What Is Reverse Social Engineering? And How Does It Work?

October 26, 2020

Under reverse social engineering attack, the target reaches out to the attacker for assistance. Consider a scenario where a target receives a virus alert with a 'call for assistance' number. On contacting the number, the target can then be asked to share their credit card or debit card details, putting the target's confidential data at stake.

What is Reverse Social Engineering?

Reverse Social Engineering (RSE) is a form of social engineering attack. It has the same aim as a typical social engineering attack but with a completely different approach. It is a person-to-person attack where the attacker makes direct contact with the target for compell them into divulging sensitive information. In most cases, the hacker establishes contact with the target through emails and social media platforms, using multiple schemes and pretending to be a benefactor or skilled security personnel to convince them to provide access to their system/network. Though this technique may seem outdated and ridiculous, it has proved highly effective, especially when the victim's system/network shows signs of being compromised.

What Is the Difference Between Social Engineering and Reverse Social Engineering?

Usually in social engineering attacks, the attackers approach their targets. While in reverse social engineering attacks, the victim goes to the attacker unknowingly.

How Does Reverse Social Engineering Work?

Let’s assume you have clicked on a phishing link (created by the hacker aiming to contact you) and have downloaded malicious software that may immediately infect your system. You are then contacted through an email by the hacker who advertises himself as a person of authority and tries to convince you that they are very well capable of fixing the issues on your system at a very reasonable price (or sometimes for free). Thus, gaining your trust and access to your system, the hacker fixes the so-called errors while simultaneously creating a back door to monitor your online activities and steal your data. In some cases, the attackers do not initiate contact with the target at the start. Instead, the target is tricked into contacting the hacker to establish a higher degree of trust between them. As the target is the one who contacts the hacker first, this minimizes the doubts of the legitimacy of the hacker's identity.

To increase the probability of being contacted by their targets, hackers create the need for assistance by sabotaging or deleting users’ important files or messing up with their system parameters during a physical intrusion. Proper advertisement or strategic placement of the offers to ensure that the target sees it without fail is an essential part of this entire process. The victims, who are now panicking, believe that their system has been compromised. Such an approach increases the contact probability tremendously. Social media is another place where the attacker could build trust with their target.


What leads to reverse social engineering?

The success of reverse social engineering depends on the following -

  • Lack of security awareness.
  • Poor planning and implementation of security controls.

The former cause is most common with individual systems and users, while the latter typically applies to small and medium business organizations that have an underdeveloped information security infrastructure or little emphasis on security awareness.

Lack of security awareness

Humans are generally known to be the weakest link in the security chain, with 94% of malware delivered through phishing and social engineering attacks. Though many organizations have basic security policies that state not to disclose sensitive information such as username, password, transaction details, OTP, account number, many users still fail to understand the importance of these security policies. Users generally avoid the implementation of key security elements such as multifactor authentication; scanning unknown devices; not opening anonymous emails, links, and attachments; and several other precautions. A recent survey found that nearly 26% of internet users have shared their OTP with others.

People give out information for multiple reasons, at times, for the sake of ease or shortening the process for which the information is required, or sometimes due to their helpful nature. In some cases, it was found that the compromised information was provided because the request was made by some authority (mistakenly assumed) such as bosses, superiors, government officials, law enforcement officials, etc. Thus, intimidating the victims into divulging sensitive information. In several other cases, users were unaware of how to deal or respond upon realizing that their system or data has been compromised and in panic, tend to fall for the predesigned lure of reverse social engineering. Hackers understand these psychological attributes very well and utilize them to their advantage.

Poor security plans

Although organizations understand the risk of a security breach, not many are ready to spend resources on advanced security solutions. Others assume that their current technology is sufficient and flawless. Even if organizations try to build and incorporate security technology and procedures into their operations, it is difficult to determine its efficacy without a proper test. Many organizations rely on internal identifiers (such as asking employees to check for issues) to test the performance of these procedures and defenses, which is considered a disaster recipe by cybersecurity experts.

Organizations that manage sensitive information run a more substantial risk of a security breach and need more robust security policies. Thus, proper authentication mechanisms and additional features that protect these mechanisms are essential. Apart from that, it's imperative to test the security plans and procedures periodically. A holistic approach to the testing of these procedures is a must. Many organizations establish security guidelines but fail to implement them effectively, as security experts assume that their employees understand the security risks and their implications, but these assumptions are unrealistic. Organizations run the risk of failing to establish or include realistic procedures for making employees aware of security procedures, risks, and mitigations.

How to Mitigate Reverse Social Engineering Attacks?

The causes of social engineering and reverse social engineering are often due to poor security awareness and a lack of operational procedures. This causes the individual to panic and react to the problem inappropriately, such as contacting non-credible tech support (who turns out to be the preparator), leading to the success of reverse social engineering. Hence, the mitigations for reverse social engineering attacks are quite similar to that of social engineering attacks:

  • Proper identification of legitimate incident handlers and computer support analysts is only possible through cybersecurity training and security awareness (Aware) among individuals and employees.
  • Individuals need to trust some of the widely known cybersecurity solutions and organizations to avoid reverse social engineering.
  • Employees should be trained on notifying the security head of an organization or associated security vendor upon noticing unusual occurrence and suspicious activities.
  • Organizations should hire a diligent analyst to alert the security team and the rest of the organization of a possible attack upon noticing suspicious activities.
  • The security team should test and confirm the safety of new software or updates before incorporating it into operations.
  • Establishing guidelines for training and spreading security awareness among employees regarding the use of external or unknown disks, drives, USBs, and other peripheral devices.
  • Incorporating complete security solutions, suites, and software from leading security solution providers satisfies your business need and prevents employees from retrieving any software or applications from the internet.