WHAT IS SOCIAL ENGINEERING?
Social engineering is a manipulation technique that exploits human error to gain private
information, access, or valuables. In cybercrime, these “human hacking” scams tend to
lure unsuspecting users into exposing data, spreading malware infections, or giving
access to restricted systems. Attacks can happen online, in-person, and via other
interactions.
Scams based on social engineering are built around how people think and act. As such,
social engineering attacks are especially useful for manipulating a user’s behavior.
Once an attacker understands what motivates a user’s actions, they can deceive and
manipulate the user effectively.
How Does Social Engineering Work?
Most social engineering attacks rely on actual communication between attackers and
victims. Rather than using brute force methods to breach data, the attacker motivates the
user into compromising themselves.
The attack cycle gives these criminals a reliable process for deceiving you. Steps for the
social engineering attack cycle are usually as follows:
1. Prepare by gathering background information on you or a larger group you are a
part of.
2. Infiltrate by establishing a relationship or initiating an interaction, started by
building trust.
3. Exploit the victim once trust and a weakness are established to advance the
attack.
4. Disengage once the user has taken the desired action.
This process can take place in a single email or over months in a series of social media
chats. It could even be a face-to-face interaction. But it ultimately concludes with an
action you take, like sharing your information or exposing yourself to malware.
It's important to be aware that social engineering relies on confusion. Many
employees and consumers don't realize that just a few pieces of information can give
hackers access to multiple networks and accounts.
By masquerading as legitimate users to IT support personnel, attackers obtain private
details such as name, date of birth, or address. From there, it's a simple matter to reset
passwords and gain almost unlimited access. They can steal money, distribute social
engineering malware, and more.
TYPES OF SOCIAL ENGINEERING ATTACKS
Social engineering encompasses a range of tactics, each exploiting human psychology
and behavior. Below, we outline various social engineering attack types:
1. Phishing: This involves sending deceptive emails, messages, or websites that mimic
trusted sources, like banks or colleagues, with the aim of tricking recipients into
revealing sensitive information such as login credentials or personal data.
2. Spear Phishing: A more targeted form, where attackers tailor messages for specific
individuals or organizations, often using personal information from social media to make
them appear more convincing.
3. Vishing (Voice Phishing): Attackers employ phone calls to impersonate legitimate
entities, coercing victims into disclosing information or taking specific actions.
4. Pretexting: This entails fabricating scenarios to extract information, such as posing as
an executive or IT technician to gain trust and access sensitive data.
5. Baiting: Victims are lured with enticing offers, such as free downloads or physical
devices, which often contain malware or other malicious software.
6. Impersonation: Attackers pretend to be trusted individuals, like colleagues or friends,
to request sensitive data or actions like fund transfers.
7. Tailgating and Piggybacking: Physical security attacks involve following authorized
persons into secure areas, whether closely or by asking for assistance in entry.
8. Quid Pro Quo: Attackers promise something in exchange for sensitive data or
access, such as tech support for login credentials.
9. Watering Hole Attacks: Attackers compromise websites frequented by targets,
potentially leading victims to unwittingly download malware.
10. Bait and Switch: This tactic deceives victims by initially offering something benign
but swapping it for something malicious, like a software download containing malware.
11. Scareware: Fake warnings or alerts are presented to users, pressuring them into
actions like purchasing fake security software or revealing personal information.
12. Reverse Social Engineering: Here, attackers manipulate victims into seeking help or
information from them, making victims believe they initiated the interaction, rendering
them more susceptible.
Six Principles Social Engineers Exploit
Social engineers manipulate individuals by capitalizing on various psychological
principles. These principles serve as their tools to extract information or prompt specific
actions. Here are the six key principles commonly exploited by social engineers:
1. Reciprocity: People often feel obliged to reciprocate when someone does them a
favor or offers something valuable. Social engineers extend seemingly helpful gestures,
such as aiding with computer issues, expecting that recipients will reciprocate with
sensitive information or system access.
2. Authority: Humans have a natural inclination to follow those who exhibit authority or
expertise. Social engineers assume roles of trust, impersonating IT experts or company
executives to gain the trust and compliance of their targets.
3. Scarcity: The fear of missing out on something valuable can lead individuals to act
hastily. Social engineers instill urgency or create the illusion of scarcity, coercing
individuals into quick decisions, including revealing sensitive data to avoid perceived
losses.
4. Commitment and Consistency: Once individuals commit or adopt a specific stance,
they strive to maintain a consistent self-image. Social engineers exploit this by coaxing
small commitments, gradually encouraging individuals to divulge more information or
engage in larger actions.
5. Social Proof: People often mirror the actions of others, especially in uncertain
situations. Social engineers employ fabricated testimonials or references to persuade
individuals that their requests have already been embraced by others.
6. Liking: Individuals tend to trust and cooperate with those they like or share a
connection with. Social engineers build rapport, emulate the interests and behavior of
their targets, or employ flattery to cultivate a sense of liking and trust.
Five Emotions That Social Engineers Use Against You
Social engineers manipulate individuals by tapping into a variety of emotions to achieve
their objectives. Here are five commonly exploited emotions:
Fear: Instilling fear or anxiety is a potent strategy. Social engineers may employ threats,
warnings, or false alarms to create a sense of urgency, driving individuals to hastily
provide sensitive information or comply with their demands to avert perceived harm.
Trust: Establishing trust is a fundamental aspect of social engineering. Techniques such
as building rapport, mirroring the behavior and interests of their targets, or assuming the
roles of trusted figures or authorities enable social engineers to gain the confidence of
their victims. Once trust is established, manipulation becomes more seamless.
Curiosity: Curiosity often leads individuals to take risks they wouldn't otherwise
consider. Social engineers may dangle intriguing information or offers, arousing
curiosity and compelling victims to interact with malicious links, download files, or
engage in other risky actions.
Empathy: Appealing to the empathy of their targets is a common ploy. Social engineers
may share fabricated personal stories or portray themselves as individuals in need,
triggering a desire to assist. This inclination to help can lead individuals to share
information or provide assistance without questioning the request.
Greed or Desire: Exploiting the desire for gain or reward is another prevalent tactic.
Social engineers may present financial incentives, exclusive offers, or promises of
wealth to entice individuals into disclosing confidential information or undertaking
actions that ultimately benefit the attacker.