Understanding Social Engineering: The Ins and Outs
Not all sophisticated cybersecurity attacks have to include malware or coding. Sometimes it’s enough to play with basic human emotions such as fear, greed, trust, or a sense of urgency. Learn how hackers use social engineering techniques to trick you into giving away your sensitive information.
What is social engineering?
Social engineering is a set of different types of attacks that exploit human psychology to get sensitive information out of people. Such attacks usually play on the victim's emotions, such as fear, trust, greed, stress, and a sense of urgency. Strong feelings cloud their judgment, and they become more willing to give away information they normally wouldn’t.
Hackers can use various social engineering techniques to get personal information, such as login credentials, passwords, bank account numbers, social security numbers, etc. These details may help them gain access to your network, steal your money, or your identity. This data can also be used in future attacks.
Hackers love social engineering attacks because they are simpler to execute compared to malware attacks, and they also have a higher success rate. In fact, with some social engineering tactics, hackers don’t even need to know how to code!
Types of social engineering attacks
Phishing
Phishing is probably the most common social hacking technique. Phishing scams can appear on many platforms - email, chat, web ads, or websites. However, most often, hackers will use phishing emails to trick you into downloading malware or clicking on a malicious link that will extract your data. They are designed to entice you with a hard-to-resist deal, frighten you with security threats, or manipulate your trust.
Such social engineering examples could be:
Getting an email from a lottery telling you that you’ve won a million and asking you to click on a link to claim it;
A bank contacting you about a loan you’ve never taken and asking you to confirm your payment details;
Or a delivery company emailing you an invoice and asking you to cover it immediately.
Spear phishing
Spear phishing is similar to phishing; however, it requires more work and as a result, has a higher success rate. Phishing emails and scams can target thousands of people a hacker knows nothing about. With spear phishing, a hacker chooses a specific target: a person or a company. Then they do their research to understand the victim and create a foolproof strategy to extract the data.
For example, a new accountant might get an email from a CEO who wants a big sum of money to be sent to an international partner's account. The email says that it has to be done immediately. If the new employee doesn’t know the usual company procedures or what to expect from their boss, they will likely transfer the funds to the hacker.
Pretexting
If phishing mostly plays on human fear and the sense of urgency, then pretexting is the opposite - it plays with human trust. As the name suggests, pretexting uses a believable pretext or a story that helps to build rapport with a victim and leaves no room for doubt. Pretexting can be used online as well as offline. For example, a hacker can pretend to be an auditor and convince you to let him or her into the server room. Or they can act as your bank manager and call you asking to confirm your payment details.
Baiting
In baiting, hackers use an object or a deal you cannot resist to infect your device or a whole network. Back in the day, they might have dropped a USB in the parking lot labeled ‘Executive salaries Q4,’ which would’ve caught anyone’s eye. Nowadays, you are more likely to come across baiting on P2P platforms. Want to download a high-quality Game of Thrones episode? But can you be sure that it’s not a Trojan?
Quid Pro Quo
In a quid pro quo attack, a hacker gives you an enticing offer but asks for something in return, most often to give away your personal data. It can be an “uncle” you’ve never heard of who wants to transfer you a lump sum; all you need to do is tell him your bank details. Or it can be an “IT specialist” you’ve never contacted, who out of his or her goodwill is offering to fix your laptop. However, all they need is remote access to your device.
Scareware
If you visit websites that are not secure (HTTP rather than HTTPS websites), you may come across ads or pop-up banners notifying you of a malware infection. It’s not a pop-up from your antivirus, but it’s urging you to download the only software that will get rid of this nasty virus. The problem is that the software you are prompted to download is actually malware itself; this is why it’s called scareware.
Tailgating
The tailgating method can be somewhat compared to pretexting. However, the former’s primary goal is usually to get into a secured building, and it doesn’t require much research. A hacker can tailgate or, in other words, ‘piggyback’ by pretending to be a delivery driver and getting into a building. They can also simply follow an employee who doesn’t question an unfamiliar face.
How can you protect yourself from social engineering?
It may seem difficult to protect yourself from social hackers - anyone can fall for a scam. However, there are a few simple things you can do to prevent, recognize, and put a stop to such attacks when and where they happen.
Use a good antivirus and keep it up to date.
Take everything with a pinch of salt. If the deal sounds too good to be true, it probably is.
Don’t rush — research the facts before you act. If you are not sure whether it’s a real deal or a legitimate request, contact the company or your boss directly.
Don’t open suspicious emails, click on suspicious links, or download suspicious attachments.
Familiarize yourself with your company’s privacy and security policies. Don’t let strangers into secure areas - question them.
Don’t share your computer with others and lock it when not in use.
Set your spam filters high.
Use multi-factor authentication. Even if hackers get hold of your login credentials, they won’t be able to get into your accounts because they will need to pass an additional confirmation step.
Educate your employees and coworkers on how to recognize social engineering attacks.
Avoid sharing names of your kids, pets, place or date of birth, or other personal details online.
Be cautious of online-only friendships.
Use strong, unique passwords and a password manager to keep them safe.