Discover what reverse social engineering is and how it differs from social engineering. Learn ways to mitigate reverse social engineering attacks.

Key Points:

  • A scammer using reverse social engineering often poses as a helpful techie or other support agent to break into targets’ devices and their organizations’ systems.
  • The term “reverse” reflects the way many of these exploits rely on victims to seek the help of their attackers, online or by phone.
  • Security awareness training and routine security procedures can help prevent these attacks.

Reverse social engineering is a type of social engineering attack that aims to steal money or information through psychological manipulation. While the end goal is the same as in traditional social engineering attacks, the tactics differ. Here’s a closer look at the differences between these attacks, how reverse social engineering attacks are carried out, and what organizations can do to protect against them.

What Is Reverse Social Engineering?

Reverse social engineering is a person-to-person cybersecurity attack in which a bad actor advertises support services to targets, then waits for the targets to come asking for help. These scams are a persistent, evolving problem, according to a 2021 study by Microsoft.[1]

“Tech support fraud has evolved from pure cold calling to a more sophisticated infrastructure that leverages affiliate marketers to deliver professional-looking pop-ups to consumers, prompting them to contact fraudulent call centers,” Microsoft reported. “We also see scammers using email, search engine optimization (SEO) and social engineering tactics to lure victims.”

Sometimes the attacker manufactures the need for technical support in the first place, for example by remotely deleting a critical file, resetting system settings or infecting a computer with malware. Once the target notices the problem, the scammer uses a variety of tactics to get the victim to ask for their help.

A reverse social engineering attack succeeds when the target ultimately pays money or divulges sensitive information, such as a password that gives the attacker access to a remote employee’s organization and its systems.

What Is the Difference Between Social Engineering and Reverse Social Engineering?

In traditional social engineering attacks, the scammer coaxes victims into sharing sensitive information in order to gain access to systems, data, funds or physical spaces. The goal of a reverse social engineering attack is the same, but the execution is different. In a traditional social engineering attack, the scammer approaches the target. In a reverse social engineering attack, the scammer gets the target to make the approach, which makes the victim far less suspicious of the person on the other end.

How Does Reverse Social Engineering Work?

Many social engineering attacks begin with a phishing email created by the attacker, whose link or attachment delivers malware that infects a device or system. Many reverse social engineering attacks start the same way.

Once the target has been infected, the attacker creates a ruse to encourage the victim to reach out for help, sometimes through a fake support email or a pop-up, and poses as a person of authority who can solve the problem. After making contact and gaining the target’s trust, the scammer is given access to the device and “fixes” the purported problem. When the targets are consumers, the scammer typically asks for payment for this service. When the target is a remote worker, the same scam can yield passwords, remote-access sessions and other entry points into an employer’s systems and data.

What Leads to Reverse Social Engineering Attacks?

Successful reverse social engineering attacks happen for a few reasons. These include:

  • A lack of security awareness: Most organizations have basic security policies that state best practices such as not disclosing passwords, usernames, account information and other sensitive information. However, not all employees fully understand the importance of these policies and the consequences of not following them. Without fundamental security awareness, employees can put organizations at risk of reverse social engineering and other cyberattacks.
  • Human weaknesses: People disclose sensitive information for a variety of reasons. Hackers are experts at exploiting these human weaknesses, leading to successful reverse social engineering attacks. Ironically, one such weakness is fear of being hacked. Some tech support scammers tell victims that they’ve been hacked (by someone else) and then offer to fix the problem.[2]
  • Untested plans and procedures: Most organizations understand cybersecurity risk, and many have programs and procedures to address it. Not all organizations, however, test the entirety of their programs or do so on a regular basis. Writing detailed security procedures but failing to implement or exercise them is another way organizations expose themselves to a reverse social engineering attack.

Reverse Social Engineering Attack Examples

Reverse social engineering attacks typically involve technical support, but may also be carried out by fake “support agents” from banks and other companies offering help with issues like billing. Here are three examples of how a reverse social engineering attack could play out:

  • After work hours, an employee posts in a public forum that he is having problems with a particular application and needs help. One person replies that the usual fix requires significant downtime, but that she can solve the problem quickly. The employee calls the person and, over the phone, discloses his login credentials. The “helper” uses those credentials to gain access to corporate accounts and steal valuable data.
  • An accounting executive falls victim to a phishing scam launched by an attacker looking to carry out a reverse social engineering attack. With the victim’s computer now infected, he calls the help desk number listed in a pop-up window, mistakenly believing that this is the company’s tech support number. The scammer asks for the executive’s passwords, uses them to gain access to the organization’s accounting system and wires a large sum of money from the company to his own account.
  • A hacker spoofs the corporate email address of a company’s systems administrator and emails targets with instructions to call a particular number if they ever encounter technical problems. In this example, the hacker then baits targets with phishing emails that install malware on their computers. With their system down, the targets call the fake number for support, ultimately revealing login credentials and other sensitive information to the scammer.

How to Prevent Reverse Social Engineering Attacks

Security systems that filter out phishing emails can reduce reverse social engineering attacks, but filtering alone is not enough, because the victim-initiated contact (a phone call to a number in a pop-up, a post in a public forum) bypasses the mail gateway entirely. Organizations must raise employees’ awareness of this specific type of attack and put proper operational procedures in place. Three ways to do this include:

  • Identifying computer support specialists: Employees should be told who to contact when they need technical support and how to reach them, through a published, internally verifiable channel. If an employee encounters a social engineering attempt, comparing the contact details they were given against the official support information allows them to spot the mismatch and report it to the security team, who can then investigate a possible attack.
  • Using separate internal identifiers: Attackers posing as employees are often asked to authenticate themselves by providing an employee number. If that number is the employee’s Social Security number, an attacker can obtain it illicitly from outside sources. Organizations should instead issue separate internal identifiers, and should not treat knowledge of any identifier as proof of identity on its own.
  • Providing regular security awareness training: Organizations should provide regular training opportunities for employees so they can fully understand the risks that reverse social engineering and other cyberattacks pose to organizations. Security awareness training can also help individuals identify the signs of a potential attack, learn good cyber hygiene, and understand the appropriate steps to take if they believe they have been targeted or notice suspicious activity.

Awareness training solutions such as Mimecast’s address social engineering and other cybersecurity issues in short modules, so that employees aren’t burdened by a large time commitment and can remain productive. Training not only helps employees understand the role they play in combating social engineering attacks, it also acquaints them with the best practices and behaviors that protect themselves and the organization.

The Bottom Line

Reverse social engineering attacks can be detrimental to business. Companies can protect themselves by understanding how these attacks occur, putting precautions in place and educating employees on how to spot attacks.


[1] “Tech support scams adapt and persist in 2021, per new Microsoft research,” Microsoft

[2] “Tech Support Scammers? Not So, Organized Criminals,” NortonLifeLock
