What is Social Engineering? 11 Examples to Watch Out For
What exactly is Social Engineering, anyway?
Social engineering refers to the act of manipulating people into giving up their confidential information. The kind of information that criminals look for varies; most often, individuals are targeted for their bank details or their account passwords. Criminals also attempt to gain access to the victim’s computer so that they can install malicious software, which then extracts whatever information they need.
Criminals use social engineering tactics because it is often easier to exploit a person by gaining their trust and convincing them to hand over their personal details than it is to break directly into someone’s computer without their knowledge.
Social Engineering Examples
You will be able to protect yourself better by being informed of the different ways in which social engineering is done.
1. Pretexting
Pretexting is used when the criminal wants to obtain sensitive information from the victim under the cover of performing some critical task. The attacker extracts the information through a series of carefully crafted lies.
The criminal begins by establishing trust with the victim. This may be done by impersonating their friends, colleagues, bank officials, police, or other authorities who may ask for such sensitive information. The attacker asks them a series of questions with the pretext of confirming their identity and gathers personal data in this process.
This method is used to extract all kinds of personal and official details from a person. Such information may include personal addresses, social security numbers, phone numbers, phone records, bank details, staff vacation dates, security information related to businesses, and so on.
2. Diversion Theft
This is a type of scam that generally targets courier and transport companies. The criminal tricks the target company into delivering a package to a location other than the one originally intended. The technique is used to steal valuable goods that are in transit through the post.
This scam may be carried out both offline and online. The personnel carrying the packages may be approached and convinced to drop off the delivery at a different location. Attackers might also gain access to the online delivery system, intercept the delivery schedule, and alter it.
3. Phishing
Phishing is one of the most common forms of social engineering. Phishing scams use email and text messages that create a sense of curiosity, fear, or urgency in the victim. The text or email urges them to click on links that lead to malicious websites, or to open attachments that install malware on their devices.
For example, users of an online service might receive an email claiming that a policy change requires them to change their passwords immediately. The mail contains a link to a fraudulent website that looks identical to the original. The user inputs their account credentials into that website, believing it to be the legitimate one, and on submission the details become available to the criminal.
4. Spear Phishing
This is a type of phishing scam that is targeted at a particular individual or organization. The attacker customizes their messages based on the job positions, characteristics, and contacts related to the victim, so that the messages seem more genuine. Spear phishing requires more effort on the part of the criminal and may take far more time than regular phishing. However, such attacks are harder to identify and have a higher success rate.
For example, an attacker spear phishing an organization might send an email to an employee while impersonating the firm’s IT consultant. The email is written in the consultant’s usual style and looks authentic enough to deceive the recipient. It prompts the employee to change their password via a link to a malicious webpage that records their credentials and sends them to the attacker.
5. Water-Holing
The water-holing scam takes advantage of trustworthy websites that are regularly visited by a lot of people. The criminal gathers information about a targeted group of people to determine which websites they visit frequently. Those websites are then tested for vulnerabilities that would let the attacker plant malware on them. With time, one or more members of the group get infected, and the attacker can then reach the secure systems of these infected users.
The name comes from the analogy of how animals gather to drink at the same trusted watering places when they are thirsty, without taking precautions. Predators know this, so they wait nearby, ready to strike when the animals’ guard is down. Water-holing in the digital landscape can hit an entire group of vulnerable users at the same time, which makes it one of the most devastating forms of attack.
6. Baiting
As the name suggests, baiting uses a false promise to trigger the victim’s curiosity or greed. The victim is lured into a digital trap that helps the criminal steal their personal details or install malware on their systems.
Baiting can take place through both online and offline mediums. As an offline example, the criminal might leave the bait in the form of a malware-infected flash drive at conspicuous locations such as the elevator, bathroom, or parking lot of the targeted company. The flash drive looks authentic, so the victim picks it up and plugs it into their work or home computer, at which point the malware is installed on the system.
Online forms of baiting might be attractive and enticing advertisements that encourage victims to click on them. The link downloads a malicious program that infects their computer with malware.
7. Quid Pro Quo
A quid pro quo attack is a “something for something” attack. It is a variation of the baiting technique: instead of baiting the victim with the promise of a benefit, a quid pro quo attack promises a service in return for a specific action. The attacker offers a fake benefit to the victim in exchange for access or information.
The most common form of this attack is a criminal impersonating a member of a company’s IT staff. The criminal contacts the company’s employees and offers them new software or a system upgrade. The employee is then asked to disable their anti-virus software or install malicious software if they want the upgrade.
8. Tailgating
A tailgating attack is also called piggybacking. It involves the criminal seeking entry to a restricted location that lacks proper authentication measures. The criminal gains access by walking in behind another person who is authorized to enter the area.
As an example, the criminal may impersonate a delivery driver whose hands are full of packages. He waits for an authorized employee to open the door, then asks the employee to hold it for him, and is let in without any authorization.
9. Honeytrap
This trick involves the criminal pretending to be an attractive person online. The criminal befriends their targets and fakes an online relationship with them, then takes advantage of this relationship to extract their victims’ personal details, borrow money from them, or get them to install malware on their computers.
The name ‘honeytrap’ comes from the old spy tactics where women were used for targeting men.
10. Rogue Security Software
Rogue security software might appear in the form of a rogue anti-malware tool, rogue scanner, rogue scareware, rogue anti-spyware, and so on. This type of malware misleads users into paying for fake software that promises to remove malware. Rogue security software has become a growing concern in recent years, and an unsuspecting user can easily fall prey to it, since it is plentiful.
11. Malware
The objective of a malware attack is to get the victim to install malware on their systems. The attacker manipulates human emotions so that the victim lets the malware onto their computer. This technique uses instant messages, text messages, social media, email, etc., to send phishing messages that trick the victim into clicking a link to a website that hosts the malware.
Scare tactics are often used in these messages. They might say that there is something wrong with your account and that you must immediately click on the provided link to log in. The link then downloads a file that installs the malware on your computer.
Stay Aware, Stay Safe
Keeping yourself informed is the first step towards protecting yourself from social engineering attacks. A basic tip is to ignore any message asking for your password or financial information. You can use the spam filters that come with your email service to flag such emails. Installing trusted anti-virus software will also help further secure your system.
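As an added illustration of the flagging tip above (example code, not from the original article), the following heuristic scores a message on the three cues that the phishing and malware sections describe: manufactured urgency, a request for credentials, and a link whose domain does not belong to the claimed sender. The cue lists, the scoring threshold, and the sample messages are all constructed assumptions, not any vendor’s filter rules.

```python
import re
from urllib.parse import urlparse

# Cue word lists are assumptions chosen for this demo, not a vendor ruleset;
# a real mail filter would combine such heuristics with sender reputation data.
URGENCY_CUES = ("immediately", "urgent", "within 24 hours", "suspended")
CREDENTIAL_CUES = ("password", "account number", "card number", "login")

def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_message(sender_domain: str, body: str):
    """Return (score, reasons) for one message; each cue that fires adds one point."""
    text = body.lower()
    reasons = []
    if any(cue in text for cue in URGENCY_CUES):
        reasons.append("urgency")
    if any(cue in text for cue in CREDENTIAL_CUES):
        reasons.append("credential_request")
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != registered_domain(sender_domain):
            reasons.append("link_domain_mismatch:" + host)
            break  # one mismatched link is enough to count once
    return len(reasons), reasons

def is_suspicious(sender_domain: str, body: str, threshold: int = 2) -> bool:
    """Flag a message for review when at least `threshold` cues fire together."""
    return score_message(sender_domain, body)[0] >= threshold

# Constructed sample messages as (sender's domain, body); not real mail.
SAMPLES = [
    ("examplebank.com",
     "Due to a policy change you must reset your password immediately: "
     "http://examplebank-login.example.net/reset"),
    ("examplebank.com",
     "Your monthly statement is ready. View it at https://www.examplebank.com/statements"),
]

def flagged_indexes():
    """Indexes of SAMPLES that the heuristic would flag for review."""
    return [i for i, (sender, body) in enumerate(SAMPLES) if is_suspicious(sender, body)]

if __name__ == "__main__":
    for i, (sender, body) in enumerate(SAMPLES):
        print(i, score_message(sender, body))
```

The first sample trips all three cues (the password-reset pretext, the word "immediately", and a link hosted on a domain unrelated to the sender), while the legitimate statement notice scores zero.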