last updated 12/16/2019
Perhaps the first example of social engineering was when the Greeks used the Trojan horse to conquer the city of Troy. Social engineering is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” Social engineering attacks work because criminals understand human nature and how we react emotionally under different circumstances. It’s often easier to hack a human than to hack a computer system.
A more modern example of social engineering involved an upset new mother, a crying baby, and a Verizon representative. The attacker posed as a new mother and played recorded sounds of a crying baby while on the phone with Verizon. Using this ploy she was able to gain access to an account that wasn’t hers, without knowing the password. With the help of a fake crying baby, she was able to social engineer her way past a human security control.
There are several types of social engineering attacks, and criminals often combine the types listed below in a single scam.
Common Types of Social Engineering
- Baiting - a trap that takes advantage of human curiosity. A few USB devices loaded with malware could be planted where others will find them. Once curiosity sets in and the devices are plugged in, the malware can do its dirty work.
- Tailgating - someone enters a secured area without valid credentials by closely following others as they enter. This person might be posing as a uniformed UPS worker or some other trusted person.
- Phishing - the attempt to gather sensitive information (usernames, passwords, credit card details) through the use of a fraudulent email.
- Smishing - similar to phishing, but carried out with text messages (SMS) instead of email.
- Vishing - a phone call where the attacker pretends to be a trusted individual in the hopes of gaining information, possibly even account login information. Seemingly innocent information gleaned in this way can be pieced together and used against others in the organization to present a more believable scam.
- Pretexting - an elaborate story which allows the target to become a kind of hero. The attacker is asking for help, whether it is to get home from a foreign country, to claim their hefty inheritance, or to rebuild after a natural disaster.
- Quid Pro Quo - in this scam the attacker asks their target for something, and in return promises something much better. The victim is often asked to complete a form with lots of personal information in exchange for a $500 gift card or another prize; ultra-low home refinancing rates are sometimes promised. It is any scenario in which you are asked to hand over the information needed to steal your identity.