Social engineering is a term used to describe the ways in which fraudsters manipulate people into performing certain actions.
In an information security context, it refers to the tactics used to trick people into handing over sensitive information or exposing their devices to malware.
Because social engineering works by tricking people into making mistakes, the resulting threats can be difficult to identify and correct.
Unlike technical weaknesses, it’s not as simple as running a vulnerability scan and securing your system. Human error is much harder to mitigate, and doing so requires potential victims to understand how criminals operate.
We provide everything you need to know in this blog, explaining the techniques that cyber criminals use and what you can do to stay safe.
How does social engineering work?
Social engineering begins with the scammer investigating the victim to gather information that can help them conduct their con.
For online scams, this could include technical information, such as the email address of a senior employee, whose contact details they will attempt to replicate in a bogus message.
The scammer may also research the relationship between that employee and the target of their attack to ensure that their message sounds genuine.
Meanwhile, a fraudster conducting a social engineering attack in person might investigate how they can breach the organisation’s perimeter without raising an alarm.
For example, they might look for ways they can fool someone into thinking they are permitted into the building, or probe weak security protocols that allow them to enter undetected.
From there, it’s a case of tricking someone into performing a certain action, and in the next section, we look at some ways in which fraudsters do that.
Social engineering attack techniques
Here are 12 of the most common techniques used in social engineering attacks:
1. Phishing
Phishing is the quintessential example of social engineering, with scammers emailing people pretending to be from a trusted source.
They will try to trick recipients into handing over their personal details or downloading an infected attachment.
They typically do that by creating a sense of fear or curiosity. For example, they might imitate a subscription service such as Netflix and claim that, due to a security alert, you must follow a link to change your password.
2. Baiting
This is a specific type of phishing scam in which the scammers claim they have something beneficial for the victim if they follow their instructions.
For example, a scam might direct the victim towards a website where they can supposedly download music, TV series or films. However, that website is designed to capture personal information or trick people into downloading infected files.
Baiting has also been used in physical attacks, with scammers leaving infected USB drives lying around conspicuously, waiting for someone to pick them up thinking that there might be something interesting on them.
3. Quid pro quo
Similar to baiting, quid pro quo attacks claim to help the victim – usually by offering a service – in exchange for information. The difference is that these types of attacks are supposedly mutually beneficial.
The most widely known quid pro quo attack is the Nigerian prince scam: the attacker has vast sums of money they need help transferring, and if you give them the cash to do that, you’ll be recompensed.
Attacks have become more credible since then, and may involve, for example, an attacker phoning an employee claiming to be from technical support. They will say that there is something wrong with the employee’s device and that they need their personal details to proceed.
4. Scareware
This attack is designed to trick people into buying unnecessary software. It begins with a pop-up ad – generally imitating a Windows error message or antivirus program – claiming that the victim’s computer has been infected with malware.
Alongside the message, the ad will claim that the target needs to purchase or upgrade their software to fix the issue.
The bogus software appears to scan the computer but is in fact either doing nothing or installing malware.
5. Pretexting
This refers to the creation of a false scenario – or pretext – to contact victims.
In a typical social engineering scam, the pretext might be that there has been suspicious activity on your bank account or that you need to confirm your payment card details for an Amazon order.
6. Spear phishing
Spear phishing is a specific type of phishing attack in which criminals tailor their scams to a specific person. They do this by researching the target online – often using information from social media – and by imitating a familiar email address.
An attacker might look at a victim’s job title, the people whom they manage, the sorts of requests they send and the language and tone they use in correspondences.
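The impersonation described here, a familiar name paired with a near-identical sender address, can be checked mechanically before a message reaches the reader. The following Python is an added example, not code from this blog or its authors; the organisation domain example.com, the known-sender directory and the two sample messages are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed example data: the organisation's own domain and a small directory
# of known senders (display name -> address) used to spot an impersonated colleague.
INTERNAL_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_sender(raw_message):
    """Return the impersonation indicators found in a message's From/Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(addr)
    findings = []
    # A familiar display name attached to an address we do not know for that person.
    known = KNOWN_SENDERS.get(" ".join(name.split()).lower())
    if known and addr.lower() != known:
        findings.append("display name matches a known sender but the address differs")
    # A domain one or two characters away from ours is a classic lookalike.
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")
    # Replies silently redirected to a third domain the reader never sees.
    if reply_addr and domain_of(reply_addr) != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: Jane Doe <jd.payments@mail-example.net>\n"
    "Subject: Urgent: wire transfer before 5pm\n\nPlease process the attached invoice today.\n"
)
LEGITIMATE = "From: Jane Doe <jane.doe@example.com>\nSubject: Minutes\n\nAttached.\n"
```

Running `assess_sender(SPOOFED)` returns three findings, while the genuine message returns none; in practice the same checks belong in a mail gateway rule or a warning banner rather than in the reader's hands.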
7. Whaling
Whaling is an even more advanced version of phishing, in which the attacker targets high-level employees who have privileged access to systems or highly valuable sensitive information.
Network executives, the C-suite and finance executives are the most common targets of whaling.
8. Angler phishing
This is another type of phishing in which scammers pose as customer representatives on social media.
They create accounts that imitate an official brand and wait for someone to post a complaint about that organisation on Facebook or Twitter.
The scammer will respond in one of two ways. They might link to what appears to be an official complaint channel or offer the victim something by way of an apology, such as a discount on their next purchase.
Both these approaches are designed to direct the victim to a site or email address controlled by the attacker, where they’ll attempt to steal the victim’s personal information.
9. Vishing
Vishing is the term given to phishing attacks that are carried out over the phone rather than by email.
Fraudsters use the same techniques that you see in phishing scams, preying on people’s sense of fear and curiosity, to coerce them into handing over sensitive information.
10. Watering hole
In these attacks, cyber attackers compromise a legitimate website using a zero-day exploit, and plant malware.
Watering hole attacks take skill to conduct, as the attacker must find a way to use the vulnerability without raising alarms.
11. Diversion theft
This is a type of social engineering attack that takes place in person. The scammer identifies and then diverts a delivery person to the wrong location.
They then turn up at the real site pretending to be the courier in order to steal packages or sensitive documents.
12. Tailgating
Tailgating attacks are another form of social engineering carried out in person, in which the attacker acts as though they belong in a restricted area.
For example, they might follow someone through a door with a keycode and ask them to hold the door while they enter.
What is the best defence against social engineering?
Because social engineering manipulates the way people think and act, the best way to defend against attacks is to train yourself to spot the signs of a scam.
Potential victims should get into the habit of asking whether there is something unusual going on. Have they seen that person before? Does this email create a sense of curiosity or fear?
If any suspicions are aroused, they must take a moment to look for discrepancies that might suggest that they are being manipulated.
Even the most sophisticated scams will contain clues that point to their true nature, and you can find out how adept your employees are at spotting them with our Phishing Staff Awareness E-learning Course.
The course is updated quarterly to contain the latest tricks that cyber criminals use and up-to-date guidance on how to spot the signs of a scam.
It also provides knowledge checks at the end of each section and a final assessment upon completion of the course. This ensures that staff understand the course content, and gives them clarity on anything they may have misunderstood.
The course addresses each of the points we’ve outlined in this article, so if you’re looking for an e-learning training provider, why not join the 800 organisations that are already using our courses?