We’re willing to bet you’ve heard the word social engineering splashed across the news at least once or twice before — after all, it is by far the most common cause of cyber breaches.
But what does social engineering really mean? They’re just hackers, right?
What is Social Engineering?
Social engineering is when a cybercriminal obtains access, information, or resources that they shouldn’t have by manipulating people rather than technology. While you may think the most common way hackers breach a system is by breaking through a firewall or using a fancy password cracking algorithm, more often than not, breaches occur as the result of social engineering.
Instead of targeting technology barriers, hackers “engineer” a way to manipulate the people within your organization, under the assumption that they are the company’s biggest security weakness. The bad actors fabricate a “social” situation (usually a problem the hacker creates themselves!) — hence the name social engineering.
Simply put, the social engineer makes up a really convincing story to trick you into doing something for them or granting them access to private information.
How does it Work?
There are a variety of psychological techniques that cybercriminals use to win - and then betray - your trust. Here are a few.
Priming is when a social engineer emotionally charges the conversation to break the ice and come across as more legitimate. This makes their victims more likely to answer their questions. Maybe they start the conversation by sharing how rough their morning has been, or play an audio file of children running around in the background and then pretend to ask the kids to quiet down because Mom/Dad is on the phone. Kids, right?
Do you remember infomercials (back when we used to watch a 20-minute ad for OxiClean just because we loved Billy Mays)? They would never just straight-up tell you the price of the product. Instead, they would say “Only $49.99” or “Six easy payments of $12.99!” This is framing; the information is being presented in a way that manipulates the way that you will receive it. $78 might seem ridiculously steep, but six easy payments of $13 seems like a steal.
Cybercriminals do the same thing; they will present you with information or requests in clever ways designed to engineer the way that you will react. Next time you get an email from a stranger who can’t afford to feed his family unless you send him an iTunes gift card, think to yourself, “if he had just plainly asked me for this, would I have said yes?”
If at the height of the buzz around Tidying Up with Marie Kondo you set out on a decluttering spree only to find yourself unwilling to part with basically anything, you are not alone. Human beings are extraordinarily averse to parting with things that they own. Social engineers will use this to their advantage by dangling the loss of something - often money - in front of their potential victim, clouding their judgment and making them more willing to cooperate or share personal information.
How long did it take you to realize that your parents are not always right? People tend to reflexively trust the opinions of those with authority over them; they’re also much more likely to act against their own self-interest when asked to do so by an authority figure. Social engineers will often pose as an authority figure such as an executive to discourage potential victims from scrutinizing their requests.
You’re at a diner ordering a soda and the waitress asks if you want Coke or a Dacey Fizz. Which do you pick? The Coke, right? When faced with a choice, people are significantly more likely to choose (and trust) the most familiar option. Social engineers can use this to their advantage by laying out multiple courses of action and trusting that you’ll pick the most familiar - the one that they want you to pick.
What are some examples?
Phishing is by far the most common form of social engineering — with the most popular type being email scams. These emails bait you into sharing private information, clicking a link, or opening an attachment that infects your device with malware. We’ll be talking more about phishing next month.
Smishing and vishing are versions of phishing that occur via text message and voice call, respectively. Attackers can make the caller ID display whatever name they choose, so they can pose as someone you trust and tell you that they got a new number or need you to do something for them.
EXAMPLE: You receive an “urgent” voicemail from Janet from another branch saying her database is down and she needs account information about a particular customer ASAP. When you call “Janet” back, you share personal information with the phisher, who uses that data to compromise said customer’s bank account.
Social engineers sometimes pose as employees or friendly faces like delivery drivers to gain entrance into a building, then when left unattended inside, compromise computers or rummage through private paperwork.
EXAMPLE: Someone wearing a mail person uniform comes up behind you juggling a stack of packages. You kindly hold the door open for them as you enter your office, but it turns out the mail person was a cybercriminal in disguise. What’s in the packages? Hacking devices, which they plug into company computers and servers to compromise your network.
Knowledge is Power!
Social engineers are master manipulators, but they don’t practice mind control. Sure, hackers are going to try and trick you, but you hold the power to better protect your organization. By learning more about social engineering techniques, you’re equipping yourself with the knowledge you need to spot bad actors.
Pride yourself on your impact and share your newfound know-how with your fellow employees (and your loved ones) so everyone can stay safe.