Building (and abusing) trust: what is social engineering?
Nov 14, 2019
They wear many faces. Your grandson, tearfully begging for cash after a crash. A foreign prince, promising a fortune for a small deposit to “liberate” the funds. Your boss, asking for the admin password to patch a bug. Criminals use social engineering to slip under your guard and steal your data.
What is social engineering?
“Social engineering” is an umbrella term for the techniques criminals use to manipulate a victim into acting against their own interest: handing over credentials, running malware, wiring money, or granting access. As technical defenses have improved, attacking the software directly has become harder and more expensive, so criminals increasingly target the cheapest and weakest component of any system: human trust.
There are many types of social engineering attacks. Some cybercriminals impersonate people you trust so that you lower your guard. Others prey on your habits, hoping that you’ll miss the warning signs while going through the motions. Yet others manufacture urgency to put you on the spot, so that you slip up under pressure.
Don’t panic — while the scams are many and varied, you can avoid most of them by keeping a cool head on your shoulders.
What are the most common social engineering scams?
Knowing is half the battle. If you recognize what’s coming, it’s much easier to protect yourself. Read on to learn which social engineering attacks you should be aware of.
Phishing
Everyone has encountered phishing at least once. It involves sending a fraudulent message, usually by email, to trick the victim into taking some action: clicking a malicious link, opening an attachment that installs malware, or disclosing sensitive information such as a password.
Picture this: you get an email from your bank saying that your account has been locked due to suspicious activity. The bank urges you to log in immediately via the “safe” link provided to check your recent transactions. In reality, that link leads to a look-alike website that records anything you type, including your password, and then typically forwards you to the real site so that nothing seems amiss.
Spear phishing
Most phishing attacks are indiscriminate: cybercriminals cast a wide net, hoping to catch at least a few unwary victims. When scammers single out their prey, we get spear phishing. This involves researching the victim’s habits, corporate structure, company policy, and more to create a much more convincing scenario.
Spear phishing takes a lot more effort but is also far more likely to succeed. People put plenty of information about themselves on the internet, especially on social media, and in a large company you may never have spoken to the executive whose name appears in the email. When you get an “urgent” request from what appears to be your boss, you might forward the data without a second thought.
Vishing
Whereas regular phishing uses email and text messages (the text-message variant is sometimes called smishing), vishing uses voice calls. The principle is the same: the scammer pretends to be someone you can trust, like your bank, and tries to trick you into divulging sensitive information.
Vishing attempts can sound very convincing. Caller ID is trivial to spoof, so the number on your screen proves nothing; cybercriminals also use credible pre-recorded prompts and even staffed fake call centers to maintain the charade. Never reveal passwords, PINs, or one-time codes to someone who called you. If in doubt, hang up and call the organization back on a number you look up yourself, from its website or the back of your card, not one the caller gives you.
Pretexting
Pretexting is a social engineering technique in which the scammer presents a seemingly convincing reason, a pretext, for you to divulge sensitive information. The scenario is designed to make you believe that the scammer has the authority to handle your data. For example, they may pretend to be in a position of power or to be providing tech support.
Pretexting requires research to succeed and is often paired with spear phishing. Scammers can be very convincing, but remember: a legitimate bank, IT department, or government agency will not ask for your password or a one-time code, and will not pressure you to skip the normal procedure. If in doubt, end the conversation and verify through a contact channel you look up independently.
Catfishing
When catfishing, cybercriminals target a specific victim through fake online personas. They fabricate a social media presence with stolen photos, then use the account for harassment or deception. Perhaps the most infamous social engineering attacks are the so-called romance scams on dating websites.
Unlike most other forms of social engineering, catfishing is not a “one-and-done” type of deal. The scammer must maintain contact with the victim, sometimes for a great length of time, in order to earn their trust and, eventually, get their valuables. It doesn’t always involve romance — scammers also target gamers and people in close-knit online communities.
Be wary of friendly strangers that try to goad you into providing information, money, or even just your live feed. Cybercriminals don’t want to show their faces and will consistently decline requests to chat through a webcam or meet offline.
Baiting
Sometimes scammers don’t bother to contact you directly; they leave out bait so that you’ll come to them. In a baiting scenario, you’ll be presented with a strong incentive to take an action that will either compromise your computer or disclose something you shouldn’t.
Classic baiting used infected storage media, like USB keys, labeled to promise tantalizing content. Imagine attending a big tech conference and finding a key with “TOP SECRET: NEW MICROSOFT PROJECT” written on it! Dropped USB drives still work well enough that penetration testers use them routinely; online, much baiting takes the form of trojanized downloads on P2P and file-sharing sites, such as cracked software or “leaked” documents.
Quid pro quo
During a quid pro quo attack, scammers pretend to offer you a genuine service in exchange for access or information. A classic scenario is a “computer technician” calling about some vague bug and persuading the victim to grant remote access or install malware as the fix.
Sometimes the victim believes that the scammer’s request is a necessary part of the process — like remote access to the computer. Other times, they believe they’re getting a fair deal. In both cases, the scammer is the one who’s actually coming out on top.
Most people let their guard down when receiving messages from their loved ones. An email from a stranger about a Nigerian prince’s fortune might raise an eyebrow, but a funny cat video from your buddy Jeff? You’ll click it without a second thought.
Once a cybercriminal gets into an account, they try to infect as many of its contacts as possible by spamming them with malicious emails and texts. It pays to be careful even with messages from people you trust: check whether anything feels off, whether the tone is unusual, and whether the link actually leads where it claims to. If in doubt, ask the sender about it through a different channel, such as a phone call.
Watering hole attack
In watering hole attacks, the attacker targets victims belonging to a specific group, such as the staff of one company or industry. The criminals don’t contact their victims directly; instead, they compromise a website that members of the group are likely to visit and plant malicious code there. Major websites are comparatively well defended, so attackers usually go for smaller niche pages, such as an industry forum or a supplier’s site.
The compromised site typically serves an exploit for a browser or plugin vulnerability, sometimes a zero-day, so a visitor is infected simply by loading the page, with nothing to click and little to notice. Employees may also rely on the site for their daily work, so avoiding it is rarely an option. The best defenses are keeping browsers and plugins patched and monitoring your network for connections to unexpected hosts. Encrypting your traffic with a trustworthy VPN, like NordVPN, protects it in transit, but note that it cannot stop a compromised site from delivering an exploit to your browser over that encrypted connection, so patching remains the primary control.
What is the primary countermeasure to social engineering?
The best defense against social engineering is simple caution. As trite as it sounds, taking a few moments to think things through can foil many attacks. Don’t turn off your brain when you go online — cybercriminals rely on you doing things without thinking, like clicking odd links sent by your loved ones.
Here’s what you should always keep in mind:
- Legitimate organizations don’t ask for sensitive information out of the blue. If you receive a call or email from your bank, gas company, or any other authority asking for your password or a one-time code, it’s time to get suspicious. Likewise, be wary of any messages asking for information that answers a security question, even if they come from a trusted source.
- There’s no harm in checking twice. Don’t go with the flow — if in doubt, ask, question, investigate. Try to figure out if the person really is who they claim to be and don’t take action until you’re sure.
- If it sounds too good to be true, it probably is. Received a message that you are the beneficiary of a will or have a fantastic financial opportunity? Don’t break out the champagne just yet — it might be another scam. Keep an eye out for more realistic social engineering attacks as well, like free online lotteries that ask for your personal details.
- The devil’s in the details. Spelling mistakes, a stilted writing style, and look-alike addresses (an extra letter, a digit in place of a letter, or your bank’s name used as a subdomain of someone else’s domain) are all giveaways. Always inspect a link before clicking: hover over it to see the real destination, or long-press it on a phone. The part that matters is the registered domain, the last two labels before the first slash, so example-bank.com.secure-login.net/verify belongs to secure-login.net, not to your bank.
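The link checks in these tips, and the fake bank login page from the phishing section, can be automated. The following Python script is an added example, not code from the original article or from NordVPN: it pulls every link out of an HTML email body and flags plain-http links, bare IP hosts, visible text that names a different site than the link target, a trusted domain used as a subdomain of someone else’s domain, and look-alike domains. The trusted domain example-bank.com, the sample email body, and the digit-for-letter substitution table are all assumptions made for illustration.

```python
"""Inspect the links in an HTML e-mail body for common phishing tells.

Added example; the trusted domain, the sample e-mail and the look-alike
normalisation table are illustrative assumptions, not real data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand the e-mail claims to come from really lives here.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample e-mail body: one subdomain trick over plain http, one
# look-alike domain with mismatched visible text, and one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked due to suspicious activity.</p>
<p>Please <a href="http://example-bank.com.secure-login.net/verify">log in here</a>
to review your recent transaction.</p>
<p>Or copy this address: <a href="https://examp1e-bank.com/">https://example-bank.com/</a></p>
<p>Questions? Visit our <a href="https://example-bank.com/help">help centre</a>.</p>
"""

# Cheap look-alike normalisation: digits that pass for letters, dropped hyphens.
LOOKALIKE_TABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "-": ""})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: fine for .com/.net; real
    code should consult the Public Suffix List so bank.co.uk is not cut to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host name from a URL-looking string, or None if the text is not a URL."""
    if "://" not in text and not text.lower().startswith("www."):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) for every link that shows a phishing tell."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append((href, "not https"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "bare IP address as host"))
        shown = host_of(text)
        if shown and shown.lower() != host:
            findings.append((href, f"visible text says {shown}, link goes to {host}"))
        reg = registrable_domain(host)
        for t in trusted:
            if t in host and reg != t:
                # e.g. example-bank.com.secure-login.net: the real site is secure-login.net
                findings.append((href, f"{t} used as a subdomain of {reg}"))
            elif reg != t and reg.translate(LOOKALIKE_TABLE) == t.translate(LOOKALIKE_TABLE):
                findings.append((href, f"{reg} is a look-alike of {t}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run as a script, it reports four findings for the sample: the first link is not https and abuses example-bank.com as a subdomain of secure-login.net, and the second shows example-bank.com in its text while pointing at examp1e-bank.com, which the normalisation exposes as a look-alike. A genuine subdomain such as login.example-bank.com produces no findings, because its registrable domain is the trusted one.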
John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.