What Is Social Engineering and How Does It Work?

What Is Social Engineering in Cyber Security

People like to think of email hackers and cyber attackers as international men of mystery. They are a foreign threat in people’s minds, often with a poor grasp of the English language. And while this does describe a certain segment of spammers and phishers, it is a dangerous mindset to have.

Cyber Security threats come in all shapes and sizes, both local and foreign. And it’s the emails you get from people who sound just like you, who speak your lingo, who convincingly mimic the emails you get from your boss, your colleague, or your supplier, that can cause the most damage. This is a trend in cyber attacks known as social engineering.

What Is Social Engineering in Cyber Security?

When looking for a social engineering definition, there’s something that you need to understand. People trust people. It’s innate. Society relies on trust to operate – you trust the businesses you deal with, your clients trust you, you trust the friends and family that surround you. And it’s this trust that a social engineering attack relies on.

Attackers that use social engineering as a tool specifically exploit the trust that you place in other people. They use it to their own advantage, either by posing as someone that you already trust – a friend, colleague, or boss – or by manipulating your emotions to gain your trust. The very meaning of social engineering is creating or fabricating a social connection to gain information or access.

How Does Social Engineering Work?

Now that you understand what social engineering means, let’s take a look at how social engineering attacks happen.

First things first, while there are many different types of social engineering attacks, they all start with the same step. Research. Attackers will spend some time getting to know you on social media, getting to know your company through its website. The foundation of all successful social engineering plots is gaining your trust, and the best way to do that is to know a bit about who you are and what you do. That way they can know the right person to pose as.

From there, they make contact. Sometimes contact starts with email scams. You know the type. A Nigerian prince looking for a new bride. An inheritance with your name on it. A chance to win a million dollars – all you have to do is click on this website link. But social engineering takes this one step further, because you already know about those kinds of scams. Instead, social engineering scam emails will look like they’re coming from a legitimate source. Maybe one of your social media platforms warning you that your details have been compromised. Maybe someone you went to school with, reaching out.

Other times, first contact will involve pretending to be someone you are close to. A colleague you’re friends with. Your boss asking for a quick favour. A supplier letting you know that their banking details have changed. Sometimes they’ll ask for small, seemingly insignificant tidbits of information – your cellphone number or personal email address, for example.

Next, once they’ve exchanged a few emails with you and gained your trust, they’ll strike. They’ll send a link for you to click that installs malware on your machine. Or they’ll ask for a password. The ways that they gain access may differ, but the result is the same – they get what they came for, be it access, money or data.

In some cases, they won’t need to ask for any details at all. That ‘supplier’ asking you to update details on your side won’t need anything from you, after all. They’ll just wait for you to pay your latest invoice into the wrong account, and their job will be done.

And then, they’ll disappear. You won’t hear from them again. Mails will bounce back. WhatsApp and phone messages will go undelivered. It will be like they never existed. They’ve got what they needed from you and won’t need to chat or gain your trust any longer. They can simply take what they need from your systems and servers, use your data to their own advantage, or enjoy the money that got transferred.

Social Engineering in Action

It’s one thing knowing how social engineering attacks work, but it’s another seeing them in action. Let’s look at some examples of social engineering attacks that really did take place.

1. Spear and Whale Phishing

While there are plenty of types of phishing out there, spear phishing and whaling (where attackers target high-ups in a business like CEOs, Founders, and Managers) have the potential to do the most damage. Don’t take our word for it – just look at Belgium’s Crelan Bank. All it took was an attacker compromising one high-level exec’s email address, and the attacker managed to convince employees to transfer $75.8 million (or R1,115 million) into his account.


And though high-level targets do make for great paydays, they are not the only people who need to worry about their emails being hacked. Any employee could become the target of spear phishing mail. With so much information available online, it’s easy for an attacker to access personal information that could see your employees falling for a social engineering scam and having their email addresses hacked.
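The contact-then-strike pattern described above (a trusted name on an unfamiliar address, replies quietly redirected, a lookalike supplier domain, an urgent banking-details change) can be turned into a simple mailbox check. The following is an added example, not code from Solid Systems; the names, domains and sample message are constructed, and the trusted-contact directory is a hypothetical stand-in for a real address book.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people the recipient trusts (hypothetical names/domains).
TRUSTED = {
    "Alice Ndlovu": "example-corp.com",    # the boss
    "Acme Supplies": "acme-supplies.com",  # a known supplier
}
TRUSTED_DOMAINS = set(TRUSTED.values())

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as acme-supp1ies.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_flags(raw_message):
    """Return the reasons an email looks like it impersonates a trusted contact."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # 1. A trusted display name, but the address is not on that person's domain.
    if name in TRUSTED and domain != TRUSTED[name]:
        flags.append("display-name impersonation")
    # 2. Replies are silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to mismatch")
    # 3. Sender domain is one character away from a domain we trust.
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, d) == 1 for d in TRUSTED_DOMAINS):
        flags.append("lookalike domain")
    # 4. The 'strike' step: urgency combined with a request to change banking details.
    body = msg.get_payload() or ""
    if re.search(r"\b(urgent|urgently|immediately|today)\b", body, re.I) and \
            re.search(r"bank(ing)? details", body, re.I):
        flags.append("urgent banking-details request")
    return flags

# Constructed sample: the 'supplier' whose banking details have changed.
SAMPLE = """From: Acme Supplies <accounts@acme-supp1ies.com>
Subject: Updated banking details

Please update our banking details today so the invoice is paid urgently.
"""

if __name__ == "__main__":
    print(impersonation_flags(SAMPLE))
```

The thresholds and word lists are illustrative; in practice this kind of check belongs in mail filtering alongside SPF, DKIM and DMARC results rather than as a standalone script.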

2. Online (and Offline) Baiting

Would you click on the link in an email that offered you the job of your dreams? Would you give up information about yourself or your job if you were offered something in return – some money on the side, or even a gift sent in the mail? What if you came across a USB drive in the work parking lot – would you plug it in and try to find out who it belonged to?

This kind of online and offline baiting is a technique that has seen great success for hackers. Particularly when the USB trick led to what was, at the time, the worst breach of U.S. military computers.

3. Data Breaches

Even the most secure facility in the world isn’t immune to cyberattacks. Last year saw the FBI’s Law Enforcement Enterprise Portal becoming compromised in a data breach. While no personally identifiable information was accessed, fake emails were sent to over 100,000 email addresses. And who wouldn’t trust and click on a link in an email coming straight from the FBI?

4. DNS Spoofing

You think you’re visiting a trustworthy site. You’ve typed the domain name straight into your browser, rather than clicking a link in an email. You try to sign in, but something’s not quite right. There’s a 404 error, a page not found, a blank screen. This kind of DNS spoofing can happen in any number of ways – it could be your device, your ISP, or even the site’s host that’s been compromised. But the result is the same – your login details are in an attacker’s hands, to be used as they like.

This happened to a number of sites hosted on Amazon Web Services back in 2018, and in one case saw attackers walking away with over $150,000 (or over R2 million) in cryptocurrency after gaining access to users’ MyEtherWallet login details.

5. Scareware

If your own machine told you that it had found a virus, would you trust it? What if it was a seemingly qualified technician telling you that you needed to pay for them to run a program that cleans your machines and devices of infected files? You’ve never heard of the program itself, but you can trust a professional, can’t you?

The answer is no. At least, not without doing a bit of research first. Scareware is a popular tool that both cyberattackers and unscrupulous individuals use to scare you into paying for a service that you don’t need and that they don’t perform. Take, for example, the case of the Star Tribune. Visitors to the newspaper’s website had ‘adverts’ pop up to inform them that their machines were experiencing security problems. If they wanted to fix it, they had to pay $49.95 for a fake anti-virus.

In cases of scareware, there often isn’t anything actually wrong with the machines. Users simply hear the word ‘virus’ and want to do everything in their power to protect themselves, even if it means paying for services they don’t actually need. In other cases, attackers will actually infect machines with malware, pretend to ‘detect’ it, and offer to remove it at a cost.

More than 90% of targeted security threats start with an email. How sure are you that your email's secured?

How Do You Know Who To Trust?

With social engineering attackers often playing on your emotions, pretending to be trustworthy individuals, even people you know or work with, it’s difficult to know who to trust. And this is especially the case when trying to find the right IT support partner to work with. The social engineering examples above show you just how difficult (and dangerous) trusting a new company can be! How can you know whether they are the right Managed IT Services provider for your business, or just a threat waiting to happen?

A good place to start is by doing a bit of research. Companies like Solid Systems that have been around for over two decades are going to be far more reliable than those who have popped up overnight. That’s not to say that all new businesses are untrustworthy, but there are risks involved in working with start-ups that have less experience in the industry.

You also want to find a business that works with you. You want someone who will help you reach (and exceed) your goals, who talks to you on your level, not throwing around jargon that you don’t understand. You want someone who will create strategic roadmaps that see you adopting and embracing new technologies without exceeding your budget, and who are well versed in everything you need, from infrastructure management to email security services.

Want to learn more about why Solid Systems is the perfect partner for your business? Contact us today, or book a meeting to discuss your needs.

Daniel Avinir

Head of Client Success at Solid Systems | Virtual CIO. I have a love and passion for people, their minds, technology, and nature. I believe in empowering people to work in increasingly flexible and productive ways, helping them unlock the collaboration potential and leading the cultural & technological change of our time.