Social engineering: meaning, methods, and how not to become a cybercrime statistic

If we had a 2024 cybersecurity bingo card, social engineering as a top cyberattack vector would certainly be on it. According to Verizon’s latest Data Breach Investigations Report, such incidents have increased from the previous year largely due to pretexting. This tactic is commonly used in business email compromise (BEC) attacks, having almost doubled since 2022. The median amount stolen in these incidents has also soared over the last couple of years to $50,000.

Social engineering, however, isn’t just extremely widespread. It’s also one of the most insidious methods hackers use to dupe unsuspecting businesses or individuals. This is because they leverage weaknesses in human psychology, persuading people to reveal sensitive information, often without realizing they’ve become victims. They’ve come a long way from your basic Nigerian Prince scams, too, having grown both in sophistication and efficiency at an alarming rate.

This week, we’ll take a deep dive into all things social engineering, including what a social engineering attack is, how it works, how to spot and prevent these incidents, and how end-to-end encryption can strengthen your defense.

What is social engineering in cyber security? Definition and key considerations

Social engineering attacks are not primarily technological but psychological in nature. As we explained in our guide on what to do if you click on a phishing link, these campaigns rely on psychological manipulation to trick users into compromising their security, transferring funds, or sharing sensitive data. Although they use digital tools, they aren’t all that different from traditional scams, like the door-to-door salesman who convinces elderly targets to buy a dietary supplement pack subscription that never arrives.

Physical or digital, all social engineering methods rely on the same modus operandi: exploiting our weaknesses, such as vanity, fear, or greed, or on the other extreme, curiosity, generosity, or sympathy. In fact, they often capitalize on current events and certain times of the year, such as natural disasters, like the Sunda Strait tsunami, epidemics and health scares, such as the COVID-19 pandemic, economic concerns, like IRS scams during tax season, or holidays, points out the US Cybersecurity and Infrastructure Security Agency.

Hacking psychology: how does social engineering work – and why is it so effective?

Social engineering exploits the one weakness found in every organization: human psychology. Rather than using brute force methods or sophisticated hacking techniques to facilitate attacks, social engineers manipulate people into voluntarily revealing sensitive information. They’re often successful because their tactics hinge on our innate tendency to trust and be helpful. But how do they do it exactly?

According to research, social engineering relies heavily on the six principles of influence outlined by Dr. Robert Cialdini, an American behavioral psychologist and world-renowned expert on influence and persuasion. These principles are reciprocity, commitment and consistency, social proof, authority, liking, and scarcity – all widely applied in the field of sales and marketing to influence people’s buying and consumption decisions.

Social engineers, however, use them for much more nefarious purposes.

The principle of reciprocity is rooted in the idea that people feel obliged to give back if they receive a favor or a gift, even if it’s only in the form of a simple “thank you.” In the context of social engineering, attackers may offer seemingly valuable information or assistance, which prompts the victim to “return the favor,” often by providing sensitive information.

Scarcity refers to our tendency to value things more when they’re less available. Think limited edition merch launches, flash sales, and online retailers’ warnings that the product you’re eyeing is low in stock. Accordingly, social engineers may create a false sense of urgency or scarcity to prompt immediate action, often leading to compromised security.

People tend to obey authority figures, so attackers often pose as company executives, law enforcement officers, IRS agents, or IT personnel to extract valuable information. People also like to stay consistent with their prior commitments and beliefs, which malicious actors can easily use against them by first eliciting a small commitment, then escalating.

The principle of liking is based on the notion that we’re wired to be influenced and persuaded by people we favor rather than by strangers. Thus, attackers may try to build a rapport with their targets, or even impersonate trusted individuals or groups, preying on our impulse to look for social proof: behavioral guidance from our peers in times of uncertainty.

The most common social engineering attack types and examples you should know about

1. Phishing, vishing and smishing

Perhaps the most well-known type of social engineering attack, phishing involves sending fraudulent emails that appear to come from reputable sources with the goal of gaining sensitive data like usernames, passwords, or credit card details. Phishers often create a sense of urgency in their messages to prompt immediate action, which often leads victims to unknowingly compromise their security.

Vishing, or voice phishing, refers to a type of social engineering technique where fraudsters use telephony and voice technology to steal personal information or money from their targets. Vishing calls can be made by actual people or using automated robocall technology – or both. Smishing, or SMS phishing, is carried out via text messages or other popular messaging apps, such as WhatsApp, Viber, Snapchat, or Slack.

2. Baiting

At its core, baiting exploits human curiosity. It involves luring the victim into performing a specific task by providing easy access to something they want, as explained by the European Union Agency for Cybersecurity. For example, leaving a malware-infected flash drive labeled “Payroll Q4” in a spot where potential targets are certain to see it. Once the USB is inserted into a computer, the malware is installed, opening the door to cyber attackers.

3. Pretexting

Pretexting involves a scenario (or pretext) where the scammer impersonates a trusted entity – like a coworker, tax authority official, or insurance investigator – to persuade someone into giving up sensitive information. More often than not, they pretend to be technical support agents looking to fix a non-existent IT issue, bank officers calling to verify account details for a supposed suspicious activity, or HR personnel conducting routine data verification.

4. Quid pro quo

Similar to baiting, quid pro quo attacks typically start with a hacker asking for high-value information, such as login credentials, in return for a free or critical service. For example, they might pose as the representative of an external IT service provider offering the target a complimentary virus scan or as a member of the company’s in-house IT team calling to assist with debugging or installing a software update in exchange for the user’s password.

5. Tailgating

TechTarget defines a tailgating attack, aka piggybacking, as a type of physical security breach in which an unauthorized person follows an authorized one to sneak into secured premises. An attacker who’s looking to enter a restricted area that requires proper identification, for example, might pretend to be a delivery driver and wait outside the building. When an employee opens the door, the scammer casually asks them to hold it – and they’re in.

6. Diversion theft

This type of social engineering attack can be executed online or offline to intercept a transaction, usually the delivery of goods. It might be a spyware-infected laptop instead of the one the victim ordered, rewarding the scammer with both a new device and access to sensitive data. Diversion theft can have vastly more far-reaching effects if, for example, the transaction involves potentially dangerous chemicals that end up in the hands of terrorist or extremist groups.

7. Honeytrap

If you’ve seen the hit 2022 Netflix documentary The Tinder Swindler, you know exactly what a honeytrap scheme looks like. One of the oldest tricks in the book, honeytraps are set specifically for those looking for love on dating apps or social media. Fraudsters using this form of social engineering attack leverage romantic or personal allure to trap someone into sharing confidential information, giving them money, or installing malicious software.

8. Watering hole

Watering hole attacks exploit the trust users put in certain websites, especially professional communities like Stack Exchange. Users generally feel more at ease clicking on a link provided on such a site than elsewhere on the internet, which gives malicious actors a way to install malware on their devices or compromise login details. The 2019 Holy Water Campaign, for example, infamously targeted Asian religious groups with fake Adobe Flash update pop-ups.

How to recognize a social engineering threat: 10 telltale signs to watch out for

1. Unsolicited communication

Be wary of unsolicited emails, calls, or messages, especially if they’re asking for sensitive information, help or money – they might be from a scammer looking to catch you off guard.

2. Urgency

Social engineers are all about pressuring their targets to act quickly. Too quickly, to be precise. If a message is rushing you to click a link or share information, it’s a red flag.

3. Too good to be true offers

Enticements that seem overly generous – especially in return for something small like a click or a sign-up – usually have hidden motives. Always approach such offers with skepticism.

4. Generic salutations

Messages that start with generic salutations like “Dear Customer” or “Dear User” are usually suspicious. Most reputable organizations address their customers by their names.

5. Mismatched URLs

Hover your mouse over a link in an email or message to display the actual URL without clicking it. If the link text and the URL don’t match, it’s likely a scam.

6. Non-standard email addresses

Pay close attention to the sender’s email address. If it’s different from the company’s official domain or appears suspicious, it might be a phishing attempt.

7. Poor grammar or spelling

Communication from reputable businesses is usually proofread for grammar and accuracy. If a message is ridden with spelling mistakes and inconsistencies, it could be a scam.

8. Request for personal information

Legitimate companies rarely ask for personal details, especially login credentials, through email or phone. Any message making such a request should be seen as a potential ruse.

9. Unexpected attachments

Be cautious of unsolicited emails requesting you to download and open an attachment, as they’re a common delivery mechanism for malware, points out CISA.

10. Too much personalization

Cybercriminals often rely on personal details to build trust – and steal even more personal details. If a message references information you haven’t shared, be on high alert.

How to prevent social engineering: techniques, tips, and best practices

Setting up automated filters, tagging emails from external senders, and flagging senders and IP addresses with a history of malicious intent are all important steps in avoiding social engineering attacks. But let’s not forget that the primary target of these campaigns is humans – so your defense should start there.

What’s the most effective way to detect and stop social engineering attacks? There isn’t one. Instead, businesses should rely on a combination of tools, tactics, and approaches to minimize the risk of individual users falling victim to social engineering ploys – and potentially harming the entire organization in the process.

Here are the six most important ones.

1. Check the sender

Always be suspicious of emails from unknown senders, especially if they come with an external sender tag. Check if the message is actually from someone you know and, in case it’s not, if it’s something you were expecting.

When in doubt, hover over the display name of the sender to see the actual email address. Scammers often spoof email addresses to appear as if sent from a legitimate domain by altering or omitting characters here and there.

It’s also crucial to consider if the email contains a call to action. If yes, does it make sense? If someone you know is asking for information they normally wouldn’t, remember that their account may be compromised.
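Two of the checks described on this page lend themselves to a small inbound filter: tagging mail from external senders (mentioned at the start of this section) and catching sender addresses that spoof a legitimate domain by altering or omitting a character (the hover check just described). The script below is an added example, not code from the original article or from Tresorit; it uses only the Python standard library. The trusted-domain list, the homoglyph table and the sample `From:` headers are constructed for illustration. It classifies each sender as internal, a look-alike of a trusted domain (one edited character, or a homoglyph swap such as `1` for `l`), a display-name spoof (the visible name claims a trusted domain while the real address is elsewhere), or plain external, and produces the subject prefix a filter would add so that users see the warning in their inbox list.

```python
"""Classify a message sender and produce the subject tag an inbound filter would add.

Added example, not part of the original article. Standard library only; the
trusted domains, homoglyph table and sample headers are constructed.
"""
from email.utils import parseaddr

# Constructed: the domains this organisation treats as its own.
TRUSTED_DOMAINS = ("example.com", "example-corp.com")

# Characters commonly swapped in because they look alike; folded before comparing.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def fold(s: str) -> str:
    """Normalise look-alike characters so 'examp1e.com' and 'exarnple.com' compare equal to 'example.com'."""
    return s.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one altered or omitted character (e.g. 'exmple.com')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, address). Verdicts: INTERNAL, LOOKALIKE, DISPLAY_NAME_SPOOF, EXTERNAL."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return ("INTERNAL", addr)
    for trusted in TRUSTED_DOMAINS:
        # A folded homoglyph match or a single edit away from a trusted domain is a look-alike.
        if fold(domain) == fold(trusted) or edit_distance(domain, trusted) <= 1:
            return ("LOOKALIKE", addr)
    # The real address is external, but the display name claims to be one of ours.
    if any(trusted in fold(name) for trusted in TRUSTED_DOMAINS):
        return ("DISPLAY_NAME_SPOOF", addr)
    return ("EXTERNAL", addr)


def tag_subject(subject: str, verdict: str) -> str:
    """Prefix the subject the way an inbound filter would, so the warning is visible in the list view."""
    if verdict == "INTERNAL":
        return subject
    if verdict == "EXTERNAL":
        return "[EXTERNAL] " + subject
    return "[SUSPECTED PHISHING] " + subject


# Constructed sample From: headers covering each verdict.
SAMPLE_FROM = [
    '"Alice Example" <alice@example.com>',            # internal
    '"IT Helpdesk" <helpdesk@examp1e.com>',           # digit 1 for letter l
    '"Accounts Payable" <ap@exmple.com>',             # one character omitted
    '"alice@example.com" <alice.ex@freemail.test>',   # trusted address only in the display name
    '"Vendor Sales" <sales@vendor.test>',             # ordinary external sender
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        verdict, addr = classify_sender(header)
        print(f"{verdict:20} {addr:30} {tag_subject('Invoice attached', verdict)}")
```

The display-name case matters because many mail clients show only the name and hide the address, which is exactly why the page advises hovering over it. Note that the threshold of one edit is a policy choice: it will also flag `example.co` against `example.com`, which is usually what you want, but a legitimate partner domain that happens to be one edit away would need an allow-list entry.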

2. Don’t trust links or attachments

Place the cursor over any links in the mail without clicking. Be as careful as with the sender. If the message seems to be from a service you use – like Microsoft, Google, or LastPass – open the service provider’s page manually, log in and see if you receive any notifications. If not, report the email. Avoid downloading email attachments, especially from unknown senders.

3. Verify, verify, and verify again

If you’re worried that a coworker’s or friend’s account may be compromised, make sure to check in with them through another channel to verify that they actually sent you a specific communication. If you have their phone number, call them directly. If the message advises against doing so, it’s best to disregard it. No issue is so urgent that it leaves no time for following security protocols.

4. Establish and enforce policies

Speaking of protocols, make sure to have clear guidelines in place on what to do and who to turn to when something seems off. An environment where abnormal occurrences are questioned fosters vigilance. Employees should be educated on the most common social engineering techniques scammers use and what part they play in thwarting such attacks.

5. Ditch unsecured channels

Simply reducing the number of emails colleagues receive can be a huge help in mitigating social engineering attacks. Consider moving away from email as the primary means of internal communication and switching to workplace chat applications, project management tools, and cloud-based collaboration platforms instead to share information and ideas with each other.

6. Simulate social engineering attacks

As 95% of Fortune 500 companies rely on Microsoft cloud services, many of their users probably have access to information that cybercriminals consider extremely high-value. This is why Microsoft notifications are part of our quarterly phishing email drills. In these simulated attacks, our colleagues receive a spoofed security alert, but when they click to check their activity history, a proxied clone of the Microsoft login page pops up to steal their credentials.

Simulations like this are key to fostering a company culture that embraces the idea that cybersecurity is a shared responsibility. Transparent communication about potential threats and the steps the company is taking to address them can build trust and cooperation among teams. What’s more, this practice not only keeps individual users alert but also helps you identify loopholes and areas of improvement in your existing security protocols.

How can end-to-end encryption help companies protect themselves against social engineering?

End-to-end encrypted file sharing and collaboration platforms like Tresorit can be a viable layer of defense against social engineering attacks. While they can’t block such attempts altogether, they can help you create a company culture that empowers users and boosts organizational resilience against cyber threats. For example, if security protocols prescribe the use of secure links to share documents with internal and external collaborators, employees are more likely to treat email attachments with suspicion and to exercise caution.

Secure share links also allow users to revoke access to files and folders sent out in error. This is important because not all social engineering campaigns target credentials – some are after high-value company data. With traditional attachments, once the email is sent, your data is out of your control. Share links, on the other hand, can be revoked to prevent further access by unauthorized users, then document analytics (if enabled) can be checked to see how much of the shared document they were able to read.