Most cybercriminals are master manipulators, but that doesn’t mean they’re all manipulators of technology — some cybercriminals favor the art of human manipulation.
In other words, they favor social engineering: exploiting human errors and behaviors to conduct a cyberattack. For a simple social engineering example, a cybercriminal might impersonate an IT professional and request your login information to patch a security flaw on your device. If you provide it, you’ve just handed a malicious individual the keys to your account, and they didn’t even have to go to the trouble of hacking your email or computer to do it.
As with most cyber threats, social engineering comes in many forms, and those forms are ever-evolving. Here, we’re overviewing what social engineering looks like today, the attack types to know, and the red flags to watch for so you don’t become a victim.
Social engineering defined
Social engineering is the art of manipulating someone into divulging sensitive or confidential information, usually through digital communication, that can then be used for fraudulent purposes.
Unlike traditional cyberattacks, which rely on security vulnerabilities to gain unauthorized access to devices or networks, social engineering techniques target human vulnerabilities. For this reason, it’s also called human hacking.
Cybercriminals who conduct social engineering attacks are called social engineers, and they usually operate with two goals in mind: to wreak havoc and/or to obtain valuables like important information or money.
How social engineering works
Like most types of manipulation, social engineering is built on trust first — false trust, that is — and persuasion second. Generally, there are four steps to a successful social engineering attack:
- Preparation: The social engineer gathers information about their victims, including where they can access them, such as on social media, email, text message, etc.
- Infiltration: The social engineer approaches their victims, usually impersonating a trustworthy source and using the information gathered about the victim to validate themselves.
- Exploitation: The social engineer uses persuasion to request information from their victim, such as account logins, payment methods, contact information, etc., that they can use to commit their cyberattack.
- Disengagement: The social engineer stops communication with their victim, commits their attack, and swiftly departs.
Depending on the social engineering attack type, these steps could span a matter of hours to a matter of months. No matter the time frame, knowing the signs of a social engineering attack can help you spot — and stop — one fast.
Signs of a social engineering attack
Social engineering can happen everywhere, online and offline. And unlike traditional cyberattacks, in which cybercriminals are stealthy and want to go unnoticed, social engineers often communicate with us in plain sight. Consider these common social engineering tactics; one might be right under your nose.
Your “friend” sends you a strange message
Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, or even your bank, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — if they send you something unusual, ask them about it.
Your emotions are heightened
The more irritable we are, the more likely we are to let our guard down. Social engineers are skilled at stirring up emotions like fear, excitement, curiosity, anger, guilt, or sadness. In your online interactions, consider the cause of these emotional triggers before acting on them.
The request is urgent
Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstakes you have to enter now or a cybersecurity program you need to download to wipe a virus off your computer.
The offer feels too good to be true
Ever receive news you didn’t ask for? Even good news, like winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it is — and it’s potentially a social engineering attack.
You’re receiving help you didn’t ask for
Social engineers might reach out under the guise of a company offering help for a problem you have, similar to a tech support scam. And since you might not be an expert in their line of work, you might believe they are who they say they are and give them access to your device or accounts.
The sender can’t prove their identity
If you raise suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.
10 social engineering attack types + examples
Almost all cyberattacks involve some form of social engineering. And most social engineering techniques also involve malware, meaning malicious software that wreaks havoc on our devices without our knowledge and potentially monitors our activity.
Pore over these common forms of social engineering, some involving malware, along with real-world examples and scenarios for further context.
1. Scareware
As the name indicates, scareware is malware meant to scare you into taking action — and taking it fast. It often comes in the form of pop-ups or emails indicating you need to “act now” to get rid of viruses or malware on your device. In fact, if you act, you might be the one downloading a computer virus or malware.
Scareware example
It turns out it’s not only lone cybercriminals who leverage scareware. In 2019, an office supplier and a tech support company teamed up to commit scareware acts. The office supplier required its employees to run a rigged PC test on customers’ devices that would encourage customers to purchase unneeded repair services. Ultimately, the Federal Trade Commission ordered the supplier and the tech support company to pay a $35 million settlement.
2. Email hacking and contact spamming
It’s in our nature to pay attention to messages from people we know. Social engineers know this all too well, commandeering email accounts and spamming contact lists with phishing scams and messages.
Email hacking and contact spamming example
If a friend sent you an email with the subject “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a social engineer can make everyone on the contact list believe they’re receiving emails from someone they know. The primary objectives are spreading malware and tricking people out of their personal data.
3. Access tailgating
Also known as piggybacking, access tailgating is when a social engineer physically trails or follows an authorized individual into an area they do not have access to. This can be as simple as holding a door open for someone. Once inside, they have free rein to access devices containing important information.
Access tailgating example
If someone is trailing behind you with their hands full of heavy boxes, you’d hold the door for them, right? In reality, you might have a social engineer on your hands. Your act of kindness grants them access to a restricted area where they can potentially tap into private devices and networks.
4. Phishing
Phishing is a well-known way to grab information from an unwitting victim. How it typically works: a cybercriminal, or phisher, sends a message to a target asking for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or verify your mailing address.
Worth noting is that there are many forms of phishing for social engineers to choose from, each with a different means of targeting. Spam phishing often takes the form of one big email sweep, not necessarily targeting a single user. Spear phishing targets individual users, perhaps by impersonating a trusted contact. Whaling targets celebrities or high-level executives.
Phishing also comes in a few different delivery forms:
- Vishing, meaning voice phishing, is when your phone call might be recorded, including any information you enter on PIN pads.
- Smishing, meaning SMS phishing, uses text messages containing malicious links.
- Email phishing is among the most traditional phishing methods: phishing by email, often by delivering a malicious link or a download.
- Angler phishing is when a cybercriminal impersonates a customer service representative to intercept your communications and private messages.
- URL phishing is a falsified link you receive that leads to malware.
- In-session phishing occurs when you’re already on a platform or account and are asked, for instance, to log in again.
- Fax-based phishing often arrives as a fake email from a trusted institution requesting that you print off the message and fax back your sensitive information.
Phishing example
A social engineer might pose as a banking institution, for instance, asking email recipients to click on a link to log in to their accounts. Those who click on the link, though, are taken to a fake website that, like the email, appears to be legitimate. If they log in at that fake site, they’re essentially handing over their login credentials and giving the cybercriminal access to their bank accounts.
5. DNS spoofing
Also known as cache poisoning, DNS spoofing is when the DNS records a browser relies on are manipulated so that online users are redirected to malicious websites bent on stealing sensitive information. In other words, DNS spoofing is when your DNS cache is poisoned with these malicious redirects.
DNS spoofing example
In 2018, a cloud computing company and its customers were victims of a DNS spoofing attack that resulted in around $17 million of cryptocurrency being stolen from victims. Cybercriminals rerouted people trying to log into their cryptocurrency accounts to a fake website that harvested their credentials for the cryptocurrency site and ultimately drained their accounts.
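The redirection described above only works if a poisoned record gets into a cache. The following added example (not the article's code, and going beyond the article to the resolver side) models a tiny DNS cache that applies the standard defences: it accepts a reply only when the transaction ID and question match a query it actually sent, and it discards any record that lies outside the bailiwick of that query, so a reply to one lookup cannot smuggle in an address for an unrelated site. The `Record`, `DnsQuery` and `DnsResponse` classes, the `examplecrypto.test` and `attacker.test` names, and the documentation-range addresses are all constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


@dataclass
class DnsQuery:
    txid: int
    qname: str
    qtype: str


@dataclass
class DnsResponse:
    txid: int
    qname: str
    qtype: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies under it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def zone_of(qname: str) -> str:
    """Crude bailiwick: the last two labels of the queried name (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


class ResolverCache:
    def __init__(self):
        self.cache = {}      # (name, rtype) -> value
        self.pending = {}    # txid -> DnsQuery still waiting for a reply
        self.rejected = []   # (reason, detail) kept for logging and detection

    def send_query(self, qname: str, qtype: str = "A") -> DnsQuery:
        # A random 16-bit ID; predictable IDs are what make blind spoofing cheap.
        txid = secrets.randbelow(1 << 16)
        query = DnsQuery(txid, qname, qtype)
        self.pending[txid] = query
        return query

    def receive(self, resp: DnsResponse) -> bool:
        """Validate a reply and cache what survives. Returns True if anything was cached."""
        query = self.pending.get(resp.txid)
        if query is None:
            self.rejected.append(("unexpected or mismatched transaction ID", resp.txid))
            return False
        if (resp.qname.lower(), resp.qtype) != (query.qname.lower(), query.qtype):
            self.rejected.append(("question section does not match the query", resp.qname))
            return False
        del self.pending[resp.txid]

        zone = zone_of(query.qname)
        accepted = 0
        for rr in resp.answers + resp.additional:
            if not in_bailiwick(rr.name, zone):
                # Classic poisoning vector: extra records for a domain we never asked about.
                self.rejected.append(("out-of-bailiwick record dropped", rr))
                continue
            self.cache[(rr.name.lower(), rr.rtype)] = rr.value
            accepted += 1
        return accepted > 0

    def lookup(self, name: str, rtype: str = "A"):
        return self.cache.get((name.lower(), rtype))


if __name__ == "__main__":
    cache = ResolverCache()
    q = cache.send_query("login.examplecrypto.test")
    cache.receive(DnsResponse(q.txid, q.qname, "A",
                              [Record(q.qname, "A", "192.0.2.10", 300)]))
    q = cache.send_query("cdn.attacker.test")
    # Reply answers the question but tries to piggyback a record for the crypto site.
    cache.receive(DnsResponse(q.txid, q.qname, "A",
                              [Record(q.qname, "A", "198.51.100.9", 300)],
                              [Record("login.examplecrypto.test", "A", "198.51.100.7", 86400)]))
    print(cache.lookup("login.examplecrypto.test"))  # still the legitimate 192.0.2.10
    print(cache.rejected)
```

The `rejected` list is the part a defender cares about: a burst of mismatched transaction IDs or out-of-bailiwick records arriving at a resolver is a signal worth alerting on, not just dropping.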
6. Baiting
Baiting is built on the premise of someone taking the bait: dangling something desirable in front of a victim and hoping they’ll bite. This occurs most often on peer-to-peer and social media sites, where someone might encourage you to download a video or music, only for you to discover it’s infected with malware — and now, so is your device.
Baiting example
For a physical example of baiting, a social engineer might leave a USB stick loaded with malware in a public place where targets will see it, such as a cafe or bathroom. The criminal might also label the device in a compelling way — “confidential” or “bonuses.” A target who takes the bait will pick up the device and plug it into a computer to see what’s on it. The malware then automatically injects itself into the computer.
7. Physical breaches
As the name indicates, physical breaches are when a cybercriminal is in plain sight, physically posing as a legitimate source to steal confidential data or information from you. This might be a colleague or an IT person — perhaps a disgruntled former employee — acting like they’re helping you with a problem on your device. In fact, they could be stealing your account logins.
Physical breaches example
A social engineer posing as an IT person could be granted access to an office to update employees’ devices — and they might actually do this. At the same time, however, they could be putting a keylogger on the devices to track employees’ every keystroke and patch together confidential information that can be used in other cyberattacks.
8. Pretexting
What is pretexting? It’s the use of an interesting pretext, or ploy, to capture someone’s attention. Once the story hooks the person, the social engineer tries to trick the would-be victim into providing something of value. Oftentimes, the social engineer is impersonating a legitimate source.
Pretexting example
Let’s say you receive an email naming you as the beneficiary of a will or a house deed. The email requests your personal information to prove you’re the actual beneficiary and to speed the transfer of your inheritance. Instead, you’re at risk of giving a con artist the ability not to add to your bank account, but to access and withdraw your funds.
9. Watering hole attacks
A watering hole attack is a one-sweep attack that infects a single webpage with malware. The webpage is almost always on a very popular site — a virtual watering hole, if you will — to ensure the malware reaches as many victims as possible.
Watering hole attack example
In 2014, a media site was compromised in a watering hole attack attributed to Chinese cybercriminals. They exploited vulnerabilities on the media site to plant a fake widget that, when loaded, infected visitors’ browsers with malware.
10. Quid pro quo
Quid pro quo means a favor for a favor, essentially “I give you this, and you give me that.” In social engineering, the victim coughs up sensitive information like account logins or payment methods, and then the social engineer doesn’t hold up their end of the bargain.
Quid pro quo example
For a quid pro quo video gaming example, you might be on a gaming forum looking for a cheat code to get past a difficult level. Perhaps you wire money to someone selling the code, only to never hear from them again and never see your money again.
15 tips to avoid becoming a victim of a social engineering attack
Your best defense against social engineering attacks is to educate yourself about their risks, red flags, and remedies. To that end, look to the following tips to stay alert and avoid becoming a victim of a social engineering attack.
Communicate safely online
Your own wits are your first defense against social engineering attacks. Simply slowing down and approaching almost all online interactions with skepticism can go a long way toward stopping social engineering attacks in their tracks.
1. Don’t click links you don’t request.
2. Don’t overshare personal information online.
3. Be cautious of online-only friendships.
4. Remember the signs of social engineering.
5. Acknowledge what’s too good to be true.
Secure your accounts and networks
Beyond putting your own guard up, it’s best to guard your accounts and networks against cyberattacks, too. Consider these means and methods to lock down the places that host your sensitive information.
6. Use two-factor authentication.
7. Only use strong, unique passwords and change them often.
8. Consider a password manager to keep track of your strong passwords.
9. Set high spam filters.
10. Don’t allow strangers on your Wi-Fi network.
11. Use a virtual private network.
12. Monitor your account activity closely.
Safeguard your devices
Finally, ensuring your devices are up to cybersecurity snuff means you aren’t the only one charged with warding off social engineers — your devices are doing the same.
13. Don’t leave devices unattended.
14. Use cybersecurity software.
15. Keep your software up to date.
Manipulation is a nasty tactic for getting what you want. Thankfully, it’s not a sure-fire one when you know how to spot the signs. Now that you know what social engineering is — and the techniques associated with it — you’ll know when to put your guard up higher, online and offline.