What is Social Engineering?

A student’s perspective of the manipulative cybercrime.

Anas Nasim
6 min read · Jun 3, 2022

So, what is it?

Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. That’s just what Google tells you. But of course, there’s a lot more depth to it. In this article, I talk about social engineering as a whole (not too in-depth), cover some of the most common tactics used to trick users, and offer a few helpful pointers to help you save your skin online.

Abstract

Today, social engineering techniques fall under the broad category of cybercrime, since they lead to the intrusion and infection of computer systems. Cybersecurity experts use the term “social engineering” to highlight the “human factor” in digitized systems, as social engineering attacks aim at manipulating people into revealing sensitive information. In short, it is the practice of using psychology to manipulate your most vulnerable cybersecurity element — the human. Attackers target emotionally vulnerable and gullible individuals, their relationships, and so on. Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value.

Introduction

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in-person, and via other interactions.

Scams based on social engineering are built around how people think and act. As such, social engineering attacks are especially useful for manipulating a user’s behavior. Once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user effectively.

In addition, hackers try to exploit a user’s lack of knowledge. Thanks to the speed of technology, many consumers aren’t aware of certain threats. Users also may not realize the full value of personal data, like their phone number. As a result, many users are unsure how to best protect themselves and their information.

Sometimes all we really need to do is control the human.

Most social engineering attacks rely on actual communication between attackers and victims. The perpetrator tends to motivate the user into compromising themselves, rather than using conventional methods to breach your data. This could be by taking the time to formulate relationships with their victim, making them even more vulnerable, or it could be by simply just exploiting the mind of a victim through provocative media.

It is easier to ask a manipulated individual for their password directly than it is to crack it conventionally (which may take an enormous amount of time, even years!). Once manipulated, it takes the user only a minute to give out extremely sensitive information.

Now how does this even happen?

This process can take place in a single email or over months in a series of social media chats. It could be via video-calling. It could even be a face-to-face interaction. But it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.

Now let’s talk about a few tactics commonly used in this Cybercrime.

Most Common Social Engineering Tactics

Everybody uses E-mail, right?

1) Phishing

Phishing is probably a cyber attack you have heard of before. It is an email that impersonates a trusted source to get you to take an action, like click a link or reply with confidential information.

If a criminal manages to hack or socially engineer one person’s email password, they have access to that person’s contact list, and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.

Example of a phishing attack.

2) Baiting

Baiting is a social engineering tactic with the goal of capturing your attention. Baiting can be found in search results, social media or emails. During the baiting attempt, victims are asked to verify credentials and confidential information. This information can lay the foundation for future interactions with the social engineer, which will later be repurposed for extortion.

A typical example of baiting.

3) Rogue Security

Rogue security is a form of malware that poses as an anti-spyware tool or security scanner. It tricks you into believing you are getting protection, when in fact you are infecting your network with malware and the social engineer is stealing your data.

It is possible to protect yourself against a rogue security attack. Knowledge is power. Understanding who your anti-virus provider is and how often updates occur can protect you from falling victim to a rogue security attack.

Even TechRadar wrote a whole article about this one.

4) Phones & Vishing

Phones are vulnerable to vishing (voice phishing) and texting phone scams. Vishing is a phone scam that pretends to be a trusted authority to get exploitable information. Social engineers are clever. They can mimic recognizable phone numbers and caller ID names to gain trust.

Social engineers are even using texting. Texting is more and more integrated into technology. Social engineers are using texts to send phishing links to open the door into your network.

A convincing tone and a very authoritative voice can easily be mistaken for trustworthiness.

5) Social Media

Social media is the second most common channel for social engineering. Social engineers create fake profiles that impersonate celebrities or attractive people to trick you into accepting their offer to chat and connect.

They usually ask users to get on video or voice calls, where they extract further confidential information or record screens for extortion and blackmail purposes. A very realistic example is a fake Instagram account of an attractive woman, which is used to lure a male audience and then socially engineer them via malicious links and the leaking of their private information.

The social media platforms most commonly used for social engineering.

But… how do you protect yourselves?

Social engineering attacks are particularly difficult to counter because they’re specifically designed to play on natural human tendencies, such as curiosity, respect for authority, and the desire to help people. There are a number of tips that can help you detect social engineering attacks…

  • Always question the source of emails that request something from you. Pay especially close attention to the sender’s details, and to any URLs that look suspicious.
  • Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information. Do not provide personal information or passwords over email or on the phone.
  • If the message appears urgent, take your time and don’t let yourself be pressured into taking immediate action. Urgency is one of the most common ways social engineers force people to act first and think later.
  • Use multi-factor authentication (MFA, also known as two-factor authentication or 2FA), which uses your smartphone, or another device, along with your password to access your accounts.
  • Don’t use the same password for different accounts. If a social engineering attack gets the password for your social media account, you don’t want the attacker to be able to unlock all of your other accounts too.
  • Think about your digital footprint. Over-sharing personal information online, such as through social media, can help attackers.
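The first three tips above (check the sender’s details, inspect suspicious URLs, and treat urgency as a warning sign) can be turned into a simple automated red-flag check, which also illustrates the phishing tactic described earlier. The script below is an added example written for this article, not the author’s own code or any product’s logic. The brand list, the sample messages, and every address, host and name in them are constructed for the demonstration; the look-alike test (swapping digits for the letters they resemble) is a deliberately crude heuristic, not a complete phishing detector.

```python
"""Hypothetical phishing red-flag checker for a single raw e-mail.

Added example: mirrors the article's advice (sender details, suspicious
URLs, urgency) as three small heuristics and reports what it finds.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed: brands this recipient expects mail from, with their real domains.
KNOWN_BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
# Phrases that pressure the reader into acting first and thinking later.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "verify now", "urgent")

# Constructed sample phishing message; every address, host and name is made up.
SAMPLE_PHISH = """\
From: "PayPal Support" <security-alert@paypa1-verify.example>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html

<html><body>
<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="http://paypa1-verify.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed benign message used as a control.
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates (digits swapped for look-alike letters), if any."""
    normalized = host.lower().replace("1", "l").replace("0", "o")
    for brand, real_domain in KNOWN_BRAND_DOMAINS.items():
        if brand in normalized and registrable_domain(host) != real_domain:
            return brand
    return None


def check_sender(msg) -> List[str]:
    """Tip 1: does the display name claim a brand the address domain does not belong to?"""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, real_domain in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and registrable_domain(domain) != real_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")
    imitated = looks_like_brand(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")
    return findings


def check_links(html: str) -> List[str]:
    """Tip 1 (URLs): link text that shows one site while the href goes to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        imitated = looks_like_brand(href_host)
        if imitated:
            findings.append(f"link host {href_host} imitates {imitated}")
    return findings


def check_urgency(text: str) -> List[str]:
    """Tip 3: pressure language in subject or body."""
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    return [f"urgency language: {', '.join(hits)}"] if hits else []


def phishing_findings(raw: str) -> List[str]:
    """Run all three checks over one raw RFC 822 message and return the red flags."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = check_sender(msg)
    findings += check_links(body)
    findings += check_urgency(msg.get("Subject", "") + " " + TAG_RE.sub(" ", body))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_findings(raw) or "no red flags")
```

Running it prints four red flags for the constructed phishing message (sender mismatch, look-alike domain, link text/href mismatch, urgency) and none for the benign one. A real mail filter would add many more signals (authentication results, reputation, attachment analysis), but these three checks are exactly the ones a careful reader can perform by eye, which is the point of the tips.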

How do I keep myself aware?

Read Kaspersky’s Resource Center regularly, and for updates in the cybersecurity field, check out or subscribe to The Hacker News.

Oh and also, head to Cybersecurity Insiders for more!


Anas Nasim

A 19 year old CS Undergraduate student, I love playing video games.