How Not to Fall Victim to Social Engineering Scams

Joe Michalowski
Posted: April 11, 2019

If you’re trying to improve your cyber defenses, then understanding the threat of social engineering should be a top priority. Studies show that 84% of attackers use social engineering as an important part of their infiltration strategy against both individuals and businesses.

So what exactly is social engineering?

Antivirus security tools alone will count for nothing if you can’t mitigate the damage done by social engineering. And that starts with understanding exactly what you’re up against.

What Is Social Engineering?


“I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign.”—Sam Esmail, Mr. Robot

This quote perfectly sums up the challenge that social engineering presents. Unlike cyber attacks that strictly exploit technical weaknesses, these threats revolve around a deeper vulnerability—human behavior.

Social engineering is when attackers manipulate people to willingly give up confidential information. Cybercriminals use a variety of techniques to trick unsuspecting individuals into opening malicious links, downloading infected attachments, or visiting compromised websites in an effort to directly steal banking credentials, network logins, and intellectual property, or even gain administrative access to launch larger campaigns.

Attackers know that something as simple as a convincing email could give them login credentials that lead to footholds in business networks or the means to lucrative identity theft.

But not all social engineering threats are created equal. If you want to protect yourself (and your network), you need to know the different techniques that fall under social engineering.

What Are Social Engineering Techniques to Look Out for?


The most common form of social engineering is phishing. Attackers launch phishing scams that use cleverly-crafted emails to capture personal information using malicious URLs or attachments and by creating a sense of urgency for victims to respond.

However, not every attacker is going to conduct social engineering by pretending to be an authority figure, customer service rep, or other trusted source.

You also have to beware lesser-known social engineering techniques, including:

  • Pretexting: Attackers using this technique create a fake scenario and reason for needing the personal information of victims. In many cases, scammers will pretend there’s a reason they need small amounts of personal information to confirm a victim’s identity. While phishing relies on fear and urgency, pretexting aims to create a deeper sense of trust between the attacker and victim.
  • Baiting: For the most part, baiting follows the same principles as a phishing campaign. However, phishing aims to trick victims into interacting with malicious links and entering login credentials, whereas baiting promises the victim a reward. For example, an attacker might bait the victim into downloading a malicious attachment by promising a new piece of software or an update.
  • Whaling: An evolution of phishing attacks that still involves stealing confidential information and login credentials. Unlike phishing campaigns, whaling exclusively targets high-value victims—business executives, government agencies, etc.
  • Watering Hole: In most cases of social engineering, attackers look to capitalize on unsuspecting individuals. But in the case of watering hole techniques, attackers compromise public web pages by injecting malicious code into them. When a victim visits the infected web page, a backdoor Trojan is installed so attackers can gain access to the victim’s computer. This technique is most common amongst state-sponsored attackers and other espionage campaigns.

The reason social engineering is such a universal component of cyber attacks is that, when done successfully, it provides direct access to a core network or user account. All the perimeter defenses in the world won’t stop an attacker that can simply log into an admin account with the proper credentials.

That’s why, in addition to having the right tools for prevention, detection, and response, you need to focus on education and awareness to stop social engineering.

Being able to spot suspicious emails, URLs, and web pages effectively is the first line of defense against social engineering. That means being vigilant to warning signs of phishing scams and not blindly clicking on every link and attachment that reaches your inbox.
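As an added illustration of the "spot suspicious emails and URLs" advice above (example code written here, not part of the original article), this Python script checks a constructed HTML email body for two of the warning signs the article names: urgency language, and a link whose visible text names one domain while its href points to another. The domain-extraction helper is deliberately simplistic and is an assumption of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email (not from the article): the visible link text names
# the bank, but the href actually points to an unrelated domain.
SAMPLE_EMAIL = """
<p>URGENT: your account will be suspended within 24 hours.</p>
<p>Verify now: <a href="http://login.example-bank.verify-acct.example.net/x">
https://www.example-bank.com/login</a></p>
"""

URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude helper: keep the last two labels (assumed sufficient for the sample)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def analyze_email(html):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    warnings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()   # strip tags before keyword scan
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        warnings.append("urgency language: " + ", ".join(hits))
    parser = LinkCollector()
    parser.feed(html)
    for href, visible in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if visible.startswith(("http://", "https://", "www.")):
            shown_url = visible if "://" in visible else "http://" + visible
            shown = registered_domain(urlparse(shown_url).hostname or "")
            if shown != target:   # display text and real destination disagree
                warnings.append(f"link text shows {shown} but points to {target}")
    return warnings
```

Running `analyze_email(SAMPLE_EMAIL)` flags both the urgency wording and the mismatched link; a plain message with no links and no pressure language returns an empty list.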

But human error is a fact of life and you still need an underlying layer of cybersecurity to stay safe. Check out our antivirus comparison tool to see which solution will best support you against the dangers of social engineering.

About the Author

Joe Michalowski

Joe Michalowski covers B2B tech topics including cybersecurity, digital transformation, IT infrastructure, and more.