Social engineering is at the heart of most cyberattacks. It’s a deceptive means of gaining trust from a person to get them to take a specific action.
That action could be clicking a link in an email, revealing their login password to a business app, or handing over credit card details for a scam.
Wikipedia defines social engineering as “the psychological manipulation of people into performing actions or divulging confidential information.”
While phishing and cybersecurity may be common terms that your employees are very familiar with, not all are as familiar with social engineering, which is the driver behind those phishing emails as well as other types of attacks.
It’s estimated that 98% of all cyberattacks use social engineering.
Social engineering plays on human emotions and often uses tactics like fear or the promise of a reward to manipulate someone into doing what the hacker wants.
There are usually two main goals of social engineering attackers:
- Theft of money, data, or resources
- Sabotage that disrupts business activities or damages data
Emotions Used in Social Engineering
The reason social engineering is used in so many cyberattacks is that its target is a human, not a machine. For example, it’s much easier for a hacker to trick a person into downloading spyware onto a work computer than to get past a firewall and other security controls and break into the system by force.
Emotional tactics are commonly used by social engineering scammers to get a reaction.
Fear is one of the most common tactics used in social engineering attacks. It could take the form of “Respond now or your account will be closed!”, or a spoofed email that looks like it’s from a manager might play on a person’s fear of getting in trouble for not doing a requested task.
Many of the recent COVID phishing scams use fear of getting infected as a ploy for getting someone to “click on a link to a map of outbreaks” or send money for a fake prevention product.
When you get a fake order email from Amazon (like the one below), you may initially feel anger that either “Amazon messed up” or someone placed an order without permission. The point of this emotional tactic is to get you to respond urgently, out of anger, without thinking.
Emails from customers you’ve never heard of, or emails promising large orders, can be a sign of a social engineering scam. This type uses excitement and the promise of a big sale to get you to open a fake purchase order that actually carries malware.
Curiosity is another popular emotion exploited in social engineering attacks. For example, you may receive a text saying, “You have to check out this great photo of you I found online” with a link to a malicious site. Out of curiosity you click it, even though you don’t recognize the number it came from.
Types of Social Engineering
Social engineering is the base tactic that is used in multiple types of scams. It can be deployed in a wide variety of ways to fool people into trusting the wrong person, message, or email.
The way the following scenario plays out can differ according to method, but the basics of the scam are the same:
- Gain Trust: The criminal will attempt to gain your trust. This can be through a spoofed email that uses Amazon’s logo or through knowing and pretending to share some of your interests (by researching you on social media in advance). They may also spoof a co-worker’s email address.
- Inject Urgency: In many social engineering scams, the perpetrator will inject a sense of urgency to get you to act before you can think about or research their request.
- Make You Feel Liked: In scams where the criminal is striking up a conversation over the phone or on social media, they may compliment you and “seem nice” to get you to let your guard down.
- Make a Request of You: At some point (immediately, in the case of an email) the scammer will make some type of request. It could be to click a link, lend money, or do them a favor of some kind.
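The three moves above (a spoofed “trusted” sender, injected urgency, and a request to click a link) are all visible in the message itself, which is why mail filters and awareness trainers look for them. The script below is an added example, not code from the original article or from ProdigyTeks: it parses one constructed phishing email and reports which of those indicators it finds. The sample message, the brand-to-domain mapping and the urgency phrases are all assumptions made up for the example, not an authoritative list.

```python
"""Heuristic triage of a suspected phishing email (added example).

Checks one message for the moves described in the article: a sender that only
looks trusted, pressure language, and a link whose text hides its destination.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims to be Amazon, the sending domain
# is not Amazon's, Reply-To goes somewhere else again, the subject injects
# urgency, and the visible link text does not match the real href.
SAMPLE_EMAIL = b"""From: "Amazon Customer Service" <orders@amaz0n-billing.example>
Reply-To: support@mail-verify.example
To: staff@victim-company.example
Subject: Respond now or your account will be closed!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>An order was placed on your account. If you did not authorise it,
verify your identity within 24 hours or your account will be closed.</p>
<p><a href="http://login-verify.example/amazon/signin">https://www.amazon.com/your-orders</a></p>
</body></html>
"""

# Assumed mapping of often-impersonated brands to the domains they send from.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "microsoft": {"microsoft.com"},
}

# Assumed list of pressure phrases; real filters use far larger, tuned lists.
URGENCY_PHRASES = ("respond now", "account will be closed", "within 24 hours", "immediately")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def analyse(raw: bytes) -> list:
    """Return a list of human-readable indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Gain trust: brand name in the display name, but the sender domain is not the brand's.
    sender = msg["From"].addresses[0]
    display_name = (sender.display_name or "").lower()
    sender_domain = domain_of(sender.addr_spec)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # Replies silently routed to a different domain than the visible sender.
    if msg["Reply-To"]:
        reply_domain = domain_of(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 2. Inject urgency: pressure phrases in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = f"{msg['Subject']} {body}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase: '{phrase}'")

    # 3. The request: link text naming one host while the href goes to another
    #    (the mismatch a phone user cannot hover over to reveal).
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname or ""
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Each finding maps back to one step of the scam, so the output doubles as a teaching aid: it shows a user exactly which part of the message was designed to win trust, which part was designed to rush them, and where the link really goes. A message with none of these indicators is not necessarily safe, so the checks are best treated as a triage aid rather than a verdict.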
Here are some of the ways that social engineering shows up in your daily life.
Phishing emails are the most common vehicle for social engineering, and they remain a top cause of malware infections and data breaches.
Social engineering scammers have moved from email to text messages as well, and users often get tricked into tapping a link because on a phone they can’t hover over it to reveal the URL the way they can on a computer.
Social engineering has long been used in scam calls and robocalls to make people think the IRS is going to arrest them if they don’t pay up, or that “Microsoft Support” needs to look at their computer.
Social Media Direct Messages
Direct messages over social media are another way that social engineering scammers target unsuspecting people. So much is shared over social media these days that they don’t have to spend much time learning enough about a person to try to con them.
Sign Up for Free Cybersecurity Awareness Training Today!
One of the most important layers of any good cybersecurity plan is employee awareness training. ProdigyTeks can help your Chicago area business strengthen your team’s knowledge and IT security skills.
Schedule a free cybersecurity awareness training today! Call 312-600-8357 or reach us online.