Social engineering cybersecurity threats are the most common form of cyber threat today, but many people are unfamiliar with what they entail. In this article, we’ll seek to unravel the basics of social engineering and what it means for you.
There are far more forms of social engineering attacks than you would think. Some of these include baiting social engineering attacks, where hackers lure people in with promises of money or important information, only to infect a system once the person has fallen for the trick.
Baiting can take the form of a physical cybersecurity attack (via a flash drive planted in the office with a virus installed) or a virtual attack (by using ads and emails to entice curious users to click). Attackers like to label their bait in ways that will get employees curious. Some examples include labels like “New incentive structures” or “Q4 payroll.”
Once the person plugs the flash drive in or inserts the disk, the malware it carries installs itself and begins compromising the system. By the time someone notices the damage, it’ll be too late.
Tailgating social engineering attacks are also carried out physically. In these situations, the cyber attacker physically follows someone to an area where they don’t belong (see the above example of an office). The attacker carries heavy boxes or equipment in an attempt to get you to hold the door open for them, allowing them access to a restricted area.
Here are a few more examples of social engineering attacks:
In the next section, let’s go over “What is social engineering in cybersecurity?” and talk more in-depth about the examples of social engineering shared above.
For those wondering what social engineering is, it’s actually quite simple.
Social engineering is the term used to describe what happens when hackers deceive or manipulate people into sharing confidential or personal information. There are several examples of social engineering attacks above, but this section will provide more details about each of the social engineering examples.
First, though, let’s talk a bit about the psychology of social engineering. Social engineering tactics rely on six principles of persuasion laid out by behavioral scientist Robert Cialdini: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
For more on social engineering psychology, read on.
Quid pro quo tactics are very similar to baiting tactics in that hackers promise something (usually money) in exchange for information that can be used to steal money or important data. Sometimes quid pro quo tactics involve hackers taking control of an account.
Phishing is the most common form of social engineering attack. For that reason, there’s an entire section dedicated to it below.
As recently as April 2021, hackers began using contact forms to deliver malware. This is how it worked: hackers used business contact forms to threaten legal action against the company, telling recipients to click a link to review their “evidence.” When the company representative clicked on these links, they were unknowingly downloading the web-based banking trojan IcedID.
Impersonation, or pretexting, is a common tactic in which hackers use false authority or pretend to be someone else in order to gain access to data. In the above example, the hackers pretended to be a photographer who was pursuing legal action against the business for using copyrighted images without permission.
Before covering how to prevent social engineering attacks, let’s finish up our discussion of the different types of social engineering attacks. What is a social engineering attack?
Man-in-the-middle attacks are another type of social engineering attack. In this one, two people are having a conversation (via email, etc.), but unbeknownst to them, a third party is silently reading the exchange and collecting information: a hacker, the man in the middle. This virtual form of eavesdropping is typically carried out on public Wi-Fi or via malware on a victim’s device.
Once you know the ways to recognize social engineering, you’ll be better equipped to prevent it.
Here are some of the things you can do to prevent social engineering attacks:
Since phishing is the most common form of social engineering attack, it has far more variations than the other types. This section will cover social engineering phishing examples and the common terms used to distinguish specific phishing attacks.
Phishing is sometimes mistaken for a different type of cyber attack altogether. However, it’s not a matter of “How can I tell if it’s social engineering vs. phishing?” because phishing falls under the umbrella of social engineering tactics.
As mentioned above, phishing attacks involve hackers imitating trusted sources and attempting to obtain login credentials or sensitive personal data from their victims. General phishing emails are sent out in bulk to large lists of people.
There are different phishing categories depending on the type of attack, and certain types of phishing can be far more targeted attacks.
Whaling (or CEO fraud) is a phishing technique in which the hacker goes after the “big fish” of the company, for example the CEO, CFO, or another high-level executive. These emails are customized to sound more legitimate and relevant, in the hope that the executive will open the email, download the malware, and expose their company’s data.
Spear phishing is similar to whaling in that it’s a targeted attack, but instead of going to the top executives of the company, the attack goes to lower-level employees in the hopes that they aren’t as educated about cybersecurity.
Angler phishing targets social media users. Hackers pretend to be customer service agents on social media and reach out to disgruntled customers to obtain their personal information or credentials.
Smishing attacks are carried out over text messages, and vishing social engineering attacks involve hackers leaving voicemail messages or making phone calls to obtain a person’s sensitive information.
This section will expound upon the social engineering principles covered earlier. Let’s take a look at each of the social engineering psychology principles as outlined above.
Reciprocity is the idea that we should return favors and pay back debts. Hackers use this principle by doing their potential victims a small favor first, so that the victim feels obliged to give something back. Once the victim acts on that sense of obligation, the hacker gains access to the information they were after.
Commitment and consistency is the idea that once people have committed to a course of action, they tend to follow it through. Hackers take advantage of this by roping victims into an initial commitment and then withdrawing the original incentive; human beings are wired to honor commitments even after the reason for them has fallen through.
Social proof is the concept that people will feel more apt to do something if they see that others are doing it. This is why hackers will have pages of false reviews or post fake credentials.
Authority is something that people are trained to obey from even a young age. This is why hackers will impersonate important authority figures, such as police officers, the IRS, financial authorities, help desk experts, and more.
Liking is one of the social engineering psychology examples that hits closest to home. Liking is a technique hackers use to win people over by being friendly. Tailgating is an example of this.
There’s one more principle of social engineering: scarcity. Scarcity is the idea that something will be gone soon, so you need it now. Hackers use scarcity to their advantage by claiming that their victims can receive a benefit, but only if they click the link in the next couple of hours. In their hurry not to miss out, victims may skip their due diligence.
For more information on social engineering attacks, SBA Research has published a PDF detailing different types of social engineering.
If you want to pinpoint where your company is most vulnerable and what types of attacks you’re most susceptible to, Trava offers risk assessment and vulnerability scans. Contact Trava for a security quote today!