What Is Social Engineering?
By Tobias Geisler Mesevage
Social Engineering Definition
Social engineering is a class of attack that manipulates people into handing confidential information to an attacker. Skilled social engineers obtain sensitive information by earning and then abusing trust, rather than by breaking into an account through a technical weakness. The premise is that people are naturally inclined to trust others, so it is often easier to talk someone into disclosing personal information than it is to compromise their account directly.
How is a social engineering attack designed?
To build trust, and then exploit it, social engineers follow a lifecycle to victimize their targets:
Investigating: The attacker identifies victims, gathers background on them, and determines the best method of attack.
Hooking: The attacker starts to engage with the victim and begins to create trust through messaging.
Attacking: The attacker deploys the chosen method of attack and begins to collect the targeted data.
Exiting: Once the attacker has what they want, they remove traces of malware and cover their tracks so they can move on to the next victim.
Because a social engineer’s strategy is built on trust, victims often don’t recognize they’ve been attacked until it’s too late.
Types of social engineering attacks
Social engineering is a broad term that covers numerous malicious actions. The following are several types of social engineering tactics to be aware of.
1. Phishing and vishing attacks
Phishing is the most common type of social engineering attack. In a phishing scheme, the attacker poses as a legitimate organization or system, such as a financial institution, and requests personally identifiable information. Victims who believe the correspondence is genuine then send back what was asked for.
Phishing attacks are typically delivered in writing, most often as an email.
The same approach can also be used over the phone, which is called vishing; the "V" stands for voice.
2. Pretexting
Pretexting is similar to a phishing scheme but is more narrowly targeted. The attacker builds trust with the end user by posing as an authority figure or co-worker in order to extract information.
For example, a scammer may send an email that appears to come from the organization's Chief Financial Officer requesting sensitive information. The victim, believing the request is internal, hands the data to the attacker. Checking that the sender's actual address, not just the display name, belongs to the person it claims to be defeats the simplest form of this attack.
3. Scareware
Scareware is a tactic in which attackers frighten victims into buying or installing unwanted software.
During a scareware attack, victims are tricked into thinking their computer is infected with malware. The most common technique is a legitimate-looking banner that pops up while the victim is browsing and displays a notification such as "Your computer may be infected with harmful spyware."
The victim is then prompted to install software to fix the problem. Often the software is either non-functional or is itself malware.
4. Email hacking and contact spamming
Social engineers who have gained access to someone’s email account will send additional malicious emails to contacts saved within the compromised account.
Because people naturally open and respond to emails from those they know, email hacking and contact spamming readily spread malware: the messages may carry links or attachments that deliver it, and any contact who clicks is compromised in turn.
The cycle then repeats through the new victim's contact list.
5. Quid pro quo
In a quid pro quo attack, a victim is offered a service in exchange for critical data or login credentials.
For example, an attacker may pose as an IT technician. The victim, expecting technical support, hands over the login credentials for their computer. Instead of receiving support, the victim has given the attacker full control of the machine, which can now be used to steal information or install malware.
6. Baiting scenarios
Attackers know if they dangle an attractive offer in front of people, many will take the bait.
The “bait” will take many shapes. It may look like a movie download on a peer-to-peer site or even an irresistible sale advertised on social media. It may also take a physical form like a flash drive with an enticing label. The end result will always be the same.
Once a victim takes the bait and downloads, clicks a link, or accesses the flash drive, malicious software is delivered directly into the end user’s system.
7. Piggybacking
While social engineering may seem like a purely digital game, some attackers work in physical space, too.
For instance, if someone in the office asks you to hold the door open because they have forgotten their access key or RFID card, can you be sure they are an employee? Or are they trying to gain access to a restricted area or system?
Piggybacking (also called tailgating) is the attempt to gain unauthorized access to restricted areas through employees who do not verify credentials and automatically trust those around them.
The Bottom Line
Social engineering attacks are both sneaky and prevalent. That makes it critical for everyone to stay aware of the threat.
Never respond to an unsolicited request for financial information or passwords. Legitimate organizations do not ask for passwords or full financial details by email or phone; when in doubt, contact the organization through a channel you already know to be genuine.
Adjust your spam filters. Every email program has spam filters; make sure yours is set to high to block potential threats.
Secure your computing devices and accessories. This means protecting your digital space with anti-virus software, firewalls, and email filters. It also means securing flash drives, external hard drives, and other equipment that could be compromised.
Lastly, in case you or your organization falls victim to a social engineering scheme, it is important to back up your data. A solid backup and recovery solution supports business continuity and minimizes the cost and risk associated with an attack.