.95 million new phishing and scam pages were created, with the highest number of new phishing and scam sites in one month of 206,310.

  • Key themes: COVID, gift cards, and gaming hacks.
  • The three most targeted industries: technology, retail and finance.
  • The top three countries hosting scams: US, Russia and British Virgin Isles.
  • Gmail was the most popular email service used for phishing kits.
Common types of cyberattacks pie charts

Sources: https://www.csoonline.com/article/3634869/top-cybersecurity-statistics-trends-and-facts.html, https://cobalt.io/blog/cybersecurity-statistics-2021, https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

What is social engineering?

Social engineering attacks aim to manipulate and mislead employees to disclose information or sensitive data which can then be used for the benefit of the cyber criminal. These threat actors use psychological techniques to obtain information and then use it in many different ways. Companies have even been held ransom and had to pay sums of money to retrieve control of sensitive information. This type of cyber attack is also known as ransomware. Among other things, hackers are understood to sell customer data on the dark web.

Social engineering attackers understand that the primary vulnerabilities are not the cyber security tools, rather the human beings using the systems to carry out their day jobs. Human vulnerability cannot be completely eliminated from any system. Employees are typically the first line of defence for businesses, therefore, it’s vital companies educate themselves and their staff about social engineering to mitigate the risks.

Why are social engineering attacks so successful?

Social engineering is reliant on the cyber criminal gaining the trust of the victim. The uniquely human aspect of these cyber attacks means that anyone and any company, regardless of the size, could potentially lose big. Aside from the fact that you can always rely on human fallibility, to really understand the answer to this question, we need to review the psychology of these social engineering attacks.

The six principles of influence

  • 1. Reciprocity - If someone does a favour or gives you something, even if by accident, you feel inclined to return the favour or give them something back. Reciprocity is the universal understanding of repaying a favour or treating others the way they treat you. In social engineering, reciprocity would be a threat actor requesting sensitive data in return for a freebie.
  • 2. Commitment and Consistency - To maintain a consistent sense of self, we may choose to stick with our decisions even if we know they are wrong. In social engineering, an employee would be committed to revealing sensitive data and portraying consistent behaviour when requested to do so, even though they understand the risks.
  • 3. Social Proof - Human behaviour shows we are heavily influenced by what others do, including forming an opinion or decision-making. In social engineering, an employee could be influenced by a threat actor who provides false evidence that a colleague has complied with a request.
  • 4. Liking - People will more likely do something for someone if they like them. Spear phishing is a type of social engineering attack whereby a hacker will take on the guise of a genuine person or organisation to lure victims into gaining their trust with the goal of stealing sensitive data.
  • 5. Scarcity - People want things that are scarce as it makes them feel more special. An offer is more appealing when there are limited quantities available because of this principle. In social engineering, a threat actor may provide a potential victim with a persuasive reason to reveal sensitive information with urgency.
  • 6. Authority - People usually submit to authority and will generally follow their lead. In social engineering, any demands from what someone deems to be an authoritative figure such as a CEO can influence an employee into taking actions which will be harmful to the business such as sharing business-critical data. Spear phishers will use a principle like authority to their benefit.

Social engineering attacks are underpinned by the six principles of influence, the principles identified by psychologist Robert Cialdini in his book ‘Influence: The Psychology of Persuasion’. Threat actors understand these principles and employ them through numerous forms, but most follow these four formats:

  • Pretexting: Impersonating another person or employer
  • Luring: Tempting employees with personal gain
  • Bribery: Manipulating employees to disclose information with threats to reveal or expose them personally
  • Dealing: Providing an employee with an incentive to disclose sensitive information

What does a social engineering attack look like?

Whilst there are numerous means by which threat actors can target your business critical data, all social engineering attacks tend to follow a four-phase pattern.

1. Pre-attack - Research

The initial stage of any cyber attack commonly involves gathering information whilst looking to remain unidentified. Organisational charts and website bios can provide details of employees who may have high-level access.

2. Engagement

This involves contacting the target within an organisation, either face-to-face or via email.

3. Attack

Social engineers will use phishing attacks, spear-phishing (targeted, individualised phishing attacks), fraudulent websites, voice over IP (VoIP) and many other means to conduct these cyber attacks.

4. Escape

Following a successful attack, the cyber criminal will break off all communication with targets and cover their tracks.

How we can help

There are several ways you can look to limit the opportunities for social engineering to cause harm to your business. Ensuring your employees have an understanding of the psychology behind why human error proves to be so lucrative for the threat actors is key. The more informed your employees are of the threats and why they are being targeted, the better they will be at spotting potential attacks. Cyber awareness training is a proactive way of highlighting the threat landscape to staff as well as shining the spotlight on their own vulnerabilities.

Simulating social engineering attacks is a risk-free way you can test your company’s cyber reliance. Learning your vulnerabilities now and addressing weaknesses in your staff and protocols could save you £1000s in losses and time in the future.

Bulletproof also offers penetration testing, designed to securely test the security and safety of an organisation's cyber security systems. The objective for penetration testers is to detect potential vulnerabilities and provide companies with the opportunity to strengthen them before breaches occur. As well as technical analysis, pen testers will employ social engineering tactics to find susceptibilities within the workforce. These tests help determine whether employees still click on unknown links and open potentially risky files that could harm your network.

With advancements in technology, the regularity of these types of attacks is increasing significantly along with the sophistication threat actors are employing. Human beings are both naturally trusting and curious. Cyber criminals use these traits to create flashpoints for intrigue to overcome critical thinking. Educate your staff and stress test your systems to ensure you are best placed to prevent human error undermining your cyber security.

Keep your business safe from social engineering schemes.

Simulate social engineering attacks to keep your staff & data secure. Learn more about Bulletproof's social engineering services.

Learn more

Related resources

Our experts are the ones to trust when it comes to your cyber security

CREST approvedCREST approvedCREST approved
Payment card industry data security standardPayment card industry data security standardPayment card industry data security standard
ISO 27001 certifiedISO 27001 certifiedISO 27001 certified
ISO 9001 certifiedISO 9001 certifiedISO 9001 certified
Government G-Cloud supplierGovernment G-Cloud supplierGovernment G-Cloud supplier
Crown commercial service supplierCrown commercial service supplierCrown commercial service supplier
Cyber EssentialsCyber EssentialsCyber Essentials
Cyber Essentials PlusCyber Essentials PlusCyber Essentials Plus

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

For more information about how we collect, process and retain your personal data, please see our privacy policy.