There are all sorts of different organisations in the world, doing all sorts of different work, but one thing they have in common is the humans that make up their teams.
On the whole, humans are a pretty nice bunch. We want to help each other, do our jobs well, and make it as easy as possible for our workmates and bosses to do their work, too.
Sounds nice — and it is! The downside is that cyber attackers have found a way to use all these positive traits against us. This is called social engineering, and it’s a common attack technique that works remarkably well.
Most of us rely on technology, whether for work, entertainment, keeping in touch with friends and family, or staying up to date with what’s happening around the world. We’re connected to the internet regularly (if not constantly), which means there are plenty of opportunities to be targeted by social engineering.
Today we’re going to define social engineering and introduce a few related terms to get familiar with. We’ll also explain how social engineering works and talk about the most common forms of it. Then, we’ll share six tips for spotting social engineering attacks, including what to do if you think you’re being targeted.
Social engineering terminology
What is social engineering?
Social engineering is a form of attack that’s built around human interactions and behaviour.
It often involves tricking people into not following standard practices, with the goal of getting them to reveal sensitive information or make sensitive changes.
Social engineers also use techniques to manipulate, influence, and deceive people. Because of all this, it’s a pretty sophisticated type of attack that can be tough to spot.
What is a social engineer?
A social engineer is an attacker who operates like a con artist typically would — which means you could quite easily not realise they’re an attacker at all.
There are a few common social engineering tactics you can watch out for, though. A social engineer is likely to try to do the following:
- Use your emotions against you
- Convince you of the story they’re telling you
- Get you to take some kind of action as a result
What is a social engineering attempt?
A social engineering attempt is when someone tries to trick you into giving them access or information they’re not meant to have and that they can use to cause harm.
How does social engineering work?
Rather than using tools like malware or viruses, social engineers rely on manipulating human reactions in everyday social situations.
For most of us, it’s human nature to want to help someone who’s in need or try to solve a problem when someone tells you something is wrong. Social engineers build their attacks around these kinds of responses.
If you’ve ever worked in a customer-facing role, you’ll know that being empathetic, caring, and wanting to make sure people have a positive experience is a big part of what makes you good at your job. The tricky thing is that working with customers also means you’re almost constantly dealing with strangers, which opens you up to more social engineering attempts than if you were in a different type of job.
Social engineering attempts can happen in person, over the phone, or through digital channels like email and social media. Social engineers will choose their communication method carefully, making sure whatever they choose suits their goal.
It’s important to note that not all social engineering attempts come from strangers. Sometimes peer pressure from people you know (like your workmates or others related to your workplace) who want you to break the rules can also be a form of social engineering. This is where attackers might use the names of other people you know or reference your close relationships to create a false sense of trust.
The three components of a social engineering attempt
While social engineering can be hard to spot when you’re in the middle of it, there are some common elements you can keep an eye out for.
- A story.
Social engineers will tell you a story to explain who they are. Their stories can be very credible (read: well-researched) and will help them seem familiar in the context of your work — like you should know who they are, and you’re at fault if you don’t.
- An action.
After they’ve told you their story, they’ll explain what they want you to do and why they need your help.
- An incentive.
They may offer a reward for helping them, like a gift or money, or play on an emotional trigger, like suggesting your employer will be unhappy with you if you don’t do what they’re asking.
Social engineers can get really creative, and they have many resources they can use to craft a convincing story.
To make their stories more believable, they might get information from:
- Social media profiles
- Company websites or financial reports
- News articles
- Stolen information, whether from lost documents, illegally accessed accounts, or, in some extreme cases, items or documents people have thrown out or given away.
Next, let’s look at some of the different forms social engineering can take.
Common forms of social engineering
Social engineers have plenty of options when it comes to tricking us into giving up personal information, and grouping them by the techniques and channels used is one way to make them easier to understand.
Pretexting social engineering is one of the more advanced types of cyber security attacks. It involves the attacker forming a relationship with you before they ask you to do anything.
While they’re building this relationship, they might use your personal information, like your date of birth, phone number, or the names of people you know — creating a sense of “if they know this about me, they must be trustworthy”.
Building trust with you is precisely what they’re aiming for. Once they’ve done that, it’s more likely you’ll say yes to whatever they ask.
Baiting is when an attacker tricks people into giving them information, downloading files, or plugging things into their computers (like USB drives) in exchange for something valuable.
What that “something valuable” is can vary, but a typical online example is free music or movies. In the physical world, it could be a USB drive offered as a promotional gift that looks innocent but is loaded up with malicious software.
The next step up in a baiting attack could be to label a hard drive “confidential” or “urgent” and strategically leave it in an organisation’s reception area for employees to grab and plug into their work computers.
Diversion theft is a social engineering attempt where attackers trick people into sending information or goods to the wrong person or place.
In the digital world, this usually involves people being convinced to send sensitive information to someone who shouldn’t be receiving it. This is commonly done by creating an email address that seems legitimate (say, from a bank) but isn’t and using it to request information from the people it’s targeting.
In the physical world, diversion theft typically involves transport companies being convinced to redirect their deliveries to a different location where the goods can be stolen or swapped out for something less valuable.
Tailgating is when an attacker tries to sneak into an organisation or a restricted area by following someone who legitimately has access. This often happens where an entrance is controlled by software and electronic devices, like a swipe card. Since this type of restriction makes unauthorised entry much harder, social engineers will try to trick someone into letting them follow them in.
Tailgating social engineering techniques play on people’s tendency to be helpful. Common examples include an attacker carrying a lot of items (like laptops, bags, or coffees) and looking like they need the door held open for them, or creating a sense of being rushed on their way to an important meeting.
Phishing, spear phishing, and smishing
These are very common attacks in which an attacker sends you an email (phishing) or a text message (smishing) to try to trick you into giving them information.
These messages can be very cleverly targeted — especially in the case of spear phishing, which works by collecting personal data on a specific individual. Using techniques like this, attackers can convincingly pretend to be friends or colleagues of the person they’re targeting.
Dating scams or honey traps
Dating scams typically happen on dating websites, apps, and social media. Attackers take advantage of people looking for relationships online, creating profiles with fake names and photos found on the internet and using these to form connections.
Once they’ve done this, they use emotional triggers to try and get money, gifts, credit card details, and sensitive information from the people they’ve connected with.
Vishing is a type of social engineering scam where attackers use phone calls to trick you into sharing your personal information.
Attackers typically pretend to be calling from a well-known place (like an internet company or government organisation) to warn you about compromised accounts, ask you to make an urgent payment, or suggest that you need help installing their software.
As customer-facing roles are designed to help customers and deliver the best possible service, attackers often target help desk support or customer support teams through vishing, asking them to reset passwords or give them access to an account they shouldn’t have access to.
Six tips for spotting social engineering attempts
The more confident you are about what to look out for, the better your chances of realising when you’re being targeted by a social engineering attempt.
Luckily, there are some common clues we can stay alert for.
- You’re being rushed.
Attackers create urgency, so you’ll feel like you don’t have time to think their request over. Their goal is to put you off-balance, so you’re more likely to agree to their request.
- You’re being asked to skip or go against standard procedures.
This signals you’re being asked to do something that’s against company policy, which usually means it’s risky — for you, your organisation, or both.
- Overly curious or prying behaviour.
A person asking too many questions or asking about things that don’t concern them is a red flag that could indicate they’re gathering information to use to their advantage.
- Confusing jargon and technical language.
An attacker may try to pressure you into taking action by making it seem like they know more about a situation than you do. If you don’t understand what they’re asking you to do or why, and their explanations don’t make it any clearer, proceed with caution.
- The offer seems too good to be true.
If they’re offering you an incentive, ask questions and take some time to think over what they’re saying. If it seems too good to be true, it probably is.
- The message language and tone are a bit off the mark.
In the case of a written message like email or text, look at whether it has a generic greeting, a tone of urgency, or spelling or grammar that’s not quite right. These are all hallmarks of a message that isn’t legitimate.
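The written-message clues from this list can be turned into simple checks. The following is an added example, not code from the original post: it scans constructed sample messages for a generic greeting, urgency pressure, a request to skip procedure, and a too-good-to-be-true offer. The cue phrases are assumed starting points, not a definitive list, and spelling or grammar errors are left to a human reader.

```python
"""Heuristic checks for the written-message clues described above.

Added example: the cue phrase lists are assumptions to illustrate the
idea, not a complete or authoritative set of indicators.
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "hello,")
URGENCY_CUES = ("immediately", "urgent", "within 24 hours", "right now", "act now")
BYPASS_CUES = ("don't tell", "skip the", "no need to verify", "bypass", "just this once")
OFFER_CUES = ("you have won", "free gift", "claim your prize", "guaranteed")


def spot_clues(message: str) -> list[str]:
    """Return the clues found in a message, in the order the post lists them."""
    text = message.lower()
    lines = text.strip().splitlines()
    first_line = lines[0] if lines else ""
    clues = []
    # A greeting that does not use your name suggests a mass mailing.
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        clues.append("generic greeting")
    # Pressure to act fast is meant to stop you thinking the request over.
    if any(c in text for c in URGENCY_CUES):
        clues.append("rushed / urgency")
    # Being told to skip a normal check is a strong warning sign.
    if any(c in text for c in BYPASS_CUES):
        clues.append("asked to skip procedure")
    # Unexpected rewards are the "incentive" part of a social engineering story.
    if any(c in text for c in OFFER_CUES):
        clues.append("too good to be true")
    return clues


# Constructed sample messages for demonstration only.
SUSPICIOUS = """Dear Customer,
Your account will be suspended within 24 hours unless you confirm your password.
There is no need to verify this with your IT team, just reply with your details."""

ORDINARY = """Hi Priya,
Attached are the notes from Tuesday's meeting. No rush, have a look when you get a chance.
Cheers, Tom"""


if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(name, "->", spot_clues(msg) or ["no clues found"])
```

A message with no flagged clues is not proof it is safe; the check is a prompt to slow down and verify through a channel you already trust.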
What to do if you think you’re in the middle of a social engineering attack
Firstly and most importantly, politely excuse yourself from the situation so you can stop all communications with the potential attacker.
Depending on what you feel most comfortable with, you can talk to your manager first or go straight to your IT support team if you’re being targeted through your digital work channels like email, chat, or social media.
Try our SafeStack Academy Security Awareness programme
By arming yourself with the knowledge of how social engineers operate, you’re already in a much better position to keep yourself safe. Make sure to also follow the cyber security guidelines set out by your organisation — they’re there to protect you, your workmates, and your company.
Like any type of cyber attack, social engineering can happen to anyone. That’s why we share engaging, action-focused cyber security training that helps you develop the skills you need to identify when they might be happening to you.
Our short courses give you all the information you need to know and include interactive tasks and quizzes so you can test your knowledge and build your confidence in applying what you learn to your day-to-day life.
Get a free 14-day trial and see how your organisation can benefit from our Security Awareness programme.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at firstname.lastname@example.org and let us know what you think.