What is Social Engineering?

April 30, 2018 10:02 am Geraldine Strawbridge

Social Engineering is a term we hear constantly in the news relating to cyber-attacks, but what exactly does it mean?

Social Engineering is the art of manipulating people into performing certain actions or divulging confidential information.

Rather than use traditional hacking attacks, cybercriminals take advantage of our trusting human nature to trick us into breaking normal security practices.

These types of attacks have grown in frequency and sophistication, and are proving to be a very successful way for scammers to gain unauthorised access to computer networks and sensitive data.

Social Engineering attacks come in many different forms but the common thread running through them all is their exploitation of human behaviour. The following examples are the most common forms of attack used.

Phishing

Phishing remains the most popular social engineering attack of all due to its high success rate. The majority of all cyber-attacks can be traced back to a phishing email and the online scam works by tricking people into giving out sensitive information or downloading malicious malware.

Phishing emails are designed to look genuine and will appear to come from a legitimate source. The email will include a link or attachment which once clicked, will infect a computer with malware.

Vishing

Vishing is a combination of the word voice and phishing and refers to phishing scams that take place over the phone. It has the most human interaction of all the social engineering attacks but follows the same pattern of deception. The scammers will often create a sense of urgency to convince the victim to divulge sensitive information.

The call will often be made through a spoofed ID, so it looks like it’s coming from a trustworthy source. A typical scenario will involve the scammer posing as a bank employee to flag up suspicious behaviour on an account. Once they have gained the victim’s trust they will ask for personal information such as login details, passwords and pin. The details can then be used to empty bank accounts or commit identity fraud.

Smishing

Smishing is a type of phishing which uses SMS messages as opposed to emails to target individuals. It is used by criminals to encourage individuals to divulge personal information such as account details, credit card details or usernames and passwords. This method involves the fraudster sending a text message to an individual’s phone number and usually includes a call to action that requires an immediate response. Messages will often claim to be from Banks, Tax Revenue Systems and even your own friends. They may ask you to click a link, call a number or they may even inform you that you are about to receive a phone call from a support member.

Spear – Phishing

Spear-Phishing is a more targeted attempt to steal sensitive information and typically focuses on a specific individual or organisation. These types of attacks use personal information that is specific to the individual in order to appear legitimate. Learn more about spear phishing.

The scammers will often turn to social media to research their victims. Once they have a better understanding of their target, they will start to send personalised emails which include links which once clicked will infect a computer with malware.

Whaling

What distinguishes this category of phishing from others is the high-level choice of target. A whaling attack is an attempt to steal sensitive information and is often targeted at senior management or other high-profile targets such as politicians or celebrities. The word whaling is used to indicate that the target being pursued is a big fish to capture.

Whaling emails are a lot more sophisticated than your run of the mill phishing emails and much harder to spot. Typically, the emails will contain personalised information about the target or organisation and the language will be corporate in tone. A lot more effort and thought will go into the crafting of these emails due to the high level of return for the scammers.

Baiting

Baiting, as the name implies involves luring someone into a trap to steal their personal information or infect their computer with malware.

To entice victims to fall for their trap, baiters often use offers of free music or movie downloads if users provide their login details. Another popular baiting trick involves leaving a malware-infected device such as a USB stick in a place where someone can find it.

The scammers rely on human curiosity to complete the scam and by inserting the device into their computer to see what’s on it, malware is in turn installed.

Tailgating

Tailgating involves someone following an employee into a restricted area. These attacks are often carried out offline but can lead to future online attacks.

A common example of this type of attack is someone posing as a delivery driver and waiting until an employee approaches the building. The attacker will then ask them to hold the door open for them so they can gain access. Once inside, the attacker may gain access to sensitive company information.

To prevent yourself from falling victim to these types of attacks, there are a number of steps you can follow. Never open emails from unknown sources, don’t click on suspicious links, install anti-virus software and read your company’s privacy policy.

To find out how MetaCompliance can help protect you from these types of social engineering attacks, click here