Social Engineering
What Is Social Engineering?
Social engineering is the manipulation of a person into sharing confidential information (personal or financial) or taking an action they would not normally take and that compromises security (for example, granting access to a computer system or a physical location).
Social engineering exploits the natural human tendency to trust. It relies on human weaknesses rather than on vulnerabilities in software or hardware, which is why a fully patched system is no defense against it.
Third-party definition
Social engineering refers to all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons. – ENISA
Social Engineering Techniques
Common social engineering techniques include:
- Phishing. Sending fraudulent emails or messages that mimic legitimate organizations/individuals to get recipients to reveal sensitive information or download malware.
- Spear phishing. When the attacker customizes their phishing approach for a specific individual or organization, often using personal information to enhance their credibility.
- Pretexting. The attacker invents a scenario or pretends to need information for a legitimate reason, like a security verification or company survey, to extract sensitive data from their target.
- Baiting. Luring the victim with something enticing, such as a free music or movie download, that actually delivers malware or harvests credentials when the victim takes it.
- Quid pro quo. Similar to baiting, but the attacker offers a service rather than an item. A common form is a caller posing as a technical support agent who offers to fix a non-existent problem on the victim’s computer in return for their password or remote access.
- Tailgating or piggybacking. The attacker seeks physical access to a restricted area by following closely behind a legitimate employee or convincing someone to hold a door open for them.
- Vishing (voice phishing). Using phone calls to trick the target into divulging confidential information, often under the pretense of calling from a legitimate organization such as a bank or tax authority.
- Smishing (SMS phishing). Like vishing, but instead of calls, the attacker texts their victim.
- Whaling. A phishing attack aimed at high-profile individuals such as top executives, politicians, or celebrities. These high-value targets are referred to metaphorically as “whales,” hence the term.
- Business email compromise (BEC). When attackers compromise or impersonate corporate email accounts to defraud the company, its employees, customers, or partners out of money or sensitive information.
- Honey trap. The use of romantic or sexual attraction to manipulate, deceive, or capture a target, typically for political, military, or espionage purposes. The person setting the trap will use allure and charm to form a relationship with the target, gain their trust, and then extract sensitive information or influence them to take certain actions.
- Watering hole attack. Compromising a frequently visited website to target specific groups of users, infecting their devices with malware when they visit the site.
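Several of the techniques above leave traces in the message itself: a sender domain that merely resembles a trusted one (phishing, spear phishing), a display name that claims an address the message was not sent from, a Reply-To that quietly diverts replies elsewhere (business email compromise), and pressure language demanding urgent payment. The following Python script is an added example, not code from the original page or from any product it mentions; it scores constructed sample messages against those indicators. The trusted-domain list, the homoglyph table, the pressure-word list and the three messages are all assumptions made for the demonstration.

```python
"""Header-based triage for the phishing and BEC indicators described above.

Added example, not from the original page. The trusted-domain list, the
sample messages and the indicator weights are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

TRUSTED_DOMAINS = {"example.com", "example-bank.com"}  # assumed trusted senders

# A few substitutions used to build look-alike domains (far from exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0131": "i", "\u043e": "o"}

# Phrases typical of the urgency and payment pressure used in BEC and phishing.
PRESSURE = re.compile(r"\b(urgent|immediately|within 24 hours|wire transfer|gift cards?)\b", re.I)


def normalise(domain: str) -> str:
    """Undo common homoglyph substitutions so examp1e.com compares as example.com."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    The distance threshold of 2 is a tuning choice: lower it for short
    trusted domains, where two edits can reach an unrelated legitimate name.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return {'score': int, 'findings': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    imitated = lookalike(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # Display name carries a trusted address while the real address is elsewhere,
    # e.g. "ceo@example.com" <ceo.example@freemail.invalid>.
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append(f"display name claims {domain_of(display_name)}, address is {from_domain}")

    # Replies silently routed to a different mailbox than the apparent sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    if PRESSURE.search(msg.get("Subject", "") + " " + body):
        findings.append("pressure language (urgency or payment request)")

    return {"score": len(findings), "findings": findings}


# Constructed samples: a routine internal message and two social engineering attempts.
LEGITIMATE = """From: Alice Doe <alice@example.com>
To: bob@example.com
Subject: Notes from Tuesday's meeting

Attached are the notes. No action needed.
"""

BEC_ATTEMPT = """From: "ceo@example.com" <ceo.example@freemail.invalid>
Reply-To: payments@other-freemail.invalid
To: bob@example.com
Subject: Urgent wire transfer

I'm in a meeting. Please send the wire transfer immediately and confirm by reply.
"""

LOOKALIKE_ATTEMPT = """From: Security Team <security@examp1e.com>
To: bob@example.com
Subject: Verify your account within 24 hours

Click the link to re-verify your credentials.
"""

if __name__ == "__main__":
    for sample in (LEGITIMATE, BEC_ATTEMPT, LOOKALIKE_ATTEMPT):
        print(triage(sample))
```

The score is a count of independent indicators rather than a verdict: a single hit (a Reply-To on a mailing list, an "urgent" in a genuine subject line) is routine, while two or more together on a message asking for money or credentials is what an analyst would escalate. In a real mail pipeline the same checks would run alongside SPF, DKIM and DMARC results, which this offline example does not have access to.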
Why Social Engineering Is Dangerous
One of the main reasons social engineering is so dangerous is because it’s tough to spot and stop.
Unlike traditional attacks, which target technical vulnerabilities, social engineering exploits basic human traits such as trust, fear, and curiosity. These psychological manipulations are much harder to detect and prevent.
It doesn’t help that attackers often personalize their approach based on detailed research about their targets. This makes their fraudulent requests or offers seem more legitimate and increases the likelihood of success.
Everyone is susceptible to social engineering, regardless of their position or the level of their technical expertise. Even the most cautious individuals can be deceived if the attacker’s approach is convincing enough.
4 Stages of Social Engineering
Social engineering typically happens in four stages:
1. Research
The attacker gathers as much information as possible about the target. This can include information about the individual, such as their job role, interests, social habits, and broader information about their organization.
Public sources like social media, company websites, data brokers, and professional networking sites are common research tools. This stage is crucial for planning and making the attack as believable and effective as possible.
2. Establishing trust and rapport
Once the attacker has enough information, they initiate contact with the target.
The goal here is to establish a relationship and build trust. The attacker may impersonate someone the target knows or create a scenario that seems legitimate.
They might pose as a co-worker, an IT department member, a trusted vendor, or even law enforcement. The attacker uses the information gathered in the research stage to make their approach convincing.
3. Exploitation
With trust established, the attacker exploits the relationship to manipulate the target into divulging confidential information or performing actions that compromise security.
This can involve asking for sensitive information directly, tricking the target into breaking normal security procedures or convincing them to install malicious software.
4. Execution
In the final stage, the attacker uses the information or access they’ve gained to achieve their goal. This might be stealing funds, obtaining confidential data, installing malware, or gaining access to restricted areas.
After reaching their objective, attackers try to cover their tracks to avoid detection.
Reducing the Risk of Social Engineering Attacks
While training can help reduce the risk of social engineering attacks, it’s not foolproof. If an attacker can gather enough personal information about a target, they can build a pretext convincing enough to fool even a trained and cautious person.
For this reason, one of the best ways to protect yourself against social engineering attempts is to reduce your digital footprint and opt out of data brokers. Data brokers compile vast amounts of personal information, including addresses, phone numbers, email addresses, and employment history.
Removing your information from these databases means there’s less publicly available data for social engineers to use in crafting targeted and convincing scams. If a data broker doesn’t have your details, it’s more challenging for an attacker to impersonate someone in your circle or to create a scenario that feels personally relevant to you.
Even if you’re not the direct target, removing your personal information from data broker sites means that attackers trying to get to someone through you (like in a business email compromise attack) will find it harder to use your information as a leverage point.
However, remember to opt out of data brokers regularly. These sites relist people’s information as soon as they find more of it online. Alternatively, you can subscribe to a data broker removal service like DeleteMe.
Don’t stop at data brokers, either. Look at your overall digital footprint. If someone were to search for you online, what would they find? Depending on what comes up when you search for your name on your preferred search engine, you might want to remove your personal information from forum posts and old blogs and make your social media profiles visible to friends and family only.
Other steps you can take to avoid social engineering attacks are to keep antivirus software up to date, enable multi-factor authentication (preferring phishing-resistant methods such as hardware security keys, since one-time codes sent by SMS or an app can be relayed through a fake login page), and treat unsolicited requests for information, payments, or access with skepticism. Verify any such request through a channel you already trust, such as a phone number you know to be correct, rather than through the contact details given in the message itself.