Social engineering in its various forms is the manipulation of others in order to gain information, money, access or assets. Targets are coerced, often through the use of common psychological tricks which serve to scare or create a false sense of security. Criminals will look to elicit feelings of sympathy, shame, or companionship. They will use flattery, a sense of urgency or an air of authority, exploiting human nature, busy lifestyles and trusting dispositions. These common techniques bring emotions such as fear, worry or ease into play, meaning that victims act impulsively or without judgment, leading to the outcome which the attacker intended.
Understanding how social engineering works, and how to spot these techniques, is critical to combating the problem.
The most common cyber attack to use social engineering is phishing. Phishing usually takes the form of emails that appear to come from legitimate sources and are intended to manipulate the recipient into carrying out certain actions, such as transferring money, downloading a file or entering personal information. The sender may claim to be a wealthy relative, promising that if the recipient sends a small amount of money, a larger sum will be sent in return.
A more targeted, and therefore more successful, method of attack is spear phishing. Spear phishing emails are less generic and more personal, masquerading as a trusted source such as the victim’s bank, a colleague or a friend. Using the recipient’s name, or showing that the scammer knows one of their passwords, makes the email appear more legitimate or more urgent. While phishing in general has become more widely recognised, spear phishing can be more difficult to spot. Its convincing nature, often appearing as professional emails from established companies or credible individuals, means that spear phishing poses a real threat to organisations and their cyber security. Increasingly, companies are educating their workforce and dedicating resources to tackling this issue.
Voice phishing, or ‘vishing’, takes the form of phone calls and applies social engineering in much the same way as other modes of phishing. Sometimes vishing is used to set up a later attack: for example, the caller pretends to be from a sales team and tells the victim that further information will shortly be sent over by email. Because the phone call precedes the email, the email appears far less suspicious, and the attack is therefore more likely to succeed. Vishing may also be an attack in its own right, for example a call seemingly from the ‘bank’ asking for personal information or money.
It is important to recognise that social engineering comes in many forms and through channels other than email or phone calls, such as social media platforms. Fake profiles that appear friendly or legitimate at first glance frequently use social engineering tactics to gain information. Phishing through WhatsApp or SMS messages, known as smishing, is on the rise. Smishing works in the same way as phishing, except that the lure arrives as a text or other form of instant message. While we are typically instructed to be vigilant about scams arriving by email, people may be more trusting of a text. Whether masquerading as a company such as a bank, or pretending to be a friend asking for a verification code, smishing relies on social engineering to mislead the victim. As social media platforms and messaging continue to grow in popularity, attackers will use this to their advantage, so it is crucial to stay alert in all digital spaces.
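The cues described above (urgency, authority, requests for money or personal data, the ‘friend on a new number’ pretext, and a sender that does not match the brand it claims to be) can be turned into a simple triage check that flags messages for human review. The following is an added example written for this page, not code from the original article; the cue patterns, the `triage` function, the sample messages and the `examplebank.com` domain are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Cue patterns for the levers the article names: urgency, authority, requests for
# money, requests for personal data or codes, and the smishing "it's me" pretext.
CUES = {
    "urgency": r"\b(immediately|urgent|within 24 hours|act now|expires? today)\b",
    "authority": r"\b(ceo|finance director|compliance|security team|police)\b",
    "money": r"\b(transfer|wire|payment|gift card|bank details)\b",
    "personal_data": r"\b(password|verification code|one-time code|account number)\b",
    "friend_pretext": r"\b(it'?s me|new number|lost my phone)\b",
}

@dataclass
class Message:
    channel: str       # "email" or "sms"
    sender: str        # bare address or phone number (assumed already parsed)
    display_name: str
    body: str

@dataclass
class Verdict:
    score: int
    suspicious: bool
    cues: list = field(default_factory=list)

def triage(msg: Message, trusted_domains=()) -> Verdict:
    """Count the social-engineering cues in a message and flag it for review."""
    text = msg.body.lower()
    hits = [name for name, pat in CUES.items() if re.search(pat, text)]
    if msg.channel == "email":
        # Display name borrows a trusted brand, but the sending domain is not that brand.
        domain = msg.sender.rsplit("@", 1)[-1].lower()
        claimed = msg.display_name.lower()
        brands = [d.split(".")[0] for d in trusted_domains]
        if any(b in claimed for b in brands) and domain not in trusted_domains:
            hits.append("sender_mismatch")
    suspicious = len(hits) >= 2 or "sender_mismatch" in hits
    return Verdict(score=len(hits), suspicious=suspicious, cues=hits)

# Constructed sample messages (not real traffic); examplebank.com is a placeholder.
TRUSTED = ("examplebank.com",)
SAMPLES = [
    Message("email", "alerts@examp1e-bank-verify.com", "ExampleBank Alerts",
            "Your account will be locked within 24 hours. Confirm your password now."),
    Message("sms", "+44 7700 900123", "",
            "Hi it's me, lost my phone. Can you send me the verification code that just arrived?"),
    Message("email", "ann@examplebank.com", "Ann",
            "Hi, attached are the minutes from Tuesday's meeting. Shout if I missed anything."),
]
```

Keyword lists like this only catch the crude cases; the point of the check is to route borderline messages to a person who has been trained on the tactics above, not to replace that training.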
Although commonly used in cyber attacks, social engineering is also used in a legal and ethical capacity when testing the human and physical defences of a company. Certified ethical hackers are often employed to find flaws and gaps in an organisation’s cyber security. Because people play an important role in cyber security at both an individual and a company-wide level, sometimes the vulnerability is human. Therefore, as part of an overall penetration test, ethical hackers will use social engineering tactics to find out how vulnerable employees are to these techniques. Not only does this help to determine how staff may respond to scams, it also raises awareness of social engineering within the company and reduces complacency once people understand how easy it can be to fall for these tricks.
As we become more aware of scams and social engineering techniques, attackers adapt and find new ways of deceiving and defrauding victims. To stay ahead, we must continue to educate organisations and individuals rather than blaming the victims who have been misled.