What is social engineering?
At its core, social engineering is simply manipulating people into revealing sensitive information.
Social engineering has existed for thousands of years, long before modern history; consider the ancient account of the Trojan Horse, a wooden horse the Greeks used to get inside the city of Troy and win the Trojan War.
Even today, in an ever more connected world, social engineering continues to exist outside of cybersecurity. Many social engineering techniques have been, and still are, used in intelligence gathering, such as in recruiting assets. Operations security (OPSEC) is frequently compromised through clever social engineering.
Everyone on the planet is vulnerable to social engineering; the right attack method at the right time on the “right” person can compromise anybody. For an organization, one person giving sensitive information to an attacker can be enough to affect everyone else in that organization.
Social engineering attacks
Social engineering attacks listed here are in reference to the common end user as opposed to organizations or public figures.
Phishing
Phishing is a very broad topic, and it is near-impossible to cover all of its nuances, including tactics, procedures, and methods, on this page alone.
According to the National Institute of Standards and Technology (NIST), phishing is “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”
At its core, phishing is a social engineering attack. Teasing apart NIST’s definition of phishing, there are two main components here:
- Someone is posing as someone else (a trusted entity)
- Request for sensitive information
In short, malicious actors exploit human trust by imitating a "trusted" entity in order to obtain access to sensitive or confidential information.
Phishing comes in many forms, but the most common vector for phishing attacks is an email that often includes a link to a phishing website. However, other forms of phishing are also growing increasingly popular:
- Text messages (smishing)
- Social media direct messaging
- Phone call (vishing)
Additionally, successful phishing attacks can entice a user to give control of their device to attackers or download malware that further compromises the user’s device.
Scams
Like phishing, scams come in many different shapes and sizes; it is likewise impossible to cover all the nuances of scams here.
More elaborate scams, such as “romance scams,” where the scammer poses as a romantic interest and often asks for money or gift cards, rely heavily on social engineering; these scams often carry on for months or years to establish trust. In the end, victims are often scammed out of money, cryptocurrency, and sensitive information such as social security numbers (SSNs) or other personally identifiable information (PII).
Phishing and scamming frequently overlap; phishing is often used as a method to scam people out of money. As a very general rule, phishing is focused on obtaining information for further malicious purposes (such as access to an enterprise network to deploy ransomware), whereas scamming is focused on obtaining money or cryptocurrency (such as enticing a victim to use a money-transfer app to send money directly to the scammer).
Baiting
Baiting is just as it sounds - offering a tempting “want” in the hopes someone takes it and consequently falls into a laid trap.
Baiting typically involves malware, or tricking users into installing malware on their devices. Attackers sometimes use phishing techniques to get the malware installed, but this is not always the case.
For example, an attacker might offer a free download of a much sought-after digital product; however, once downloaded, this digital product might execute malicious code on the device. Or the attacker might offer a free item in exchange for the user purchasing a set amount of goods, only to never deliver the free item or the purchased goods.
Baiting can also carry over into the “physical world” in the form of USB baiting: malware-infected USB devices (such as phone chargers) that, once plugged into a device, execute malicious code on it.
Protecting yourself from social engineering attacks
Protecting yourself from social engineering attacks is an ever-changing, multi-step process and requires vigilance on the user’s end. Social engineering attacks are constantly evolving, and users should stay informed enough not to fall victim to them.
For most users, phishing (in all of its numerous forms) is by far the most common social engineering attack they will encounter. Naturally, some phishing attempts are more convincing than others, and many phishing methods exist.
However, there are some core rules users can adopt to protect themselves from phishing and other social engineering attacks:
- Never click on unsolicited links sent via email, text message, any messaging platform, or social media direct message.
- Never click/download unsolicited email attachments.
- Avoid giving information on
- Avoid connecting unfamiliar devices, such as USB chargers, to devices.
Most social engineering attacks require a momentary lapse of judgment from the intended victim (read: you), and to increase the likelihood of that lapse, attackers will imply urgency or pressure for an immediate response. The best way to counteract this is to slow down; a healthy dose of skepticism can go a long way.