How do hackers use social engineering?
Social engineering is a method in which a scammer tries to entice or trick a victim into doing something that might compromise their security. Whether it’s accidentally revealing their real name and address or unwittingly giving away sensitive banking details, social engineering scams look to gather as much sensitive information as possible.
Once the ill-gotten data has been collected, it can be repurposed for a whole suite of criminal activities, like online identity fraud or blackmail. Socially engineered attacks are insidious in nature and specifically created to look as legitimate as possible.
The most common forms of social engineering scams
Socially engineered scams come in many forms but all have one thing in common: they’re faking legitimacy. Whether masquerading as a government agency or a bank, the scammers behind a socially engineered scam will try their hardest to fool the victim. Their efforts can go as far as recreating a banking website or login page to trick a victim into willingly entering important login details.
A lot of social engineering scams rely on a phishing email to initiate operations. The purpose of a phishing email is to get the recipient to click on a link that leads to a malware-ridden website or unwittingly download a virus.
The point of a socially engineered attack is to get you to follow a link or sign up to something. The best way to recognize a socially engineered attack is to analyze the language of the message. Is the language desperate? Does the message imply there’s a time limit on whatever it’s asking for? Does the message sound urgent? Remember that most banks will never text you and ask for your login credentials. In fact, any text message or email you receive that requests any kind of login details is probably best suited for the trash bin.
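The questions above can be turned into a simple triage check over a message body. This is an added example, not code from the original article or from NordVPN; the keyword lists, the `score_message` function and the sample messages are assumptions constructed for illustration.

```python
import re

# Signals taken from the questions above; the word lists are illustrative assumptions.
SIGNALS = {
    "urgency": re.compile(
        r"\b(urgent(ly)?|immediately|right away|act now|final (notice|warning))\b", re.I),
    "time_limit": re.compile(
        r"\b(within \d+ (minutes?|hours?|days?)|expires? (today|soon)"
        r"|before time runs out|last chance)\b", re.I),
    "credential_request": re.compile(
        r"\b(verify|confirm|update|enter|provide|send)\b[^.!?]{0,40}"
        r"\b(password|passcode|pin|login|credentials|username)\b", re.I),
    "link": re.compile(r"\bhttps?://\S+", re.I),
}

def score_message(text):
    """Return (verdict, {signal: matched text}) for one email or SMS body."""
    hits = {}
    for name, pattern in SIGNALS.items():
        match = pattern.search(text)
        if match:
            hits[name] = match.group(0)
    pressure = "urgency" in hits or "time_limit" in hits
    if "credential_request" in hits:
        verdict = "trash"        # the article's rule: any request for login details
    elif pressure and "link" in hits:
        verdict = "suspicious"   # time pressure plus something to click
    else:
        verdict = "no signal"
    return verdict, hits

# Constructed sample messages (not real traffic); .test is a reserved TLD.
SAMPLES = [
    "URGENT: your account is locked. Verify your login password "
    "within 24 hours: http://bank.example.test/login",
    "You won! Claim this prize now before time runs out! http://prize.example.test",
    "Hi, the meeting moved to 3pm tomorrow. Agenda attached.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, hits = score_message(msg)
        print(f"{verdict:10} {sorted(hits)}  <- {msg[:45]}...")
```

Keyword matching like this only surfaces the cues the article lists; a message that avoids these phrases returns "no signal", which is not the same as being safe.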
How many people have been affected by socially engineered scams?
NordVPN researchers wanted to find out just how much social engineering has affected Americans. In a survey of just over 1,000 people, we came to some interesting and somewhat alarming results.
84% have experienced social engineering behavior
While only 46% of Americans have heard of the term “social engineering,” they certainly recognize the types of attack that use it. Broken down further, here are the types of socially engineered attacks that Americans have experienced.
- 48% – Suspicious emails with links and attachments and/or asking for their personal information
- 39% – Suspicious texts with links and attachments and/or asking for their personal information
- 37% – Pop-up advertisements that were difficult to close
- 37% – Suspicious email(s) containing links, attachments or asking them to reply and divulge work/business information
- 32% – Suspicious email(s) from someone posing as an important person who was asking them to wire funds
- 27% – Suspicious voicemail(s) asking the recipient to divulge personal information
- 26% – A virus on their computer or phone
- 19% – Malware on their device that redirected them to a fake version of a website
36% have fallen victim to phishing emails
With over 300 billion emails sent every year, it’s become increasingly difficult to identify malicious messages. Over a quarter of people surveyed have fallen for phishing attempts, and here’s what they lost:
- 18% – Email, social media, or financial accounts locked
- 14% – Personal login details (username + passwords) stolen, or items paid for not received
- 11% – Scammed into investing their money by bogus promises of quick riches, work login details stolen
- 10% – Financial data or money stolen online
- 9% – Financial data, credentials, and money stolen from work computers
With some of the attacks originating from work computers, it’s the responsibility of employers to educate their workers with up-to-date cybersecurity measures.
Only 51% can identify social engineering as a cybersecurity issue
Despite social engineering scams becoming more widespread, public knowledge on the matter is unfortunately lacking. In fact, while just over half of the people surveyed could understand the threat of social engineering, an alarming 31% thought “social engineering” referred to a job title at a social media platform.
Luckily, however, not all is lost on the cybersecurity front. While the methodology of social engineering isn’t widespread knowledge, the threat of phishing is certainly becoming infamous.
69% are aware of phishing methods
Just over two-thirds of Americans surveyed know of phishing, with 85% able to properly define the term. Unfortunately, 6% believed phishing was a form of illegal fishing, and 5% believed phishing was a type of dance move.
Nonetheless, the results show that more than half of those surveyed know of the cybersecurity threat and what to do to avoid phishing attempts. Here are some of the measures that people take to protect themselves.
- 61% – Cautious about clicking links
- 50% – Reject requests for financial data
- 50% – Limit the information they share on social media
- 48% – Reject requests for passwords
- 48% – Actively use anti-virus software
- 29% – Use spam filters for their inbox
- 23% – Browse the internet with private mode settings active
PRO TIP: If someone tries to create a sense of urgency — “claim this prize now before time runs out!” — be on your guard. This is a classic technique used by social engineering attackers to stop you from questioning their claims.
What can you do to avoid falling victim to social engineering?
To stay ahead of socially engineered attacks, you need to first recognize the signs. Once you pick up on the illegitimacy of the attack, you can send all attempts straight to the trash bin.
The best way to stay safe from any online threats is to maintain healthy, everyday cybersecurity hygiene. This means keeping all your software up to date, using strong anti-virus software, and investing in a VPN. Of all the people surveyed, only 1 in 5 used a VPN to protect themselves online.
NordVPN doesn’t just keep your online activity hidden from prying eyes, it also comes bundled with the Threat Protection feature. With Threat Protection active, you’ll automatically block invasive ads and even prevent malware-ridden websites from loading altogether. It’s the perfect tool to combat website-phishing.