What Is Social Engineering? How Fraudsters Use Human Behavior Against You

Graphic: Nathaniel Blum

January 3, 2020

In the early days of internet connectivity, computer hacker Kevin Mitnick figured out that the easiest way to bypass security efforts and gain access to sensitive information was to exploit human weaknesses. Using psychological manipulation to trick people into sharing information—a tactic called social engineering—was an easier method of hacking than using technical know-how.

“Mitnick’s message is simple: Humans are the weakest link in any security system,” wrote Simson Garfinkel, the U.S. Census Bureau’s senior computer scientist for confidentiality and data access.

Mitnick became famous for his criminal efforts, then went legit after serving time in prison, building up a career as a prominent computer security consultant, author and speaker. He now helps businesses and individuals learn that social engineering is common, frequently effective and can be resisted if people are empowered with the right information.

What is social engineering?

Social engineering is a deceptive attack in which a bad actor exploits human social tendencies to obtain or access information about an individual or organization. These attackers commonly pose as people we trust or know. When targeting businesses, they may pose as those we all expect to interact with, such as a new employee, a repair person or a researcher. The person may contact just one or multiple people within an organization, gathering enough information from various sources over time to succeed in breaching the network.

Social engineering in cybercrime reaches back to the late 1970s, when computer technician Stanley Mark Rifkin used deception to get access to the wire transfer facility of a bank in California where he worked as a contractor. He stole the numerical code used to authorize wire transfers between banks. Then, he called the bank in the guise of an employee from the international division and requested to have $10 million transferred to an offshore account.

Mitnick pushed this approach to a new level in the 1980s and 1990s with such crimes as hacking Pacific Bell’s voicemail computers and copying proprietary software from several cellphone and computer companies. He claims that he was able to do all of this by deceitfully manipulating company employees to provide him passwords and codes.

The practice has become increasingly widespread since then, with criminals constantly finding new ways to get people’s attention and trust. Proofpoint’s Annual Human Factor Report for 2019 reveals that more than 99% of cyberattacks depend on a human user clicking on something that gives the hacker the access they’re looking for.

How does a social engineering attack work?

Social engineering attacks take various forms, but in many cases they come as a communication that looks like it’s from a friend, colleague or other trusted source. The message usually contains a link or attachment to download, or a request for some type of information that you may not normally share with others, such as a password or account info. The person contacting you may ask you to make payments for something you want to buy with a gift card or through a money transfer service.

“The most important thing for people to know about social engineering is that no hardware or software can completely protect you,” said Mason Wilder, research specialist at the Association of Certified Fraud Examiners. “These attacks succeed because they target human vulnerabilities rather than systems or networks.”

What are the types of social engineering attacks?

Phishing attacks are a common type of social engineering attack. A phishing attack is a form of deception in which an attacker uses email or a malicious website to pose as a trustworthy person or organization and solicit sensitive information.

A common example of a phishing attack is a hacker posing as a representative from a bank or other financial institution and calling a victim with the news that there’s a problem with their card or account. They request information such as passwords and account numbers, which they then use to access the accounts illegally. Attackers are also apt to leverage current events such as national disasters, epidemics or elections to gain traction with victims.

There are many variations on phishing, with amusing names such as vishing, smishing, spear phishing and pharming.

  • Vishing is a social engineering attack that uses voice communication, such as a phone call from a purported bank rep. This can be combined with digital techniques, such as an email instructing a victim to call a certain number.
  • Smishing is a social engineering attack that uses text (SMS) messages, which often contain links to webpages, email addresses or phone numbers.
  • Spear phishing is a targeted and refined form of phishing, in which the attacker creates custom emails directed at well-researched victims.
  • Pharming is a social engineering attack that uses malicious code and fraudulent websites. Attackers use digital communications to make you click on a link that installs malicious code designed to automatically direct your browser to bogus websites.
  • Scareware is a social engineering attack that scares a user into clicking on a link. The attack often comes in the form of a pop-up that informs a user that their computer is being taken over by a virus, which can be stopped by clicking a link.

“Information gained from these attacks allows bad actors enough information to successfully pull off romance scams, identity theft, business email compromises, employment scams and the like,” said Dorothy Riggs, senior financial crimes investigator with the Financial Crimes Unit of Synovus financial services company.

How can I protect myself from scams?

The best way to try to protect yourself from social engineering scams is to be suspicious of online communications in general, and of calls or emails from those you don’t know in particular.

“The best way for consumers to protect themselves is to stay skeptical,” said Wilder. “Take your time and double-check things like email addresses and URLs, think twice before opening any attachments, and beware of any message that tries to instill a sense of urgency. Social engineers are banking on victims reacting instantly and reflexively.”

It’s important to follow your gut when evaluating the communications you receive online. These types of scams will often elicit feelings in you—whether panic, fear, excitement or anticipation. Check in with yourself before moving forward.

“If it sounds too good to be true, it is probably a fraud,” said Dr. Robert K. Minniti, president of Minniti CPA LLC. He offers some of the following tips for staying safe from social engineering attacks online.

  • Be wary of people you don’t know sending connection requests, and be suspicious of recently added profiles or profiles with few connections.
  • Never post personal information on the internet or answer questions of a personal nature online.
  • Do not give passwords, account information, or social security numbers to anyone unless you have initiated the communication.
  • Don’t click on links contained in emails that come from unfamiliar sources.
  • Never make payments for an online transaction with a gift card or through a money transfer service.
  • Pay attention to each website’s URL to make sure it is correct; look for spelling mistakes or anything else suspicious. A secure website will start with https, instead of just http.
  • Make sure you have good, up-to-date antivirus, antimalware, and antiransomware software on all of your electronic devices.
  • Sign up for any anti-phishing features that your email client or web browser offers.
  • When in doubt, arrange to speak to a person on the phone—or better yet, on a video chat or in person—before sharing any personal information.
  • If you’re skeptical of the origin of a certain communication, use reverse phone/email search services to try and potentially get more information about where the calls or emails originated.

It’s important to realize that these attacks can get quite sophisticated, in some cases being almost impossible to detect as fraud. It’s possible to get tricked even if you maintain a healthy skepticism and have all the protective software in place.

“Fraudsters are good at what they do,” said Riggs. “Many scammers or hackers are master manipulators. They troll social media profiles and websites to gather enough information to successfully draw intended marks into their webs of trickery and deceit.”

That’s why one of the best defenses is staying up-to-date on the latest creative scams that cybercriminals are using to fool unsuspecting victims.

“When you hear about the latest incident, don’t brush it off and think, ‘that could never happen to me,’ or ‘I wouldn’t fall for that,’” said Riggs. “Listen and take note.”

Disclaimer: The above is solely intended for informational purposes and in no way constitutes legal advice or specific recommendations.