What is social engineering?
Posted on: May 4, 2022
by Ruth Brooks
Social engineering is a malicious and manipulative type of cybercrime, one that relies on human interaction to trick people into sharing sensitive information or granting unauthorised access to systems and networks.
Cybercriminals who use social engineering tactics will typically pretend to be a trusted source – colleagues, suppliers, customers, stakeholders, and so on – in their attempts to infiltrate restricted computer systems, access confidential data and create a data breach, or disperse malware such as viruses, spyware and ransomware. They rely on people’s willingness to be helpful and on their lack of awareness about social engineering.
In fact, social engineering is popular with cybercriminals because many of them find it easier to manipulate and exploit real people than to search for cracks within a system or network’s security. And these cyberattacks are unique in that they can occur, at least in part, offline. For example, the scammer may make initial contact with their victim over the phone or even in person. But the end goal is largely the same – sabotaged systems and theft.
What are common social engineering techniques?
Social engineering takes many forms. Some common types of social engineering attacks and techniques include:
Baiting entices its victims by appealing to their natural curiosity or greed. A baiting scam may take the form of:
- an email about a free giveaway or offer.
- a USB stick or flash drive left in a public place, such as a public library, or the bathroom or car park of a targeted company.
- an online advert to download seemingly legitimate software or applications.
However, what the victim won’t know is that the email attachment they opened, the device they picked up and plugged into their computer, or the software they downloaded has just infected their device with malware. In turn, this malware – or malicious software – can disrupt networks, gain unauthorised access to data and systems, and interfere with an organisation’s privacy and security protocols.
Scareware is designed to provoke fear and alarm. It can take the form of a pop-up or similar warning message that tells its victim – falsely – that their device has been infected or that their account has been compromised. Feeling under threat, the victim is more likely to act on the warning.
While looking something up online, an individual might see a legitimate-looking pop-up that tells them their device has been infected, and that they should install the recommended cybersecurity software. What they don’t realise is that the software is riddled with malware. Or the individual might receive an email that says their account has been compromised, and they should reply with their private login credentials so that the email account provider’s support team can help secure it. This individual has just given a cybercriminal the keys to their account.
Other names for scareware include:
- Deception software
- Rogue scanner software
Pretexting occurs when a scammer assumes an identity to gain the trust of their victim. The scammer may pretend to be a:
- coworker, particularly someone from the IT department.
- supplier or vendor.
- bank or tax official.
Once the scammer has established a relationship with the victim and earned their trust, they’ll exploit this relationship to obtain sensitive information. The scammer may pretend to be a bank official who asks questions to confirm the victim’s identity, but instead has just collected important sensitive details, such as the victim’s address, bank account details, credit card information, social security number, and other personal data.
Phishing is the most common form of social engineering attack. Phishing scams attempt to trigger a sense of urgency, curiosity, greed, or fear in their victims in order to get them to reveal confidential information, click on links to malicious websites, or open malware-infected attachments.
Phishing messages can often appear legitimate – this is known as spoofing. A person may receive an email that appears to come from a trusted brand, such as Microsoft or Verizon. This message warns the individual that their account has been compromised, and that they need to reset their password. They click on a link to a fake website and find that it looks virtually identical to the site they’re expecting to see, so when asked to enter their existing account credentials and create a new password, they do so. But in reality, they’ve just handed over their login details to a cybercriminal.
There are several sub-categories of phishing attacks:
- Spam phishing. Also known as mass phishing, these campaigns target a huge number of people. Messages are non-personalised and aim to catch out as many unsuspecting people as possible.
- Spear phishing. Spear phishing is more targeted than spam phishing. Personalised information – such as name, job title, phone number, and so on – is used to target individual people, and messages are likely to seem more legitimate.
- Whaling. Similar to spear phishing, whaling targets high-value individuals such as senior managers and executives.
- Voice phishing. Also known as vishing, voice phishing happens over the phone. A recorded message might play when the victim answers the phone call, or a live person may speak to the victim, particularly to create a sense of legitimacy and urgency.
- SMS phishing. Also known as smishing, this form of phishing happens via text or mobile app messages. They’ll often include a web URL to a malicious site.
- Email phishing. Phishing email scams usually rely on malware attachments and malicious links.
- Angler phishing. This type of phishing happens on social media. On social networking sites, scammers will imitate a trusted brand’s customer service team. Attacks typically happen via private direct message, rather than in open messages that are viewable by everyone.
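The spoofing cues described above (a trusted brand name in the display name while the real sender domain differs, link text that shows the expected site while the link itself points elsewhere, and urgent language) can be checked mechanically. The following is an added example, not code from the original article, and the sample message, the brand-to-domain mapping and the urgency word list are all constructed assumptions:

```python
"""Added example: flag the spoofing cues the phishing section describes."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: brand in the display name, lookalike sender domain,
# and anchor text showing one host while the href points at another.
SAMPLE = """From: Microsoft Account Team <security@m1crosoft-login.example>
To: user@example.org
Subject: Urgent: your account has been compromised
Content-Type: text/html

<p>Reset your password within 24 hours.</p>
<a href="http://login.m1crosoft-login.example/reset">https://account.microsoft.com/reset</a>
"""

# Assumed mapping of brand names to the domain that legitimately sends their mail.
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "verizon": "verizon.com"}
# Assumed list of urgency phrases typical of the lures described above.
URGENCY = re.compile(r"\b(urgent|compromised|within \d+ hours|immediately)\b", re.I)


def spoofing_signals(raw: str) -> list[str]:
    """Return human-readable reasons the message looks spoofed (empty if none)."""
    msg = message_from_string(raw)
    signals = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. Display name invokes a brand, but the sender domain is not that brand's domain.
    for brand, real in TRUSTED_BRANDS.items():
        if brand in name.lower() and sender_domain != real and not sender_domain.endswith("." + real):
            signals.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # 2. Anchor text shows one host while the href targets another (the fake-site lure).
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            signals.append(f"link text '{shown}' but target '{actual}'")
    # 3. Urgency language in the subject or body.
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(body):
        signals.append("urgency language")
    return signals


if __name__ == "__main__":
    for signal in spoofing_signals(SAMPLE):
        print("suspicious:", signal)
```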
A watering hole attack aims to compromise a specific group of people by infecting websites they are known to visit.
If an organisation frequently visits a small supplier’s website to order stock, hackers may attempt to compromise that supplier’s website so that it serves malware, with the aim of infecting one or more of the target organisation’s employees. They can then gain access to the organisation’s network to access sensitive data, sabotage its operating systems, steal money and information, and so on.
Quid pro quo
A quid pro quo scam happens when a social engineer pretends to provide something – such as a service – in exchange for the victim’s information or help.
The scammer may pretend to be an IT professional and call different people within an organisation until they find someone who has actually been waiting for technical assistance. They’ll pretend to help this person, but during the interaction, will gather information or gain access to restricted systems.
Tailgating
Also known as piggybacking, tailgating happens when a social engineer gains access to a secure building by following someone who has authorised access through a controlled entrance. The scammer can then gain access to the organisation’s hardware systems and collect more information to help launch a cyber attack.
How to prevent social engineering attacks
With so many types and examples of social engineering attacks, it’s clear that businesses and organisations need to stay on top of cybersecurity and training in order to stay secure and protect private information.
Some important weapons in the fight against social engineering attacks include:
- Robust antivirus protection. Up-to-date antivirus software can be invaluable against social engineering attacks because it can detect malware even when someone is unaware they’ve been a victim of a cyberattack.
- Two-factor authentication. Implementing at least two levels of authentication before granting someone access to a system or network is crucial. It means that even if a social engineer has gained access to someone’s login details, they’ll be less likely to access the account.
- A strong firewall. Monitoring and controlling network traffic is an important barrier against suspicious and criminal activity.
- Spam filters. Spam filters can help deflect phishing emails and prevent trusting individuals from falling victim to scams and tricks.
- Security awareness training. The weakest link in any cybersecurity system is people – and this is what social engineers prey on. Ensuring that all individuals within an organisation are aware of what social engineering is, and how to recognise a social engineering scam, should be the first line of defence against this cybercrime.
- Penetration testing. Simulating a cyberattack against its own systems is a fantastic way for an organisation to see where it’s most vulnerable. This testing can include sending simulated phishing emails to all staff to see who falls for them. Security teams can then work to plug any gaps with relevant security enhancements and training.
Help fight social engineering scams
Cybercrime continues to evolve and grow, which is why employer demand for skilled cybersecurity experts continues to grow, too.
You can future-proof your career with the MBA Cyber Security at North Wales Management School. This flexible degree has been developed for professionals – with or without a computer science background – who want to enhance their prospects. And since your studies are 100% online, you can study around your current commitments and earn while you learn.