What is Social Hacking, and How to Thwart It

Key Points:

• Social hacking works by exploiting our human weaknesses, with a variety of techniques including phishing, scareware and pretexting.
• Technology including web application firewalls and advanced filters are effective at stopping most social hack attempts before they ever make their way to users’ email inboxes.
• For those malicious emails that get through, one of the most critical tools to prevent successful social engineering attacks is awareness training.

The CEO of your company sends you an email with a request to wire a large sum of money. This is an unusual ask, given that you rarely if ever interact with the CEO. But you work in the finance department, the email is from the CEO’s email address, and it uses a familiar company email template. Plus, it explains the money is for the trade show that the CEO is keynoting this week. It looks real. Not responding, delaying or questioning the CEO would make you look bad and might get you fired. So, you go ahead and comply with the request.

Unfortunately, you’ve been hacked.      

Or, more specifically, you’ve become the victim of social hacking — a form of attack that often makes use of technology to exploit our human vulnerabilities.    

Differences Between Social Hacking and Social Engineering

Social hacking is a form of social engineering. While social hacking often makes use of technology and is usually designed to breach technology systems, social engineering is the general term for the process of using deception to manipulate people.

Social engineering has been around for as long as humans have. Today, it often involves social media and email, but one of the earliest social engineering scams involved a Trojan horse — the original malicious Trojan. During the Trojan War, the Greeks gained entry into Troy by hiding in a huge hollowed-out wooden horse and convincing the Trojans that the horse was an offering to their goddess of war, Athena. The Trojans let the horse filled with Greek soldiers through the gate, and the rest is history.^[1]

How Does Social Hacking Work?

Social hacks — or social engineering attacks — can take many forms. In general, in today’s digital world, social hacking is the process of identifying our human weaknesses and exploiting them to gain access to valuable assets (such as personally identifiable information) or to plant some sort of malicious code.  

The CEO email story that introduced this article is a classic example of a social hack — in this case, using “spear phishing” (see below). An attacker crafted an authentic-looking message and sent it to a person within the target company who works in the department most likely to receive an email about managing budget (information the attacker could have gleaned from the company website or the victim’s LinkedIn account). Social media or perhaps the company website could have promoted the CEO’s presence at a trade show, which may have provided the attacker with timely and specific details to further convince the email recipient that the message was valid. The attacker also preyed on the typical employee’s desire to please or comply (and fear of retribution if they don’t) with a request from someone with authority at the company.

Social Engineering Hacking Techniques and Examples

Here are some of the most common techniques and examples of social hacks.

• Phishing: Phishing scams are social hacks that most often rely on email to target and convince a victim to disclose sensitive data or click on a malicious link. There are several subcategories of phishing, including spear phishing, in which the attacker assumes the identity of a trusted individual, and whaling, in which a high-level target, such as a company CEO, is targeted.
• Baiting: Baiting attacks lure victims into disclosing sensitive information or clicking on malicious links with the promise of something in return, such as free music or a gift card.
• Scareware: This social engineering hack preys on victims with fictitious threats. For example, attackers might manipulate victims by alerting them through a pop-up that their system is infected with malware and prompting them to install software or visit a site that ultimately infects their device.
• Pretexting: Closely tied to phishing, pretexting is a social engineering hack in which an attacker obtains information through a series of lies and impersonation. For example, an attacker might pose as a company executive or a law enforcement official to gain access to financial accounts and personal data.
• Watering hole: In a watering hole social hack, attackers target websites that specific groups of users are known (or assumed) to visit. Attackers inject malicious code into the website, with the goal of infecting the targeted users’ computers to gain access to their workplace networks.

Preventing Social Hacking

There are several ways to stop social hacking attempts in their tracks. To prevent social hacks individuals should:

• Treat unsolicited messages and phone calls with caution, especially those asking for personally identifiable and business-specific information.
• Double-check the authenticity of any suspicious emails and phone calls by directly (and separately) contacting the company that the communication is allegedly coming from.
• Check the security of a web page before inputting any personal information.

IT security teams in organizations should do the following to protect against social hacks:

• Provide security awareness training to employees.
• Deploy email filters to detect scams and fake messages — before they hit employees’ inboxes.
• Implement network segmentation as well as multifactor authentication to limit potential damage if an attacker gets inside your network.
• Install and maintain antivirus software and firewalls.
• Keep all software up to date.

Protecting Your Organization

Today, most social hacking attempts are made via email. In turn, seven out of 10 security professionals believe that employee behaviors such as inadvertent data leaks are putting their companies at risk, according to Mimecast’s 2021 State of Email Security report. Furthermore, only one out of four can say for certain that their organization has not been hit by an attack that was spread from a compromised user to other employees.

The report also notes that the swell in digital activity brought on by the pandemic has presented cybercriminals with numerous new openings for social engineering attacks. In 2020, for example, the Mimecast Threat Center detected a 64% rise in threat volume compared to 2019.

There isn’t one solution to prevent this influx of social engineering attacks from succeeding. In fact, the best defense is a strategy built around cyber resilience: combining prevention, user training and efficient responses.

Companies including Mimecast provide a variety of email security tools to fight social engineering hacking, including web email gateways, advanced filters and vast threat databases built on years of experience in helping companies battle cyberthreats. Mimecast also provides end user training to spot and report social engineering.

The Bottom Line

Social engineering attacks trick employees into exposing their organizations to theft of funds, data breaches and other risks. Your organization can reduce its exposure by following basic cybersecurity best practices and increasing employees’ knowledge through security awareness training.

^[1] Trojan Horse, Brittanica