
Guide: What Is Social Engineering? (And How to Avoid It in 2021)

What is social engineering? Think of it as con artistry for the internet age. 

Now, everybody loves a good con. From Paul Newman and Robert Redford swindling a mobster in The Sting to Leonardo DiCaprio eluding the feds as real-life con man Frank Abagnale in Catch Me If You Can, our society has an insatiable appetite for grifters, shysters and tricksters. But it’s not nearly as fun when it’s happening to you.

[Image: The Sting movie soundtrack album]
Stealing identities is bad, no matter how on-point your hat game is while you do it.

Lots of people think of hackers as shadowy teens in hoodies who steal their victims’ personal information by typing really fast. In reality, a large share of “hacks” start not with a software flaw but with a person being talked into something: handing over a password, opening an attachment, holding a door. Social engineering is what makes that possible.


So, What Is Social Engineering?

Social engineering is how attackers get at your sensitive data, your accounts or even your identity using old-fashioned deception rather than technical exploits. As you’ll learn, there are many ways to run a social engineering attack, but they’re all the same at heart: the scammer uses psychological manipulation to trick the victim into giving up critical information or access.

But now that you’ve found this article, you don’t have to be a victim anymore. Read on and wise up to all the common social engineering tricks, so that if somebody tries them on you, you’ll be ready.


Four Social Engineering Methods

1. Phishing

Imagine opening your inbox one day and seeing an email from the Debt Management Bureau. “We’ve discovered serious irregularities in your bank account,” it says in frightening red letters. “Please provide your account and routing numbers immediately so we can investigate the source.”

This is obviously nonsense. Even if the Debt Management Bureau were a real thing, it wouldn’t need your banking information to investigate your account activity. But the scammers only need one person to miss that.

[Image: BMW car on a waterfront]
Turns out “debt management” means putting you into debt so they can buy Beemers.

Phishing refers to any social engineering attack that relies on faking legitimate correspondence. Smishing and vishing (see “Variations on Social Engineering Attacks”) are subtypes of phishing.

Phishing attacks tend to follow certain recognizable patterns. Scammers send out a blast of emails that pretend to be from a service everyone relies on. Banks, credit card companies and widely used sites like Amazon and PayPal are common impersonation targets.

These emails will be light on detail but heavy on urgent language. By getting their potential victims worked up about identity theft, credit card fraud or losing access to next-day delivery of 47 pounds of gummy bears, the scammers evoke the kind of fear that leads to bad decisions.

[Image: gummy bears]
Take as much money as you want! Just give me back my bears!

Phishing emails increasingly don’t ask for sensitive information directly. Instead, they share a link they claim goes to a website where you can fix the problem. The link takes you to a very close replica of the real company’s login page, often so similar that the only giveaway is the address in the browser bar, and you don’t notice it until it’s too late.

Phishing artists (phishmongers?) blast out thousands of scam emails at a time with links to these malicious websites. Even a one-in-a-thousand success rate can net them a massive return. They’re often most successful when preying on vulnerable people, like senior citizens unfamiliar with online banking.

2. Pretexting

Pretexting is when the scammer creates a pretext that makes the target more likely to trust them. Where phishing relies on a false sense of urgency to bypass the target’s rational thoughts, pretexting depends on the subject’s natural deference to authority and expertise.

When we see somebody wearing a visibility vest and carrying a clipboard, we assume they’re in a place they’re supposed to be. It’s human nature. Same with a police officer’s uniform, a doctor’s white lab coat or a suit with a name tag reading “John from HR.”

[Image: child in orange vest and hard hat]
“Hi, I’m here to repair the R-rated movie projector.”

Pretexting is proof that a social engineering scam doesn’t have to rely on complicated technology. One widespread example would be a grifter dressed as an employee at an office building. He could leave a note on the bulletin board saying the IT number had changed, give his own number as the new helpline, and collect dozens of usernames and passwords in one day.

That said, cybercriminals have technology on their side as well. More and more scammers are employing “deepfakes” that use AI to clone a person’s voice from recorded samples of their speech, often convincingly enough that the person on the other end can’t tell the difference. Just because you hear your wife, friend or boss talking doesn’t mean it’s them, so confirm any unusual request through a channel you started yourself.

3. Baiting or Quid Pro Quo

These are two similar social engineering attacks in which the scammer offers goods or services in exchange for information. “Baiting” usually refers to goods and “quid pro quo” refers to services, but the terms are also used interchangeably.

One form of baiting you’ve likely encountered is the classic “You’re the 1,000,000th visitor to our website! You’ve won A BRAND NEW CAR!” banner ad, but it can take many forms. Some are even considered legitimate, like offering free gifts in exchange for the customer making a purchase or joining a mailing list.

[Image: Times Square, NYC, time lapse]
Honestly, most marketing is just social engineering that’s legal.

Most baiting attacks start with a bit of pretexting, establishing the grifter as somebody you’d accept goods or services from. In some recorded attacks, scammers handed out unmarked flash drives or CDs, exploiting the recipient’s natural curiosity to make them download malware.

In other attacks, the baiting and pretexting happen simultaneously. A study by the University of Luxembourg showed that people were more likely to give up their passwords if the person asking gave them some chocolate — even if the chocolate was given out before the examiner asked a single question.

4. Tailgating or Piggybacking

These two related methods of social engineering are used to penetrate physical security measures.

Most organizations with assets to protect have some sort of security in place, whether it’s as simple as an auto-locking door or as complex as those laser grids from the movies.

[Image: woman standing amid lasers]
Which never work, because the thieves always have an Olympic gymnast on their team.

In a tailgating attack, the infiltrator follows somebody who’s allowed to be there, slipping in behind them before the door closes. In piggybacking, the legit employee is aware they’re being followed, but helps out of a sense of obligation. A common technique is for the perpetrator to pretend they’re carrying heavy objects that prevent them from opening the door themselves.

[Image: two men arranging a stack of boxes]
“Do you need help carrying your suspicious unmarked packages, sir?”

Variations on Social Engineering Attacks

Smishing is an abbreviation of “SMS phishing.” It’s like email phishing, except that the spoofed communication is on mobile devices via a text message instead of an email. Any organization that sends you texts — from dentists to parcel delivery — is fair game.

As with a phishing scam, most smishing attacks try to get the target to click on a link, which will take them to a mobile-friendly scam website.

Vishing stands for “voice phishing.” It’s when the fraudulent message comes in the form of a phone call or voicemail. Voice phishing takes advantage of the fact that it was hard to fake a phone number in the landline era. That trust is now misplaced: with internet telephony, the caller ID you see can be set to any number the scammer likes, including your bank’s real one. The residual trust can lead victims to assume voice messages are more legit than texts or emails.

Vishing attacks are often conducted through automated robocalls or text-to-speech apps so the scammer doesn’t leave any clues to their identity. Like other social engineering attacks in the phishing family, vishing relies on urgency, demanding that you call a certain number immediately and provide vital information. A live caller may also ask you to read back a one-time code that just arrived by text; that code is the scammer logging in to your account, not a “verification.”

Spear phishing is phishing, smishing or vishing that targets specific victims the scammer has researched beforehand. Instead of the usual approach of blasting out mass emails, spear phishing is calculated to work based on each victim’s unique situation.

[Image: spear phishing]
Not to be confused with “spear fishing.”

Whaling is a targeted social engineering strategy that goes after high-value individuals in a business or other organization, using any of the phishing techniques above. Getting the CEO’s password, or a convincing imitation of the CEO’s email, is far more likely to net a fraudulent wire transfer or access to the whole network than compromising a random employee’s desktop computer.


How to Recognize Social Engineering

As you can see, although there are many kinds of social engineering attacks, they have one thing in common: they request access to something you normally keep secure.

This is true of every single social engineering technique, from typo-riddled Nigerian Prince emails to finely crafted fake websites. Grifters don’t launch social engineering scams for fun (mostly). They’re looking for a reward. Any request for access, or for information that grants access, might be social engineering.

Now, that doesn’t mean all requests for information or access are social engineering. It just means that if somebody is asking for your username, your password, your bank account number, help getting into your building, etc., that’s your cue to start asking questions.

[Image: person driving a scooter with pizza boxes]
Where do I live? Nice try, pizza guy, if that is your real name.

Another common (but not universal) element of social engineering attacks is a sense of false urgency. A social engineer creates the illusion that you’ll put yourself in danger if you don’t follow their instructions. However, the danger is usually vague and amorphous: “We’ve detected a serious problem with your credit card account!”

Almost every social engineering tactic involves some element of pretexting: the scammer either takes on an identity or creates an environment that makes you more likely to trust them. If you get an email from “the IRS” or “the IT department,” treat it with extra caution. And if it asks you to provide any sensitive information, run for the hills.

A few more specific things that suggest a social engineering attack:

  • Asking you to click on a link
  • Offering a substantial reward
  • Accusing you of breaking the law
  • Responding to a request for help that you never submitted
  • Directing you to websites with unfamiliar domain names
  • Posing as your superior to request that you do something immediately
  • Asking you to read back a one-time code or approve a login prompt you didn’t trigger
  • Asking you to keep the request quiet or skip the usual process

Real Life Examples of Social Engineering Attacks

These real-life social engineering attacks prove that not even the biggest companies or the most tech-savvy people are immune to getting scammed.

Google and Facebook send $100M to Con Artists

In 2013, a scammer named Evaldas Rimasauskas set up a company in his native Lithuania, using the exact same name as Quanta Computer, a Taiwanese hardware manufacturer that sold to Google and Facebook. He then used the look-alike company to send Google and Facebook employees forged invoices, contracts and letters for merchandise the real company had provided, and they paid him about $100 million between 2013 and 2015. The lesson for any finance team: a new bank account on an invoice gets confirmed by a phone call to a number you already have on file, never to one printed on the invoice.

Hackers Impersonate Joe Biden to Net Huge Bitcoin Haul

On July 15, 2020, several high-profile, verified Twitter accounts tweeted that any bitcoin payments sent to a linked address would be doubled and returned. The accounts belonged to everyone from Kim Kardashian to Joe Biden.

In a caper worthy of a heist movie, the attackers phoned Twitter employees while posing as the company’s IT department and talked them into logging in to a fake copy of the VPN login page. With the harvested credentials they reached Twitter’s internal admin tools, changed the email addresses attached to the celebrity accounts and took them over. The perpetrators were ultimately caught, but not before stealing over $110,000 in bitcoin.

Deepfakes Defraud an Energy CEO

In 2019, the CEO of an energy company in the UK received a call from his boss, who ran the parent company in Germany. His boss told him that he urgently needed to transfer €220,000 (about $243,000) to a Hungarian supplier. The destination was actually an account the scammers controlled.

The grifters used deepfake technology to mimic the German CEO’s voice so closely that his own subordinate couldn’t tell the difference. It was so convincing that, even though the attacker called two more times that day, the UK CEO only became suspicious when a promised reimbursement never arrived.


How to Prevent a Social Engineering Attack

The good news about social engineering attacks is that the perpetrators are counting on you not paying attention. Keep these habits in mind and the overwhelming majority of them will never get anywhere with you.

Don’t share confidential information with anybody whose identity you can’t confirm. Here’s a tip: a bank that calls you will never ask for your PIN, your online banking password or a one-time code. They already know which accounts you have, and their systems don’t need your code to “verify” you. If in doubt, hang up and call the number on the back of your card.

Don’t click links in unexpected messages. If an email or text tells you to click on a link to fix a problem, don’t, no matter how much you trust the sender. Instead, go to the site the way you normally do: a bookmark, the company’s app, or the address you already know typed by hand. Don’t rely on a web search either; scammers buy ads for exactly these queries. If you must inspect a link, hover over it (or long-press on a phone) and read the domain carefully from the right: paypal.com is not paypal.com.verify-account.example.
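As an added example (not part of the original article), here is a small Python checker that pulls the links out of a message and flags the tricks phishing sites rely on: a trusted name buried in a longer domain, a username before an “@” that hides the real host, raw IP addresses, punycode look-alikes and plain HTTP. The e-mail text and the allow-list of trusted domains are constructed for illustration; the “last two labels” domain rule is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: the domains this reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "example-bank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ("paypal.com" for
    "www.paypal.com"). Simplification: real code should use the Public
    Suffix List (e.g. the tldextract package) so "bank.co.uk" works too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> list[str]:
    """Return human-readable warnings for one URL. An empty list means the
    link points at a trusted domain over HTTPS with no tricks detected."""
    warnings: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # "https://paypal.com@evil.example/": the part before '@' is a username;
    # the browser actually connects to evil.example.
    if parts.username is not None:
        warnings.append(f"text before '@' is a username; the real host is {host}")

    # Internationalized names can look identical to a trusted one (homoglyphs).
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalized (punycode) hostname, possible look-alike")

    if IPV4_RE.fullmatch(host):
        warnings.append("raw IP address instead of a company name")
    else:
        reg = registrable_domain(host)
        if reg not in TRUSTED_DOMAINS:
            # "paypal.com.verify-account.example": the trusted name is only a
            # subdomain label; what matters is the rightmost registrable part.
            embedded = [d for d in TRUSTED_DOMAINS
                        if d in host or d.replace(".", "-") in host]
            if embedded:
                warnings.append(f"'{embedded[0]}' appears in the name, "
                                f"but the real domain is {reg}")
            else:
                warnings.append(f"unfamiliar domain {reg}")

    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    return warnings


def scan_message(text: str) -> dict[str, list[str]]:
    """Map every http(s) link in a message to its list of warnings."""
    return {url: analyze_url(url) for url in URL_RE.findall(text)}


# Constructed sample message; the domains are reserved example names.
SAMPLE_EMAIL = """\
Subject: URGENT: irregular activity detected on your account
We found a serious problem. Verify now:
https://paypal.com.verify-account.example/login
Alternative sign-in: http://paypal.com@198.51.100.23/secure
Your order has shipped: https://www.amazon.com/orders/112-3456789
"""

if __name__ == "__main__":
    for link, issues in scan_message(SAMPLE_EMAIL).items():
        verdict = "OK" if not issues else "SUSPICIOUS"
        print(f"{verdict:10} {link}")
        for issue in issues:
            print(f"           - {issue}")
```

Run as a script it prints a verdict per link; the Amazon order link comes back clean while the two “PayPal” links are flagged. The allow-list is the key design choice: rather than trying to enumerate bad domains (which change daily), the checker only trusts what you already know and treats everything else as a question to ask.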

Build trust. If you get an email that appears to be from someone you know, check with the person who allegedly sent it. Don’t reply to the email you got — send a new email, call, or walk to their office if you can. You can bet that CEO who gave away $243,000 wishes he’d made that one call.

Ask for proof. Somebody calls you and tells you they’re from the IRS and you’re suspected of tax fraud? Ask them to prove it. It’s why we make cops wear badges.

Use two-factor authentication. With 2FA, someone who has your password still needs the second factor to get into your accounts. Two caveats: a phishing page can ask you for the six-digit code and use it on the real site within seconds, and a scammer on the phone can ask you to read it back, so never share a code with anyone who contacts you. App-generated codes beat SMS (no SIM swap), and a hardware security key or passkey beats both, because it only works for the real site’s address and can’t be relayed through a fake one.
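Added example, not from the original article: a toy Python simulation of that caveat. It implements the standard six-digit TOTP code (RFC 6238) that authenticator apps generate, shows a phishing page relaying a freshly typed code to the real site within its validity window, and then shows why an origin-bound authenticator (the FIDO2/WebAuthn model behind security keys and passkeys) can’t be relayed the same way. The site names, secrets and the HMAC used as a stand-in for the authenticator’s signature are all constructed; real WebAuthn uses a per-site asymmetric key pair, and the browser refuses to use a credential for a different site at all, which is stricter than the origin check shown here.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps),
    the algorithm behind the usual six-digit authenticator-app codes."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key signing (challenge, origin). Real
    authenticators use an asymmetric key; HMAC keeps the example stdlib-only."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class RealSite:
    """The genuine service at ORIGIN (hypothetical name)."""
    ORIGIN = "https://bank.example"

    def __init__(self, password: str, totp_secret: bytes, fido_key: bytes):
        self.password = password          # stored in clear only for brevity
        self.totp_secret = totp_secret
        self.fido_key = fido_key
        self.outstanding: set[bytes] = set()

    def login_with_totp(self, password: str, code: str, now: int) -> bool:
        """Password + six-digit code: nothing here ties the code to where
        the user typed it, so a relayed code is indistinguishable."""
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_secret, now)))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def login_with_fido(self, challenge: bytes, assertion: bytes) -> bool:
        """Accept only a signature over *our* origin; challenges are single-use."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = authenticator_sign(self.fido_key, challenge, self.ORIGIN)
        return hmac.compare_digest(assertion, expected)


class Authenticator:
    """The user's security key / passkey. It signs whatever origin the
    browser reports, and the browser reports the page the user is really on."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        return authenticator_sign(self.key, challenge, browser_origin)


PHISHING_ORIGIN = "https://bank-login.example"   # constructed look-alike


def phish_relay_totp(site: RealSite, password: str, totp_secret: bytes, now: int) -> bool:
    """Attacker's page asks for password and code, then forwards both to the
    real site inside the 30-second window. The victim 'reads the code off
    their app', i.e. computes it with the shared secret."""
    code_typed_by_victim = totp(totp_secret, now)
    return site.login_with_totp(password, code_typed_by_victim, now)


def phish_relay_fido(site: RealSite, authenticator: Authenticator) -> bool:
    """Attacker fetches a real challenge and forwards it to the victim's
    browser, which is on the phishing page and therefore signs *that* origin."""
    challenge = site.new_challenge()
    assertion = authenticator.sign(challenge, PHISHING_ORIGIN)
    return site.login_with_fido(challenge, assertion)


def run_demo(now: int = 1_700_000_000) -> dict[str, bool]:
    """Constructed credentials; returns each scenario's login result."""
    totp_secret, fido_key = secrets.token_bytes(20), secrets.token_bytes(32)
    site = RealSite("hunter2", totp_secret, fido_key)
    key = Authenticator(fido_key)
    genuine_challenge = site.new_challenge()
    return {
        "legit_totp": site.login_with_totp("hunter2", totp(totp_secret, now), now),
        "phished_totp": phish_relay_totp(site, "hunter2", totp_secret, now),
        "legit_fido": site.login_with_fido(genuine_challenge,
                                           key.sign(genuine_challenge, RealSite.ORIGIN)),
        "phished_fido": phish_relay_fido(site, key),
    }


if __name__ == "__main__":
    for scenario, ok in run_demo().items():
        print(f"{scenario:13} -> {'login succeeded' if ok else 'rejected'}")
```

The two phished scenarios are the point: the relayed TOTP code logs the attacker in, because the real site has no way to know the code travelled through a fake page, while the relayed FIDO assertion is rejected because the signature covers the address the victim was actually looking at. The `totp` function is checked against the RFC 4226/6238 test vector (secret `12345678901234567890`, time 59, code `287082`).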

Establish business security protocols. Written procedures that every employee can follow are the best first step for companies: who to report a suspicious message to, how a request to change a supplier’s bank account gets verified (a callback to a number already on file, never one in the email), and a rule that nobody gets in trouble for checking. Employees should know what to do before they come upon a suspicious communication, not after.

Take a deep breath. Have you ever woken up from a bad dream after realizing the situation you were in didn’t make any sense? That also works with social engineering. If you see a scary email and panic, take a walk before you act. Ask yourself if the message makes sense, or if it’s trying to manipulate you into taking a certain action.

Use a VPN, but know what it does. A virtual private network hides your IP address from the sites you visit and from anyone on the same Wi-Fi network. It does not stop social engineering: spear phishers research you through social media, company websites and leaked breach data, none of which a VPN touches. The real fix for that research is to limit what you publish about your job, your travel and your contacts, and to assume anything public can end up in a pretext.


What to Do If You’re a Victim of Social Engineering Tactics

If you think you might have given information to a social engineering grifter, don’t panic! All is not lost. There are still things you can do to protect yourself.

If you gave up information, make it obsolete. If you gave up your password, change it everywhere you reused it, and sign out of other sessions if the service lets you. If you gave out your bank account number, call your bank and move to a new account ASAP. If you gave out your Social Security number, place a credit freeze with all three credit bureaus; the Social Security Administration will issue a new number only in rare cases where you can show the old one is being misused.

Tell your superiors. Yes, it’s scary to admit you slipped up, but the earlier you let someone know, the sooner they can reset credentials, block the sender and warn everyone else who got the same message. An hour of silence is what turns one stolen password into a company-wide incident.

Watch your bank account for suspicious activity. Take note of any fraudulent transactions. If you see one, tell your bank immediately: prompt reporting is what limits your liability for unauthorized charges.

Tell the authorities. Report the scam to the Federal Trade Commission at ReportFraud.ftc.gov; if it involved a business or a significant loss, also file with the FBI’s Internet Crime Complaint Center at ic3.gov. Forward phishing emails to reportphishing@apwg.org, which feeds browser and email blocklists. The more evidence investigators gather, the more likely it is that the culprit will be caught.


Conclusion: Social Engineering

Upon learning about social engineering for the first time, people often react with despair. I get that. It sounds like I’m advising them not to trust any message they don’t receive in person, even if it comes from their closest friend.

But that’s not how I see it. I look at the rise of social engineering attacks as an opportunity to strengthen two very important things for living in the modern world: our networks of trusted people, and our healthy skepticism.

Skepticism doesn’t mean being paranoid. It means being smart. If there’s one thing social engineers fear, it’s a target who stops to think things through instead of reacting based on their first instinct.

If there’s one thing they fear even more, it’s open communication between their targets. The more people you feel comfortable checking in with, the fewer people grifters can impersonate when they need something from you.

Imagine you knew all the delivery people who served your office. Not only would you have several new friends, but if someone new claimed to be making a delivery, you’d be far less likely to let them inside.

Have you ever dodged or fallen victim to a social engineering attack? What do you do to stay safe from social engineering? Let me know in the comments, and thanks for reading!
