
EXPERT OPINION: Social Engineering Attacks: Understanding OSINT to mitigate risk

Olena Shumska, Senior Research Analyst, ISF
Published 6 August 2024

Topics: technology, governance, people

Over the last decade, OSINT (open-source intelligence) has become a buzzword across many industries and lines of work, particularly in the context of intelligence research. OSINT has also made its way into more technical domains of cybersecurity, such as threat hunting and threat intelligence. Yet, from the governance and organisational risk perspective, it remains terra incognita for senior executives and managers, compliance and risk teams, and regular employees alike. This is something of a missed opportunity: increased OSINT awareness across different levels of the organisational hierarchy and across multiple job functions can help an organisation significantly reduce its vulnerabilities.

This paper focuses on social engineering attacks to demonstrate how the accessibility of information about companies and their employees can be exploited by threat actors. It goes beyond one-step inferences and shows how one bit of information can lead to another, and so on, thereby helping bad actors to fully profile their targets. Additionally, it suggests some of the ways in which organisations can prevent social engineering from succeeding.

The rise of social engineering

The term ‘social engineering’ is used rather loosely both by the cybersecurity community and by the wider public, and its conceptual boundaries are often vague.[1] In cybersecurity literature, it appeared for the first time in an article, ‘More on Trashing’, published in the September 1984 issue of 2600: The Hacker’s Quarterly, one of the earliest hacker magazines. The article maintained that studying the documents and equipment that corporations discard can be useful for surveillance purposes.[2] The October 1984 issue of the same magazine discussed social engineering again in an article titled ‘Switching Centres and Operators’; there it referred to obtaining information from telephone directory operators.[3] The abundance of tools brought about by technological advancement has significantly increased the number of methodologies employed; nonetheless, these early usages already indicate that both malicious intent and misuse of sensitive information lie at the core of social engineering.

This paper uses ‘social engineering’ to refer to a broad range of malicious activities that rely on psychological manipulation to trick users into making security mistakes or giving away sensitive information. It should be noted that social engineering is neither restricted to a fixed set of cyber-attack types nor applied to the same degree within a single attack type. For example, some phishing attempts show little or no prior intelligence gathering and instead appeal to fundamental human impulses, such as a sense of urgency, curiosity, or fear. In these instances, targets’ names might be missing, misspelled, or incorrect, and references might be made to products, services, or places they have never been affiliated with. In contrast, some phishing attempts are very adroitly crafted: they not only get personal identifiers such as names, titles, and professional phone numbers right, but also reproduce the tone of the organisation’s internal parlance and refer accurately to past or upcoming corporate events. Beyond phishing, social engineering attempts can include techniques such as baiting, scareware, pretexting, and watering holes, as well as gaining physical access to sensitive locations.

Social engineering attacks have been on the rise in recent years. According to ISACA’s 2022 State of Cybersecurity Report, social engineering is the predominant cyberattack method, accounting for 13% of incidents, and the trajectory is upward.[4] Social engineering attacks are also growing more effective.[5] One of the main underlying reasons is the availability of open-source information, which allows threat actors to obtain critical information about organisations, their systems, and their employees and, in certain instances, to successfully impersonate individuals with privileged access.
