What is Social Engineering?

Social engineering definition

Social engineering is a technique used by cyber-criminals to manipulate the humans behind machines rather than exploiting code-based vulnerabilities. This can be done by impersonating legitimate parties, targeting vulnerable individuals, building trust with a victim, creating a sense of urgency in a message, and more. Social engineering can be used to enhance phishing, smishing, spoofing, or other cyber-attacks that target humans. Because humans are susceptible to trusting other humans, the goal of social engineering is to present the victim with a seemingly legitimate situation.

A man explaining how social engineering works in a cybersecurity training session.

How does social engineering work?

Social engineering works by establishing a relationship between the victim and the threat actor. This can take place over days or even several months. To successfully do this the threat actor will:

Research: The threat actor will conduct research on their target. For example, they might be targeting a specific organization and will identify several key figures, recent news or reports, or specific individuals in an attempt to develop a plan of action given what they find.

Building a relationship: The threat actor will leverage their knowledge of the victim to build a relationship. This can be through a series of messages on social networks like LinkedIn, Facebook, etc.. establishing trust between the threat actor and the victim. In these scenarios the threat actor is usually using a false identity, sometimes masking themselves as someone within the company or from a related party. 

Action request: After establishing their credibility with the victim, a threat actor will make a request either for money, account details, or other sensitive information in a confident and persuasive manner. At this point the victim will already believe that this is a trusted individual and give the threat actor what they desire. 

People checking their electronic devices while standing in line on the street at night.

Types of social engineering

CEO Fraud

CEO fraud is a form of impersonation where a threat actor will falsify their identity, acting as a CEO at an organization and attempt to communicate with other employees, such as members of the finance department, to trick them by using a falsified version of a high-ranking official’s credentials. Often urgently requesting the transfer of money. These attacks are specifically focused on financial gain.

Business Email Compromise (BEC)

This is a type of email cyber-attack where a threat actor attempts to trick someone into sending them money or valuable information by impersonating a valuable or high-ranking individual within a trusted business. 

Phishing or Smishing

This involves a cyber-criminal sending a fraudulent email or SMS message that contains malicious content. When the malicious content is downloaded or clicked on, the cyber-criminal will compromise the device. In some cases, cyber-criminals will use phishing or smishing tactics to solicit information while posing as a trusted organization like an e-commerce site. 

Spear phishing

Spear phishing is a type of cyber-attack that targets a specific individual or organization rather than a broad audience. This usually involves an attacker conducting a significant amount of research on an organization or individual to make their attack seem more credible by contextualizing its message with relevant information. 

Vishing

Vishing (voice phishing) uses voice communication to get people to reveal their sensitive information. Attackers will often have an automated voicemail ready that asks individuals for their social security number or bank account information. They sometimes mask their identity as a loan provider or banking institution. 

Watering hole

A watering hole attack is a type of cyber-attack in which the attacker targets a specific group of individuals by infecting websites that they are known to visit.

Baiting

This is an attempt by a threat actor to trick a victim by appealing to a person’s sense of curiosity. For example, they might drop a USB at a location or send fraudulent emails with offers for rewards or money. A successful attack can result in compromised account credentials or instillation of malware on a device.  

Quid pro quo attacks

This refers to a method of communication an attacker might use which involves an exchange of information. This can be information like account credentials in exchange for a reward of some sorts that seems low stakes to the.

Tailgating and piggybacking

This is a physical security concern involving unapproved attackers following legitimate personal into private or restricted areas. In tailgating, the real employee is not aware of someone following but in piggybacking they are. They may ask the employee up ahead to ‘hold the door’ or ‘I’m in a rush can you scan for me?’. This can lead to hardware destruction, data exfiltration through removable media or hardware theft such as a sensitive laptop.

Why is social engineering effective?

Social engineering is an effective tactic for cyber-criminals and can be difficult to spot. With the proliferation of generative AI technology, phishing scams are becoming increasingly difficult to identify and traditional security tools often cannot differentiate between actual business and fraudulent activity.

AI-powered attacks: Openly available generative AI tools make it possible for attackers to generate believable, even targeted messages in seconds that they can then send out at scale. 

Easier to trick a person than hack a system: A hardened security system might take a bad actor more effort and time to get through as opposed to an employee. Social engineering targets people and uses emotional appeals to trick them into divulging sensitive information. An attacker no longer needs to use brute force attacks. They simply need to gain the trust of a single employee. 

Multi-medium communication: The modern worker controls a variety of profiles across a multitude of accounts, and including social media, where workers may publicly post about their jobs. Cyber-criminals will take advantage of open social networks and attempt to infiltrate businesses by initiating communication through business-related social profiles.

A person engrossed in their Internet of Things (IoT) device, surrounded by others engaged in similar work.

How to spot a social engineering attack?

Look for emotional triggers: Attackers will typically use a tone of urgency when trying to get a response from their victims. This is an attempt to speed up the process of a request and not allow targets time to investigate the legitimacy of the account or message.

Be conscious of the medium: Communicating about business on public profiles such as LinkedIn is riskier than communicating through a secure email gateway. Be conscious of where the communication is taking place so that you can be on high alert in mediums where there are fewer security measures in place.

Asking for donation: Cyber-criminals will sometimes mask themselves a righteous cause, like a charity, to appeal to targets’ emotions. Through this, they will attempt to solicit money or other valuable information. 

Asking for identity verification: A cyber-criminal will generate a message that asks you to verify your account credentials. They will sometimes construct a fraudulent issue with your account and make you believe that verifying your identity will solve the issue. Once you have sent them over your credentials, your account will be compromised. 

Suspicious links: Be weary of any email that contains links to unknown websites. Always verify a sender’s identity and do research on the organization or party they are posing as before interacting with emails. Some attackers will impersonate large organizations like Google or Apple, so be especially cautious around these sorts of communication.

Social engineering security solutions

Social engineering can happen on any medium from emails to social media messages, making them particularly difficult for security teams to monitor. Having visibility into your entire network will increase your chances of catching socially engineered attacks. However, the security team cannot monitor what happens on personal social media accounts. This makes it essential to train employees on how to spot socially engineered attacks and make them knowledgeable on what information should never be shared.

Email security: AI-powered email solutions can level up security teams in numerous ways. Traditionally, email security is trained on historical attack data, only alerting to previously seen threats making it difficult to spot socially engineered attacks. With an AI based model, it is possible to better prepare and stop socially engineered threats. 

Self-Learning email security will understand behaviors of end users, how each individual operates within their inbox. Darktrace's Self-Learning email security is able to detect and respond to threats that deviate from normal activity, making it adept to fight against socially engineered attacks.