Project Bytesgate

How Does Social Engineering Work?

Most social engineering attacks rely on actual communication between attackers and victims. The attacker tends to motivate the user into compromising themselves, rather than using brute force methods to breach your data.

The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social engineering attack cycle are usually as follows:

  1. Prepare by gathering background information on you or a larger group you are a part of.
  2. Infiltrate by establishing a relationship or initiating an interaction, started by building trust.
  3. Exploit the victim once trust and a weakness are established to advance the attack.
  4. Disengage once the user has taken the desired action.

This process can take place in a single email or over months in a series of social media chats. It could even be a face-to-face interaction. But it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.

It's important to recognize social engineering as a tactic built on confusion. Many employees and consumers don't realize that just a few pieces of information can give hackers access to multiple networks and accounts.

By masquerading as legitimate users to IT support personnel, they grab your private details — like name, date of birth or address. From there, it's a simple matter to reset passwords and gain almost unlimited access. They can steal money, disperse social engineering malware, and more.

Figure: social engineering life cycle

Traits of Social Engineering Attacks

Social engineering attacks center around the attacker’s use of persuasion and confidence. When exposed to these tactics, you are more likely to take actions you otherwise wouldn’t.

Among most attacks, you’ll find yourself being misled into the following behaviors:

Heightened emotions: Emotional manipulation gives attackers the upper hand in any interaction. You are far more likely to take irrational or risky actions when in a heightened emotional state. The following emotions are all used in equal measure to convince you.

  • Fear
  • Excitement
  • Curiosity
  • Anger
  • Guilt
  • Sadness

Urgency: Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal. You may be motivated to compromise yourself under the guise of a serious problem that needs immediate attention. Alternatively, you may be exposed to a prize or reward that may disappear if you do not act quickly. Either approach overrides your critical thinking ability.

Trust: Believability is invaluable and essential to a social engineering attack. Since the attacker is ultimately lying to you, confidence plays an important role here. They’ve done enough research on you to craft a narrative that’s easy to believe and unlikely to rouse suspicion.

There are some exceptions to these traits. In some cases, attackers use more simplistic methods of social engineering to gain network or computer access. For example, a hacker might frequent the public food court of a large office building and "shoulder surf" users working on their tablets or laptops. Doing so can result in a large number of passwords and usernames, all without sending an email or writing a line of virus code.

Now that you understand the underlying concept, you're probably wondering "what is a social engineering attack and how can I spot it?"


Examples of social engineering attacks

Perhaps the most famous example of a social engineering attack comes from the legendary Trojan War in which the Greeks were able to sneak into the city of Troy and win the war by hiding inside a giant wooden horse that was presented to the Trojan army as a symbol of peace.

In more modern times, Frank Abagnale is considered one of the foremost experts in social engineering techniques. In the 1960s, he used various tactics to impersonate at least eight people, including an airline pilot, a doctor and a lawyer. Abagnale was also a check forger during this time. After his incarceration, he became a security consultant for the Federal Bureau of Investigation and started his own financial fraud consultancy. His experiences as a young con man were made famous in his best-selling book Catch Me If You Can and the movie adaptation from Oscar-winning director Steven Spielberg.

Once known as "the world's most wanted hacker," Kevin Mitnick persuaded a Motorola worker to give him the source code for the MicroTAC Ultra Lite, the company's new flip phone. It was 1992, and Mitnick, who was on the run from police, was living in Denver under an assumed name. At the time, he was concerned about being tracked by the federal government. To conceal his location from authorities, Mitnick used the source code to hack the Motorola MicroTAC Ultra Lite and then sought to change the phone's identifying data or turn off the ability for cellphone towers to connect to the phone.

To obtain the source code for the device, Mitnick called Motorola and was connected to the department working on it. He then convinced a Motorola employee that he was a colleague and persuaded that worker to send him the source code. Mitnick was ultimately arrested and served five years for hacking. Today, he is a multimillionaire and the author of a number of books on hacking and security. A sought-after speaker, Mitnick also runs cybersecurity company Mitnick Security.

A more recent example of a successful social engineering attack was the 2011 data breach of security company RSA. An attacker sent two different phishing emails over two days to small groups of RSA employees. The emails had the subject line "2011 Recruitment Plan" and contained an Excel file attachment. The spreadsheet contained malicious code that, once the file was opened, installed a backdoor through an Adobe Flash vulnerability. While it was never made clear exactly what information was stolen, if any, RSA's SecurID two-factor authentication (2FA) system was compromised, and the company spent approximately $66 million recovering from the attack.

In 2013, the Syrian Electronic Army was able to access the Associated Press' (AP) Twitter account by including a malicious link in a phishing email. The email was sent to AP employees under the guise of being from a fellow employee. The hackers then tweeted a fake news story from AP's account that said two explosions had gone off in the White House and then-President Barack Obama had been injured. This garnered such a significant reaction that the Dow Jones Industrial Average dropped 150 points in under 5 minutes.

Who Are The Targets Of Social Engineering?

  • The target of any social engineering attack depends on the threat actor's goal.
  • If they're looking only to gain credentials, then they may target anyone in the company.
  • However, more often you'll see targeted spear phishing or whaling attacks against department heads like the VP of finance or executives like the CEO or CFO.
  • These targeted attackers develop sophisticated social engineering campaigns by collecting freely available information online.
  • It may come from a company's website or a LinkedIn profile page.
  • This is a typical attack pattern and use case for business email compromise (BEC).
  • Once an attack is carried out, the attacker may phish other employees to see if they can gain access to an account with system admin credentials.