Home»Cybersecurity Encyclopedia»Social Engineering: Definition, Types, Detection & Prevention

Social Engineering: Definition, Types, Detection & Prevention

social engineering

What is social engineering?

Social engineering is a manipulative technique used by criminals to elicit specific actions in their victims. These actions usually include revealing sensitive data or giving access to protected systems.

Social engineering is seldom a stand-alone operation. It is usually a step in various fraud schemes. This technique is especially efficient in cyberattacks.

Types of social engineering attacks

By location:

  • Online
  • Offline

By target action:

  • Data theft

Criminals pretend to be a trustable organizations like a bank. They use the gathered information to obtain immediate gain (e.g., money from a bank account) or use it for other social engineering types.

  • Malware infection

Victims are evoked to download malware or visit websites with drive-by-download technology, where the malware is automatically downloaded without the user’s consent. Another method involves persuading victims to connect removable hardware to their information system, which can lead to malware infiltration. The goals of malware infection might be to access acquisition and data theft.

  • Access gain

Criminals manipulate people into giving access to their cloud workspaces. That is how ransomcloud infects Google Drive.

By communication medium:

  1. Phishing technique is implemented via email.
  2. Vishing uses the telephone or, in some cases, video conferencing.
  3. Smishing also uses telephones, but instead of voice communication, it sends text messages (SMS).
  4. Water holing, also known as water holing social engineering, is a technique that utilizes websites frequently visited by users. These websites, such as social networking websites, forums, popular blogs, or trusted online media, are used to distribute malware links.

By the message customization:

  • General phishing has a general message that can be applicable to many people (e.g., a letter from a bank or Microsoft).
  • Spear phishing is much more customized. It requires the personal data of a victim like their title, company name, boss’ name, etc. A good example of spear phishing would be an email from Accounting or HR department or CEO fraud.

How social engineering works

Social engineers use some prominent psychological traits and peculiarities to attain their goals.

  1. Perception

Human perception doesn’t perform full force all the time, especially when we are emotionally imbalanced or busy doing some important tasks.

For example, our brain doesn’t read letter-by-letter but rather perceives a word on the whole. This fact makes it easy for criminals to forge senders in an email:

christopher@gmail.com vs. chirstopher@gmail.com vs. chrlstopher@gmail.com

  1. Emotion

When overwhelmed with feelings, humans find it hard to apply reasonable thinking. The messages of cybercriminals often aim at powerful emotions to bring down the guard:

  • A letter from “boss” demanding information ASAP:
    • Sense of urgency
    • Fear
  • An email promising a reward:
    • Greed
    • Despair
    • Sense of entitlement
  • A request from “HR” to fill out the form:
    • Social emotions
    • Fear of missing out
    • Interest
  1. Cognition

First, humans make cognitive mistakes all the time. Here are some basic examples that criminals exploit:

  • Trust to authorities like the government, international organizations, popular web platforms, or the company.
  • Trust to people on social media (“Joe is my colleague’s friend so I can trust him”)
  • The false sense of security (“It never happened to me or anyone I know; therefore it won’t happen”)
  • Reciprocity (“Peter treated me so nicely, I can trust him”)

Second, most people lack knowledge about social engineering and its means.

  1. Volition

Even though many people know about social engineering and cybercrime, they often lack the will to follow security requirements. For example, people don’t check the sender of the message or the link in the email.

Detecting social engineering attacks

  1. Check sender:
    • Look for spelling mistakes in the sender’s name (e.g., George vs. Goerge).
    • Check the domain name of the sender’s email address (e.g., microsoft.com vs. micirosoft.com).
    • Compare “from:” and “reply-to:” sections. Do they contain the same sender addresses?
  2. Check recipient. Too many recipients in CC signalize that it’s spam and probably a scam.
  3. Check content for the following red flags:
    • Multiple grammar mistakes.
    • Impersonal greetings (Dear Client, Madam, etc.).
    • A request for PII (personally identifiable information).
    • The presence of attachments you weren’t expecting.
    • The links with suspicious addresses.
    • The emotional tone of an email.

Learn more:

How to protect Office 365 from phishing?

Security Awareness Training

How to prevent social engineering attacks and handle the consequences

  1. Plan and conduct a regular training course for your employees. Alternatively, acquire one from a third-party provider
  2. Use spam filters to decrease the number of scam emails.
  3. Apply multi-factor authentication to prevent criminals from accessing your email.
  4. Create an action plan your employees can use in case of a successful phishing attack.
  5. Purchase antimalware software that protects your digital ecosystem from the most common types of malware.
Published on: Nov 12, 2021
Anastasia, IT Security Researcher at Spin Technology
AUTHOR Anastasia, IT Security Researcher at Spin Technology