What is social engineering?

When most people hear the term “social engineering” they think of a specified agenda designed to alter society. However, in the context of cybersecurity, it has a somewhat different connotation.

The security publication, CSO, defines social engineering as: “the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.” 

Kevin Mitnick, now a renowned computer security consultant, one of the most famous hackers of the 20th century, popularized the term in the 1990s. 

According to Terranova security, the nine most common categories of social engineering are:

Phishing: tactics include deceptive emails, websites, and text messages to steal information.

Spear Phishing: email is used to carry out targeted attacks against individuals or businesses.

Baiting: an online and physical social engineering attack that promises the victim a reward.

Malware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.

Pretexting: uses a false identity to trick victims into giving up information. Artificial Intelligence has enabled criminals to clone a person’s voice and send you a message using that person’s voice.

Quid Pro Quo: relies on an exchange of information or service to convince the victim to act.

Tailgating: relies on human trust to give the criminal physical access to a secure building or area.

Vishing: urgent voicemails convince victims they need to act quickly to protect themselves from arrest or other risks.

Water-Holing: an advanced social engineering attack that infects both a website and its visitors with malware.

How to spot a social engineering attack

Email from a friend or relative—If a cybercriminal is able to hack or socially engineer one person’s email password, they then have access to that person’s contact list. Since many people use one password everywhere, they will most likely have access to that person’s social media contacts as well.

The next step is to send emails to all the person’s contacts or post messages on all their friend’s social pages, and perhaps the pages of the person’s friend’s friends.

These emails will typically contain a link or a download of media content. Since you trust the source, you click, thus infecting your device and or network.

Email from another trusted source—These messages may be an urgent plea for help asking for money due to a tragic situation. Another phishing scam entails sending an email, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution. The message may ask you to donate to your favorite charitable cause. Another ruse uses fear by presenting a problem that does not exist, such as a problem with the IRS, then instructing you to fill out a legitimate-looking form or click on a link. Another version of this is to inform you that you have a problem with your computer and to ask for “verification” information before solving your problem. They will also issue a warning of the dire consequences should you fail to act promptly. One technique that capitalizes on greed is sending a message saying you have won the lottery, inherited money, etc. You will then be asked to give personal information such as bank routing number, social security number, address, and phone number. The email may appear to be from a boss or co-worker asking for proprietary information or even asking you to send money to a specified account.

Some social engineering involves creating distrust or starting conflicts; these attacks are often carried out by people you know and who are angry with you, but it is also done by people just trying to sow chaos, or by people who want to first create distrust in your mind about others so they can then purport to be the one who can fix the problem and then gain your trust, and last, but not least, by extortionists who want to manipulate information from you and then threaten you with disclosure.

This type of social engineering often starts by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc.

Some useful tips

Slow down. Spammers want you to act first and think later.

Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, use a search engine to go to the real company’s site, or to find their phone number.

Be cautious about clicking on links—hovering over links in the email will show the actual URL at the bottom, however, a well-designed fake can still redirect you to a malicious site.

Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading attachments.

Beware of any download. If you don’t know the sender personally and aren’t expecting a file from them, you probably should not download it without verification.

Everyone is well aware of the “Nigerian Prince” scam. Remember, foreign offers are fake.

Things you can do to protect yourself

Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.

Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. Accordingly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. 

Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and set these to high. You should periodically check your spam folder to see if legitimate emails have been erroneously routed there. 

Secure your computing devices and phones. Install anti-virus software, firewalls, and email filters, and keep these up-to-date. Set your operating system to automatically update. Use an anti-phishing tool offered by your web browser or third party to alert you to potential fraud.

Shrewd cybercriminals know that social engineering works best when exploiting human emotions such as greed, fear, and curiosity. Taking advantage of human emotions is far simpler than hacking a network.