What is Social Engineering?
Top 5 Types & Examples
Did you know that hackers can break into your computer or some other internet-connected device without actually doing any hacking? They can use manipulation to build trust and trick you into sharing your private information, and you may not realize this until it’s too late. If you open links in emails you receive without double-checking the name of the recipient or disclose your personal information in emails, you risk becoming the victim of social engineering.
Key takeaway: Social engineering is the use of non-technical methods to trick a potential victim into sharing their personal information with a hacker. Hackers use deceptive practices to appeal to their target’s willingness to be helpful in order to obtain passwords, bank account details, and other personal information. Read on to learn more about the five most common types of social engineering.
What Is Social Engineering?
Social engineering is an umbrella term for a variety of methods and techniques employed by hackers and other cybercriminals with the goal of deceiving unsuspecting victims into sharing their personal data, opening links to infected websites, or unknowingly allowing hackers to install malicious software on their computers. These hackers manipulate their victims into bypassing the usual cybersecurity procedures in order to gain access to the victims’ computers and/or personal information, usually for financial gain.
The term social engineering originated in social science, where it denotes any effort by the major change actors (i.e. media, governments, or private groups) to influence or shape their target population’s behavior. In simpler terms, social engineering involves the use of manipulation in order to achieve a goal, be it good (e.g. promoting tolerance) or bad (e.g. warmongering). Although it dates all the way back to the late 19th century, the term social engineering is now more closely associated with cybersecurity.
To successfully carry out their social engineering attacks, many hackers rely on their potential victims’ willingness to be helpful. Similarly, they may try to exploit their victims’ lack of technical knowledge. In most cases, however, hackers will conduct research on the potential target. For individual targets, this involves a thorough check of their social media accounts for any personal information that they have shared, including their birthdays, email addresses, phone numbers, and the places they visit the most.
The process is somewhat different for business targets. Hackers need someone on the inside to gather intelligence about the enterprise, its operations, employee structure, and the list of its business partners. Most of them thus choose to target low-level employees who have access to this information. They will either trick the target into sharing this information voluntarily or infect their computer with malicious software that will monitor their network activity and send detailed reports directly to the hacker.
What Types of Social Engineering Exist?
Social engineering comes in many shapes and forms. Some attacks can only be carried out offline, like strangers being polite and counting on your kindness to enter your office building and acquire the information they need in person. There are also some social engineering attacks that are carried out over the phone. Known as vishing (voice phishing), they involve a person falsely introducing themselves as a fellow employee or a trusted authority and directly asking for the information that they’re after.
When it comes to online social engineering, the five most common types include the following:
- Spear Phishing
Whereas most phishing campaigns involve the mass-sending of emails to as many random addresses as possible, spear phishing targets specific groups or individuals. Hackers – also known as phishers – will use social media to gather information about their targets – sometimes referred to as spears – in order to be able to personalize their phishing emails, thus making them seem more realistic and more likely to work.
In an effort to make their attacks look even more like the real thing, phishers will introduce themselves as a friend, a business partner, or some outside institution that’s somehow related to the victim. For example, a phisher may pose as a representative of the victim’s bank and ask them to provide the information they’re looking for. What’s more, they may also use the official logo and imagery of the bank in question to make it more difficult for the victim to tell that the message is not genuine.
Baiting is different from most other types of online social engineering in that it also involves a physical component. As the name suggests, baiting involves an actual physical bait that the victim must take in order for the attack to be successful. For example, the hacker can leave a malware-infected USB stick on the victim’s desk, hoping that they’ll take the bait and plug it into their computer. To increase their chances of success, the hacker might also label the USB stick “important” or “confidential”.
If the victim takes the bait and plugs the USB stick into their computer, it will immediately install malicious software on their PC. This, in turn, will give the hacker insight into their online and offline activity, as well as access to their files and folders. If the infected computer is part of a network, the hacker will also gain instant access to all other devices that make up this network.
Pretexting involves the use of a captivating pretext designed to grab the target’s attention and hooks them in. Once they are immersed in the story, the hacker behind the attack will try to trick the potential victim into providing valuable information. This type of social engineering is often seen in the so-called Nigerian email scams that promise you a lot of money if you provide your bank account info. If you fall for it, not only will you not see a dime but you may even lose the money that’s already in your account.
- Contact Spamming
Contact spamming is perhaps the most widespread form of online social engineering. As the name suggests, hackers use this method to send out spam messages to all of their victims’ contacts. Those emails will be sent from the victims’ mailing list, which means that they’ll look more realistic to the recipient. More importantly, they will be much less likely to end up in the spam folder of their inbox.
This method works in a very simple way. If you see an email sent from your friend with an informal subject line (e.g. “Check this out!”), you may open it to find a textual link. The link is usually shortened, so there’s no way to see what it is without clicking on it. However, if you click on it, an exact copy of the email will be sent to all your contacts, thus continuing the spam chain. Additionally, the link may take you to a malicious website and download spyware or some other malicious software on your computer.
- Quid Pro Quo
Latin for “a favor for a favor”, quid pro quo is a type of social engineering that involves an exchange of favors and services between a hacker and their unsuspecting target. Most often, hackers will pose as IT support technicians and ask you for your login details so that they can run an allegedly important cybersecurity check. In addition, they may ask you to disable your antivirus software or install a program they send you, thus allowing them access to your computer and giving them a chance to install malware.
Examples of Social Engineering Attacks
Some of the largest social engineering attacks in recent years include the following:
- In 2017, more than a million Google Docs users received the same phishing email which informed them that one of their contacts was trying to share a document with them. Clicking on the link included in the email took them to a fake Google Docs login page, where many of the targets entered their Google login data. This, in turn, gave hackers access to more than a million Google accounts, complete with emails, contacts, online documents, and smartphone backups.
- In 2007, a Michigan treasurer fell for a Nigerian pretexting scam that involved a fictional prince who wanted to escape from Nigeria but needed help transferring his fortune out of the country. Over a few months, the treasurer made several payments of $185,000 total ($72,000 of his own money) to the hackers behind this email scam. It was later revealed that the rest of the funds came from the $1.2 million he had embezzled during his 13 years of public service.
- In 2013, hackers managed to steal the credit card info of more than 40 million Target customers. According to official accounts, the hackers first researched the major retail chain’s air-conditioning subcontractor and targeted their employees with phishing emails. This allowed the hackers to access Target’s network and steal the customers’ payment info. Although the perpetrator was never caught, Target had to pay $18.5 million in 2017 to settle state claims.
How to Protect Yourself from Social Engineering
Because the hackers behind social engineering scams most often rely on their victims’ kindness and willingness to help, the best way to protect yourself is to be less trusting in an online environment. While using the best antivirus software is certainly important, you also need to be very careful on the internet.
If someone sends you an email claiming that they are one of your vendors or business partners, you should call their office before you reply to their email or open any links or attachments it might contain. Similarly, if an email allegedly sent by your friend looks suspicious, call your friend to make sure they were the ones who sent it. No matter who you’re exchanging messages with, never disclose your credit card details, bank account info, Social Security number, or any other personal information in an email.
In addition to manipulating your emotions, hackers will often try to trick you into installing malicious software on your computer. Depending on the type of software, this may allow them to monitor your activity, copy and delete your files and other data, as well as to steal your passwords, credit card details, and other sensitive information. To prevent this, you should use the best antivirus software that can easily find and remove malicious software and keep your computer protected from all potential threats.
- Fraud Magazine
- NBC News
- The Register
- Wikipedia (1)
- Wikipedia (2)
Are you protected?
Hackers often use malicious software to monitor your activity, access your files, and steal your data. Don’t leave your online security to chance.