Social engineering: what it is and how to identify it
Social engineering is a psychological manipulation technique used by criminals to persuade victims to reveal confidential information or to trick them into doing something.
Social engineering is extremely effective because criminals, including cybercriminals, know that fooling people can often be much easier than circumventing physical or computer security barriers.
You may wonder why people always seem to fall for criminals' lies. Well, there are many reasons. Sometimes we get distracted, tired, or simply fail to identify the risk when it appears.
The truth is, one of our intrinsic characteristics as human beings is empathy, that is, the desire to be friendly and obey authority. And these are precisely the two factors most exploited by criminals when pulling off social engineering scams.
In practice
At the end of the day, the goal of criminals using social engineering to trick their victims is almost always to achieve something for their benefit: to collect information to commit fraud or attack systems; to make quick money; to steal identities, and so on.
Let’s take a look at a few social engineering techniques widely practiced by criminals.
Pretexting
Through pretexting, criminals make up a story to manipulate victims into taking actions they wouldn’t usually do under "normal" circumstances. A trustworthy person is often impersonated to more easily convince the victim of the scam.
For example, a scammer might send an email to the victim posing as the company's support department, claiming that a security problem has been identified on the computer and that new security software needs to be installed.
Another scenario involves the victim receiving a telephone call from someone pretending to be a bank representative, claiming that a suspicious transaction has been identified in the victim's account. The victim is then required to provide some personal information to confirm that they are really using the card.
Pretexting essentially exploits trust.
Baiting
Baiting is a technique where cybercriminals set traps to draw victims’ attention.
A common technique is to leave virus-infected USBs lying around in a crowded place like a company cafeteria or co-working office, hoping that a curious victim will plug it into the work computer, infecting the systems with malware.
This technique is also used digitally when cybercriminals offer surprise gifts or exclusive discounts in fraudulent messages. Ultimately, these are just traps to hook victims.
Baiting essentially exploits curiosity.
Phishing
Phishing is a scam used by cybercriminals to send fraudulent electronic communications to victims in an attempt to get them to perform some action harmful to themselves, whether that means providing confidential information, clicking on a malicious attachment, or transferring money to the scammer. Phishing is often accompanied by pretexting and baiting techniques.
When phishing occurs via email, cybercriminals usually pose as a legitimate company, claiming that there is an incredible discount on a product, or that a problem has been identified with an account, such as a missed payment or attempted invasion.
Phishing over instant messaging apps involves cybercriminals often impersonating a victim’s acquaintance and asking them to transfer a certain amount of money to resolve an urgent problem.
Phishing essentially exploits fear, greed, and empathy.
How to spot and avoid social engineering scams
Unfortunately, anyone can be targeted by a scammer. However, there are some ways to identify and avoid social engineering in case a criminal tries to use them against you.
1) Be wary of offers that seem too good to be true
If someone offers something that seems like an incredible deal, it is likely a scam. Be wary of investments with guaranteed, risk-free returns and messages that claim you've won a prize you weren't even expecting.
2) Don't share confidential information
Never share confidential information like passwords, access credentials, credit card numbers, bank account information, or personal data, no matter how legitimate or urgent the communication may seem.
3) Verify requests and don't trust unknown senders
Before clicking on a link, making a cash transfer, or sharing information, carefully verify the source of the request. If it is an unknown sender, it’s best to ignore the request. If you know the apparent sender, contact the person by other means to check if the request is true.
4) Reject unsolicited contact
Whether by email, phone, or instant messaging apps like WhatsApp, if someone contacts you asking for some type of information, or has some unmissable offer or claims you need to contact some kind of support, the best thing is to ignore the message. If in doubt, contact the person or institution in question directly to find out more details about what happened.
Protect your company against social engineering scams
Company employees are just like the rest of us and are also potential victims of social engineering scams. That’s why it’s vital to invest in employee cybersecurity awareness so that they learn to adopt safe daily habits, keeping the organization protected.