Many people assume that cyber attacks only target IT systems, but this is far from the truth. Much cybercrime targets people directly: it is the person, not the machine, that the cybercriminal is trying to hack. Attacks of this kind are called social engineering.
Manipulation of people
Social engineering is a process or strategy in which cybercriminals, also called social engineers, manipulate individuals into performing actions that give the attacker access to the victim's confidential information or computer. The information sought can be account details, passwords or social security numbers.
The strategy of a social engineering attack is to build trust with victims through communications that are credible and convincing. The communication most often consists of fake emails, but it can also be done over SMS messages, social media or phone.
Social engineering exploits the errors people make when processing information. Cybercriminals use targeted manipulation to impair a person's judgement at the moment they have to make a choice, so the attack relies heavily on human error rather than on a technical flaw.
Social engineering techniques
Cybercriminals typically use six social engineering techniques to influence their victims: authority, intimidation, social acceptance, time pressure, scarcity and positive evaluation (liking). Each technique evokes an emotion that impairs the victim's judgement and makes them more likely to carry out the action the cybercriminal wants.
Cybercriminals often pose as an authority, such as a well-known organisation or senior staff in the victim's own organisation. They exploit the fact that most people comply with their superiors, either because they trust them or because they are reluctant to question an authority.
Many social engineering attacks include warnings or threats of negative consequences if the victim does not follow the attacker's instructions, such as closure of the victim's account or additional fees.
People tend to follow others and will do things they see or hear other people doing. Attackers exploit this by mentioning other people, perhaps someone the victim knows, in their messages.
By building urgency into the attack, such as a short deadline, the attacker makes most people feel that they have no time to double-check and must react immediately.
If an item is in limited supply or only available for a short time, it creates demand. Attackers therefore often claim that only a limited number of a particular item is available.
People are more likely to help someone they like or feel a connection with. Attackers therefore present themselves as polite and friendly, or pretend to be someone the victim already knows.
Other human mistakes
As well as using these techniques to exploit lapses in critical thinking, attackers can also exploit other normal human traits, such as curiosity or the desire to be helpful.
By referring to an interesting job advert, the hacker can make the recipient so curious that they can't help but click on the link to the fake job advert. And by pretending to be a friend in need of money, the recipient's compassion and desire to help may lead them to transfer money to the hacker.
Social engineering in phishing attacks
The most common type of social engineering attack is a phishing attack, where the cybercriminal impersonates a known company or public authority through email, SMS, phone or social media.
A typical phishing attack is an email that urges the recipient to act immediately, for example to confirm account details, by clicking on a link. The link leads to a fake phishing website that imitates the legitimate company's site. There the victim is asked to enter confidential information and a password, which is sent straight to the cybercriminals. The link text a recipient sees and the address it actually points to are often different, which is one of the few technical clues available in such an email.
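The following is an added example, not code from the original article or from Moxso. It shows one way to check the kind of email described above: parse the HTML body, extract every link, and flag links whose visible text shows one domain while the href points to another, or whose domain borrows a trusted brand name without being a trusted domain. The email body, the domain names and the allow-list are all constructed for illustration and are not real.

```python
# Added example (not from the original article): flag phishing-style links in an
# HTML email body by comparing the text a recipient sees with where the link goes.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body of the kind the article describes. All domain
# names here are hypothetical and chosen only for illustration.
SAMPLE_EMAIL = """
<p>Your account will be closed in 24 hours unless you verify it now.</p>
<p><a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""

# Assumption: the organisation keeps an allow-list of domains it legitimately
# deals with. examplebank.com is hypothetical.
TRUSTED_DOMAINS = {"examplebank.com"}


def registered_domain(host):
    """Crude registrable domain: the last two labels of the host name.
    Adequate for .com-style TLDs; a real deployment would consult the
    Public Suffix List to handle names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html, trusted):
    """Return one finding per link: its href, visible text, registrable domain,
    whether it looks suspicious, and the reasons why."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        target_domain = registered_domain(target.hostname or "")
        reasons = []
        # 1. The visible text is itself a URL, but its domain differs from the href's.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and registered_domain(shown.hostname or "") != target_domain:
            reasons.append("link text shows a different domain than the href")
        # 2. The target is not trusted but contains a trusted brand name.
        brands = {t.split(".")[0] for t in trusted}
        if target_domain not in trusted and any(b in target_domain for b in brands):
            reasons.append("untrusted domain impersonating a trusted brand")
        # 3. A page asking for credentials is served over plain HTTP.
        if target.scheme == "http":
            reasons.append("plain HTTP link")
        findings.append({
            "href": href,
            "text": text,
            "domain": target_domain,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']} ({'; '.join(f['reasons']) or 'no issues'})")
```

Run as a script it prints one line per link; the first link is flagged on all three checks and the second passes. The checks are deliberately simple and heuristic: they catch text/href mismatches and obvious brand-borrowing domains, not every lookalike, so they belong in a mail filter as one signal among several rather than as the sole decision.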
Spear phishing attack
Social engineering is especially prominent in spear phishing. Here the attack targets specific employees within an organisation, so the message is tailored even more carefully to win the employee's trust. The cybercriminals gather personal information about the recipient from the Internet and from publicly accessible social networks beforehand.
Examples of social engineering attacks
In addition to phishing attacks, there are a number of other social engineering attacks that are important to be aware of.
Baiting is a way of attracting the recipient's interest and can be done both online and offline. A physical way to bait is to leave some hardware, such as a USB stick, in a public place where the hacker knows there are many people. This could be lifts, public toilets or car parks. The USB stick typically has a label with a company logo and a description of the contents. Out of curiosity, the recipient takes the USB stick home and inserts it into his or her computer, which is then infected with malware.
Online baiting can include advertisements that lure users with interesting offers. When the victim clicks on the advertisement, they are directed to a fake website or to download some malware.
Vishing and smishing - phishing by phone
Both types of attack are variations of phishing. Vishing, or "voice-phishing", is an attack carried out through telephone calls. The cybercriminals call the recipient and pretend to be from a well-known company that needs some information. In smishing, the hackers use SMS as a medium to lure information out of the victim.
Mailhacking is a type of attack in which the cybercriminals break into the victim's email or social media account and thereby gain access to the victim's contacts. The attackers then send fake messages to those contacts, for example a "funny video" apparently from their friend, that link to a fake website or carry malware. Because the message genuinely comes from the friend's account, the usual sender checks do not help.
Through scareware, cybercriminals can bombard their recipients with fake threats, both in emails and internet browsers. A common scareware attack is through fake pop-up banners that appear in the victim's internet browser. The banner might say that the victim's computer has been infected with malware or spyware. Recipients are therefore asked to download a tool that can help them. This tool consists of malware that the cybercriminal uses to access the recipient's data.
Unlike the previously mentioned social engineering attacks, pretexting is not an isolated attack. Pretexting is a longer process in which the cybercriminal impersonates an authority or an acquaintance. Through this process, the cybercriminal establishes trust with the recipient and becomes a trusted source. The cybercriminal can then slowly collect personal information from the victim. Often, the cybercriminal also tries to convince the recipient to transfer money to them.
Social engineering on social media
Social engineering attacks have also found their way onto social media such as Facebook and Instagram. Cybercriminals create fake social media accounts from which they send phishing messages. They can create fake posts, send messages through the chat function or reply in the comments under other people's posts.
Protect yourself from social engineering attacks
The best protection against hackers and social engineering is to raise your own level of cyber and information security. Treat every unexpected email, text message or social media message that asks you to act with suspicion, and never disclose information that can be categorised as sensitive over email or SMS, especially not through a link. If a message claims to come from your bank, your employer or a public authority, verify it through a channel you already know, such as the phone number on your card or the organisation's own website typed in by hand, rather than through the contact details or links in the message itself.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.