What is Social Engineering?

Social Engineering Meaning

Social engineering is a type of attack that uses human interaction and manipulation to achieve the attacker’s aims. It often involves persuading victims to compromise their security or break security best practices for the attacker’s financial or informational gain. Threat actors use social engineering to disguise themselves and their motives, often by acting as trusted individuals.

Ultimately, the key aim is to influence, to hack the mind — rather than a system. Many such exploits rely on people’s good nature or fear of negative situations. Social engineering is popular among attackers because it is easier to exploit people than to exploit network and software vulnerabilities.

Types of Social Engineering Attacks

While not an exhaustive list, the following are the key social engineering attacks to be aware of:

Phishing

This is one of the most common types of social engineering attacks. It uses email and text messages to entice victims into clicking on malicious attachments or links to harmful websites.

Baiting

This attack uses a false promise to entice a victim via greed or interest. Victims are lured into a trap that compromises their sensitive information or infects their devices. One example would be to leave a malware-infected flash drive in a public place. The victim may be interested in its contents and insert it into their device — unwittingly installing the malware.

Pretexting

In this attack, one actor lies to another to gain access to data. For example, an attacker may pretend to need financial or personal data to confirm the identity of the recipient.

Scareware

Scareware involves victims being scared with false alarms and threats. Users might be deceived into thinking that their system is infected with malware. They then install the suggested software fix — but this software may be the malware itself, for example, a virus or spyware. Common examples are pop-up banners appearing in your browser, displaying text like “Your computer may be infected.” It will offer to install the fix or will direct you to a malicious website.

Spear phishing and whaling

Like phishing, but the attack is specifically targeted at a particular individual or organization. Similarly, whaling attacks target high-profile employees, such as CEOs and directors.

Tailgating

Also known as piggybacking, tailgating is when an attacker walks into a secure building or office department by following someone with an access card. This attack presumes others will assume the attacker is allowed to be there.

AI-Based Scams

AI-based scams leverage artificial intelligence technology to deceive victims. Here are the common types:

  • AI-Text Scam: Deceptive text messages generated by AI to phish information or spread malware.

  • AI-Image Scam: Fake images created using AI to manipulate and deceive individuals.

  • AI-Voice Scam: Fraudulent voice messages generated by AI to impersonate trusted entities and trick victims. 

  • AI-Video Scam: Manipulated videos created using AI, known as deepfakes, used for spreading misinformation or targeting individuals.

How to Recognize Social Engineering Attacks

Because these attacks come in many different shapes and sizes — and rely on human fallibility — social engineering attacks can be very hard to identify. Nonetheless, any of the following should be treated as a major red flag suggesting that a social engineering attack is under way:

  • An unsolicited email or text message from someone you don’t know.

  • The message is supposedly very urgent.

  • The message requires you to click on a link or open an attachment. 

  • The message contains many typos and grammatical errors.

  • Alternatively, you receive a call from someone you don’t know.

  • The caller tries to obtain personal information from you.

  • The caller is attempting to get you to download something. 

  • The caller similarly speaks with a great sense of urgency and/or aggression.
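The email and text-message red flags above can be turned into a simple triage check. The following is an added example, not code from the original page: it scores constructed sample messages against a short list of indicators (unknown sender, urgency wording, links, attachments, requests for credentials, frequent misspellings). The known-contact list, keyword lists and the tiny misspelling list are assumptions standing in for a real address book and spell-checker.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    """Minimal constructed message record (not a real mail parser)."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

# Assumed address book: anything outside it counts as an unsolicited sender.
KNOWN_CONTACTS = {"alice@example.com", "it-helpdesk@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now|suspended|final notice)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|verify your (account|identity)|bank details|social security)\b", re.I)
# A handful of frequent misspellings stands in for a real spell-checker (assumption).
COMMON_TYPOS = re.compile(r"\b(recieve|acount|imediately|verfy|securty)\b", re.I)

def red_flags(msg: Message) -> list:
    """Return the list of red flags from the checklist that this message triggers."""
    flags = []
    text = f"{msg.subject}\n{msg.body}"
    if msg.sender.lower() not in KNOWN_CONTACTS:
        flags.append("unknown sender")
    if URGENCY.search(text):
        flags.append("urgency")
    if URL.search(text):
        flags.append("contains link")
    if msg.attachments:
        flags.append("has attachment")
    if CREDENTIAL_ASK.search(text):
        flags.append("asks for credentials or financial data")
    if len(COMMON_TYPOS.findall(text)) >= 2:
        flags.append("many typos")
    return flags

def verdict(msg: Message) -> tuple:
    """Three or more flags: treat as likely social engineering; any flag: review."""
    flags = red_flags(msg)
    level = "likely social engineering" if len(flags) >= 3 else ("review" if flags else "ok")
    return level, flags

# Constructed samples for demonstration.
SAMPLE_PHISH = Message(
    sender="refund-desk@tax-notice.example.test",
    subject="URGENT: verify your account within 24 hours",
    body="Dear user, we could not verfy your acount. Click http://refund.example.test/claim to recieve your refund.",
)
SAMPLE_BENIGN = Message(sender="alice@example.com", subject="Lunch on Friday?", body="Want to grab lunch at noon?")
```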

How to Prevent Social Engineering Scams

The strongest defense against the social engineering tactics employed by online crooks is to be well informed about the many ways a cybercriminal could take advantage of what you expose on social media. Beyond the usual consequences of falling prey to spam, phishing attacks, and malware infections, the challenge posed by cybercriminals is keeping a firm grasp on how to keep your data private.

Aside from keeping an eye out for the above warning signs, the following best practices are worth following:

  •  Keep your operating system and cybersecurity software updated.

  • Use multifactor authentication and/or a Password Manager. 

  • Don’t open emails and attachments from unknown sources.

  • Set your spam filters to high.

  • Delete and ignore any requests for financial information or passwords.

  • If you suspect something during an interaction, be calm and take things slowly. 

  • Do your research when it comes to websites, companies, and individuals.

  • Be careful about what you share on social media — utilize your privacy settings.

  • If you are an employee of a company, make sure that you know the security policies.

Examples of Social Engineering Attacks

Motivated largely by profit, cybercriminals have significantly refined their methods for drawing sensitive information from online users for monetary gain.

  • January is when most countries kick off the tax season, which makes it a favorite time for cybercriminals to make money. Cybercriminals earn a lot from their victims through a popular social engineering tactic in which an attack is tailored to coincide with widely celebrated occasions, observed holidays, and popular news. US citizens received spam samples that attempted to pass themselves off as messages from the U.S. Internal Revenue Service (IRS).


  • The news about the untimely death of Robin Williams on August 12, 2014 came as a shock to people around the world. While news about his death spread like wildfire among netizens, spammers and cybercriminals deployed spam emails that mentioned the actor’s name in the email subject. The spam mail asked recipients to download a “shocking” video about Williams’s death, but clicking on the video link instead downloaded an executable file that was detected as WORM_GAMARUE.WSTQ.


  • When news about the Ebola pandemic flooded the Internet, cybercriminals seized the opportunity to use the widespread reports as bait to lure unsuspecting victims into opening fake emails. These emails ultimately led to phishing attempts in which the victim's information and credentials were stolen.


  • 2008 saw the breakout of social attacks launched by cybercriminals for sabotage and profit. With identified targets, platform-based attacks were directed at home users, small businesses, and large-scale organizations, causing intellectual property theft and major financial loss. Largely, online crooks devised ways to attack web users through social networking sites such as Facebook and Twitter.

  • In 2008, Facebook users became the target of the worm-type malware KOOBFACE. Twitter then became a goldmine for cybercriminals in 2009, spreading malicious links that were found to carry Trojans.

The Evolution of Social Engineering Attacks

Social engineering threats are, in fact, harder to protect yourself against, as they mainly target you, the online user, and not just the vulnerabilities of your system. The simplest, yet most effective, way to protect yourself from such threats is to be well informed about what to stay away from and what to be careful of.

Driven by the goal of profiting from online users, digital threats have evolved and developed over the years. Cybercriminals have placed importance on crafting more sophisticated ways to lure online users into trusting them with their sensitive data. Socially engineered attacks have advanced by leaps and bounds in the sophistication of the technologies employed.
