Social engineering is the act of convincing or tricking someone into divulging information or taking action based on natural human behavioral or cognitive biases. Social Engineering has existed in analog form for a long time. With the advent of digital communications and the internet, it has become a favorite cybercrime tool.
The idea behind social engineering is to exploit a victim’s natural tendencies and emotional reactions to give up personal or confidential information. Cybercriminals use the stolen information to commit fraud, steal identities, and access computer networks or digital devices.
Cybercriminals looking to extract confidential information will use social engineering techniques, such as pretending to be a technical support person, to trick an employee into divulging their login credentials.
With users growing increasingly sophisticated online, social engineering requires finesse. Typically, the process involves multiple steps. First, the Cybercriminals attempt to gain a user’s trust, and once established, they execute additional steps to access the targeted information.
The process exploits humans trusting nature, which increases their likelihood of being manipulated. Social engineering attacks target sensitive information like login credentials, social
So how does it work?
Social engineering scams can be analog (such as in-person or over the
In the physical world, our interactions with people can give off many signs about the legitimacy of the engagement making it more difficult and requiring greater skill to execute than in the digital world. People’s mannerisms and listening to their tone of voice can give us clues about whether something is fishy or not. So, it’s harder to pull off, but cons in the analog world but it happens regularly.
In the online world, we communicate with faceless companies that process our payments and send us messages. It’s easier for fraudsters to create a fake experience because they know humans rely on familiar imagery, branding, and a recognizable pattern of clicks. These common traits and standard patterns suggest that everything seems normal.
The social engineering process usually works as a cycle:
- The bad actors start by gathering background information — known as profiling — and then chooses a point of entry.
- Then the bad actor initiates contact with the victim and establishes a connection.
- Once the connection is created, and the victim perceives the cybercriminal as a trusted source, the scammer exploits the target.
- The scammer obtains the sensitive information, then they disengage and disappear.
The scammers use additional social engineering techniques to accelerate the cycle, like engaging and heightening your emotions. They know when your emotions are running high, you’re less likely to think logically and more likely to be manipulated.
Here is an example. The bad actor obtains a list of people who gamble online. They believe these people will respond to a message that arouses their excitement, curiosity, or fear. The scammers impersonate an online gambling site, imitating its font, logo, and colors. The message congratulates the victims and invites them to accept their limited-time prize — by sending personal information to claim it.
Unfortunately, the prize is really for the scammers – the victim’s sensitive personal information, which they now sell on the dark web or use to gain access to victim’s online and financial accounts.
The most common types of social engineering attacks
Scammers and fraudsters are highly creative. They continually develop new types of social engineering attacks, using different techniques and entry points, to gain access to their target’s information. Unfortunately, these scamming techniques are on the rise, so learning about the types of social engineering methods should help you recognize an attempt and prepare you for how to mitigate these threats and protect yourself.
Baiting
This method depends upon a victim taking the bait, not unlike a fish reacting to a worm on a hook. The cybercriminal dangling the bait wants to lure the target to take action.
Example
The fraudster leaves a USB stick, loaded with malware, in a place where the target will see it. They label the device in a compelling way — “Confidential” or “Bonuses.” The target takes the bait, picks up the USB stick, and then plugs it into their computer to see what’s on it. The malware will then automatically inject itself onto their computer.
Phishing
Phishing is a well-known and one of the most successful ways bad actors obtain information from an unwitting victim. The scammer sends an email or text (smishing) to the target, seeking information that might help with a more significant crime.
Example
A fraudster’s emails appear to come from a trusted source to victims. That source could be a credit card company asking email recipients to click on a link to log in to their accounts. Victims who click on the link go to a fake website that appears to be legitimate. When they log in to the fake website, they’re essentially handing over their login credentials and giving the fraudster access to their credit card account.
In another form of phishing, known as spear phishing, the fraudster tries to target — or “spear” — a specific person.
Email hacking and contact spamming
Human nature is to pay attention to messages from people we know. Fraudsters can take advantage of this by commandeering individuals’ email accounts and spamming the email account holder’s contact lists.
Example
If your friend sends you an email with a cool subject line – “Check this out, it’s totally cool,” you might not think twice before opening it. Commandeering an email account enables fraudsters access to the victim’s contact list, which allows them to send malicious emails to those contacts as if the victim is sending them.
Pretexting
Pretexting attacks involve manufacturing a scenario, or pretext, to target the victim. The scammer usually impersonates an authority (tax man, IT department) who can request information. An effective pretexting attack requires background research and preparation on the scammer’s end. They need to answer the victim’s questions and appear legitimate accurately.
Example
You receive an email indicating you as the beneficiary of a will. The email asks for some personal information to prove you’re the actual beneficiary and speed the transfer of your inheritance. The fraudster uses that information to access your bank account and withdraw your funds.
Quid pro quo
Quid pro quo suggests trading something for something else. Fraudsters are happy to offer you something in a quid pro quo attack because, in return, they hope to get your login credentials or access to your device.
Help is also commonly offered in quid pro quo attacks, be it technical assistance, access to a particular document, or solving a problem you didn’t even know you had.
Example
The fraudster may call a victim, pretending to be an IT support technician. The victim hands over their login credentials to their computer, thinking they’re receiving technical support in return. But in reality, the bad actor takes control of the victim’s device, loading it with malware or, perhaps, stealing personal information from the device to commit
Vishing
Vishing is the voice version of phishing. The criminal uses the
Example
A scammer calls an employee, posing as a co-worker. The scammer may pressure the victim to provide login credentials or other information they use to target the company or its employees.
By entering your email address you agree to receive emails from EveryDayCyber. We'll respect your privacy and you can unsubscribe at any time.
How to avoid being a social engineering victim
- Always consider the source. A text or email from your bank isn’t necessarily from your bank. Spoofing a trusted source is relatively easy. DON’T click on links or open attachments from suspicious sources — and in this day and age, you may want to consider all sources suspicious.
- Take your time and slow down. Scammers count on their targets to move quickly, without considering the possibility that a bad actor may be behind the email,
phone call, or face-to-face request. Stop and think about the ask and whether it makes sense or seems a bit fishy – it could save you a lot of pain and maybe a lot of money. - Don’t click – type the URL – No matter how legitimate that email appears, it’s safer to type a URL into your browser instead of clicking on a link.
- “Too odd to be true”, most likely is – Investigate any requests for money, personal information, or any item of value before handing it over. It highly likely that it’s a scam — and even if it’s not, always better to be safe than sorry.
- Use your email program’s junk filter. Your email software can help you. Most email programs can help filter out junk mail, including scams.
- Use a quality
antivirus /antimalware tool — Ultimately, we are all human and make mistakes. Protect yourself with quality antivirus/antimalware tools. They provide additional insurance against the bad actors.
Social engineering is used everywhere both online and offline. The best defense against many of these attacks is education, which we hope this site helps provide. Stay alert and stay safe.
By entering your email address you agree to receive emails from EveryDayCyber. We'll respect your privacy and you can unsubscribe at any time.
Recommended Reading
What is a Firewall?
A firewall blocks outsiders from gaining unauthorized access to your computer and helps stop malicious software from infecting your computer.
A Step-by-Step Process for Creating an SMB Cybersecurity Plan
Failing to plan is a plan to fail. The vulnerability of your small business's digital infrastructure is dramatically increased without a sound cyber security plan. Business plans help achieve desirable outcomes. You don't want to be a cyber attack victim, so build a plan.
How to protect yourself from identity theft
Identity fraud is all over. Almost every day, we see news reports describing new techniques for crooks to steal your personal information, as well as warnings about big data breaches that expose your sensitive data to hackers on the Dark Web.
What is a Potentially Unwanted Program (PUP)?
PUPs refer to programs, applications and other software downloaded onto computers or mobile devices that may have an adverse impact on user privacy or security. The term “potentially unwanted program” was coined by McAfee to distinguish the program from malware.
The #1 Cyber Threat Small Businesses are Facing
Phishing attacks are the most widespread and most damaging threat to small businesses, accounting for 90% of all cyber security breaches.
What is Spear Phishing?
Spear phishing is a targeted cyberattack to steal your information. You should be aware of the dangers of this and how to address them.