What is social engineering? The cybercriminal’s secret weapon explained

Get the drop on cybercriminals

It’s often tempting to view hackers as employing highly sophisticated techniques to obtain information they shouldn’t have, but that’s not always the case.

Sometimes hackers can get their hands on vital information just by tricking people into handing it over.

This is called social engineering, and it can be very tricky to spot.

In this guide, we’ll give an overview of what social engineering is, how it works, how to spot some of the most common social engineering attacks, and how to avoid falling victim to them.

So…

What is social engineering?

In terms of web security, social engineering is when hackers manipulate a person into providing confidential information, or performing actions.

In some cases, social engineering will be used as part of a wider cyberattack – for example to obtain passwords which are then used to obtain other sensitive information.

On other occasions, it may be that social engineering is used as a stand-alone attack – this could include attacks where the victim is encouraged to send money, or when the attacker obtains sensitive data (such as customer information) which they then exploit without launching further hacking attacks.

Social engineering is so effective because it exploits human nature, and can often make it feel like you’re doing the right thing when you’re not.

What do social engineering attacks look like?

Social engineering attacks can take many forms, so let’s look at some of the most common types of social engineering attack and how they work.

Phishing emails

Oh no! You’ve been locked out of your account! Or perhaps there’s been an unauthorised transaction. Or maybe an unexpected windfall is coming your way.

These are all common themes for phishing emails, the most common form of social engineering.

When you get a phishing email pretending to be from your bank, or PayPal, or an ecommerce website the chances are the hacker is trying to get a hold of your login credentials for these sites.

They do this by redirecting you to a fake page they have control over, so when you try to login they can steal your details.

False claims, such as that you’ve been locked out of your account, or that a transaction that you don’t know about has been made, are used to pressure you into taking action quickly.

Then there are the phishing emails that promise you a windfall – after all who couldn’t do with a bit of extra money?

In this scam, you’ll be asked to pay a “small” admin fee to unlock the larger payment that has been promised to you, a payment that will never arrive.

There are almost endless variations of phishing emails, and this guide will help you spot phishing emails so you don’t become a victim.

Spear phishing emails

Phishing works by sending out the same email to hundreds of thousands of address and hoping a small percentage of recipients fall for it.

However, there is a more targeted form of phishing known as spear phishing.

Spear phishing emails are highly-researched, and highly targeted, and are usually aimed at businesses and their employees.

Often, they’ll appear to have come from a colleague, a contractor or perhaps even a client/customer.

These emails are usually aimed at getting you to disclose sensitive information, or getting you to open files containing malware. (This guide explains what malware is.)

Often, the hacker will try to create a sense of urgency in order to get you to do something.

For example, you might get an email purporting to be from a colleague claiming that they can’t access a file containing customer data which they need for a project that’s due tomorrow, and could you possibly send it over?

Or you might get an email that appears to be from a contractor with an attached invoice that needs to be paid urgently.

If you do as the email asks, you’ll probably find that in the first case you’ve sent sensitive information to a hacker, and in the second case you’ve downloaded and opened a file which has installed malware on your computer.

Spear phishing can be very hard to spot, and often the best way to defend against it is for a business to have strict data protection and IT security rules in place.

This includes things such as always encrypting and password protecting sensitive data, and not sharing sensitive data in an unencrypted/unprotected form no matter who is asking for it.

Any attachments should be scanned by up-to-date antivirus software before they’re opened, and if you have any doubts about the authenticity of an email, speak to the purported sender (in person if possible) to find out if it’s really from them.

When aimed at a senior member of staff, such as an CEO or board member, this type of attack is known as “whaling”.

Piggybacking

“Hold the door please!” seems a reasonable request, and isn’t it only polite to comply?

Well, politeness is something social engineering attacks can use to their own advantage.

Obviously it’s polite to hold a door for someone who has asked, but what if you need a security pass to open that door?

If that’s the case you shouldn’t be letting just anyone through. Making sure the door shuts behind you and you’re not followed through is good security.

Obviously this kind of attack is a threat to larger businesses with premises, but there is a related attack which can be used on businesses of all sizes.

It involves the attack asking to borrow someone’s laptop for a few minutes and, if permission is granted, quickly installing malicious software on the device.

So make sure only people you fully trust have access to your devices, and keep them password protected.

Baiting

Free movie downloads for life? Sounds good.

And what about that memory stick with the name of a rival business written on it in pen. There’s bound to be something interesting on that.

In this case, the social engineering attack is aimed at exploiting a person’s curiosity and our desire to get something for nothing.

In reality, if you try to access the free movie downloads, or open the data on the memory stick you’ll end up installing malware.

These kinds of attack feel like they should be easy enough to avoid when reading about them in an article like this, but in the real world they can be very tempting.

So again, make sure you scan any downloads or memory sticks for viruses using up-to-date anti-virus software.

Or better yet, don’t download files from sources you aren’t 100% sure are legitimate.

Quid pro quo attacks

You’re having PC trouble. Isn’t everyone? Then you get a phone call from an IT expert offering help, or free software.

All you have to do to get it is provide login details.

Of course, reading this you’ll have already guessed what will happen if you hand those details over, but in the heat of a moment it can feel like a perfectly sensible deal.

Never hand out your login details – even to the head of IT. If someone should have access to something, they should have their own login.

This kind of attack is closely related to pretexting attacks, where the attacker pretends to have a good reason to need your login credentials, or have you carry out certain commands on your PC.

Perhaps the most well-known form of pretexting is from cybercriminals pretending to be from Microsoft, and asking people to give them remote access to their PC.

Keep your wits about you, don’t allow anyone access to your devices unless you know who they are, and what they’ll be doing.

Data gathering via social media

The more data a hacker has, the more effective they can make their social engineering attacks.

Social media is a gold mine for anyone looking to gather this kind of information.

In many cases, they’ll be able to gather a lot of data because their target has made all their social posts public.

However, even if someone’s profile is on lockdown, there are ways to get access to the data it contains.

One of the most popular of these is cloning the social media profile of one of the target’s existing friends and then sending a new request, claiming they’ve been locked out of their previous profile.

If the request is accepted, the owner of the fake profile then has access to all the information on the target’s profile, even if it isn’t public.

Never share sensitive data on social profiles, even if you’re not sharing it publicly.

Even seemingly innocuous data can help hackers build a better social engineering attack, so keep posts private if you can – and remember if you get an email out of the blue from someone who appears to know you, it may be that they’ve gained their knowledge via social media.

You should also be careful when accepting friend requests from people you don’t know, or from people with an existing account.

A look at the psychology behind social engineering attacks

We’ve looked at some of the most common types of social engineering attacks, and touched on the psychological concepts that help make them work.

In this section, we’ll look a bit more at the psychological underpinnings of social engineering, which should help you recognize any attacks not on the list above.

Fear

If someone can make us scared, they can motivate us to take action. Fear is the principle behind social engineering attacks which tell you you’ve been locked out of an important account, or that you’ve order a product when you know that you haven’t, or that your latest TV licence payment has failed.

The emotion of fear is used to convince you to take action quickly, making it less likely that you’ll spend time thinking about what you’re actually doing.

In most cases, spending a few minutes to look over the email you’ve received will reveal it to be a clever (or not so clever) fake. (Look out for poor spelling, an email address that isn’t related to the organisation it should be, or links to web addresses that aren’t legitimate.)

However, some social engineering attacks can look very convincing, so if you are worried there might be a problem you should visit the organisation’s website by typing it into your address bar, or by finding it via a search engine (so as to avoid clicking on links in the email, which could direct you to a fake site.)

Doing this will stop you visiting a malicious site and giving away your login or payment details.

And if you’re really worried, pick up the telephone and ring the organization in question.

Greed

Who wouldn’t want free stuff? Or a bit of extra money? Or even a lot of extra money.

Greed is a powerful motivator, and one that we like to pretend doesn’t affect us.

This is something people using social engineering rely on to make these kinds of attack work.

If you accept that greed is a motivating factor in you making a particular decision, you’ll be better able to judge whether that action is wise.

This includes emails offering you a £500,000 windfall, a web link promising unlimited free movie downloads, or someone ringing you up and promising £100 if you take part in their IT security research project.

All these offers seem too good to be true, but all of them appeal to that sense of greed we’d like to pretend we didn’t have – that means it’s possible for us to trick ourselves into thinking we’re taking up such an offer for the right reason.

Getting something for nothing is very uncommon, so asking yourself if you’re being greedy is a good way to avoid falling victim to one of these attacks.

Helpfulness

We’re taught to be helpful and polite from a very early age. Being helpful makes us feel good, while refusing to be helpful makes us feel bad.

Unfortunately, people launching social engineering attacks know this and look to take advantage of our good natures.

The good news is that it’s hard to carry out this kind of attack via email, or even over the phone – it tends to work best in person.

The bad news is that forcing yourself to say no to a polite request is hard.

Just remember that good cybersecurity is more important than being polite, and anyone who has your business’s best interests at heart will recognize that.

Respect for authority

If someone in a position of authority asks you to do something, it feels natural to comply.

But is that email asking for sensitive customer details to be sent over unencrypted really from your manager?

Or does the head of IT really need your login details to fix your computer problems?

As with social engineering attacks that exploit our need to be helpful, attacks that exploit our respect for authority can be hard to resist.

But you’re less likely to fall victim to them if you stick to cybersecurity guidelines about how sensitive data should be shared.

Time pressure

Being under pressure gives you less time to think, and that’s why most social engineering attacks will try to introduce an element of time pressure – so you act before you can figure out  something is up.

Time pressure isn’t a tactic on its own, instead attackers will use it to make the other tactics we’ve looked at here more effective.

So if you’re being asked to do something urgently, consider it a red flag indicating a possible social engineering attack.

Summing up

Almost everyone will be targeted by a social engineering attack at some point in their time online.

Employing caution when it comes to unexpected requests will help ensure that you don’t become the victim of this kind of hacking.

When it comes to social engineering, the old adage of “better safe than sorry” rings true.

On top of this, you should strongly consider using Website Security from GoDaddy to make sure your site isn’t an easy target for cybercriminals.

Will Stevens
Will joined the GoDaddy EMEA team in 2017, following the acquisition of HEG. He covers all aspects of digital marketing, from SEO to email, for the GoDaddy UK blog. Previously, he has worked in online journalism and also conducted online marketing campaigns for a number of well-known brands.