What is social engineering?
Social engineering is a psychological manipulation technique that cybercriminals use to get people to give away confidential information or perform a certain action. Trust, stress, and greed are natural feelings that social engineers use against people to cloud their judgment.
Read on to learn more about the most common social engineering attacks and how to protect yourself against them.
Social engineering examples
Phishing is when a cybercriminal uses emails to impersonate someone else. They’ll usually pretend to be your bank, the government, a delivery company, or any other organization you trust. Their goal is to have you open a phishing email and unwittingly download malware, or click on suspicious links that leads to a bogus website. They want to trick you into disclosing sensitive information such as your login credentials, social security number, or your bank card number such as credit card cvv code.
Phishing can take different forms and use different methods. The most common ones include:
- A spoofed display name. The email will appear to have been sent from a legitimate organization but the domain name will be entirely different.
- Embedded links. The social hackers might send an email asking you to click on a link and log back into your account (even though you haven’t changed your activity on that site). The spoofed URL will lead to an infected website.
- Email attachments. Invoices, order confirmations, event invitations, etc. can be used to disguise viruses or malware. Don’t open them or reply to the sender if they seem suspicious.
Angler phishing attacks
Angler phishing attacks target social media users via spoofed customer service accounts. In an angler phishing attack, the hacker will reach out to customers who have recently complained, and try to get their personal information or account credentials in the midst of their elaborate scheme.
Here’s an example of an angler phishing attack:
- The attacker monitors social media feeds and waits for someone to tag a particular company with a complaint or question about their account.
- The attacker answers back posing as the company’s customer support team using a fake social media account.
- A few messages later, trust is gained and most people willingly hand over their passwords and other confidential information to try and help solve their issue.
Spear phishing attacks
Spear phishing is a type of phishing that requires more effort but also has a higher success rate. This data exfiltration attack targets individuals and small groups. They usually pretend to be a specific person you trust or, in a work environment, report to.
For this social engineering attack to work, hackers need to do some research about their victim(s) and use that information against them. Hackers can gather almost any information from social media: email addresses, the brands you trust and follow, your friends, and more. Once the research is done, the hacker will email the victim with a realistic pretext to get more information.
Spear-phishing attacks are difficult but not impossible to recognize. To protect yourself:
- Check the source of the email.
- Ask yourself whether it sounds like a normal request.
- If it sounds suspicious, do not reply to the email and contact the person directly. Do this by sending them a separate email, giving them a call, or waiting to speak to them directly.
Smishing attacks use SMS text messaging, unlike phishing attacks that use email. Smishing has proven to be quite effective as it tends to be a personal and targeted type of attack.
A smishing scammer probably stole your phone number through hacked databases or purchased it on the dark web. If it’s personalized smishing, the culprit could have gotten your phone number from a dumpster diving attack.
A common smishing attack might look like a text message asking you to rearrange delivery of a parcel by clicking a link. Or it could come in the form of a message from a bank you aren’t even with, asking you to confirm your identity by following the link.
These smishing links are dangerous. They often direct you to malicious websites that could steal even more of your data, or the link itself could download malware onto your device if you click on it.
These scammers will pretend to be contacting you from a trustworthy organization using a phone call instead of a message or email. First, they will spoof their phone number to impersonate you or a company you trust. Hackers might use pre-recorded voice messages, text messages, or voice-to-text synthesizers to mask their identities. Others will even use humans from scam call centers to make the attack more convincing.
Vishing hackers will use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, contest winnings, etc. Regardless of the technique, their primary goal is to get your sensitive information, which can be used for other social engineering attacks, or to steal your identity.
Check out this great example:
To determine if the call you’re receiving is a vishing attempt, follow these tips:
- Question the company and the reason of their phone call. Have you ever heard of this company or have you ever done any business with it?
- Are they offering unrealistic financial gains from contests you’ve never entered or are they offering to help you with debt you’ve never heard of?
- Are they using hostile language to pressure you to give up your personal information?
All of these are warning signs of vishing.
What is the difference between phishing and vishing attacks?
In a vishing attack, scammers use voice phishing to get your personal or financial information. That information could be your bank account number and sort code, phone number, email address, or home address. Even one or two small pieces of information can help a hacker to steal your entire identity.
Phishing attacks are carried out on platforms like email or spoofed URLs. In these cases, a scammer will send you an email with some kind of urgent but totally nonsensical scenario to manipulate you into sending them sensitive data.
Pretexting is a social engineering attack that can also be compared to phishing, as it also uses a catchy and exciting pretext. However, if phishing is based on fear and urgency, then pretexting is the opposite – it’s based on trust and rapport.
Pretexting requires a lot more research than other social engineering techniques. Cybercriminals will pretend to be your friend or your colleague. They won’t just lie, they’ll come up with a whole scenario to fool you. In a company environment, these hackers will work their way up and won’t stop with a single attack. Their goal is usually to get information from someone at a certain level of seniority.
It can be difficult to spot pretexting scammers due to the amount of research and effort they put into creating their fake persona. However, if someone seems to be too friendly and asks for data you shouldn’t be sharing with anyone, don’t be afraid to question them as it could be a social engineering attack.
Here’s a pretexting example of a tech-support scam:
- A tech-support representative from a well-known company calls you.
- They ask you to help them check whether an internal money-transfer system is working accurately, to help improve the customer experience.
- If you agree, they ask you to transfer money into a designated bank account as well as for your login information for this company.
- Once you transfer the money, the hacker steals the money and your login credentials.
Of course, pretexting hackers will assure you that the money transfer will be held temporarily and that it’s all part of their routine company checks. Having identified themselves with bogus credentials, these cybercriminals sound confident, trustworthy, and professional.
Catfishing is when scammers create fake social media profiles by using other people’s photos, videos and personal information. These fake identities are typically used to cyberbully or seek attention. Sometimes, they can also be used to extract money or the victim’s personal details.
If you’ve made an online friend who is extremely nice but constantly finds excuses to not meet in person or to share information about themselves, it’s very likely that you’re being catfished. Here are some warning signs:
- Pity stories and requests to donate money
- Strange excuses such as why their webcam or phone doesn’t work
- Excuses not to meet up or last minute cancellations due to personal emergencies
- Offering to meet somewhere private rather than in a public place
If you ever find yourself being bombarded with false alarm messages or fictitious threats, it could be scareware. Scareware can be referred to as deception software, rogue scanner software, or fraudware.
In a scareware attack, you’re tricked into thinking your device is infected with malware, prompting you to install software that downloads real malware onto your device.
Scareware can look like a popup banner that suddenly appears while you’re browsing, saying something similar to: “Your computer may be infected with a virus.” If you click on this banner, you’re either offered to install a tool that will purge the virus, or you’re directed to a malicious website that could further infect your device.
It’s also worth noting that in these kinds of social engineering attacks, scareware can also be distributed via spam email that may attempt to convince you to buy worthless or harmful services.
Diversion theft attacks
Diversion theft attacks are designed to trick you into sending sensitive information to a scammer. By spoofing their email address, a diversion thief will pretend to be from an auditing firm, financial institution, or even someone from your workplace.
If a diversion theft attack is successful, the thief could get hold of highly confidential information about a company, files that contain company forecasts and plans, client information, or even personal information about the company’s employees.
This social engineering attack uses bait to persuade you to do something that allows the hacker to infect your computer with malware. Many social engineers use USBs as bait, leaving them in offices or parking lots with labels like ‘Executives’ Salaries 2019 Q4’.
People who find them are tempted by curiosity and insert them into a computer. The virus hidden within quickly spreads to their device. However, the use of USBs is decreasing, so baiting is now mainly used on P2P websites.
Social engineers create false mirroring sites, and while someone might think they are downloading a movie, they’ll actually be downloading malware. You’re always at risk downloading any files from an untrusted source, but to avoid being hacked, you can take precautions. Always double check the type of file you are getting, and make sure your antivirus is up to date.
Here are two quick tips to avoid being baited:
- Use anti-malware, ad blockers, and tracking blockers: NordVPN’s Threat Protection feature can help you with all of these areas.
- Stick to websites and retailers you know and trust: always research companies before you buy from them. Check their website and its URL for spelling mistakes and whether or not they’re a registered company. You can also read customer reviews published by unbiased reviewing companies.
Quid pro quo
A quid pro quo attack happens when a scammer offers you a service in exchange for your personal information. A few years ago, quid pro quo attacks consisted of emails telling you that a Nigerian Prince has died and you inherited all his money. All you needed to do was provide them with your bank details or send them a small “handling fee” so they could transfer you the money.
The most common quid pro quo attacks happen when hackers pretend to be IT support specialists. The victim usually has a minor problem with a device, or it needs a software update, so they don’t question the caller. The impersonator tells them that they need to access their computer to fix the problem. Once they gain access, they install malicious software or steal other sensitive information.
Contact spamming attacks
Contact spamming is one of the oldest techniques still used. A cybercriminal will hack into your email, or your social media account, and reach out to your friends with a message like: “I’ve seen this amazing video, check it out!”
Unfortunately, we tend to trust messages that seem to come from our close friends. But if you click on this link you will end up infecting your device with malware. What’s even worse is that once these viruses spread to your device, they can spread the same message to your contacts, too.
Worryingly, xHelper – a malicious application that was discovered in 2019 – can even reinstall itself if uninstalled. So while it’s easy to think you’d never fall for a phishing email or any other kind of social engineering attack, it’s better to stay extra vigilant as the aftermath can be irreversible.
7 ways to protect yourself from social engineering attacks
- Learn about different types of social engineering tactics. If you know what to expect, it will be easier to avoid the trap. If you run a company or manage a team, it’s essential to educate your team about social engineering attacks too. Penetration testing is a great way to find vulnerabilities in your network and educate your employees.
- Be vigilant. Double check the identity of whoever you’re communicating with, especially if it’s an email, text or call you weren’t expecting. Remember that if it sounds too good to be true, it probably is.
- Keep an eye out for mistakes. Legitimate businesses tend to triple-check their content before sending it out. Hackers, on the other hand, leave countless grammatical and spelling errors, and may indicative of social engineering attacks.
- Don’t be afraid to ask questions. If you think someone is trying to scam you over the phone, feel free to question their friendliness or their authority. Most importantly, listen for answers that don’t match their story.
- Limit the information you share online. Leaving easily accessible data can help someone gather information about you and use it for social engineering attacks.
- Take care of your software – install regular updates, invest in antivirus software, install spam filters, and use browser extensions.
- Use a VPN. A VPN will help mask your identity and prevent would-be hackers from intercepting your communications, especially on public Wi-Fi. NordVPN’s Threat Protection feature will also help to prevent you from visiting malicious websites and promote a positive security culture.