What are Common Methods of Social Engineering

Methods of Social Engineering

If computers can be hacked, why can’t people be hacked as well? In fact, some scammers do hack people by manipulating them into divulging confidential information, unknowingly performing harmful tasks for the manipulator, and often spreading malware that perpetuates the issue.
Hacking people, essentially hijacking their ability to discern between harmful and harmless activities, is known as social engineering. The objectives of social engineering campaigns may include:

  • causing harm, chaos, or disruption
  • gaining access to account information

What is Social Engineering?

There are many types of social engineering that use various techniques to get people to do the bidding of scammers. The perpetrators of the attacks generally employ tactics like a voice of authority, pressure to act immediately, or a prize of some sort.
These include:

  • email hacking – taking over a victim’s mailbox and using it to send malware or further lures to everyone in the contact list; because the messages arrive from a familiar address, recipients assume they can trust them, and the lure is often a short-term, “irresistible” offer;
  • many forms of phishing, including spearphishing, whaling, smishing, and vishing – all try to extract credentials or personal information by persuading you to act on a message that appeals to emotion (phishing is broadcast widely by email; smishing is the same lure delivered by SMS; spearphishing targets specific individuals with personalised detail; whaling singles out high-value targets such as executives; and vishing uses phone calls, often with a spoofed caller ID, to talk victims into reading out passwords, one-time codes, or account details);
  • scareware – pop-ups or banners that announce an urgent problem (your account has been hacked, your computer is infected) and offer a “fix” that is itself malware or a paid scam;
  • pretexting – the attacker invents a plausible identity and story (a help-desk technician, an auditor, a colleague in distress) and uses it to justify a request for sensitive information or assistance; appeals for donations built around a sad story are a common variant;
  • physical breaches – including tailgating (following an authorised person through a secured door) and impersonating an IT contractor or employee in order to reach computers and accounts inside the building; the intruder may plant hardware keyloggers on machines to harvest credentials;
  • watering hole attacks – the attacker compromises a legitimate site or page that the target group is known to visit and uses it to serve malware or credential-harvesting pages to everyone who lands there;
  • hardware attacks (baiting) – scammers load malware onto thumb drives and leave them in conspicuous places with labels like “bonuses” or “accounts” to exploit curiosity or greed. When a drive is plugged in, the malware runs on the victim’s machine, harvests stored credentials and account information, and may use the victim’s email or contacts to spread further.

What isn’t Social Engineering?

Attacks that exploit software or hardware rather than a person’s judgement are not social engineering, although the two are frequently combined (a phishing email is often just the delivery mechanism for one of the attacks below). These attacks are typically broad rather than aimed at particular people or segments of the population. Elderly and less sophisticated

  • DNS spoofing – corrupting name resolution so that traffic meant for a legitimate site is redirected to a look-alike site that collects login credentials, which are then used to drain accounts;
  • software attacks – malware bundled with downloads or apps that lets attackers compromise devices without any emotional appeal;
  • security flaws – exploiting vulnerabilities in software to gain entry to users’ accounts or systems; and
  • keyloggers and skimmers – devices (hardware, or software in the case of keyloggers) attached to computers or point-of-sale card readers to record keystrokes such as PINs and account numbers, giving attackers access to personal information and accounts. POS terminals in particular need physical tamper controls and regular inspection to counter skimmers.

Most Common Forms of Social Engineering

According to one security company’s 2020 report, phishing, trojans, and ransomware were the most common threats associated with social engineering; the trojans and ransomware are the payloads, and phishing is the usual way of getting a victim to run them. The top four computer and phone hacking techniques in that report together represented about 100 million “query volumes” per month. The fourth – and most active by query volume – was cryptomining, in which attackers take over part or all of a victim’s computing capacity to mine cryptocurrency; attackers who gain that level of control rarely stop at mining.
Phishing, the primary social engineering technique, uses messages that appeal to the recipient’s emotions and can be personalised enough to appear to come from a trusted source. Phishing messages may appear to be sent from an institution like a bank, one’s employer, a work colleague, a friend, or a social acquaintance. Such messages may:

  • give you a short period to click on a link to claim a prize
  • tell you a bank account has been hacked and you must verify your account number and PIN immediately
  • offer illicit photos of someone you know
  • pretend to be your boss asking for the passwords for certain accounts.

How to Prevent Social Engineering 

Verifying the source of information is key to blocking most social engineering attempts. Always:

  • stop and think before clicking a link or opening a download: ask whether you requested it, and whether the address the link actually points to matches the one it displays;
  • never respond to an email asking you to verify a bank account number or PIN; instead call the institution on a number you already have (from your card or a statement), and check the real sender address rather than the display name;
  • check the source of emotional requests for money to ensure they’re legitimate.
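The verification advice above (check where a link really points, look at the real sender address rather than the display name, treat urgency as a warning sign) can be automated for incoming mail. The following is an added example, not code from the original article: a small Python checker that parses a raw email and reports the phishing indicators this page describes, namely a display name that claims one domain while the actual From address uses another, a Reply-To that goes elsewhere, link text that names a different host than the href, punycode (xn--) hostnames used for look-alike domains, and the pressure-to-act phrases listed in the phishing section. The two sample messages are constructed for the example; the heuristics produce indicators for a human to review, not a verdict.

```python
"""Report common phishing indicators in a raw e-mail (heuristics, not a verdict).

Added example; the sample messages below are constructed, not real mail.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure-to-act phrases typical of phishing lures.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account has been hacked",
                   "verify your account", "act now")

# Something that looks like a host name, e.g. examplebank.com or www.examplebank.com
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg) -> str:
    """Concatenate the decoded text/* parts of a message (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Display name names a domain that is not the real sender's domain.
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    claimed = DOMAIN_RE.search(name or "")
    if claimed and claimed.group(1).lower() != from_dom:
        findings.append(f"display name claims {claimed.group(1).lower()} but sender is {from_dom}")

    # 2. Replies are routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 3. Links: punycode hosts and visible text that disagrees with the href.
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode hostname in link: {host}")
        shown = DOMAIN_RE.search(visible)
        if shown and host:
            shown_dom = shown.group(1).lower()
            if host != shown_dom and not host.endswith("." + shown_dom):
                findings.append(f"link text shows {shown_dom} but points to {host}")

    # 4. Urgency language.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: {phrase!r}")
    return findings


# Constructed sample: a bank-themed lure using every trick checked above.
PHISH = """\
From: "Example Bank Security - alerts@examplebank.com" <alerts@examp1ebank-secure.net>
Reply-To: support@mailbox-recovery.example
To: victim@example.com
Subject: Your account has been hacked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Your account has been hacked.
Verify your account immediately or it will be locked within 24 hours.</p>
<p><a href="http://examplebank.com.xn--80ak6aa92e.example/login">www.examplebank.com</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal notice with nothing to flag.
LEGIT = """\
From: Payroll Team <payroll@corp.example>
To: staff@corp.example
Subject: Payslips for March are available
Content-Type: text/plain; charset="utf-8"

Payslips for March are now in the portal: https://portal.corp.example/payslips
Questions? Reply to this message.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run it on a saved `.eml` file by reading the file into a string and passing it to `phishing_indicators`. Each check corresponds to one of the verification habits above; a real mail gateway would add sender authentication results (SPF, DKIM, DMARC) and a reputation lookup, which this offline example does not attempt.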

Don’t fall for clickbait ads or other pop-ups on popular social media sites. They are a common vehicle for malware and for the same broad, indiscriminate trap a watering hole attack relies on, and they are designed to scoop up as many victims as possible before the attacker is discovered.