Unlike cyber-hacking, social engineering relies on human error rather than technical loopholes in software or operating systems, and for that reason it can be hard to track and prevent.
How does social engineering work?
Social engineering attacks are generally carefully planned in advance, with research being carried out on the victim to discover potential areas of weakness.
The scams generally involve four stages:
- Planning: Perpetrators begin by identifying their intended victim, gathering information about them and planning the most appropriate form of attack.
- Approaching the victim: Once the groundwork has been laid, the victim is approached and deceived through a fictitious storyline.
- Extracting information: The victim is then convinced to hand over personal information or to download malware – depending on the intent of the scam.
- Ending the interaction: Once the goal has been reached, the perpetrator will then extract themselves from the interaction, ideally without arousing suspicion so that the victim is not aware they have been scammed.
What are examples of social engineering?
Social engineering can come in many different guises, wrapped up as an email from a friend or a message from a legitimate business. What they always have in common is the intent of deceiving and manipulating the victim in order to exploit them.
Here are some examples of social engineering:
1. Baiting
As the name suggests, baiting is a technique that entices the victim with bait, playing on the victim’s greed or curiosity, in the hope that they take it. This could be physical bait – such as an intriguingly labelled USB drive left lying in a workplace. Most commonly, though, baiting occurs on peer-to-peer or social media sites, offering a free download of a video or music, as well as too-good-to-be-true offers on marketplaces or auction sites.
2. Phishing scams
Phishing scams are the most well-known form of social engineering. Since they are mass-produced email or SMS campaigns, they are the easiest for anti-spam software to detect and nullify.
The content and title of the email or SMS will play on the curiosity, greed or fear of the recipients, often with an added element of urgency to manipulate victims into responding before they have adequate time to reflect.
- A notification that you are a “winner” of a competition
- A request for a charitable donation
- A request for help – e.g. from a “friend” who is stuck in a foreign country
- A warning of a problem that you must click on the link to fix.
3. Spear Phishing
Similar to phishing, spear phishing uses emails or SMS to try to elicit information from the recipients. However, spear phishing is more highly targeted and therefore more difficult to detect.
Attackers select individuals or organisations and tailor their messaging to reflect the style of the individual or company, so they do not appear conspicuous. They may impersonate someone within the business – such as an IT technician – and send emails to colleagues telling them they need to reset passwords etc.
4. Scareware
Unlike baiting, scareware is used to exploit fear, rather than curiosity. It will create false alarm in its victims, notifying them of threats, such as malware being found on their computer. The victim falls for the trick and installs the software that the attacker offers as a solution to the threat. In reality the software is generally malicious and designed to serve the attacker’s purposes.
Spyware may come in the form of an email, but it can also appear as pop-ups on your browser that direct you to a malicious site or invite you to download the malware.
5. DNS spoofing
DNS spoofing, also known as cache poisoning, is when hackers implant malicious redirects into a browser cache that redirect the user to counterfeit websites. The attackers target specific websites, and when users try to access the site, for example to log into their account, they are rerouted without their knowledge to a fake website that will infect their computer with malware or gather all of their login details.
An example of this was a hack in 2018 of the cryptocurrency Ethereum’s website. The hackers gathered credentials from the users who logged into the decoy website, which they subsequently used to log into users’ accounts and drain their wallets of cryptocurrency.
In this scenario, the attacker creates a more complex storyline for connecting with the victim. They will often pose as a legitimate source – a bank, tax office or law firm etc – since the victim is more likely to be willing to hand over information to a source they trust.
The attacker will build a storyline explaining a need for access to sensitive information from the victim – such as social security details, contact information or credit card details. They could also extract payment under false pretences.
For example, you may get an email apparently from the Post Office saying you have unpaid fees on delivery, which you need to settle before the package can be delivered to you. The email may even include some personal details such as your name and address, making it appear legitimate. You are therefore likely to enter login details when requested, even if you are not aware of which package the email refers to.
How to prevent social engineering
Social engineering attacks can be very carefully targeted and difficult to spot. They manipulate key human instincts such as fear and curiosity, and can be humiliating to fall victim to.
So what can you do to ensure you don’t fall for these sorts of attacks?
- Increase your awareness – educate yourself as to the forms that social engineering can take, so that you are more able to spot likely scenarios.
- Avoid suspicious emails, pop-ups or downloads – if an email is suspicious, avoid opening it at all and do not click on any links. Similarly, avoid clicking on pop-ups or downloading files from the internet unless you trust the source. Simply clicking on a malicious link could open you up to malware.
- Take your time – Many social engineering scams are geared to play upon your instincts and catch you off guard. Always take your time when dealing with unsolicited emails and don’t act upon them until you have had time to reflect. If it is a legitimate email, the likelihood is that delaying your response by a day or two won’t matter.
- Verify unknown sources – if you receive communications from an unknown source that appear suspicious, run a Google search on a different device to check their authenticity. If it appears to be from a legitimate source, try logging onto the company website independently, rather than following a link, and find a phone number you can call to enquire further before taking any action.
- Double-check messages from known sources – even if you know the person who has contacted you, if you are in any way suspicious about their message, try contacting them through alternative means – such as by phone – to check that their message was real. Attackers can impersonate individuals to gain trust, and this can make them harder to spot.