What Does Social Engineering Refer to?

Social engineering refers to a wide range of attacks that leverage human interaction and emotions to manipulate the target. During the attack, the victim is fooled into giving away sensitive information or compromising security.

A social engineering attack typically takes multiple steps. The attacker first researches the potential victim, gathering information about them and about how that information can be used to bypass security protocols or extract data. The attacker then does something to gain the target’s trust before finally manipulating them into divulging sensitive information or violating security policies.

How Does Social Engineering Work?

A social engineering attack begins with the attacker deciding what they want from an organization or person. They then study the behavior, likes, and dislikes of a human target to figure out how best to exploit them. Finally, the attacker executes the attack, trying to gain access to sensitive data or to secured networks or systems.

Human Behavior Misused for Committing Social Engineering Attacks

There are certain traits that are endemic to human behavior that social engineering cyberattacks seek to exploit.

Liking

People have a tendency to give more credibility to those they like than those they do not. To exploit this, a social engineering attacker may try to appear trustworthy, attractive, or like someone who shares similar interests.

Reciprocity

People tend to feel obliged to return a favor once they have been given something. Social engineering attackers abuse this tendency by offering advice, something exclusive, or a personalized offer to make the target feel obliged to give something back.

Commitment

After someone commits to a course of action, they feel obligated to stick with their decision. An attacker using social engineering tools can exploit this by having the victim agree to small things before asking them for something bigger. They may also have them agree to an action before its risks are obvious.

Social Proof

People are far more likely to get behind a product if other people they trust have endorsed it. Attackers may use social networking to exploit the social proof concept by claiming that the victim’s online friends have already endorsed an action, product, or service.

Authority

People naturally tend to trust authorities more than those with less experience or expertise. Hence, an attacker may try to use phrases such as “according to experts” or “science proves” to convince a target to agree to something.

How Did Social Engineering Attacks Evolve?

Despite the existence of so many modern social engineering examples, the practice actually has a long history—dating back to the 18th century. 

French Noblemen

After the French Revolution, prisoners in France falsely claiming to be valets for French noblemen sent out letters claiming they had hidden their master’s vast treasure and would provide a map to help the recipient find it. In return for this “priceless” information, they requested a modest sum and hoped for a little preferential treatment.

While computers were centuries from being invented, this kind of scam certainly fit the common social engineering definition.

European Nobleman

These kinds of early social engineering attacks continued with a similar prison-based scam involving someone incarcerated in Spain. 

The convict would write a letter claiming to be a European nobleman who had been wrongly imprisoned. The bars not only kept him from freedom but also from his impoverished daughter, who needed him free to survive. The letter would ask the recipient for enough money to secure the prisoner’s release while promising a handsome payment—far more than what the recipient provided—as soon as the prisoner saw the light of day.

Nigerian Prince

What is social engineering today? 

As time passed, the technologies and text changed but the psychological manipulation did not—as could be seen in the Nigerian Prince scam. 

The social engineering toolkit for this scam simply involves an email account and some faked documents. Someone pretending to be a Nigerian prince claims there is money locked away that they cannot access without help. If the recipient gives them the cash they need to bribe officials or pay the fee needed to gain access to the funds, the “Prince” will share the loot with the recipient. Of course, there never is any money at all, and anything the target wires never gets returned.

Social Engineering Fraud Attack Techniques

1. Baiting

A baiting attack attempts to draw in a victim by promising something that appeals to their curiosity or greed. This lures the target into installing or clicking on something that ends up putting malware, such as spyware or the malware used for pharming, onto their system.

2. Scareware

Scareware bombards a target with fake threats or false alarms in the hope that their natural inclination to protect themselves or something they value drives them to take the desired action. One of the more common variants uses realistic-looking banners warning that the computer may be infected with a virus or some other kind of malware.

3. Pretexting

In an attack that uses pretexting, the attacker lies to the victim regarding their identity. After they have gained the target’s trust, they trick them into handing over sensitive information.

4. Phishing

In a phishing attack, the attacker creates a sense of urgency or appeals to the victim’s curiosity. They then either get them to click on a malicious link or provide private information via a form.

5. Spear Phishing

With a spear-phishing attack, the victim is specifically targeted, and the attacker often performs extensive research ahead of time. Once the attacker knows how to manipulate the victim, they launch the attack, phishing for information, credentials, or sensitive data.

6. Water Holing

With water holing, the attacker tries to compromise a targeted group of individuals by infecting sites they trust. The attacker may focus on sites that the people visit frequently, knowing they are likely to feel safe on those pages.

7. Quid Pro Quo

In a quid pro quo attack, the attacker pretends to provide something to the victim in exchange for information or a specific action. For example, the attacker may pretend to be someone from tech support and then convince the target to enter commands or download software that installs malware onto their system.

8. Honey Trap

With a honey trap attack, the social engineer assumes the identity of an attractive person. They then engage in a relationship with the victim online to try to get sensitive information from them.

9. Tailgating

Tailgating involves the attacker following someone with security clearance into a building. The target either trusts the tailgater or, out of courtesy, holds the door open for them.

10. Rogue

With a rogue attack, the victim is tricked into paying to have malware removed from their system. The malware is never removed, but the victim still ends up paying the attacker.

11. Vishing

Vishing, short for voice phishing, uses a phone conversation to get financial or personal information from the target. Attackers often hide their identity using caller ID spoofing, which changes the number shown to the recipient. As with other social engineering tactics, the attacker tries to gain the individual’s trust or uses fear to get them to divulge valuable information.

Well-known Examples of Social Engineering Attacks

Frank Abagnale is probably the most famous example of a social engineering attacker. The book and movie Catch Me If You Can depict how Mr. Abagnale impersonated several people, including a doctor, a lawyer, and an airline pilot, to gain people’s trust and take advantage of them.

In 2011, an attacker penetrated the security company RSA by sending phishing emails to groups of employees. The emails had an Excel spreadsheet attached. The spreadsheet had malicious code embedded in it, which used a vulnerability in Adobe Flash to install a backdoor into the system. If the employees had not been socially engineered into opening the file, the attack would not have been successful. 

Phishing campaigns that exploit a pandemic are also common, so users should always be on the lookout.

How To Identify Social Engineering Attacks

To spot a social engineering attack, look for the following signs:

  1. An emotional plea that leverages fear, curiosity, excitement, anger, sadness, or guilt
  2. A sense of urgency around the request
  3. An attempt to establish trust with the recipient

In short, anytime someone tries to get you to provide money or sensitive information through manipulation or coercion, you are being targeted with a social engineering attack.

How To Prevent Social Engineering Attacks

Safe Communication and Account Management Habits

Always be careful when communicating online, and never trust anyone whose identity you cannot confirm. Most importantly, never click on anything that looks suspicious, and never divulge sensitive information.

Never Click on Links in an Email or Message

Instead of clicking on a Uniform Resource Locator (URL), type it manually into the address bar. Double-check the origin of all URLs before clicking on them, and if you cannot verify their legitimacy, avoid them.
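As an added illustration (not code from the original page), the following Python heuristic applies the three warning signs listed under “How To Identify Social Engineering Attacks” (emotional plea, urgency, trust building) and the URL-origin check above to a constructed sample email. The keyword lists and the sample message are assumptions chosen for the demonstration; a real mail filter would use far richer features.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword groups, one per warning sign from the page (not exhaustive).
SIGNS = {
    "emotional_plea": ["arrested", "jail", "hospital", "suspended", "you have won", "prize"],
    "urgency": ["immediately", "within 24 hours", "right now", "act now", "wire funds now"],
    "trust_building": ["this is your bank", "it department", "your manager", "we spoke last week"],
}

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def mismatched_links(html):
    """Return (visible text, real host) for links whose text names a different domain than the href."""
    parser = _LinkParser()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and not (real_host == shown.group(1) or real_host.endswith("." + shown.group(1))):
            bad.append((text, real_host))
    return bad

def score_message(html):
    """Count how many of the page's warning signs (plus a link mismatch) a message shows."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = {sign: [kw for kw in kws if kw in text] for sign, kws in SIGNS.items()}
    hits["mismatched_links"] = mismatched_links(html)
    return sum(1 for found in hits.values() if found), hits

# Constructed sample: fake bank notice with urgency and a link whose text hides its real host.
SAMPLE = ("<p>This is your bank. Your account will be suspended within 24 hours unless you "
          "verify it at <a href='http://login-verify.example'>www.examplebank.com</a>.</p>")
```

Running `score_message(SAMPLE)` yields a score of 4 with every category hit, whereas a plain message with a link whose text and host agree scores 0.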

Multi-factor Authentication (MFA)

Requiring more than a password to access an account can help prevent social engineers from breaching a system. Additional factors could include biometrics or one-time codes sent through a text message.

Using Strong Passwords and a Password Manager

Your passwords should be both complex and unique, never repeated for more than one site or account. You can use a secure password manager to organize them and have them available when needed.

Be Cautious of Building Online-only Friendships

A relationship that does not include any in-person interaction or phone conversation can easily be used for social engineering in 2021. Beware of anyone who wants to interact solely online.

Safe Network Use Habits

Never Let Strangers Connect to Your Primary Wi-Fi Network

Allowing someone to access your primary Wi-Fi network leaves it open to eavesdropping. To prevent this, use a guest network for those who visit your office or home.

Use a VPN

A virtual private network (VPN) provides you with a secure, encrypted tunnel through which communications pass. Even if someone were to snoop on your communications, the VPN would encrypt the transmissions, rendering them useless for the attacker.

Keep All Network-connected Devices and Services Secure

While your Wi-Fi connections at and around the office are likely secured, as are your mobile devices, it is important not to neglect other devices such as the infotainment system in your car. Getting into these systems can help a social engineer further personalize their attack.

Safe Device Use Habits

Use Comprehensive Internet Security Software

Internet security software can protect your system from malware that gets implanted via a social engineering attack. Some security solutions can also track the source of the attack, which can be reported to authorities to aid in their investigation of the crime.

Do Not Ever Leave Your Devices Unsecured in Public

Your computer and mobile devices should always be locked up or securely on your person. This holds true whether you are in a public place or a semi-public environment like your job.

Keep All Software Updated

Software updates help protect your applications against the newest kinds of attacks. After an attack has succeeded, the software’s vendor may address the vulnerability in an update, so applying updates promptly gives you the most current protection.

Check for Known Data Breaches of Your Online Accounts

Some companies keep track of accounts that have been compromised by hackers. If your account information is on their list, take steps to secure it by changing your password or adding MFA.

Frequently Asked Questions About Social Engineering

1. What Is Social Engineering in Cybersecurity?

In the cybersecurity realm, social engineering refers to the use of digital communications (email, text) to lure a victim into giving up their credentials, enabling an attacker to access the corporate network or computer system.

2. How Do I Protect Myself against Social Engineering Attacks?

Anytime someone tries to get you to provide money or sensitive information through manipulation or coercion, you are being targeted with a social engineering attack. Be wary of pleas that play on your emotions (e.g., your grandson is in jail), that carry a sense of urgency (e.g., wire funds now), or that attempt to establish trust. It is critical to develop the following habits to prevent social engineering attacks:

  • Safe communication and account management habits

  • Safe network use habits

  • Safe device use habits

3. What Are the Different Types of Social Engineering Attacks?

Social engineering tactics (e.g., phishing) are often used to pave the way for ransomware attacks. There are several types of social engineering attacks, all of which use fraudulent practices to trick the victim into divulging private information. These tactics include baiting, scareware, pretexting, phishing, spear phishing, smishing, water holing, quid pro quo, honey trap, tailgating, rogue, and vishing.

Phishing emails are also used to drop malicious files (droppers) onto a victim’s computer. Once the malware is on the system, attackers can gain access. Social engineering tactics can also direct unsuspecting buyers to fraudulent websites over the holidays, defrauding legitimate retailers and consumers alike.

4. Why Is It Important To Detect and Prevent Social Engineering Fraud Attacks?

Ransomware attacks, whose heists continue to grow especially in healthcare and manufacturing, are often the result of social engineering tactics that introduce malware onto a victim’s computer. In addition to the financial loss from ransomware, organizations’ intellectual property or trade secrets may be stolen. Customers’ private data (e.g., banking credentials or private healthcare information) may be sold on the dark web. Business-critical data needed to sustain day-to-day operations may be encrypted or lost.

FortiGuard Labs’ recent threat report showed that employees’ work-from-anywhere (WFA) endpoints remain targets for cyber adversaries seeking access to corporate networks. Prevention and detection are key to identifying attacks and mitigating the damage. The prevention tips above can help you guard against social engineering fraud attacks.