Social Engineering
What is Social Engineering & What Are The Common Types?
Within cyber security, social engineering is the practice of using psychological manipulation to trick victims into revealing sensitive information or taking unsafe actions, such as clicking a malicious link.
Even the best security software and hardware can be bypassed by a single click from an unwitting target, so cyber-criminals are increasingly relying on these digital social engineering techniques to successfully carry out their phishing attempts.
In this way, the success or failure of any type of phishing attack is entirely dependent on the target’s ability to recognise social engineering.
Social engineering meaning
Social engineering refers to the tactic of using psychological persuasion and analysis to trick a person into giving away their personal data. It’s not technically a cyber-attack as it focussed on the human element more than the technical. But it is usually a key element in most phishing attacks.
The term ‘social engineer’ was first used in 1894 by industrialist J.C. Van Marken, and later by sociologist Edwin L. Earp. It was originally defined as an approach to social relations that regarded people as machinery. The theory was that society could be ‘engineered’ into behaving a certain way and therefore bring about social change.
How to prevent social engineering
The rising quality of cybersecurity hardware means that hackers are increasingly reliant on social engineering and human error to successfully carry out their phishing attacks.
By investing in regular Security Awareness Training and teaching your staff how to spot a spoof email address or dodgy website link, you can increase your defences and eliminate social engineering threats.
Download our Social Engineering Safety infographic and learn about some of the most common social engineering tactics being used today. These include:
- Emotionally charged emails – If a message makes you panic, then take a minute to stop, breathe, and think. Social engineers rely on fear making you take immediate (and unwise) actions.
- False identities – Look out for emails from unknown contacts claiming to be from the IT support team. Social engineers will often ask you to install software or send them your password so they can “upgrade” your account.
- Spear phishing attacks – Always check the sender’s email address and writing style to ensure your message has actually been sent by the person they’re claiming to be.
- “Is it too good to be true?” –Social engineers will often try and offer your exceptional deals or discounts to make you click on a dodgy link. If it sounds too good to be true: it probably is.
- Manners maketh man – Social engineering can happen in real life as well as in the digital world. Always follow building access and security protocols, even if it feels ‘rude’, as Threat Actors will often rely on good manners clouding your common sense.
Social engineering techniques
Social engineering can be broken down into four phases, all with their own techniques and motivations.
Understanding how each phase works can help you identify a social engineering attempt – so read through the descriptions below and start learning what to look for.
1. Research
The first step to any successful social engineering attempt is research. During this initial phase, the hacker will learn everything there is to know about their target individual and organisation. The more they know, the more they can exploit later.
They often use free information found publicly on search engines, social media pages and news articles, but may also acquire more sensitive data through the dark web or a previous phishing attack.
An experienced social engineer might also research third party organisations and contacts, to discover things like which delivery company the victim uses, who their accountant is, how often they speak with their boss, what kind of coffee they order…
The list is endless and some of the information may seem useless to you, but to a social engineer, knowledge is power.
2. Planning
Planning is where the social engineer creates a strategy to lead them to their final goal.
Are they aiming to steal bank account numbers or vital documents? Do they want to silently install malware for future use? The hacker will need to use different social engineering techniques in each of these scenarios.
If a social engineer is planning an attack on a business, this might also be where they decide which employee to approach. Different employees will have difference access levels and training backgrounds, so choosing the right target and planning correctly is crucial.
3. Contact
The social engineer contacts their chosen victim and begins working to gain their trust. Their initial approach will depend on the plan they’ve worked out earlier.
For instance, if the target is a younger employee, the social engineer may impersonate the CEO, using a firm and dismissive tone of voice to intimidate the victim and manipulate them into following orders.
Or they might opt for a very friendly tone instead, offering helpful hints or favours to win over the victim’s trust and confidence. This contact method can be particularly dangerous as the victim may become an unwitting insider threat.
4. Execute
Thank to your unsuspecting employee, the hacker is now inside your defence network. Whether they’re looking for credit card details, employee credentials or company secrets – they now have everything they need to cause almost unlimited damage to your business.
If the social engineer has done their job properly, your staff will have no idea they were party to a potentially devastating data breach.
Occasionally, the social engineer may even contact their victim again after the attack, to avoid suspicion and retain the connection. This massively increases the risk of the hacker returning in the future to do it all again.
Types of social engineering
The most effective weapon against social engineering is awareness. With Security Awareness Training, you can help protect your organisation and encourage your employees to do the same.
Here is a quick introduction to some of the main types of social engineering attacks we see every day:
1. Phishing
Phishing scams are the most used attack vector by modern social engineers, with over 90% of all data breaches caused by phishing attacks.
Most phishing attempts begin with an email or SMS message (known as ‘smishing’) containing a malicious link or attachment that’s designed to steal sensitive information from the victim – such as log in credentials, credit card numbers or bank account details.
Social engineers often impersonate well-known, reputable organisations and trick victims into thinking they need to make a change to their account or update their personal details.
2. Spear phishing
Spear Phishing is the significantly more refined and targeted version of a phishing attack. The social engineer will spend considerable time researching their target organisation and spear phishing victim, aiming for a more valuable pay-off.
Instead of sending thousands of vague emails to a large number of inboxes, spear phishing attacks may only need one carefully written email sent to a single, well-selected employee to cause infinite damage.
3. Baiting
Baiting is when a social engineer uses a carefully chosen piece of bait to lure their victim into doing something they shouldn’t – such as clicking on a digital file marked ‘Confidential’.
Alternatively, a social engineer might leave a malware-loaded USB stick marked “Bonus Schedule Q4” in the office cafeteria or on a bench where the boss has their coffee each morning.
All it takes is one unsuspecting employee to plug in the device – hoping for some juicy gossip or insider information – and the social engineer will be inside your network.
4. Scareware
Scareware is a form of malicious software designed to scare the victim into taking an action that benefits the social engineer. This could include fake virus-scanning software that informs the victim their device has been infected and they must purchase a license to remove it.
Scare attacks are most effective against individuals with very little security awareness training. Without regular testing, users might be aware of the dangers of malware, but may not be able to spot the fake software.
The impact of social engineering attacks on your business
The insidious nature of social engineering can cause devastating damage to a business’ infrastructure and reputation. Over 90% of successful data breaches in 2022 were caused by a phishing attack, and most of these attempts began with careful use of social engineering techniques.
One human mistake can breach even the strongest of security and technological defences – resulting in loss of data, customers, and billions in revenue.
Other critical consequences of a business falling prey to social engineering can include:
- Identity theft
- Client information theft
- Theft of funds
- Credit card fraud
- Loss of intellectual property
- Installation of malware and ransomware