What is social engineering? || Definition & Examples



Social engineering in computing refers to the techniques cybercriminals use to persuade victims to take a questionable action, which frequently entails a security breach, the transfer of money, or the disclosure of personal information. These actions frequently defy logic and go against our better judgement. However, by manipulating our emotions, both positive and negative, such as rage, fear, and love, fraudsters can convince us to stop thinking logically and start acting on instinct without considering what we're actually doing.

Simply defined, social engineering is how hackers compromise our minds, just as they use malware and viruses to compromise our machines.

Social engineering is always a component of a broader con, one that takes advantage of the fact that the criminals and their victims never have to interact in person. The major goal is generally getting the victims to:

  • Give up usernames and passwords.
  • Install malware on their device.
  • Send money via electronic fund transfer, money order, or gift cards.
  • Authorize a malicious software plugin, extension, or third-party app.
  • Act as a money mule for the purpose of laundering and transferring illicit funds.

What is the process of social engineering?

Social engineering is merely a small component of a bigger scam. Consider the Nigerian Prince or 419 scam, for instance (so named for the section of the Nigerian Criminal Code dealing with fraud). In this scam, a cybercriminal emails you and claims to be a deposed Nigerian royal with a large sum of money stashed away in a foreign bank account. The prince requires you to give him a down payment for bribing the bank manager in order to release the money. The prince will give you a portion of his wealth in return. However, this prince charming ends up being a frog. The money is non-existent. The trick is to persuade you to transfer cash to the fraudster.
Once you realize you’ve been scammed, the money is gone. So, where does social engineering come into play?

By claiming to be a Nigerian prince, the scammer gives his con a degree of authority and victims are more inclined to respond.

The theory that people will respond positively to someone they perceive as an authority is just one of psychology professor and noted expert on influence Dr. Robert Cialdini’s Principles of Persuasion. Dr. Cialdini wrote the book on how to get people to say “yes” after years of research working as a used car salesman, telemarketer, and door-to-door salesman.

Dr. Cialdini breaks the techniques of social engineering down into six principles.

Reciprocity.

Even a tiny present from someone increases your probability of returning the favour with a gift of your own. The scammer in the Nigerian scam has all but handed you millions of dollars; the least you can do is contribute to the little processing charge.

Scarcity.

In 2019 Americans caught a glimpse of the end times when Popeyes sold out of their popular chicken sandwiches. People fought over the sandwiches. One man threatened Popeyes employees with a gun. Another man sued the fast food chain for deceptive business practices. People killed for the sandwiches. Literally. That, in a nutshell, is scarcity. If consumers can’t have something, they just want more of it.

Authority.

One way thieves use authority to influence their victims is by pretending to be royalty. Malwarebytes Labs has documented a variety of scam calls in which the caller claims to be from a US government organisation. Callers claim that the victims owe unpaid taxes or penalties and that they will go to jail if they don't pay up right away.

Consistency. 

Generally speaking, no one wants to come off as indecisive. When we say we’re going to do something, we try to follow through. And if you can get someone to agree to something small first, then they’ll feel pressured to agree to something bigger. Take, for example, money mule scams. Working on behalf of the scammers, money mules accept illicit funds from one account then transfer them to the scammer. Even when the legality of the operations comes into question, victims tend to follow through, not wanting to go back on their word.

Liking. 

The Ellen DeGeneres scam is a great example of liking. In social media posts supposedly from Ellen herself, scammers cut together videos of the popular daytime talk show host speaking about her favourite charities along with a request to share the posts. Because the victims like Ellen, they’re more inclined to share. “Ellen” then reaches out directly to those who shared the post and asks them to download one of her films for a chance at winning a million dollars. Of course, there is no million dollars and all victims have to show for their effort is a subscription to an illegal streaming site and a pirated copy of Mr. Wrong.


Consensus.

You’ve probably heard the expression: “If everyone else jumped off a bridge, would you?” If you have, then you’re familiar with the concept of consensus. People are more inclined to respond affirmatively if they think everyone else is doing it. As it applies to online scams, Malwarebytes Labs has reported on fake charitable organizations emerging in the aftermath of a natural disaster. Criminals use the groundswell of support that typically follows to pressure people into donating money.

Social engineering attack types

Here are six prevalent internet frauds that use social engineering in some way.

Email phishing 

is the most prevalent form of social engineering attack. The target receives a spam email that has been faked to appear as though it was sent by a business or organisation the target trusts. These days, it's very simple to produce these emails using pre-made email templates that imitate the look and feel of messages from a well-known organisation, such as Apple, Amazon, or another. The email includes a URL for a website that collects usernames and passwords.

Trojan

refers to any kind of malware pretending to be something it isn’t. Just like the Trojan horse of Greek fame, computer Trojans contain a destructive payload. Email attachments containing hidden malware are a form of Trojan. The trick, as it applies to social engineering, is when the email appears to originate from a trusted sender such as a co-worker, friend, family, or company you do business with.

Spear phishing

is a kind of phishing attack that goes after a single person or a small group of individuals. A spear phishing attack takes some research on the part of the scammer, as opposed to a standard phish, which is purposefully generic and sent out to as many email addresses as possible. Scammers will search for the target on social media and utilise data including photographs, relationship status, birthdates, residences, employment history, and any other publicly available information to support the con.

SMS text message phishing (smishing) 


is a type of phishing that occurs over your tablet, smartphone, or smartwatch. It’s true, phishing happens outside of email. Victims typically receive a text message from an unknown sender informing them of some special offer or contest they’ve won. The text includes a link to a spoofed site designed to harvest login credentials.


Scam calls 

are the telephone equivalent of spam. Also known as vishing (voice phishing) or robocalls, scam calls are made using a computerized telephone dialing system. When the call is answered, the autodialer connects the call to a live person or plays a pre-recorded message. Both are considered robocalls. While robocalls can be legal under certain limited circumstances, most are illegal and involve some ploy to steal the victim’s money, user credentials, or identity.

Tech support scams 

are an advanced form of social engineering designed to make you think your computer is infected with malware, when it actually isn’t, then extort money from you to “fix” it. The scam starts when victims land on a malicious website run by the scammers. These sites include malvertising designed to lock your browser and prevent you from closing out or navigating to another site. The malvertising generally includes some warning that your computer is infected with malware or your software is pirated along with a phony tech support number you can call to get help—but it will cost you. As it happens, Malwarebytes Browser Guard is the first browser extension smart enough to block tech support scams and it’s completely free to download for Firefox and Chrome.

Scammers that use social engineering search for the ideal target and emotional trigger.


