Emerging Threats

What is social engineering? Tips to help avoid becoming a victim


Authored by a Symantec employee

 

Social engineering is the act of tricking someone into divulging information or taking an action that benefits the attacker, usually with the help of technology such as email, text messages or the phone. Rather than exploiting a flaw in software, it exploits a potential victim's natural tendencies: trust, curiosity, the wish to be helpful, and the fear of getting into trouble.

To get into a computer network, a typical attacker might look for a software vulnerability. A social engineer instead poses as, say, a technical support person and talks an employee into handing over their login credentials. The fraudster is counting on the employee's desire to help a colleague and, perhaps, to act first and think later.

6 types of social engineering attacks

1. Baiting

This type of social engineering depends upon a victim taking the bait, not unlike a fish reacting to a worm on a hook. The person dangling the bait wants to entice the target into taking action.

Example
A cybercriminal might leave a USB stick loaded with malware in a place where the target will see it, such as a parking lot or a lobby. The criminal might also label the device in a compelling way, "Confidential" or "Bonuses," for instance. A target who takes the bait picks up the device and plugs it into a computer to see what is on it. Depending on how the device is built, the malware may run as soon as it is plugged in (some devices present themselves to the computer as a keyboard and type commands), or when the victim opens one of the files stored on it.

2. Phishing

Phishing is a well-known way to grab information from an unwitting victim. Despite its notoriety, it remains quite successful. The perpetrator typically sends an email or text to the target, seeking information that might help with a more significant crime.

Example

A fraudster might send emails that appear to come from a source the would-be victims trust, for instance a bank asking recipients to click a link and log in to their accounts. The link takes those who click it to a fake website that, like the email, is made to look legitimate. Anyone who logs in there is handing their credentials to the crook, who can then use them on the real bank site.

In another form of phishing, known as spear phishing, the fraudster targets, or "spears," a specific person. The criminal might track down the name and email address of, say, a human resources employee at a particular company, then send that person an email that appears to come from a senior executive. Cases reported in recent years involved an emailed request for employee W-2 data, which includes names, mailing addresses, and Social Security numbers. If the fraudster succeeds, the victim unwittingly hands over information that can be used to steal the identities of dozens or even thousands of people.
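The phishing email described above works because what a link says and where it actually goes are two different things. The following is an added example, not code from the original article: a small Python script that pulls every link out of an HTML email body and reports the tells a practitioner looks for (visible text naming one domain while the link goes to another, a trusted brand buried as a subdomain of an unrelated domain, punycode hostnames, bare IP addresses). The sample message and the "trusted" domain examplebank.com are constructed for the demonstration.

```python
"""Triage links in an HTML email body for common phishing tells.

Added example, not part of the original article. SAMPLE_EMAIL is a
constructed message; TRUSTED_DOMAINS is an assumed allow-list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the recipient's organisation treats as legitimate.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message: one lookalike host, one punycode host,
# one bare IP, and one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<a href="http://examplebank.com.login-verify.example/">https://examplebank.com/login</a>
<a href="http://xn--exmplebank-xyz.com/">Secure portal</a>
<a href="http://203.0.113.7/reset">Reset password</a>
<a href="https://examplebank.com/contact">Contact us</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts, not for
    multi-label public suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_link(href, text):
    """Return the list of reasons this link looks suspicious (empty = clean)."""
    reasons = []
    href_host = host_of(href)
    href_domain = registered_domain(href_host)

    # 1. The visible text is itself a URL or domain, but for a different site.
    if "." in text and " " not in text:
        shown = registered_domain(host_of(text))
        if shown != href_domain:
            reasons.append(f"text shows {shown} but link goes to {href_domain}")

    # 2. A trusted brand appears as a subdomain of some other domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in href_host and href_domain != trusted:
            reasons.append(f"{trusted} appears inside untrusted host {href_host}")

    # 3. Punycode label: the browser may render lookalike Unicode characters.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append(f"internationalised host {href_host}")

    # 4. A raw IP address where a real bank would use a hostname.
    if href_host.replace(".", "").isdigit():
        reasons.append(f"link uses bare IP {href_host}")

    return reasons


def triage_email(html):
    """Map every href in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: triage_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "no findings")
```

Only the genuine examplebank.com link comes back clean; the other three each trip at least one rule. Mail gateways apply far richer versions of these checks, but the point for a reader is that the displayed link text is never evidence of where a link goes, which is why the tips below recommend typing the address yourself.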

3. Email hacking and contact spamming

It is in our nature to pay attention to messages from people we know. Some criminals exploit this by taking over a victim's email account and sending mail to everyone in its contact list.

Example

If a friend sent you an email with the subject line "Check out this site I found, it's totally cool," you might open it without a second thought. By taking over someone's email account, a fraudster can make everyone on that contact list believe they are hearing from someone they know, and the message really does come from the friend's account, so it passes the usual sender checks. The usual goals are spreading malware and tricking recipients out of their data.

4. Pretexting

Pretexting is the use of a fabricated scenario, or pretext, that gives the attacker a plausible reason to ask for something. Once the story has hooked the person, the fraudster tries to talk the would-be victim into providing something of value.

Example

Let's say you receive an email naming you as the beneficiary of a will. It asks for your personal and bank details, supposedly to prove you are the real beneficiary and to speed up the transfer of your inheritance. Nothing is added to your account; instead, the con artist now has what is needed to access it and withdraw your funds.

5. Quid pro quo

This scam involves an exchange: I give you this, and you give me that. Fraudsters make the victim believe it is a fair trade, but it is nothing of the sort, because the cheat always comes out ahead.

Example

A scammer may call a target, pretending to be an IT support technician. The victim hands over the login credentials to their computer, believing they are receiving technical support in return. Instead, the scammer can now take control of the computer, load it with malware, or steal personal information from it to commit identity theft.

6. Vishing

Vishing is the voice version of phishing. The "v" stands for voice; otherwise the scam is the same. The criminal uses the phone to trick a victim into handing over valuable information. Caller ID is easy to spoof, so the number shown on the display proves nothing about who is actually calling.

Example

A criminal might call an employee while posing as a co-worker and persuade the victim to provide login credentials or other information that can then be used to target the company or its employees.

Something else to keep in mind is that cybercriminals take one of two approaches to social engineering. Many are satisfied with a one-off attack, known as hunting. Others think long-term, an approach known as farming.

Hunting is the short form: the criminal uses phishing, baiting and other social engineering techniques to extract as much data as possible from the victim with as little interaction as possible.

Farming is when the criminal sets out to build a relationship with the target. The goal is to string the victim along for as long as possible and extract as much data as possible over time.

5 tips to help you avoid being a social engineering victim

  1. Consider the source. A found USB stick is not necessarily a lucky find; it could be loaded with malware, waiting to infect a computer. A text or email from your bank is not necessarily from your bank either, because spoofing a trusted sender is relatively easy. Don't click links or open attachments from suspicious sources, and in this day and age it is reasonable to treat every unexpected message as suspicious. No matter how legitimate an email looks, it is safer to reach the site by typing its address into your browser or using a bookmark you saved earlier than by clicking the link in the message.
  2. Slow down. Social engineers count on their targets moving quickly, without considering that a scammer may be behind the email, phone call, or face-to-face request they are acting on. Stopping to ask whether the request makes sense, or seems a bit fishy, makes you more likely to act in your own interest rather than the scammer's.
  3. If it sounds too odd to be true, it probably is. How likely is it that a Nigerian prince would reach out to you for help? Or, on the flip side, that a relative is texting you for bail money while traveling? Verify any request for money, personal information, or anything else of value through a channel you already trust, such as a phone number you looked up yourself, before handing anything over. There is a good chance it is a scam, and even if it is not, better safe than sorry.
  4. Install antivirus software or a security suite, such as Norton Security, and keep it up to date. Also make sure your computer and other devices are running the latest versions of their operating systems; where possible, set them to update automatically. Up-to-date software will not stop you from being talked into something, but it does close the holes that the malware delivered by these scams relies on.
  5. Let your email software help. Most email programs can filter out junk mail, including many scams. If you think yours is not doing enough, a quick online search will show how to change its settings. The goal is to set your spam filter high enough to weed out as much junk mail as possible, while accepting that some phishing will still get through and that the tips above remain your last line of defense.

Social engineering is everywhere, online and offline. Your best defense against these attacks is to educate yourself so that you know the risks, and to stay alert.
 


Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

© 2018 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the Lockman Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome is a trademark of Google, Inc. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.