4 Frighteningly Common Social Engineering Attacks People Keep Falling For
By Hannah Meinke on 01/27/2020
You probably know that hackers aren’t all the brooding hoodie-wearing shut-ins they’re typically portrayed as. But what might surprise you is the fact that many “hackers” aren’t spending hours on end seeking out software exploits and network security holes—they’re focusing their energy on social engineering tactics.
This common practice turns the introverted hacker stereotype on its head. These underhanded methods rely on a strong understanding of human nature in order to attack and manipulate victims into willingly handing over valuable information. Some of these approaches are as old as con-artistry itself, but don’t let their tried and true nature lull you into a false sense of security—these tactics can cause catastrophic issues when used on the gatekeepers of modern technology systems.
In this article, we’ll explore what exactly social engineering attacks are and why they are one of the most challenging issues to combat in the field of cyber crime. We’ll also ask the experts how you can help protect your family and friends from being duped by these sophisticated criminals.
What is social engineering?
Social engineering is an approach to cyber crime that utilizes social manipulation to target security’s weakest link: the user. By tapping into what most commonly motivates us, cyber criminals can bypass even the best-planned security measures altogether. Rather than steal information, they simply get their victim to hand it over. After all, “Hacking the human is much easier than hacking a system or network,” points out cyber security consultant Eric Jeffery.
Though social engineering is primarily a form of cyber attack, it can begin in many ways, including over the phone, through the mail and in person. Any means by which cyber criminals can get sensitive information like a full name, birth date, license plate, username, password, etc. is an opportunity for them to sell it or exploit it through the internet.
Digital forms of social engineering include:
- Phishing—a broad category of deception that includes masquerading as a legitimate source, most commonly through email
- Quid pro quo—using an exchange of services to persuade a victim into complying
- Baiting—using fake deals or downloads to bait a victim into providing information
- Pretexting—creating a false sense of trust to lower a victim’s guard
Whether it’s to steal their identity, drain their bank account, access restricted servers or simply cause chaos, cyber criminals are all after the same thing—information. And of all the ways to get someone’s information, social engineering is the most common—which is why Jeffery ranks it as the “#1 risk in cyber security.”
How cyber criminals prey on human psychology
By understanding the motivations that cyber criminals target, we can more easily identify real situations from those that are fabricated. Here are some of the common ways that scammers use psychology to do the work for them.
Urgency and fear
“Creating a sense of urgency is the number one tactic that social engineers use to collect confidential information from victims,” says Ajay Chandhok, co-founder of LedgerOps. He points out that these criminals will use quick deadlines to rush bad decisions. “The added pressure of the time box causes many victims to hand over their information without thinking twice about it.”
If you’ve ever gotten an email with an urgent subject line, you know that just reading it can get your heart to race. Criminals are banking on this feeling to compromise critical thinking before users have a chance to consider the consequences.
Phishing scams often use this method. Emails made to look like credible sources ask the user to verify their credentials, log in to their accounts or transfer money. Often an embedded link will take them to a fake page that will send their information directly to the criminal. Below are some common scenarios that use urgency and fear to trick someone into giving up their info.
Common tactics
- Posing as a cyber security company
- Companies threatening sudden account closure or asking you to dispute unauthorized purchases
- Impersonating important HR issues
- Phony bank notices for expiring passwords, late payments, missing funds, etc.
- Authority figures such as the IRS or FBI demanding immediate cooperation
Courtesy and kindness
When a pregnant woman has her arms full and drops something, the natural reaction for most people is to lend her a hand and pick it up for her. While that’s a commendable tendency our society and human nature have ingrained in us, our desire to be helpful can also be manipulated by cyber criminals.
“They play on our emotions and our innate sense to want to trust others and be helpful,” says Robert Siciliano, security expert for Porch. We don’t like to believe that others would take advantage of our kindness, but there is a way to be kind without being naïve. Helping a pregnant woman is one thing, but anything that involves giving out personal information is another.
Quid pro quo scams are a good example of this kind of social engineering. Instead of demanding cooperation, scammers will simply ask their victims, pulling on heartstrings with stories about losing their job and promising to do something in return. This may be the hardest form of scamming to recognize and resist.
Common tactics
- Fake charities soliciting money for humanitarian crises
- Tailgating into secure locations using excuses such as a forgotten key card
- The classic Nigerian prince scam, asking for help to wire money out of a war-torn country
- Social Security personnel asking for verification of an SSN because their computer is down
Curiosity and excitement
“Everyone wants to feel lucky at least once in their life,” says Shayne Sherman, CEO of TechLoris. “Most of us simply won't win the lottery—but what if we suddenly did? It's this unlikely hope that many social engineering hacks prey on—the off chance that today you really might be lucky.”
We all like to think we can’t be bought, but studies have shown that it doesn’t take much—especially if someone doesn’t know the value of what they're giving up. When gratification is just a click or login away, it’s easy to think “What’s the harm?” and proceed anyway.
Baiting scams bank on that question. Curiosity is what drives the internet, after all, and if the last five links to “Never Before Seen Pictures of The Titanic” have been credible, what are the chances this one isn’t?
Common tactics
- Leaving USB drives in public places marked with luring labels such as “Q1 Layoffs” or simply “Confidential”
- Links to clickbait videos and photos
- Anything that seems too good to be true—e.g. prize money they didn’t apply for, free cruises or airline tickets
- Virtual ads for drastically discounted items that can’t be found anywhere else on the internet
Ignorance and trust
To many of us, it may seem silly that people are still falling for these hoaxes, but if you didn’t know any better, you’d fall for them too. Social engineers “rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it,” says Siciliano.
Even if users only engage with senders they trust, scammers can still take advantage. By using tactics like pretexting, they can take little bits of information about their victim and use it to establish trust. For example, if you receive an email addressed to your full name with information about a product you frequently buy, you’re much more likely to trust its sender.
Like kindness, this doesn’t mean we should all stop trusting one another, but simply pair trust with vigilance. Just because someone has information about a user doesn’t mean they came by it honestly. Though it’s scary to admit, there is a complex network of cyber crime in which one scammer can take personal information and sell it to another. More than anything, social engineers target those who don’t know any better.
Common tactics
- Spear phishing—individually targeted scams using data specific to the victim
- Romance scams such as catfishing
- Survey scams, typically over the phone
- Social media messaging
Advice from the experts
At this point, it may feel like everyone is a cyber criminal in disguise, but getting educated about cyber crime is not about throwing away our computers and never leaving the house again. “Knowing, understanding, and paying attention are the best defenses to social engineering threats,” reports Jeffery.
Social engineers may seem like evil geniuses, but Siciliano reminds us that “social engineering has been around as long as the con artist.” Being safe on the internet is much like being safe anywhere else. If you think before you act and balance your emotions with a little logic, you’ve done your part.
That being said, Siciliano provides some simple steps to put those principles into action. Here’s what the long-time security expert has to say:
- Never respond to a message from someone you don’t know and never click on a link in an unsolicited message, including instant messages. Any time the phone rings and they are requesting personal information, consider it a scam.
- Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
- If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions and most sites don't send emails or text messages asking for your username and password information.
- When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
- Consider using safe browsing software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
- Make sure all your devices are protected with comprehensive security that protects all your PCs, Macs, smartphones and tablets.
Additionally, it never hurts to take some time honing your critical thinking skills—these broadly applicable skills will help you navigate more than just social engineering scams.
Protect what matters
You won’t be able to convince social engineers to stop manipulating vulnerable users, but you might be able to join the fight to stop them from striking. Find out if you’d be a good fit for the cyber security field in our article, “Signs You’re Wired to Work in a Cyber Security Career.”