In other previous publications we have already commented on the huge problem that social engineering represents today, both for organizations and for individuals. This is one of the main attack methods used by cybercriminals, and it does not seem to be stopping.
Let’s remember that social engineers seek to exploit people’s vulnerabilities in order to manipulate them and get them to act according to their interests. To do this, they contact the victim through any channel (e-mail, text message, phone call and even face to face), often impersonating a known entity to generate greater credibility.
Thanks to a high state of alert resulting from good awareness, it is possible to identify these types of attacks, although some are more sophisticated than others. But what if it was the victim who needed the attacker? It would definitely be much more difficult to identify.
Yes, it may sound implausible that it is the victim who needs the attacker. And no, you don’t have to be a particularly naive person to fall into this trap. In fact, it is a technique with its own name: reverse social engineering.
Photo by Elisa Ventur on Unsplash
Reverse social engineering: what is it?
First of all, it should be clarified that, as its name indicates, a reverse social engineering attack is, in effect, a variant of a social engineering attack. Therefore, it will also seek to manipulate the target person to act in a certain way. The reason why it is called “reverse” is because, as mentioned in the previous paragraph, it is not the attacker who is looking for the victim, but the other way around. And how can this be?
Just as humans tend to help other people when they are in trouble, there are also times when we are the ones who need help. And this is what this type of technique takes advantage of.
For this reason, the first step in reverse social engineering is to generate a need in the victim. In general, it is done through a phone call in which the supposed problem is exposed, although, in the most sophisticated cases, it all starts with a first phishing e-mail that causes the system to stop working correctly. In this way, the attackers present themselves as the solution to this problem.
Photo by Austin Distel on Unsplash
Some data may have been previously manipulated that makes the target think that the phone they are contacting is from a legitimate technical service or, on other occasions, it is the attackers themselves who identify themselves as an assistant to solve the supposed problem. In any case, it is the victim who believes that they are receiving help when, in reality, they are providing sensitive data and even giving up remote control to the social engineer.
It is precisely for this reason that it is such a dangerous technique: because it is the victim who thinks they need the attacker’s help and, therefore, the chances of suspicion are drastically reduced.
How to protect employees from this type of attack?
The answer is obvious: with awareness. Employees need to know what social engineering is, how it works, and the different forms it can take. Only in this way is it possible to maintain an adequate state of alert to identify an attack.
Kymatio® has an awareness module, personalized for each user based on their needs. In addition, with Kymatio® Trickster you can carry out phishing and smishing simulations (among other functionalities) to corroborate the reaction of employees to these realistic situations.
