While computing devices themselves are technically capable of being infallible, they all remain slaves to human interaction, be it in terms of the code underneath their operating systems, or the quality of programming that goes into the software they run. What’s more, computing devices are at the whim of a range of human beings with varying levels of security knowledge and awareness.
Social engineering exploits human vulnerabilities, and is a core factor in a range of criminal schemes. While no one can make themselves immune to social engineering, being aware of the common tactics used can reduce our susceptibility to manipulation.
In this article, we explain what social engineering is and how it’s used, and provide tips to help you ensure you don’t become the next victim.
Often termed “hacking the human,” social engineering is a skill. Human interaction expert Jenny Radcliffe defines it as:
Social Engineering is the manipulation of a person or persons through psychological or non-technical means, in order to gain access to finance, data, information or even physical access to premises or goods. It’s a “people hack” because it uses human beings rather than technology as the basis for an attack.
A skilled social engineer targets and exploits human weaknesses and vulnerabilities in an effort to circumvent controls and procedures that would otherwise prevent them extracting the information they seek.
As cybersecurity expert Joshua Crumbaugh points out, social engineering isn’t new and is what conmen have been doing forever. It has just been given a different name.
Social engineering often targets the person whose information the attacker is trying to glean, but it may also target those who have access to that information, such as accountants or customer service representatives. These attacks can take place via various media, including phone, email, snail mail, text message, and online chat.
Many online scams we’ve written about in the past involve social engineering techniques, including phishing attacks, elder fraud, dating scams, and tax scams. Plenty of schemes center around getting people to hand over financial information, money, or goods directly. But often scammers are only after a small set of seemingly harmless information for use in a broader scam.
Here a few examples of schemes involving social engineering to illustrate the type and scope of these attacks.
SIM swapping
This is a little-known but increasingly popular scam where fraudsters hijack cellphone numbers for various reasons, including stealing money or cryptocurrency or even extorting victims for valuable Instagram handles.
The crux of the scam involves the criminals tricking cellphone carrier customer service representatives into transferring someone else’s account onto a SIM that they (the hackers) already own. An attacker might only start with a name and phone number, then use social engineering to uncover more detailed information about the account holder, such as their zip code, social security number and the last four digits of their credit card.
Eventually, after the hacker has discovered sufficient information (often involving multiple customer service calls or online chats), they can convince a representative to access the account and transfer the phone number to a new SIM (in the hacker’s possession).
The real owner of the phone number is then shut out of their account (they lose phone service) and the attacker has access to and control of all information stored on the victim’s phone. They can use it to access social media accounts, drain funds via mobile banking apps, and more. The phone number can even be used to bypass two-step verification methods in place. Attackers work quickly to get what they want, so the damage is done before victims realize what has happened.
Account access phishing scheme
While phishing schemes are many and varied, there is one very popular type of phishing scheme that targets customers of large companies like Netflix, Facebook, and PayPal. The victim will receive a phishing email that appears to come from the company, regarding a generic topic, such as updating payment information or account cancellation.
The recipient will be prompted to click a link which will take them to the company website. The problem is, the link is a phishing link which leads to a fake (phishing) website designed to gather users’ login credentials (usernames and passwords).
Once criminals have these credentials, they can access the account, depending on the nature of the account, they may use it to find out more personal information including credit card details, make purchases, contact friends and family members of the victim, and more.
These scams can be very sophisticated and both the emails and malicious websites can look legitimate if you’re not paying attention. However, there are usually tell-tale signs such as a misspelled company name in the sender’s email or the website URL, and poor spelling and grammar in the email and website content.
Tech support scam
In a tech support scam, initial contact is often made via a phone call. Alternatively, a computer popup (that’s difficult to get rid of) might state that there’s a computer issue such as a virus, and provide a number to call. Scammers will purport to be technicians representing large firms like Microsoft, and will ask the victim to allow remote access to their device.
Once they have access, the fraudster is free to do what they like within the system, including installing malware or accessing accounts. There have even been cases where the scammer will ask the victim to access their online banking account and complete a transaction “as a test” to make sure everything is working.
Some criminals will even double down on this scam and ask for payment information to take a fee for “fixing the issue.”
CEO fraud and whaling
Individuals fall victim to phishing attacks all the time, but businesses offer criminals the chance of bigger payouts. One type of phishing scheme that targets companies is CEO fraud. In this scheme, phishing emails are sent to employees with the goal of learning more information about the company, such as the day-to-day schedule of senior employees and which employees have access to company funds.
Once they have gathered enough information, the criminal can send an email to select employees who are duped into believing the sender is a senior manager, executive, or even CEO of the company. They might ask employees to carry out an urgent request—for example, initiate a wire transfer to an outside account.
The emails will often target the finance department of the company or any personnel authorized to access and transfer company funds. CEO fraud cost Ubiquiti Networks more than $40 million when it was the target of a 2015 scheme.
Grandparent scam
This horrible scam is becoming more well-known, unfortunately as more cases are reported. Scammers prey on the trust and vulnerability of the elderly when they pose as their grandchildren asking for help. They will purport to be in some type of financial trouble and ask for funds to be sent or for banking information.
This scheme is typically carried out over the phone, so the fraudster has to mimic the grandchild’s voice. You’d think this would be very difficult, but it still works in many cases. The scammer will at least know the name of the grandchild, but may know more detailed information (often gleaned from social media) that helps them to persuade their victim.
Loverboy scam
In this scam, perpetrators approach victims – often via social media – with the aim of building a romantic relationship with them. The perpetrators will prey on the victim’s vulnerabilities, overwhelming them with declarations of affection, promises of a better life and expensive gifts. Ultimately, the victim is coerced into cutting ties with their family and friends. Once they are sufficiently isolated – which is often achieved by moving them to a different country – the victims are forced into prostitution.
In April 2023, Europol reported the conclusion of Operation MOTLEY, which saw the arrest of nine Bulgarian nationals believed to have trafficked young women to the UK for sexual exploitation. The perpetrators targeted their victims on social media and used the “loverboy” method to lure them to the United Kingdom, where they were advertised on adult services websites.
These are just a few examples, and there are many avenues a social engineer will look to exploit in an attempt to steal information, or gain access to something or someplace they shouldn’t.
Social engineering is all about psychology. These criminals understand the human psyche. They know how people generally react in certain situations, so they can tailor their approach to manipulate responses.
By creating fear, for example, saying something like “your account has been compromised – please log in via this link and change your password now,” the savvy criminal seeds a very compelling call to action that far too many people are likely to heed. Indeed, in Proofpoint’s “2023 Human Factor” study, 11 percent of malicious links were clicked on within one minute of delivery.
A social engineer will often rely on other tactics such as the following (with examples):
- Curiosity: A funny image you just have to look at
- Urgency: A friend has been stranded in a foreign country and needs your urgent assistance to get home
- Empathy: An email from a charity for sick children, along with a handy link allowing you to send your cash straight to the criminal
- Compliancy: A boss has sent a request and it’s ingrained in you to comply immediately
In other cases, there are no real tell-tale signs, and the engineer is just very crafty in the way things are worded. For example, “playing dumb” with a customer service representative could mean they give you a little leeway and help you with prompts to verify an account.
Of course, not everyone will react in the same way, and many attempts to access information will be unsuccessful. But it’s human nature to want to trust and help people, and to avoid conflict. If the perpetrator tries enough times, they will eventually hit the right target.
For example, if a criminal is phishing for information from a customer service representative, if one person isn’t being helpful, all the engineer has to do is cut the conversation and try someone else.
Social engineering isn’t a new concept, but the opportunities for criminals are arguably more prevalent than ever before. Here are some of the reasons why social engineering is such an attractive tactic:
Minimal technological knowledge required
Yes, social engineers need some knowledge of human psychology to be successful. But hacking a human is often far easier than hacking a computer. While some attacks are large-scale and intricately planned, many are rudimentary and involve calling or messaging a long list of targets. This form of attack is often a go-to for criminals with limited technological knowledge as very little education or know-how is needed to develop and execute an attack.
Digitization and accessibility of private information
These days, everything from photo folders to bank accounts to medical records are accessible through websites and apps. While this makes it convenient for people to access accounts, view their information, and make necessary changes, it makes it easier for criminals to do the same.
It only takes a few small details for someone to potentially have access to a plethora of information about you. Not only that, but the control we have at our fingertips means it’s straightforward for someone to change your information and block you out of accounts.
Public information
The age of social media has brought with it an environment in which a ton of information can be gleaned about an individual or a company just by conducting a little online research. Profiles on sites like Facebook, Twitter, and Instagram can give criminals plenty of information about where someone lives, vacations, eats, shops, banks, and more.
For large-scale attacks against companies, criminals can look to company websites and platforms like LinkedIn to research the roles and backgrounds of employees before executing their plan. They can even look at things like post comments to learn more about the corporate lingo and the relationships individual employees have with each other.
Criminals can also use facts in the news to their advantage. For example, citing a recently-announced company merger as the reason for an email requesting a password change might help persuade the reader to comply.
Although social engineering schemes are many and varied, there are precautions you can take to mitigate the risks. Here are our top tips to avoid becoming the next victim of a social engineer.
1. Use common sense
We’re only human and we’re bound to make mistakes, but using common sense and keeping your wits about you is the best thing you can do to ensure you don’t become a victim of social engineering.
Never share your personal or financial data with anyone. That includes usernames, passwords, PIN numbers, and any other data that reveals anything about you that could be of use to a criminal.
Social engineers often tempt people with offers that are just too good to pass up. When considering an opportunity, take some time to consider how realistic it is. Bear in mind the old saying: “If it sounds too good to be true, it probably is.”
2. Verify who you are talking to
Fraudsters will often add a sense of urgency to requests, so be on the lookout for those types of situations. Slow down and take the time to verify some facts about the request. If someone visits in-person (at home or at the office), ask for an ID card and to arrange a different time to meet.
If it’s a phone call, ask for the person’s name and a callback number that you can then verify. Fraudsters often impersonate people you know, such as family members or co-workers, so you could ask questions to verify their identity.
When contacted via phone, email, or SMS, search for the company online (for example, via a Google search) to find official contact information and verify the caller or sender.
3. Don’t open emails from unknown senders
Never open links or attachments in emails from unknown senders. Treat any unsolicited email with suspicion, even if you do recognize the sender—many phishing emails are sent through legitimate accounts that have been hacked. Such communication is often used to spread malware or phish for personal information.
Malicious emails often include links to phishing sites, which are fake versions of legitimate websites designed to steal information such as your login credentials (username and password) for specific accounts.
4. Secure your computer
Although social engineering hinges on human interaction, securing your computer and applications can help. For example, spam filters are becoming increasingly adept at identifying bogus emails and preventing them from ever reaching your inbox.
Security software, such as antivirus programs and full internet security suites, often include tools that can identify or block phishing emails, as well as protect systems from the more direct threat posed by malware.
5. Use two-step verification or two-factor authentication
If someone learns your account credentials or deduces them via a brute force or similar attack, having an extra verification step in place can help greatly. Many platforms offer two-step verification (2SV) where a secondary step (often entering a code received by text or email) is required after you enter your usual login credentials. There are also third-party apps you can use to set up 2SV, such as Google Authenticator and Authy.
Note that 2SV is sometimes referred to as 2FA (two-factor authentication) although 2FA technically refers to a process where the second step involves a different type of authentication, such as biometrics (for example, a fingerprint), a keycard, or a fob.
Although you might have your wits about you when is comes to disclosing information, there is still a chance you could become victim to attacks. Data breaches occur all the time, even in companies you think are secure, such as financial institutions and social media platforms. In these cases, lists of username and password combinations often end up doing the rounds in cybercriminal circles.
Plus, even if you keep your information safe, you can’t always trust company representatives to avoid social engineering. As in the case of SIM swapping earlier, you might find yourself a victim as a result of someone else’s loose lips.
6. Train employees to recognize attacks
If you’re a business-owner or you have some sway in your company’s security policies, you might want to look into employee training against social engineering. Many firms offer programs specifically designed to help combat these attacks and will even come in and perform penetration testing to see how employees react in the face of security risks.
Aside from training, general policies might also require reform in order to stay safe, such as how urgent requests are dealt with.