Everyone probably thinks they’re too clever to fall for a scam – even the people who fall for them. Social engineering attacks consist of a powerful set of techniques that hackers, scammers, and thieves use to compromise your security and steal valuable data. Learn their strategies so you don’t fall into their trap.
Dec 31, 2021 · 10 min read
Social engineering is the art of using psychological manipulation to get you to divulge confidential information or perform a certain action. Trust, stress and greed are natural feelings that social engineers use against you to cloud your judgment. In a digital security context, social engineering differs from social engineering as the term is used in social science, where it does not concern the divulging of confidential information.
Read on to learn more about the most common social engineering attacks and how to protect yourself against them.
Phishing happens when a cybercriminal uses emails to impersonate someone else. They’ll usually pretend to be your bank, the government, a delivery company, or any other organization you trust. Their goal is to have you open a phishing email and download an attachment that hides malware or click on suspicious links. They want to trick you into disclosing sensitive information such as your login credentials, social security number or your bank card number.
Phishing can take different forms and use different methods. The most common ones include:
Angler phishing attacks target social media users via spoofed customer service accounts. In an angler phishing attack, the scammer reaches out to customers who have recently complained and, under cover of an elaborate “support” exchange, tries to get their personal information or account credentials.
Here’s an example of an angler phishing attack:
Spear phishing is a type of phishing that requires more effort but also has a higher success rate. Phishing emails can be sent to thousands of people, while spear phishing targets individuals and small groups. They usually pretend to be a specific person you trust or, in a work environment, report to.
For this social engineering attack to work, hackers need to do some research about their victim(s) and use that information against them. Social media is a gold mine for this task. Hackers can gather almost any information: email address, the brands you trust and follow, your friends, and more. Once the research is done, the hacker will email the victim with a realistic pretext to get more information.
For example, on an individual level, hackers might pretend to be your best friend and ask for access to your Facebook account. On a business level, they could pretend to be the CEO of the company you work for and request an immediate transfer of funds for a “new project.”
Spear-phishing attacks are difficult but not impossible to recognize. To protect yourself:
Smishing attacks use SMS text messages instead of email. Smishing has proven to be quite effective because it tends to be a personal and targeted type of attack. People are also much more likely to fall for smishing than for other types of attacks, since they commonly assume that anyone who has their mobile number must be a trusted contact.
In reality, a smishing scammer has probably stolen your phone number through hacked databases or purchased it on the dark web. A common smishing attack might look like a text message asking you to rearrange delivery of a parcel by clicking a link. Or it could come in the form of a message from a bank you aren’t even with, asking you to confirm your identity by clicking a link.
These smishing links are dangerous. They often direct you to malicious websites that could steal even more of your data, or the link itself could download malware onto your device if you click on it. Always be careful of social engineering attacks like these.
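The phishing and smishing sections above both come down to the same two tricks: a sender that borrows a trusted name and a link whose visible text does not match where it actually goes. The following script is an added example (not code from the original article or from NordVPN) that applies those checks to a raw email message. The trusted domains, the sample messages and the `analyse_message` helper are all constructed for this illustration; the eTLD+1 logic is a deliberate simplification that only handles two-label domains such as `.com` and `.net`.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this reader treats as genuine (constructed for the example).
TRUSTED_DOMAINS = {"examplebank.com", "parcel-example.com"}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for the .com/.net hosts in this demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw):
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    sender_domain = registrable_domain(sender.addr_spec.split("@")[-1])
    # 1. Display name borrows a trusted brand, but the address belongs elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in sender.display_name.lower() and sender_domain != trusted:
            findings.append(f"display name mentions '{brand}' but sender domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        # 2. The visible text shows one domain while the href leads to another.
        if "." in text and " " not in text:
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            shown = registrable_domain(shown_host)
            if shown and shown != link_domain:
                findings.append(f"link text shows {shown} but points to {link_domain}")
        # 3. A trusted brand name embedded in a host that is not the trusted domain.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host.lower() and link_domain != trusted:
                findings.append(f"lookalike host {host} impersonates {trusted}")
    return findings


# Constructed sample messages; neither is a real email.
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examplebank-secure-login.net>
To: customer@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your identity at
<a href="http://examplebank.com.verify-account.net/login">examplebank.com</a>
within 24 hours.</p></body></html>
"""

SAMPLE_CLEAN = """\
From: "ExampleBank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.examplebank.com/help">examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, analyse_message(raw) or ["no findings"])
```

The same three checks apply to a smishing text: the link in an SMS has no anchor text, so only the lookalike-host check fires, but that is usually the one that matters, because a parcel company's name wrapped inside an unrelated domain is the classic smishing pattern.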
NordVPN warns you before you visit malicious websites to help protect you against infections. Try it risk-free with a 30-day money-back guarantee!
Vishing is yet another type of phishing in the social engineering world. These scammers pretend to be contacting you from a trustworthy organization using an old-fashioned route – the phone. First, they spoof their phone number so that the call appears to come from a person or company you trust. Social engineering hackers like these might use pre-recorded voice messages, text messages, or voice-to-text synthesizers to mask their identities. Others even use human operators in scam call centers to make the attack more convincing.
Vishing hackers will use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, contest winnings, etc. Regardless of the technique or the pretext, their primary goal is to get your sensitive information, which can then be used for other social engineering attacks or to steal your identity.
Check out this great example:
To determine if the call you’re receiving is a vishing attempt, follow these tips:
All of these are warning signs of vishing.
Pretexting is a social engineering attack that can also be compared to phishing as it also uses a catchy and exciting pretext. However, if phishing is based on fear and urgency, then pretexting is the opposite – it’s based on trust and rapport.
Pretexting requires a lot more research than other social engineering techniques. These cybercriminals will pretend to be your friend or your colleague. They won’t just lie, they’ll come up with a whole scenario to fool you that might include fake personalities, product images and even industry lingo. In a company environment, these hackers will work their way up and won’t stop with a single attack. Their goal is usually to get information from someone at a certain level of seniority.
It can be difficult to spot pretexting scammers due to the amount of research and effort they put into creating their fake persona. However, if someone seems to be too friendly and asks for data you shouldn’t be sharing with anyone, don’t be afraid to question them as it could be a social engineering attack.
Of course, pretexting hackers will assure you that the money transfer will only be held temporarily and that it’s all part of their routine company checks. Having identified themselves with bogus credentials, these cybercriminals sound confident, trustworthy, and professional. Their approach is perfect for making you believe they’re the real deal.
Catfishing is when scammers create fake social media profiles by using other people’s photos, videos and even their personal information. These fake identities are usually used to cyberbully or seek attention (as well as romantic relationships). Sometimes, they can also be used to extract money or the victim’s personal details, which later could be used in other social engineering attacks or to steal their identity.
If you’ve made an online friend who is extremely nice but constantly finds excuses to not meet in person or to share information about themselves, it’s very likely that you’re being catfished. Here are some warning signs:
If you ever find yourself being bombarded with false alarm messages or fictitious threats, it could be scareware. Scareware is also known as deception software, rogue scanner software, or fraudware.
In a scareware attack, you’re tricked into thinking your device is infected with malware, prompting you to install software that downloads real malware onto your device.
Scareware can look like a popup banner that suddenly appears while you’re browsing, saying something like, “Your computer may be infected with a virus.” If you click on this banner, you’re either offered to install a tool that’ll help get rid of the supposed virus, or you’re directed to a malicious website that could further infect your device.
It’s also worth noting that in these kinds of social engineering attacks, scareware can also be distributed via spam email that may attempt to convince you to buy worthless or harmful services.
Diversion theft attacks are designed to trick you into sending sensitive information to the attacker. By spoofing their email address, a diversion thief will pretend to be from an auditing firm, a financial institution, or even someone at your workplace.
If a diversion theft attack is successful, the thief could get hold of highly confidential information about a company, like account information, files that contain company forecasts and plans, client information, or even personal information about the company’s employees.
Baiting is a social engineering attack that uses bait to persuade you to do something that allows the hacker to infect your computer with malware and, from there, get your personal details. Many social engineers use USB drives as bait, leaving them in offices or parking lots with labels like ‘Executives’ Salaries 2019 Q4’.
People who find them are tempted by curiosity and insert them into a computer. The virus hidden within quickly spreads to their device. However, the use of USBs is decreasing, so baiting is now mainly used on P2P websites.
Social engineers set up fake mirror sites, so that someone who thinks they are downloading a movie actually downloads malware. You are always at risk when downloading files from an untrusted source, but you can reduce the chance of being hacked by always double-checking the type of file you are getting and keeping your antivirus up to date.
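“Double-checking the type of file you are getting” means looking at what the bytes actually are, not just at the name. The script below is an added example (not code from the original article or from NordVPN) of that check: it compares a downloaded file's name against its leading bytes and flags the two classic baiting tricks, a double extension such as `movie.mp4.exe` and executable content behind a media-file name. The signature table is deliberately short, and the sample contents are constructed stub headers rather than real files.

```python
import os

# Content signatures for a few formats people commonly download: (offset, bytes).
# These are the real magic numbers; the table is kept short for the example.
FORMAT_MAGIC = {
    ".mp4": (4, b"ftyp"),                 # ISO media file: 'ftyp' box at offset 4
    ".mkv": (0, b"\x1a\x45\xdf\xa3"),     # EBML header used by Matroska
    ".pdf": (0, b"%PDF"),
    ".zip": (0, b"PK\x03\x04"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"),
}
# Signatures of content that can execute, whatever the file name claims.
EXECUTABLE_MAGIC = {
    "Windows PE executable": (0, b"MZ"),
    "ELF executable": (0, b"\x7fELF"),
    "Mach-O executable": (0, b"\xcf\xfa\xed\xfe"),
    "script with shebang": (0, b"#!"),
}
# Extensions the operating system will run directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".sh", ".dll"}


def has_signature(data, offset, sig):
    return data[offset:offset + len(sig)] == sig


def check_download(filename, data):
    """Return a list of warnings describing how the file's name and its content
    disagree. An empty list means the file looks like what its name claims."""
    warnings = []
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    # 'movie.mp4.exe': the OS treats the last extension as the real one.
    parts = name.split(".")
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        warnings.append(f"double extension: '{filename}' is really a {parts[-1]} file")
    # Executable content hiding behind a non-executable name.
    for label, (off, sig) in EXECUTABLE_MAGIC.items():
        if has_signature(data, off, sig) and ext not in EXECUTABLE_EXTS:
            warnings.append(f"content is a {label} but the name claims {ext or 'no extension'}")
    # Name claims a known format, but the bytes do not start the way that format must.
    if ext in FORMAT_MAGIC and not has_signature(data, *FORMAT_MAGIC[ext]):
        warnings.append(f"content does not match the {ext} format")
    return warnings


# Constructed sample contents (stub headers only, not real files).
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for fname, content in (("Holiday.Movie.2021.mp4", SAMPLE_MP4),
                           ("Holiday.Movie.2021.mp4.exe", SAMPLE_PE),
                           ("Holiday.Movie.2021.mp4", SAMPLE_PE)):
        print(fname, check_download(fname, content) or ["looks consistent"])
```

On a real download you would pass the first few hundred bytes of the file (read in binary mode) rather than a stub; the `file` command on Unix and most antivirus engines perform this same signature comparison, which is why a renamed executable rarely survives an up-to-date scanner.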
Here are two quick tips to avoid being baited:
A quid pro quo attack happens when a scammer offers you a service in exchange for your personal information. A few years ago, quid pro quo attacks consisted of emails telling you that a Nigerian prince had died and you had inherited all his money. All you needed to do was provide your bank details or send a small “handling fee” so they could transfer you the money.
Even though social engineering attacks like these now sound funny, quid pro quo attacks are still relevant.
The most common quid pro quo attacks happen when hackers pretend to be IT support specialists. The victim usually has a minor problem with a device, or it needs a software update, so they don’t question the caller. The impersonator tells them that they need to access their computer to fix the problem. Once they gain access, they install malicious software or steal other sensitive information.
Contact spamming is the oldest social engineering tactic in the book. A cybercriminal who uses this technique will hack into your email or your social media account and reach out to your friends with a message such as “I’ve seen this amazing video, check it out!”
Unfortunately, we tend to trust messages that seem to come from our close friends. But if you click on this link, you will end up infecting your device with malware. What’s even worse is that once these viruses reach your device, they can send the same message to your contacts, too.
Emotet was one of the biggest trojans of 2020, used to distribute malware to people’s devices. Spread through phishing spam emails containing malicious attachments or links, Emotet is similar to trojans like Ramnit, Formbook, and Lokibot. These trojans can steal banking credentials, passwords, personal data, and crypto wallets. They do so by monitoring keystrokes, downloading and executing files onto your device, and various other techniques.
Worryingly, xHelper – a malicious application that was discovered in 2019 – can even reinstall itself if uninstalled. So while it’s easy to think you’d never fall for a phishing email or any other kind of social engineering attack, it's better to stay extra vigilant as the aftermath can be irreversible.