
Social Engineering
Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. These types of attacks lure unsuspecting individuals to provide personal information such as bank account numbers, social security numbers, and other sensitive information with the hacker's goal of breaching your financial accounts. Phishing used to obtain social security numbers, addresses, and other forms of personal information is the most common form of social engineering. In addition to stealing an individual’s identity or compromising a credit card or bank account, social engineering can be applied to obtain a company’s trade secrets or exploit national security.

What Is Social Engineering?
Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target’s account.





Understanding Social Engineering
Social engineering refers to the manipulation of a target so that they give up key information. In addition to stealing an individual’s identity or compromising a credit card or bank account, social engineering can be applied to obtain a company’s trade secrets or exploit national security.
For example, a woman might call a male victim’s bank, pretend to be his wife, claim an emergency, and request access to his account. If the woman can successfully socially engineer the bank's customer service representative by appealing to the representative's empathetic tendency, she may succeed in obtaining access to the man’s account and stealing his money.
Similarly, an attacker might contact an email provider’s customer service department to obtain a password reset, making it possible for the attacker to control a target’s email account rather than hacking into that account.
Preventing Social Engineering
Social engineering is difficult for potential targets to prevent. Precautions such as strong passwords and two-factor authentication for accounts can be used, but accounts can still be compromised by third parties with access to them, such as bank employees.
However, individuals can decrease their risk in many ways. These include avoiding giving out confidential information, being cautious when sharing information on social media, and not reusing passwords across your accounts. Additional ways to reduce the risk of being hacked are using two-factor authentication, using fake or difficult-to-guess answers to account security questions, and keeping a close eye on accounts, particularly financial ones.
Set your spam filters to high to keep out unwanted messages, and never open an attachment without careful consideration of what it contains. And it is always a wise decision to pay close attention to any emails that seem suspicious or out of the ordinary, even if they seem to come from someone or a business you know.
Social Engineering Tactics
Attackers often use surprisingly simple tactics in social engineering schemes, such as asking people for help. Another tactic is to exploit disaster victims by asking them to provide personally identifiable information such as maiden names, addresses, dates of birth, and social security numbers for missing or deceased loved ones. Why? Because these pieces of information can later be used for identity theft.
Posing as a tech-support professional or a delivery person is an easy way to gain unauthorized access to an account, as is sending a seemingly legitimate email with a malicious attachment. Such emails are often sent to a work email address where people are less likely to be suspicious of an unknown sender.
Emails can be disguised to appear as though they have originated from a known sender when they are sent by a hacker. More elaborate tactics targeted to specific people might involve learning about their interests and then sending the target a link related to that interest. The link can contain malicious code that can steal personal information from their computers. Popular social engineering techniques include phishing, catfishing, tailgating, and baiting.
If you aren't expecting a link or attachment from a friend or colleague, it may be worth calling or texting them to confirm that they sent it and rule out a scammer.
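The disguised-sender tactic described above can also be checked mechanically before a message is trusted. The following Python sketch is an added example, not part of the original article; the known-sender list, the domains and both sample messages are constructed, and it assumes the Authentication-Results header was written by your own mail server.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list (constructed): trusted display name -> real domain.
KNOWN_SENDERS = {"example bank": "examplebank.example"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_warnings(raw_message):
    """Return reasons why the visible sender should not be trusted."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    warnings = []

    # 1. Display name claims a known sender, address is on another domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if (expected and from_domain != expected
            and not from_domain.endswith("." + expected)):
        warnings.append("display name does not match sender domain")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append("Reply-To domain differs from From domain")

    # 3. No DMARC pass recorded. Assumes this header was written by your
    #    own mail server; a copy supplied by the sender proves nothing.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:
        warnings.append("DMARC did not pass")
    return warnings

# Constructed sample messages, not real mail.
SPOOFED = "\n".join([
    'From: "Example Bank" <alerts@examp1e-bank-secure.example>',
    "Reply-To: help@collect-info.example",
    "Authentication-Results: mx.recipient.example; spf=fail; dmarc=fail",
    "Subject: Your account is locked", "", "Verify your password now."])
GENUINE = "\n".join([
    'From: "Example Bank" <alerts@mail.examplebank.example>',
    "Authentication-Results: mx.recipient.example; spf=pass; dmarc=pass",
    "Subject: Statement ready", "", "Your statement is available."])

if __name__ == "__main__":
    print(sender_warnings(SPOOFED))
    print(sender_warnings(GENUINE))
```

A message with no warnings is not proven safe; the check only catches the mismatch between who a message claims to be from and where it actually came from.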
Types of Social Engineering Attacks
There are many ways hackers create social engineering attacks, from posing as a tech support professional offering to "fix" a bug in your computer to sending you a "friend" request to your social media account. Here are three popular social engineering attacks.
Online Baiting
Online baiting occurs when hackers send out ads with links that look like opportunities to find jobs, earn side money, or appear to provide useful information. When an unsuspecting person clicks on the bait, malware infects their computer.
Phishing
These scams take the form of texts or emails that impersonate a bank or other financial institution, or even a government office, claiming you have violated a policy or forgotten to pay your taxes, or asking you to change your password. These scams are designed to elicit fear or concern from the receiver and get them to give out sensitive information.
These types of attacks lure unsuspecting individuals to provide personal information such as bank account numbers, social security numbers, and other sensitive information with the hacker's goal of breaching your financial accounts.
Physical Interactions
Social engineering attacks don't just happen online. Physical interactions can occur, such as an individual pretending to work in your office and asking you to let them in because they "forgot the door code or their card key" and need help.
Social Engineering FAQs
What Is the Most Common Form of Social Engineering?
Phishing used to obtain social security numbers, addresses, and other forms of personal information is the most common form of social engineering.
How Common Is Social Engineering?
Social engineering is extremely common, and hackers and scammers are becoming more sophisticated in their methods.
Is Social Engineering Illegal?
Yes. Social engineering attacks are illegal, and some forms, such as identity theft or breaking into a government facility, are considered serious crimes.