
What is social engineering? It is a form of cyberattack that involves using manipulation and deception to gain access to data or information. The goal of social engineering is to trick people into divulging sensitive information, such as passwords and network details, by making them believe they are interacting with someone they trust. 

In some cases, social engineers will also attempt to get you to download malware — software that can be used for malicious purposes — onto your computer without you noticing.

What is Social Engineering: Definition

Social engineering is the act of manipulating people into performing actions or divulging confidential information. It’s a form of hacking, but instead of breaking into computers, social engineers try to gain access to them by tricking employees into giving up information or downloading malware.

Techniques of Social Engineering: How Does Social Engineering Work?

  • Social engineering may be carried out over the phone, via email, or via text messages. A social engineer may call a company and ask for access to a restricted area, or they may impersonate someone in order to get someone else to open an email account on their behalf.
  • Social engineers use many different tactics in order to achieve their goals. For example, they may claim that they are calling from a company’s help desk and request remote access so they can fix something on your computer or network. Or they might claim that they need your password or other personal information such as bank credentials so they can resolve an issue with your bank account.
  • In some cases, social engineers will even pretend to be law enforcement officers and threaten legal action if you refuse to comply with their demands for information. While it’s important for businesses to take these threats seriously, remember that the police will never call up someone and ask them for their passwords over the phone!

Purpose of Social Engineering

Social engineering is often used in phishing attacks, which are emails that appear to be from a trusted source but are actually aimed at stealing your personal information. The emails usually contain an attachment with malicious software (often called malware) that will infect your computer if opened.

The goal of social engineering is always the same: getting access to something valuable without having to work for it. 

1. Stealing sensitive information

Social engineers may try to trick you into giving up your login credentials (your username or email address and password) so they can access your email account or social media profile, where they can harvest personal information such as credit card numbers and bank account details from previous transactions.

2. Identity theft

They could also use this information to assume the victim's identity and carry out malicious activities while posing as them later on, if they keep the stolen data rather than discarding it immediately.


How to identify a Social Engineering Attack?

1. Trust your gut

If you receive any emails or phone calls that sound suspicious, don't give out any information until you've verified the sender's identity. You can do this by calling your company directly or by checking in with the person who supposedly sent the email or left a message on your voicemail.

2. Don’t submit your personal information

If someone asks for your Social Security number or other private details, that’s a sign that they’re trying to take advantage of your trust and use it against you later. It’s advised not to give out any information unless it’s absolutely necessary. 

3. Unusual Requests Without Context

Social engineers usually make large requests without giving any context. If someone asks for money or other resources without explaining why they need it, there’s probably something fishy going on there. It’s better to err on the side of caution when someone makes a large request like this—you never know what kind of damage could be done with access to your bank account!

Here are some ways you can spot social engineering attacks:

  • Receiving an email from someone who claims to be from your IT department asking you to reset your password and provide it in an email or text message
  • Receiving an email from someone claiming to be from your bank asking for personal information, such as your account number or PIN code
  • Being asked for information about the company by someone claiming to be from the company’s HR department

Email-based Social Engineering Attacks

Phishing emails – These look like they’re from a legitimate source but are actually trying to trick you into opening an attachment or visiting a malicious website

Spear phishing – Spear phishing attacks are more targeted than phishing emails and use information about you to make them seem more credible

CEO Fraud – CEO fraud is a type of phishing scam that involves impersonating a CEO or high-level executive in order to get access to sensitive information. This can include bank account numbers, wire transfer details, or even employee payroll information.


How to Prevent Social Engineering?

We’ve got some tips on how to prevent social engineering attacks and protect yourself from them.

  1. Make sure you have good antivirus software installed on your devices and computers.
  2. Don’t open suspicious emails or attachments from people who aren’t in your circle of trust (this includes emails from anyone claiming to be your bank or credit card company).
  3. Don’t click on links in emails unless you’re sure they’re safe—even if they come from someone you know! If there’s ever any doubt about whether an email is legitimate, call up the sender directly via phone or text message instead of looking for more information online first.
  4. Be wary of unsolicited phone calls or text messages offering something “too good to be true” (this could include free prizes and other offers for signing up for things like free trials). 
  5. Use two-factor authentication wherever possible—this means that even if someone has your password, they will still need another piece of information (like a one-time code) in order to access your account.
  6. Set up email authentication protocols like DMARC to secure your email channels against phishing attacks, social engineering, and domain abuse. 

To Summarize

It’s important to protect against social engineering because it can result in losing money and other personal information as well as compromising security systems and data breaches. 

No matter how good your IT team is at protecting your company from cyberattacks, you can never completely eliminate the risk of someone trying to get into your system through social engineering methods. That’s why it’s so important to train employees about identifying phishing emails and other types of social engineering attacks.

Before diving into the types of social engineering attacks that victims fall prey to on a daily basis, along with newer attacks that have taken the internet by storm, let's first briefly go over what social engineering is all about.

To explain it in layman’s terms, social engineering refers to a cyberattack deployment tactic where threat actors use psychological manipulation to exploit their victims and defraud them.

Social Engineering: Definition and Examples

What is a social engineering attack?

As opposed to cybercriminals hacking into your computer or email system, social engineering attacks are orchestrated by influencing a victim's judgement and maneuvering them into exposing sensitive information. Security analysts have confirmed that more than 70% of cyberattacks that take place on the internet on an annual basis are social engineering attacks.

Social Engineering Examples

Consider the following example (the screenshot from the original post is not reproduced here). An online advertisement lures the victim in with a promise to earn $1000 per hour. This ad contains a malicious link that can initiate a malware installation on their system.

This type of attack is commonly known as Online Baiting or simply Baiting, and is a form of social engineering attack. 

Another example: social engineering attacks can also be perpetrated using email as a potent medium. A common example of this is a Phishing attack. We will get into these attacks in more detail in the next section.

Types of Social Engineering Attacks

1. Vishing & Smishing

Suppose today you get an SMS from your bank (supposedly) asking you to verify your identity by clicking on a link, or else your account will be deactivated. This is a very common message that is often circulated by cybercriminals to fool unsuspecting people. Once you click on the link you are redirected to a spoofed page that demands your banking information. Rest assured that if you end up providing your bank details to attackers they will drain your account.

Similarly, Vishing or Voice phishing is initiated through phone calls instead of SMS.

2. Online Baiting / Baiting 

We come across a range of online advertisements every single day while browsing websites. While most of them are harmless and authentic, there might be a few bad apples hiding in the lot. This can be identified easily by spotting advertisements that seem too good to be true. They usually have ridiculous claims and lures such as hitting the jackpot or offering a huge discount.

Remember that this may be a trap (aka a bait). If something appears too good to be true, it probably is. Hence it is better to steer clear of suspicious ads on the internet, and resist clicking on them.

3. Phishing

Social engineering attacks are more often than not carried out via emails, and are termed Phishing. Phishing attacks have been wreaking havoc on a global scale for almost as long as email itself has existed. Since 2020, due to a spike in email communications, the rate of phishing has also shot up, defrauding organizations, large and small, and making headlines every day. 

Phishing attacks can be categorized into Spear phishing, whaling, and CEO fraud, referring to the act of impersonating specific employees within an organization, decision-makers of the company, and the CEO, respectively.

4. Romance scams

The Federal Bureau of Investigation (FBI) defines internet romance scams as "scams that occur when a criminal adopts a fake online identity to gain a victim's affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim."

Romance scams fall under the types of social engineering attacks since attackers use manipulative tactics to form a close romantic relationship with their victims before acting on their main agenda: i.e. scamming them. In 2021, Romance scams took the #1 position as the most financially damaging cyberattack of the year, closely followed by ransomware.

5. Spoofing

Domain spoofing is a highly evolved form of social engineering attack. This is when an attacker forges a legitimate company domain to send emails to customers on behalf of the sending organization. The attacker manipulates victims into believing that the said email comes from an authentic source, i.e. a company whose services they rely on. 

Spoofing attacks are hard to track since the emails appear to be sent from a company's own domain. However, there are ways to mitigate them. One of the popular methods used and recommended by industry experts is to minimize spoofing with the help of a DMARC setup.

6. Pretexting

Pretexting is often the opening step of a social engineering attack. The attacker weaves a fabricated story (the pretext) to justify a request for sensitive company information. In most cases pretexting is carried out via phone calls, wherein an attacker impersonates a customer or employee and demands sensitive information from the company.

What is a common method used in social engineering?

The most common method used in social engineering is Phishing. Let’s take a look at some statistics to better understand how Phishing is a rising global threat:

  • The 2021 Cybersecurity Threat Trends report by CISCO highlighted that a whopping 90% of data breaches take place as a result of phishing
  • IBM, in its Cost of a Data Breach Report of 2021, named phishing the most costly attack vector
  • The FBI has reported that the rate of phishing attacks increases by 400% each year

How to protect yourself from Social Engineering attacks?

Protocols and tools you can configure: 

  • Deploy email authentication protocols at your organization like SPF, DKIM, and DMARC. Start by creating a free DMARC record today with our DMARC record generator.
  • Enforce your DMARC policy to p=reject to minimize direct domain spoofing and email phishing attacks
  • Make sure your computer system is protected with antivirus software

Personal measures you can take:

  • Raise awareness in your organization against common types of social engineering attacks, attack vectors, and warning signs
  • Educate yourself regarding attack vectors and types. Visit our knowledge base, enter “phishing” in the search bar, hit enter, and start learning today!  
  • Never submit confidential information on external websites
  • Enable caller ID identification applications on your mobile device
  • Always remember that your bank will never ask you to submit your account information and password via email, SMS, or call
  • Always compare the From address with the Return-Path address of the emails you receive to make sure they match
  • Never click on suspicious email attachments or links before being 100% sure about the authenticity of their source
  • Think twice before trusting people you interact with online and do not know in real life
  • Do not browse websites that are not secured over an HTTPS connection (e.g. http://domain.com)
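The From versus Return-Path comparison in the list above is the same relationship DMARC's SPF alignment checks, and it can be automated. This is an added example, not code from the original post; the two raw messages are constructed for illustration, and the organizational-domain helper is a simplified assumption (real DMARC checks use the Public Suffix List).

```python
import email
from email.utils import parseaddr

# Constructed raw message (not from the original post): the From: domain looks like
# a bank, but the bounce address (Return-Path) belongs to an unrelated domain.
SUSPICIOUS_MSG = b"""Return-Path: <bounce@mailer-xyz.example>
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Verify your account

Click the link to verify your identity.
"""

# Constructed message where both addresses belong to the same domain.
ALIGNED_MSG = b"""Return-Path: <bounce@examplebank.example>
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your statement is ready

Your monthly statement is available.
"""


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from a header value like '"Name" <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption; wrong for
    multi-label suffixes such as co.uk, where the Public Suffix List is needed)."""
    return ".".join(domain.split(".")[-2:])


def check_alignment(raw: bytes) -> dict:
    """Compare the From: domain with the Return-Path domain as DMARC SPF alignment does.
    'strict' requires identical domains; 'relaxed' accepts the same organizational domain."""
    msg = email.message_from_bytes(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    strict = bool(from_dom) and from_dom == rp_dom
    relaxed = bool(from_dom) and org_domain(from_dom) == org_domain(rp_dom)
    return {"from": from_dom, "return_path": rp_dom, "strict": strict, "relaxed": relaxed}
```

A mismatch is a warning sign rather than proof of phishing (legitimate bulk senders sometimes use a separate bounce domain), and a match alone does not prove the mail is genuine, so treat the result as one signal alongside the Authentication-Results header added by your mail provider.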