Project Bytesgate

What is Social Engineering?

Social Engineering

Definition

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in-person, and via other interactions.

Scams based on social engineering are built around how people think and act. As such, social engineering attacks are especially useful for manipulating a user’s behavior. Once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user effectively.

In addition, hackers try to exploit a user's lack of knowledge. Thanks to the speed of technology, many consumers and employees aren’t aware of certain threats like drive-by downloads. Users also may not realize the full value of personal data, like their phone number. As a result, many users are unsure how to best protect themselves and their information.

Generally, social engineering attackers have one of two goals:

  1. Sabotage: Disrupting or corrupting data to cause harm or inconvenience.
  2. Theft: Obtaining valuables like information, access, or money.

This social engineering definition can be further expanded by knowing exactly how it works.

Social Engineering Examples and Techniques

One of the many social engineering methods is pretexting. The attacker conducts thorough research on the victim (which in the age of social media is not so difficult). Then they can, for example, call claiming to be a representative of a company offering excellent BaaS solutions. They use phrases that awaken the victim’s interest (e.g. special deals). They then proceed to extract the necessary information by asking relevant questions, for example: "What server does the company use?" or "Where has the company stored data backups so far?". The final stage is to end the conversation, possibly by quoting a very high price so that the victim can reply that they are not interested in the offer.

Attackers very often exploit emotions when executing an attack, because under their influence people tend to make irrational decisions. A sense of urgency puts the victim under time pressure; this can be achieved by offering a reward only if the victim decides within a certain amount of time. Establishing trust is the basis of the whole process, and it is for this reason that the attacker conducts thorough research on a company or individual beforehand.

However, there are many more social engineering examples. These include:

  • Phishing: The aim is to make the email recipient believe the message is something they need or have been waiting for. The email may include dangerous links or attachments containing malware. Variants of phishing include spear phishing and whaling.
  • Baiting: This is very similar to phishing, but it uses bait to make the victim download malware. This can take place online or in the form of a package with a CD or USB stick. For example, in 2018, several U.S. state and local government agencies received envelopes with CDs and a letter with confusing content. Victims inserted the CDs into their computers out of curiosity and thus installed the malware. [1]
  • Shoulder surfing: This method involves stealing data (e.g. passwords) by looking “over the shoulder” while the victim is using their laptop or another device (a mobile phone or even an ATM). Awareness of the threat is particularly important for companies with remote workers, where employees often use their work devices in public places.
  • Tailgating: This method involves physically gaining entry to protected areas, like a company’s HQ, behind a person who has access. The criminal can impersonate a delivery driver and wait outside the building. When the victim opens the door, the criminal asks them to hold it and thus gets inside. To avoid such cases, it is extremely important to properly educate employees and to ensure physical security.
  • Dumpster diving: In this case, the criminal is looking for important information in a rubbish bin. Many companies take great care with the security of digital data while simply forgetting the basics. This is why it is so important to always use paper shredders, which can be placed in different locations within the office for convenience.
  • Quid pro quo: With this method, the attacker calls random phone numbers claiming to be from tech support. Occasionally, of course, they reach a victim who actually needs support. They offer “help”, gain access to the computer and are then able to install malicious software.