
What is Social Engineering?

by Cyberguy | Last Updated | October 9, 2021

Social engineering is the act of convincing or tricking someone into divulging information or taking action by exploiting natural human behavioral or cognitive biases. Social engineering has existed in analog form for a long time. With the advent of digital communications and the internet, it has become a favorite cybercrime tool.

The idea behind social engineering is to exploit a victim’s natural tendencies and emotional reactions to give up personal or confidential information. Cybercriminals use the stolen information to commit fraud, steal identities, and access computer networks or digital devices.

Cybercriminals looking to extract confidential information will use social engineering techniques, such as pretending to be a technical support person, to trick an employee into divulging their login credentials.

[Figure: Social Engineering - Attack Lifecycle]

With users growing increasingly sophisticated online, social engineering requires finesse. Typically, the process involves multiple steps. First, the cybercriminals attempt to gain a user’s trust, and once it is established, they execute additional steps to access the targeted information.

The process exploits humans’ trusting nature, which increases their likelihood of being manipulated. Social engineering attacks target sensitive information like login credentials, social security numbers, bank details, or other personal information.

So how does it work?

Social engineering scams can be analog (such as in person or over the phone), but primarily they occur online. Digital forms of social engineering in fact underpin a large number of cyberattacks, primarily because they are easier to pull off online.

[Figure: Social Engineering - Attack Scenario]

In the physical world, our interactions with people give off many signs about the legitimacy of an engagement, which makes a con more difficult to execute, and more demanding of skill, than in the digital world. People’s mannerisms and tone of voice give us clues about whether something is fishy. So analog cons are harder to pull off, but they still happen regularly.

In the online world, we communicate with faceless companies that process our payments and send us messages. It’s easier for fraudsters to create a fake experience because they know humans rely on familiar imagery, branding, and a recognizable pattern of clicks. These common traits and standard patterns suggest that everything seems normal.

The social engineering process usually works as a cycle:

  1. The bad actors start by gathering background information, known as profiling, and then choose a point of entry.
  2. Then the bad actor initiates contact with the victim and establishes a connection.
  3. Once the connection is created and the victim perceives the cybercriminal as a trusted source, the scammer exploits the target.
  4. The scammer obtains the sensitive information, then disengages and disappears.

The scammers use additional social engineering techniques to accelerate the cycle, like engaging and heightening your emotions. They know when your emotions are running high, you’re less likely to think logically and more likely to be manipulated.

Here is an example. The bad actor obtains a list of people who gamble online. They believe these people will respond to a message that arouses their excitement, curiosity, or fear. The scammers impersonate an online gambling site, imitating its font, logo, and colors. The message congratulates the victims and invites them to accept their limited-time prize — by sending personal information to claim it.

Unfortunately, the prize really goes to the scammers: the victim’s sensitive personal information, which they then sell on the dark web or use to gain access to the victim’s online and financial accounts.

The most common types of social engineering attacks

Scammers and fraudsters are highly creative. They continually develop new types of social engineering attacks, using different techniques and entry points, to gain access to their target’s information. Unfortunately, these scamming techniques are on the rise, so learning about the types of social engineering methods should help you recognize an attempt and prepare you to mitigate these threats and protect yourself.

[Figure: Social Engineering - Tactics]

Baiting

This method depends upon a victim taking the bait, not unlike a fish reacting to a worm on a hook. The cybercriminal dangling the bait wants to lure the target to take action.

Example
The fraudster leaves a USB stick, loaded with malware, in a place where the target will see it. They label the device in a compelling way, such as “Confidential” or “Bonuses.” The target takes the bait, picks up the USB stick, and plugs it into their computer to see what’s on it. The malware then installs itself on their computer.

[Figure: Social Engineering - In Person Tactics]

Phishing

Phishing is well known and one of the most successful ways bad actors obtain information from an unwitting victim. The scammer sends an email or text message (smishing) to the target, seeking information that might help with a more significant crime.

Example
A fraudster’s email appears, to the victim, to come from a trusted source. That source could be a credit card company asking email recipients to click on a link to log in to their accounts. Victims who click on the link go to a fake website that appears to be legitimate. When they log in to the fake website, they’re essentially handing over their login credentials and giving the fraudster access to their credit card account.

In another form of phishing, known as spear phishing, the fraudster tries to target — or “spear” — a specific person.
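The fake-login link described above leaves traces a mail filter can look for: a visible URL whose domain differs from the one the link actually points to, a login link that leaves the sender’s own domain, and urgency language that pushes the reader to act before thinking. The following checker is an added example written for this page, not code from EveryDayCyber; every message, domain and phrase in it is constructed (it uses only reserved `.example` and `.invalid` names), and `registrable_domain` is a deliberate simplification that assumes the last two labels of a hostname are enough.

```python
"""Phishing red-flag checks for a single email message.

Added example for this article (not EveryDayCyber's code). The sample
messages, domains and phrase lists below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases that press the reader to act before thinking.
URGENCY_PHRASES = ("suspended", "verify your account", "within 24 hours",
                   "limited time", "immediately")
LOGIN_WORDS = re.compile(r"log ?in|sign ?in|password", re.IGNORECASE)
URL_IN_TEXT = re.compile(r"https?://([^/\s]+)")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: fine for this example;
    a real filter would consult the public suffix list for co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def phishing_flags(sender, subject, body_html):
    """Return the list of red flags found in one message (empty = none)."""
    flags = []
    sender_domain = registrable_domain(sender.split("@")[-1].rstrip(">"))
    for href, text in extract_links(body_html):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = URL_IN_TEXT.search(text)
        # Flag 1: the visible URL names one site but the link leads elsewhere.
        if shown and registrable_domain(shown.group(1)) != href_domain:
            flags.append(f"link shows {shown.group(1)} but goes to {href_domain}")
        # Flag 2: a "log in" link that leaves the sender's own domain.
        if LOGIN_WORDS.search(text) and href_domain != sender_domain:
            flags.append(f"login link to {href_domain}, not sender domain {sender_domain}")
    # Flag 3: urgency language anywhere in the subject or body.
    lowered = (subject + " " + body_html).lower()
    found = [p for p in URGENCY_PHRASES if p in lowered]
    if found:
        flags.append("urgency phrases: " + ", ".join(found))
    return flags


# Constructed sample messages using reserved example/invalid domains.
SUSPICIOUS = {
    "sender": "Bank Alerts <alerts@bank.example>",
    "subject": "Action required: your account will be suspended",
    "body_html": ('<p>Please <a href="http://bank.example.login-help.invalid/login">'
                  'https://www.bank.example/login</a> within 24 hours to verify your account.</p>'),
}
LEGITIMATE = {
    "sender": "statements@bank.example",
    "subject": "Your monthly statement is available",
    "body_html": ('<p>View it at <a href="https://www.bank.example/statements">'
                  'https://www.bank.example/statements</a>.</p>'),
}

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, phishing_flags(**msg) or ["no red flags"])
```

Run as a script it reports three flags for the constructed suspicious message (mismatched display URL, off-domain login link, urgency phrases) and none for the legitimate one. The same three checks are what a reader can do by hand: hover over the link, compare the real destination with the sender’s domain, and treat pressure to act fast as a signal rather than a reason.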

Email hacking and contact spamming

Human nature is to pay attention to messages from people we know. Fraudsters can take advantage of this by commandeering individuals’ email accounts and spamming the email account holder’s contact lists.

Example
If your friend sends you an email with a cool subject line, such as “Check this out, it’s totally cool,” you might not think twice before opening it. Commandeering an email account gives fraudsters access to the victim’s contact list, which allows them to send malicious emails to those contacts as if the victim were sending them.

Pretexting

Pretexting attacks involve manufacturing a scenario, or pretext, to target the victim. The scammer usually impersonates an authority (the tax man, the IT department) who can plausibly request information. An effective pretexting attack requires background research and preparation on the scammer’s end: they need to answer the victim’s questions accurately and appear legitimate.

Example
You receive an email naming you as the beneficiary of a will. The email asks for some personal information to prove you’re the actual beneficiary and speed the transfer of your inheritance. The fraudster uses that information to access your bank account and withdraw your funds.

[Figure: Social Engineering - Digital Tactics]

Quid pro quo

Quid pro quo suggests trading something for something else. Fraudsters are happy to offer you something in a quid pro quo attack because, in return, they hope to get your login credentials or access to your device.

Help is also commonly offered in quid pro quo attacks, be it technical assistance, access to a particular document, or solving a problem you didn’t even know you had.

Example
The fraudster may call a victim, pretending to be an IT support technician. The victim hands over their login credentials to their computer, thinking they’re receiving technical support in return. But in reality, the bad actor takes control of the victim’s device, loading it with malware or, perhaps, stealing personal information from the device to commit identity theft.

Vishing

Vishing is the voice version of phishing. The criminal uses the phone to trick a victim into handing over valuable information.

Example
A scammer calls an employee, posing as a co-worker. The scammer may pressure the victim to provide login credentials or other information that can then be used to target the company or its employees.

[Figure: Social Engineering - Phone Tactics]

How to avoid being a social engineering victim

[Figure: Social Engineering - Red Flags]

Social engineering is used everywhere, both online and offline. The best defense against many of these attacks is education, which we hope this site helps provide. Stay alert and stay safe.