Social engineering: our advice for successful awareness-raising

Theorized by Kevin Mitnick, a hacker from the United States who became a computer security consultant, and popularized in the early 2000s, social engineering aims to exploit human flaws to bypass defined processes for personal gain. In most cases, it involves money. It can take different forms, more or less intrusive.

Social engineering methods are diverse and increasingly sophisticated. They can exploit very different vectors, but what they have in common is that the “malicious” action is performed by an innocent third party. Among the most known, we can distinguish:

Spear-phishing: a specific email is sent to a target, including attractive and targeted elements that maximize the chances that the third party will perform the desired action. Unlike mass phishing campaigns, a previously identified group of people is targeted and analyzed before the attack.

Fake President fraud: through phone calls and/or e-mails, a cybercriminal impersonates a high-ranking person to obtain money, often by transferring it to a bank account. Note that the techniques of presidential fraud are evolving, especially thanks to deepfake, a technique that allows realistically imitating an individual thanks to artificial intelligence. In September 2019, the French newspaper Le Monde reported the story of a British company in the energy sector having “been robbed of 220,000 euros because of a synthetic voice, generated by an artificial intelligence system.” With the ease of access to these technologies and their rapid progress, we can expect this modus operandi to become more and more frequent.

Phoning is one of the many techniques used in social engineering. It is the use of the telephone as an attack vector.

All companies and all individuals can be victims of this fraud: the majority of the companies we support have already been confronted with attacks directly targeting their employees (via phishing in particular). Hackers try to exploit the mechanisms inherent to human psychology. The objective is therefore to put in place technical and organizational means to avoid such exploitations and to limit their consequences. As with any system, the procedures and tools put in place, the awareness sessions, and the training weeks must be tested to evaluate the relevance of the actions undertaken and the effective protection provided by these investments.

We carry out social engineering missions on behalf of our clients. The objective of these missions is to test, via simulated phoning exercises, the robustness of structures in the face of this type of attack and to raise awareness among employees by showing them that they can be victims.

Setting up the framework

The preparation of a social engineering mission is an important phase that should not be neglected. Indeed, unlike a penetration test or a physical audit that will only focus on technical aspects, the ultimate goal of this mission is to deceive the trust of a third party by using psychological concepts to make him perform actions that are harmful to his company.

This mission must therefore be approached with finesse in order not to create any negative reaction or loss of trust from employees towards their management. We will detail here several points to be dealt with before launching into the phoning activity.

Involve human resources and even employee representatives

A poorly conducted exercise of this type can be seen as a desire to push employees to the brink. It is essential to involve all the players who can defuse possible tensions, to give them time to prepare appropriate means of communication, and to provide contextual elements that will allow a healthy perimeter to be defined.

Promote anonymity

Except in special cases, it is preferable to create non-nominal results analyses.

Prepare a communication

At the end of the awareness campaign, employees are bound to ask questions. It is therefore important to prepare a communication to reassure them.

Define target populations

It goes without saying that a phoning mission cannot be carried out without obtaining a certain volume of numbers to contact. However, the relevance of this set can be thought of in order to stick as well as possible to the fixed objectives. The sample will have to be constituted according to:

• The objective of the campaign: Are we looking to test the robustness of a newly acquired subsidiary? Consolidate management indicators?

• What we want to protect: Do we want to protect ourselves from an attack on our intellectual property (R&D)? Do we want to prevent an attacker from recovering too much information?

• The social environment: At which physical sites will the exercise be conducted? With which teams?

Define the success factors

Within the framework of a social engineering mission, defining and recovering the proof that the attack has worked is not an easy task. It is, therefore, necessary to identify the expected proofs of success, but also which limits must not be crossed: not to impersonate a real person, not to request modifications on software in production, etc.

Define the deactivation process

If there is one thing that must be prepared with the utmost care, it is defusing. It will be a matter of defining the process allowing to limit (in emergency and in classic cases) the impacts on the employees and the production. This process will be used:

• if an employee suspects that the call is an attempt at bribery and may blow the whistle; 
• whether the scenario triggers an emergency or crisis procedure; 
• if the target is likely to report the call while other colleagues close to him/her are also to be tested; 
• whether the call may unintentionally impact production or activity; 
• if an employee has personally experienced the call badly; 
• if the auditor identifies a risk to the engagement, the client or the individual.

This procedure must include at a minimum:

• a contact to call directly, and if possible a second number; 
• a way to track the action; 
• a means of communicating the information necessary for deactivation (identity of the target, potential impact, etc.).

The realization of these different types of missions can allow us to identify the flaws to be corrected as well as to guide the advice to be given to employees likely to be targets of this type of attack. We distinguish two main types of protection to be implemented. First, strengthening existing procedures.

The implementation of procedures allows us to guide the responses of operators and thus block the cognitive biases to which they would normally be subjected. An action plan must then be implemented to correct the identified vulnerabilities or points of weakness. Then, raising awareness of the populations at risk and giving them elements of protection helps to thwart this type of attack. In particular by:

• being wary of urgent requests and not giving a free pass (follow the usual procedure);

• verifying the identities of the interlocutors;

• using only the usual communication channels (phone numbers, e-mail addresses);

• checking the technical elements (domain names in particular).

Anyone can be a victim, whether in the public or private sphere. Being fooled by phishing is not proof of weakness, but as for any system, even an advanced one, a conscientious and determined attacker will achieve his goals. It is therefore essential for companies to take this threat into account as a separate element, and to regularly organize awareness sessions or even missions like those described above to continuously improve the level of security.