As the world moves more and more online, it’s more important than ever to recognize the scams and techniques that these crooks use. Popular social engineering tricks include:
- Phishing emails from friends and trusted sources
- Vishing calls from phony customer and tech support
- Fraudulent smishing SMS messages
- Baiting with free offers
- Pretexting
- Quid pro quo
- Piggybacking and tailgating
To learn more about social engineering and how to protect yourself, read the full article below.
Rather than exploiting technical weaknesses in computer networks or systems, criminals can get what they want by preying on a victim’s trust. This act of manipulation is called social engineering, and it has proven to be a very successful (and much easier) way for criminals to reach their goals. As our lives become more and more digitized, social engineering tricks and tactics have become more sophisticated and harder to spot. In this article, we’ll delve into how social engineering works, some common scams and cons to look out for, and how you can protect yourself and your business.
How Does Social Engineering Work?
In a social engineering attack, a cybercriminal interacts with victims and gains their trust in order to obtain sensitive data or get them to perform an act they might not otherwise do. If they’re trying to infiltrate a corporate network, con artists might pose as tech support, a new employee, or a person of authority. If they’re looking to drain individual bank or cryptocurrency accounts, cybercriminals might pose as customer service representatives. The scammer’s end goal is to ask questions, engage in conversation, and squeeze sensitive information like passwords or login credentials out of targets. The bad actor could also be trying to pry out other information, such as names, job titles, and company or private knowledge, to use on other victims and make themselves more credible.
Examples of Social Engineering Attacks
Social engineering attacks usually come in the form of emails, phone calls, text messages, and sometimes face-to-face interaction. Whatever the means of communication, social engineering attacks tend to have a sense of urgency, fear, or some other strong emotion connected to them. The aim is to push victims to take action without careful thought. When flustered, victims might do a number of things without fully thinking the situation through:
- Hand over personal or company data
- Give up passwords, login credentials, or multifactor authentication codes
- Click a malicious link
- Download a malicious file
- Send money, gift cards, or cryptocurrency to a fraudulent account
- Give remote access control of a computer
It’s estimated that 70% to 90% of social engineering attacks start with phishing. Here are a few examples:
1. Phishing emails or messages from a friend or contact
The domino effect that social engineering can cause is alarming. Once a social engineer has successfully hacked someone’s email or social media account, they have access to the victim’s entire contact list. The cycle then continues as the cybercriminal tries to compromise all of the accounts on that person’s contact list. While the details of attacks are limited only by the perpetrator’s imagination, researchers and cybersecurity experts have picked up on some recurring social engineering techniques and themes:
- Urgent help: Your “friend” or contact is stuck in another country. They’ve either been robbed or injured in an accident and need financial help. People who respond might be asked to click malicious links or downloads, send money or Bitcoin, or could be guided to a fraudulent site where they’ll enter sensitive data the scammer can steal.
- Request from boss or co-workers: A scammer could ask about invoices or company credit card details, upcoming projects, or anything connected to company business. Sometimes “bosses” will ask their workers to buy gift cards that they can hand out as company perks.
- Please donate to charity: A compromised email might ask you to donate to a charity that is helping with a timely topic or issue. Those with soft hearts might send money to a phony charity or click a malicious link, which will then subject them to malware or redirect them to a spoofed charity site.
2. Phishing emails from trusted sources
Cybercriminals have become quite talented at recreating websites and can redirect targets to spoofed sites where they’ll enter their credentials. Here are a few common phishing techniques:
- Response to your inquiry: Fraudsters pose as huge companies or services that millions of consumers use every day and “respond to your question.” Since they’re casting such a wide net through phishing campaigns, some users who actually asked questions or have been having issues will want to jump on the opportunity and respond.
- We need verification: Imposters from legitimate-looking sites may ask for account verification. You’ll be asked to provide information via email, or be redirected to a spoofed form on a malicious website. Talented hackers can copy logos and banners and make a website look like the real deal, so victims may not hesitate to enter sensitive data.
- Government and legal requests: Victims have reported receiving fake emails from real law firms or government entities, requiring their appearance in court. The email requests that the target click a link to confirm they received the notice. Scammers might also instill alarm by claiming there are unpaid or overdue taxes.
- You’re a winner: Whether it’s the lottery, an inheritance from an unknown relative, or an accidental overpayment, victims come out losers instead. One recent scam targets people who have ads for services or items up for sale. The scammer sends a check for too much money and asks the mark to send back the difference. Since the check is fraudulent, it bounces when cashed and the victim is out the difference.
3. Vishing and “smishing” attacks (voice and SMS text phishing)
Some phishing emails will request that you call or text customer support, tech support, or a company department. Fraudsters can set up these false customer support phone numbers for banks or financial apps and go hunting for targets. Through spam emails and phishing attempts, they’ll try to bait victims with phony security alerts or customer service queries. On the other end of the line is a bold social engineering criminal looking to run a scam and steal your information. But scammers can also call or text you. Outbound calls are especially dangerous because fraudsters can spoof the real customer support numbers of legitimate companies and organizations. You might get a call or SMS from “your bank,” a financial app, or another service you use. Never provide any confidential information when a representative calls you by phone.
4. Spear phishing attack
These scams are much more personalized, making the target all the more likely to fall into the trap. In spear phishing attacks, the perpetrator homes in on one specific mark — likely someone who has a strong presence online — by thoroughly researching them on Google and sifting through their social media accounts. Think about it like this: a person recently posted that they were at their mobile phone provider getting a device upgrade. The phisher could use that information to craft a spear phishing email using the mobile provider’s logos, the device they purchased, and any other information they gathered. Or they could call the target in a vishing attack and try to pull out credit card numbers or other account information. If a phisher goes after a high-profile target, like a celebrity, CEO, or other company higher-up, it’s called whale phishing (or whaling).
Common Social Engineering Techniques
Since social engineering comes largely in the form of phishing, it’s important to be aware of the different techniques and nuances used during attacks. The only limit on these attacks is the attacker’s imagination. Through emails, phone calls, text messages, and face-to-face communication, these crooks are able to pull all kinds of information out of unsuspecting victims using different methods. Here are a few examples that experts and researchers have uncovered:
Baiting
Cybercriminals have been known to leave USB drives loaded with malware around offices, coffee shops, and libraries, or even hand them out at work conferences. While targets think they’re getting free storage drives, they could be unknowingly installing remote access trojan (RAT) malware or ransomware onto their systems or devices. This concept is known as baiting, and hackers favor it because it’s so effective. In emails, calls, and texts, scammers try to bait targets into clicking malicious links or downloading virus-loaded files with offers of free gift cards, music, movies, or other enticing gifts. Baiting in this case is quite similar to phishing. Sometimes they also use the baiting technique in reverse, by making it seem like you’re going to lose money if you don’t act. A good example of a reverse-baiting phishing email is this one:
This email uses a trusted name (Norton) and believable yet fake invoice numbers. It also creates a sense of urgency by setting a deadline and stating that you have to act if you don’t want to lose money. The message even tries to look valid by including a phone number. However, the layout, the spelling errors, and the fact that the recipient in this case never ordered Norton 360 are clear signs that this is a phishing email.
Pretexting
This is when the scammer has created a story, or pretext, that they want the target to fall for. Generally, victims are approached by someone posing as a person of power, such as law enforcement, a company executive, or an auditor — someone who appears to have the authority to access login credentials or sensitive data. This illusion of power might make a victim feel obligated to hand over sensitive data. Imagine you’re a new employee at a company and someone pretending to be the CEO or head of IT calls you up or emails you. You’re more likely to give up login information for the corporate network during a “credential check” from someone in authority.
Quid Pro Quo
This technique is used when targets actually need something. Once a suitable target has been found — say the cybercriminal has been looking for a worker who actually needs tech support — they offer their service in exchange for sensitive data. A hacker posing as IT support could be hunting for someone who’s been having a common problem, like logging into the company’s VPN. Once they’ve found their mark, the attacker offers to “take care of their technical problem” if the victim gives them remote access to their computer or provides their login credentials.
Piggybacking and Tailgating
These are social engineering techniques that occur in person or electronically. If a malicious actor wants access to a restricted area or to pass through security checkpoints, he or she comes along with someone who has the authorization. They could do this by tricking a target into thinking they’re someone they’re not. A target might be more apt to let a “security guard” tag along into a secured area, or let a “cybersecurity official” walk them through logins. Tailgating is similar, but the authorized person isn’t aware they’re being followed. This could be something as simple as physically sticking a foot in a door before it closes, or as complex as hacking and tracking the activity of an online user.
How to Protect Yourself Against Social Engineering Attacks
While social engineering and phishing attacks are widespread and can be devastating for individuals and companies, there are measures you can take to protect yourself and your business. Here are some tips:
Technical tips for avoiding social engineering attacks
The best line of defense against social engineering attacks is to learn how to recognize and steer clear of them. But if you happen to run into any of these scam communications, there are other ways you can protect yourself. Here’s what you can do:
What Information Are Social Engineering Scams Looking For?
Con artists are constantly trying to think of ways to get you to respond in the heat of the moment. It’s a good idea to think like a crook and remember exactly what these scammers are after. In the end, the goal is often the same. They might want:
- Your login info and passwords: Never give your login information or passwords for “verification” over the phone or in an email. These credentials should only be entered in secured parts of legitimate websites.
- Money or cryptocurrency transfers: Whether it’s a “friend” stuck in a tough situation or a company representative asking for account verification, never make a transfer unless you know the person and had already been planning to send them money.
- Remote access: Cybercriminals often request remote access to your device to “fix an issue” you might have. You should never give anyone remote access to your device, especially not someone who contacted you out of nowhere.
- Two-factor/multifactor authentication info: Fraudsters could be hunting for 2FA codes or passwords to access your account. Never give these up. They’re there to offer an extra wall of protection in case your passwords are compromised.
- Your personal information: If a social engineer can’t get any of the above, they’ll be more than happy to obtain all sorts of other information, often by cyberstalking their victims. Security questions for lost passwords are often things like children’s and pets’ names, schools you attended, or jobs you’ve worked at — all of which the cybercriminal can use against you. Scammers can also gather information about a company to make themselves more believable when trying to breach a corporate network.
Even Big Companies Are at Risk of Social Engineering Attacks
Even companies with the highest level of cybersecurity training and technical know-how can fall victim to these kinds of tactics. When hackers breached Twitter in 2020 and ran an unprecedented Bitcoin scam on users, they used social engineering to infiltrate Twitter’s administrative network. Instead of exploiting technical vulnerabilities, the cybercriminals took it to a human level: posing as Twitter IT support, they offered to fix a common VPN issue that Twitter employees had been facing. The hackers directed a high-ranking employee to a fraudulent phishing site and persuaded them to enter their login credentials. Simultaneously, the hackers entered those credentials into the real Twitter site. When prompted for two-factor authentication, the employee complied, and the hackers had access to one of the largest social media platforms in the world. Many attackers use social engineering tactics to commit CEO fraud and watering hole attacks as well.
In today’s increasingly dangerous online world, it’s more important than ever to recognize threats and know how to protect yourself and your business.
Social engineering attempts typically carry a sense of urgency or try to instill some kind of strong emotion. They pressure the reader to take action immediately, in the hope that the victim acts before they’ve had time to think. The attackers might pretend to be technical support or customer service, contacting you via calls or emails you didn’t request.