Social Engineering

Social engineering is the practice of criminals manipulating people into performing actions or divulging confidential information for the attacker's benefit. Social engineering attacks can be carried out in person, over the phone, or via email.

When targeting individuals, the aim is usually to obtain passwords and banking information, either by tricking the user directly or by installing malicious software that gives the attacker control of the victim's computer. In the case of businesses, social engineers might try to get employees or contractors to disclose internal information or the location of a secure room.
In 2020, social engineering was responsible for 33% of reported cyber attacks (according to Verizon’s 2020 Data Breach Investigations Report).

Common types of social engineering attacks

Social engineers use several different tactics. Which one they choose depends on their creativity and on how much access they already have to the person or organisation they are trying to exploit. These are some of the most common examples:

Sending emails and attachments posing as a trusted person or source

This technique is known as phishing. Hackers pose as a person or company known to the user and send them an email containing an attachment or link. If the user opens the attachment or clicks the link, malware is installed on their computer, giving the hackers access to confidential information and files. These emails are designed to deceive, and are often disguised as something harmless yet urgent, such as an invoice.

Posing as a service provider

Criminals pose as an employee of a bank, internet service provider (ISP), or another well-known organisation to extract information such as passwords and account numbers.
The hackers request this information in order to 'help' the user resolve a 'security issue'. To counter these attacks and keep data out of the wrong hands, many service providers now state that they will never ask for personal information through certain channels.

Sending lies to users to scam them into taking an action

Pretexting is another form of phishing attack in which a criminal poses as a person or business and uses a compelling story to make the user believe they are taking a helpful or advantageous action. Typical examples of the lies include:

  • A ‘friend’ has been injured, robbed, or beaten and is stuck in a hospital abroad. They urgently require funds to travel home and provide instructions on how to transfer the money across.
  • A ‘boss’ or ‘colleague’ asking for company credit card information, an update on an important project or another day-to-day business question.
  • A notification from a ‘company’ congratulating the user on winning a prize. This email will ask for banking information for the ‘winnings’ to be distributed to.
  • A request to verify information by clicking a link and completing a form. The form is built to look identical to the company's real website, so it often appears legitimate.
  • A request to donate to a charity fundraiser or another type of cause, complete with instructions on how to send money.
  • A genuine-sounding message received via email, comment, text or instant message from a seemingly legitimate organisation to provide personal information (e.g. a postal service texting someone to say they need to pay an outstanding postage fee).

Online baiting schemes

These social engineering schemes are an easy win for criminals. By creating websites or posting links on social media to something desirable – such as a free download of software that would otherwise be expensive, or a recent film release – they can trick users into downloading malware onto their system.

More often than not, these baiting schemes are built around whatever is currently trending, maximising the opportunity to access a user's data and accounts. As a result, many users encounter these scams through search engine results, where it is hard to judge whether a source is safe.

Creating distrust and conflicts

Another social engineering technique is using a user’s relationships with others against them. Here are a couple of examples:

  • Posing as a spouse and asking for funds to repair their car following an accident, encouraging them to make a payment that they would not otherwise make.
  • Using editing software to alter sensitive company communications to trigger a negative emotional response, increasing a person’s vulnerability and likelihood to divulge too much information.

In some instances, the victims may not be strangers. The criminals themselves may use their own relationships to manipulate those close to them. 

How to avoid social engineering scams

There are a number of ways that individuals and businesses can prevent the disclosure of confidential information and unauthorised access to accounts:

  1. Always be suspicious of any sudden request for information or money, particularly from unfamiliar email addresses or individuals. In this situation, people often act before thinking and only realise their error of judgement later on.

  2. If in doubt about the legitimacy of a request from a service provider or other organisation, go directly to their website (not via any web link provided) and contact them to verify whether the request is genuine. Research is the key to prevention.

  3. Hover over links in suspicious emails to reveal the real destination URL, usually shown at the bottom of the window. This lets users check whether a link is genuine or fake before clicking it.

  4. Do not download anything if the sender is unfamiliar or the download itself is unexpected. Equally, if someone the user knows sends something they are not expecting, they should check with that person before clicking, in case the sender's account has been hacked.

  5. Delete emails from a foreign country that allude to a lottery, sweepstake, or anything else suspicious along these lines. These are a form of baiting and a guaranteed scam.

  6. Undertake cybersecurity training to understand the approaches criminals take and how to avoid falling victim to online security breaches.

  7. Ask a cybersecurity specialist to organise a cyber attack simulation (penetration test). This will highlight any technical vulnerabilities a business has and help to put the right systems in place to prevent malicious activity.
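The link check in step 3 (does the text a link shows match where it actually goes?) can also be automated on the defensive side, for example in a mail filter or awareness tool. The following Python script is an added example written for this article; it is not code from the original page or from CyberCrowd. It parses the anchors in an HTML email body and flags any whose visible text names a domain that differs from the host in the real `href`, the classic invoice-style lure described above. The sample email body, the `find_deceptive_links` and `registrable_domain` helper names, and the `.test`/documentation addresses are all constructed for the example; the registrable-domain logic is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Flag links in an HTML email whose visible text points somewhere other than the href.

Added example for the 'hover over links' advice; not part of the original article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (documentation/test addresses only, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. Please review it at
<a href="http://203.0.113.10/login">https://billing.example.com/invoice</a></p>
<p>Or visit <a href="https://www.example.com/help">our help centre</a>.</p>
<p>Confirm your account: <a href="https://example.com.evil.test/verify">example.com</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a domain name (optionally with scheme) inside the link's visible text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real filter would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return a list of findings for links whose shown domain differs from the real host.

    Links whose text is plain words (e.g. 'our help centre') give the reader nothing to
    compare, so they are not flagged; only text that itself names a domain is checked.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual_host = urlparse(href).hostname or ""
        match = _DOMAIN_RE.search(text)
        if not match:
            continue
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {finding['shown']!r} but goes to {finding['actual']!r} ({finding['href']})")
```

Run against the constructed sample, the script flags the invoice link (text shows billing.example.com, destination is a raw IP address) and the lookalike 'example.com' link whose real host is example.com.evil.test, while leaving the genuine help-centre link alone. The same comparison is what a user performs by hand when hovering over a link, which is why the two steps complement each other.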

With the rise of remote working and the increased threat of social engineering attacks, it is more important than ever that employees understand cybersecurity best practices.

At CyberCrowd, we offer cyber awareness training to improve a business's resilience against social engineering attacks and email phishing.