What is Social Engineering?

Social Engineering Meaning

Social engineering, as practiced by cybercriminals, is a tactic that at its core lies to a user: the attacker builds a false narrative that exploits the victim's credulity, greed, curiosity, or some other very human trait. The end result is that the victim willingly gives private information to the attacker, whether personal (e.g., name, email address) or financial (e.g., credit card number, crypto wallet), or inadvertently installs malware or a backdoor on their own system.

We can classify modern attacks into two very broad categories according to the target: they either attack the machine or they attack the user. "Attacking the machine" through vulnerability exploitation is commonly dated to 1996 and the seminal article "Smashing the Stack for Fun and Profit." However, "attacking the human" (social engineering) has been, and still is, overwhelmingly more prevalent. Practically every known attack that does not rely on a software vulnerability has a social engineering element, in which the attacker tries to convince the victim to do something that ends up being harmful to them.

Types of Social Engineering Attacks

While not an exhaustive list, the following are the key social engineering attacks to be aware of:

Phishing

Phishing is one of the most common types of social engineering attacks. It uses email and text messages to entice victims into clicking on malicious attachments or links to harmful websites.

Baiting

This attack uses a false promise to entice a victim via greed or interest. Victims are lured into a trap that compromises their sensitive information or infects their devices. One example would be to leave a malware-infected flash drive in a public place. The victim may be interested in its contents and insert it into their device — unwittingly installing the malware.

Pretexting

In this attack, the actor invents a plausible scenario (the pretext) to obtain data from the target. For example, an attacker may claim to need financial or personal details in order to "confirm the identity" of the recipient.

Scareware

Scareware frightens victims with false alarms and threats. Users are deceived into thinking that their system is infected with malware and then install the suggested "fix," which may itself be the malware, for example a virus or spyware. A common example is a pop-up banner in your browser displaying text like "Your computer may be infected." It offers to install the fix or redirects you to a malicious website.

Spear phishing and whaling

In spear phishing, the attack is specifically targeted at a particular individual or organization. Whaling is a form of spear phishing that targets high-profile employees, such as CEOs and directors.

Tailgating

Also known as piggybacking, tailgating is when an attacker enters a secure building or office area by following someone who has an access card. The attack relies on others assuming the attacker is allowed to be there.

AI-Based Scams

AI-based scams leverage artificial intelligence technology to deceive victims. Here are the common types:

  • AI-Text Scam: Deceptive text messages generated by AI to phish information or spread malware.

  • AI-Image Scam: Fake images created using AI to manipulate and deceive individuals.

  • AI-Voice Scam: Fraudulent voice messages generated by AI to impersonate trusted entities and trick victims. 

  • AI-Video Scam: Manipulated videos created using AI, known as deepfakes, used for spreading misinformation or targeting individuals.

How to Recognize Social Engineering Attacks

Because these attacks come in many different shapes and sizes, and rely on human fallibility, social engineering attacks can be very hard to identify. Nonetheless, any of the following should be treated as a major red flag that a social engineering attack is underway:

  • An unsolicited email or text message from someone you don’t know.

  • The message is supposedly very urgent.

  • The message requires you to click on a link or open an attachment. 

  • The message contains many typos and grammatical errors.

  • Alternatively, you receive a call from someone you don’t know.

  • The caller tries to obtain personal information from you.

  • The caller is attempting to get you to download something. 

  • The caller similarly speaks with a great sense of urgency and/or aggression.
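Several of the email red flags above (an unknown sender, urgency, a link or attachment you are pushed to open) can be checked mechanically before a human ever reads the message. The following triage script is an added example, not part of the original page or of any product it describes. It parses one raw message with Python's standard `email` library and reports a finding for each of five checks: a Reply-To domain that differs from the From domain, a display name that smuggles a second address, no passing SPF or DKIM result in the `Authentication-Results` header, urgency phrases in the subject or body, an attachment with an executable extension, and a link whose visible text names one domain while its `href` points to another. The sample messages, addresses, domains, and the urgency phrase list are constructed for the example; a real deployment would tune the phrase list and extension list to its own mail.

```python
"""Heuristic triage of one email for social-engineering red flags (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that manufacture urgency (the "time limitation" built into the lie).
# Constructed, illustrative list; tune it for real mail.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|"
    r"act now|verify now)\b", re.I)
# Attachment extensions that run code when double-clicked.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".lnk", ".iso")
# Anchor text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _HtmlScan(HTMLParser):
    """Collect (href, visible anchor text) pairs plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(s):
    """Lowercased hostname of a URL, or of bare 'www.x.y' text."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage_email(raw):
    """Return a list of human-readable red-flag findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append(f"Display name carries a different address: {from_name!r}")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("No passing SPF or DKIM result in Authentication-Results")

    text, scan = [msg.get("Subject", "")], _HtmlScan()
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append(f"Executable attachment: {fname}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", errors="replace")
            if part.get_content_type() == "text/html":
                scan.feed(body)
            else:
                text.append(body)
    scan.close()
    text.extend(scan.text)

    hits = sorted({m.lower() for m in URGENCY.findall(" ".join(text))})
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))

    for href, anchor in scan.links:
        if href and URL_LIKE.fullmatch(anchor) and _host(anchor) != _host(href):
            findings.append(f"Link text shows {_host(anchor)} but points to {_host(href)}")
    return findings


# Constructed sample (not a real message): a payroll-themed credential phish.
SAMPLE_PHISH = """\
From: "Acme Payroll" <payroll@acme-hr-portal.example>
Reply-To: collect@mailbox-relay.example
To: jane@acme.example
Subject: URGENT: verify your account within 24 hours
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acme-hr-portal.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Verify now:
<a href="http://login.acme-hr-portal.example/reset">https://hr.acme.example/reset</a></p>
--b1
Content-Type: application/octet-stream; name="Payroll_Update.pdf.exe"
Content-Disposition: attachment; filename="Payroll_Update.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign sample: internal mail that passes SPF and DKIM.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane@acme.example>
To: bob@acme.example
Subject: Lunch on Thursday?
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday? Menu is at https://cafeteria.acme.example/menu
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage_email(sample))
```

Run as a script, the phishing sample produces five findings and the benign sample none. None of these checks is proof on its own (legitimate mailing lists set a different Reply-To, and a misconfigured sender can fail SPF), which is why the script reports findings for a person to weigh rather than a verdict.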

How to prevent Social Engineering Scams?

The best armor against the social engineering tactics employed by online crooks is to be well informed about the many ways a cybercriminal can take advantage of what you expose, on social media and elsewhere. Beyond the usual consequences of falling prey to spam, phishing attacks, and malware infections, the real challenge is keeping your personal data private.

Aside from keeping an eye out for the above warning signs, the following are good best practices to follow:

  • Keep your operating system and security software updated.

  • Use multifactor authentication and a password manager.

  • Don't open emails and attachments from unknown sources.

  • Set your spam filter to a high setting.

  • Ignore and delete any request for financial information or passwords.

  • If you suspect something during an interaction, be calm and take things slowly. 

  • Do your research when it comes to websites, companies, and individuals.

  • Be careful about what you share on social media — utilize your privacy settings.

  • If you are an employee of a company, make sure that you know the security policies.

Examples of Social Engineering Attacks

Motivated largely by profit, cybercriminals have significantly refined their methods for extracting sensitive information from online users for monetary gain.

  • January marks the start of the tax filing season in the United States and several other countries, which makes it a favorite time for cybercriminals to make money. A popular social engineering tactic is to tailor an attack to coincide with widely celebrated occasions, observed holidays, and popular news, and it earns criminals a lot from their victims. US taxpayers received spam samples that attempted to pass themselves off as messages from the U.S. Internal Revenue Service (IRS).


  • The news of the untimely death of Robin Williams on August 12, 2014 came as a shock to people around the world. While news of his death spread like wildfire among netizens, spammers and cybercriminals sent out spam emails that mentioned the actor's name in the subject line. The spam asked recipients to download a "shocking" video about Williams' death, but clicking the video link instead downloaded an executable file detected as WORM_GAMARUE.WSTQ.

  • When news about the Ebola outbreak flooded the Internet, cybercriminals seized the opportunity to use the widespread reports as bait to lure unsuspecting victims into opening fake emails. These emails led to phishing pages where the victim's information and credentials were stolen.

  • 2008 saw a surge of social-network-based attacks by cybercriminals for sabotage and profit. Platform-based attacks were directed at home users, small businesses, and large organizations, resulting in intellectual property theft and major financial losses. Online crooks largely devised ways to attack web users through social networking sites like Facebook and Twitter.

  • In 2008, Facebook users were targeted by the KOOBFACE worm. In 2009, Twitter became a goldmine for cybercriminals, who spread malicious links that were found to carry Trojans.

The Future of Social Engineering Attacks

We can deconstruct any social engineering interaction and strip it down to the following elements: 

  • A “medium” to make the connection with the victim, which can be done via telephone, email, social network, or direct message, to name a few. 
  • A “lie,” where the attacker builds a falsehood to convince the victim to take action within a given time. The lie often also has a built-in sense of urgency, such as a time limitation. 
  • An “ask,” that is, the action to be taken by the victim, such as giving credentials, executing a malicious file, investing in a certain crypto scheme, or sending money. 

Let us use a common example you are probably familiar with — the stereotypical email scam: 


Figure 1. A social engineering attack’s medium, lie, and ask

As of 2024, criminals reach their victims through every available communication channel and use made-up stories as part of their social engineering tricks. Their objectives are typically the same: getting the victim to disclose a password, install malware, or share personal information.

Over the years, we have seen a multitude of different plots in the social engineering space, and you would be forgiven for thinking that all ideas seem to have already been used. Yet, attackers keep coming up with new social engineering tricks every year. In this piece, we will explore new social engineering improvements that attackers might utilize in the future to con users. By changing the medium, the lie, or the ask, attackers can easily come up with new and innovative ploys to fool their victims. 

What new elements can we expect to see? What new changes to the old scheme can we foresee? How will new technologies affect any of these? 

Changes in the Medium

As new technologies emerge, attackers gain more ways to reach their potential victims. This includes AI tools and new wearable and headset devices such as Apple Vision Pro, the Humane pin, Ray-Ban glasses, or any new device users might adopt in the future.

Utilizing wearables as a medium

New devices enter the market every year, and each expands the attack surface available to cybercriminals. Wearables are particularly interesting because they are always on and fully trusted by their user, so any ploy delivered through a wearable has a higher chance of being believed. There is also the possibility of an attacker gaining access to the wearable device itself: wearables are often not designed to run security tools or to re-authenticate the user regularly, which puts them outside normal security controls.


Figure 2. A potential scenario of wearables as medium for social engineering attacks

Chatbots as a medium

AI chatbots could also be used as a vehicle to reach the user. The idea of this attack is to feed false information to the chatbot so that it, in turn, manipulates the user into taking action. Poisoning the chatbot can be accomplished in several ways, including feeding it bad information during conversation, tampering with its training data, or injecting new instructions into the content it processes (prompt injection).

New email-based attacks

A new way to use the classic email and instant message (IM) medium would be to employ a bot powered by a large language model (LLM) to increase the effectiveness of a business email compromise (BEC) attack. The threat actor could use the LLM bot to compile the full message history between the victim and the CEO. The bot could then continue a thread in this trusted channel as if it were the CEO, imitating the CEO's writing style to convince the victim to wire the money. This is already happening manually, but the potential for this attack to be automated with AI cannot be ignored.

Improving the Lies

The main innovation driving socially engineered lies is AI. The actual lie in a social engineering story will vary based on season, country, and demographic group, to name a few, but this can change very quickly due to the scalability and flexibility that AI provides. Generative AI (GenAI) excels in image, audio and video generation. For text, it excels at both creating believable content and quickly processing large amounts of text. This new scalability opens many new developments to the “lie” aspect of social engineering. 

A new theme attackers can use to craft lies is AI technology itself. For example, lies about ChatGPT or VR can be effective because of the interest they generate. Additionally, attackers can create fake AI-related tools that are actually malware. Graphic designers are generally curious about the creation of deepfake images and videos, so a fake tool offered by the attacker for that purpose is likely to be downloaded and run. Similarly, incorporating deepfake images and videos into existing successful scams can make them more believable. This strategy is clearly on the rise in the current threat landscape. We believe that deepfakes have the potential to be highly disruptive in social engineering scams and that attackers will use them extensively in the near future.


Figure 3. How call and voice scams can be enhanced by deepfakes
