Social engineering was used in 33% of data breaches in 2018, according to
Verizon's 2019 Data Breach Investigations Report. Here's what social
engineering hacking looks like in real life.
My mom used to always joke that if you left my dad alone with a stranger, he could find out that person's underwear size within a matter of minutes. He's someone who's extremely intelligent, fun, engaging, and has always had a knack for making people feel comfortable and open up. Frankly, if my dad had the desire to carry out social engineering attacks (and was a schmuck who enjoyed ripping people off), he'd make a great social engineer.
Thankfully, that's not the case, and my dad doesn't have the technical know-how to craft believable phishing emails or to create malicious websites (after all, this is the same man who argues with Siri on a daily basis). But just because my dad doesn't have the technical know-how (or interest) to engage in such activities doesn't mean that there aren't others who do, namely cybercriminals.
So, what are social engineering attacks and why are they so
successful? We’ll take a look at the definition of social engineering, walk you
through why social engineering hacking is such an effective method of attack
for hackers, and show you a few key social engineering examples.
Let’s hash it out.
What is Social Engineering?
Social engineering is, hands down, one of the most dangerous threats to businesses and individuals alike. In a nutshell, a social engineer is someone who uses social interactions with individuals to either get something from you (such as your password) or get you to do something (like make a wire payment). They may be disarming in their approach and make you feel comfortable, or they may present themselves as someone of authority and convey a sense of urgency.
Either way, social engineering attacks are about getting you
to like and trust them, or to make you feel like they’re a person of authority
and you must comply with whatever they ask for.
Imperva, a world-renowned cybersecurity organization, describes social engineering as:
“[…] a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
Or, as the FBI puts it more succinctly, it’s “targeted lies designed to get you to let your guard down.”
Types of Social Engineering Attacks
Social engineering attacks, which Verizon reports were used in 33% of the data breaches in 2018, can occur:
- Via face-to-face interactions,
- Over the phone (vishing, or voice phishing),
- Via SMS text message (smishing),
- Via email (phishing), or
- By using any combination of these and other avenues.
These types of attacks don’t require a bunch of technical
skills or hacking techniques. It’s about “hacking” or exploiting a person
rather than technology itself. However, using technology certainly makes pulling
off these attacks a lot easier for the cybercriminals who use them.
Frank Abagnale, the world’s most famous con man-turned-security consultant whose life and crimes were the basis of the movie “Catch Me If You Can,” said in an interview with SearchCloudSecurity that while social engineering at its core is still the same, it’s just that criminals are now using different methods of attack.
Some people used to say that I’m the father of social engineering. That’s because when I was 16 years old, I found out everything I needed to know — I knew who to call and I knew the right questions to ask — but I only had the use of a phone. People are still doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”
Social Engineering Attacks Are All About Getting to Know You
In the digital world, social engineering attacks involve
cybercriminals learning as much information as they can about a company and a
target individual (i.e. you). They then use that information to get you to do
something you shouldn't (such as providing sensitive personal information or
making a wire transfer).
Essentially, they treat you like a research project and
learn about you through a variety of tactics, including:
- Searching for information about you on Google and other search engines: The more they know about you, the easier it is to relate to you and make you trust them. This disarms you and makes you more likely to comply.
- Tracking down your social media pages to
learn about you: If a hacker knows what you pin on Pinterest, what you
watch on YouTube, what groups you’re a part of on Facebook, or even what photos
you like on Instagram, etc., they can craft more believable phishing emails to
- Seeing who you’re connected to (via LinkedIn
and your company website) and learning your organization’s hierarchy:
Cybercriminals want to make their jobs as easy as possible. If they know that
you’re Sally and you work as an accounts payable employee, and that your
company typically works with Org X as a vendor, they might be able to get away
with impersonating that organization to get you to make a fraudulent payment.
- Going through your trash: No, I’m not
speaking metaphorically here. I meant that literally. Some social engineers
have been known to go dumpster diving to gain valuable information about you or
your organization. This is an example of why it’s important to properly dispose
of personal, proprietary, or otherwise sensitive information.
Breaking Down the Social Engineering Attack Life Cycle
To talk about the lifecycle of a social engineering attack,
we're going to use the terms as identified by Imperva. Imperva's social
engineering life cycle has four distinct phases, and a given attack includes
one or more of them:
- Investigation: This step is all about
research and gathering as much information about you and your company as
- Relationship Building: This next phase
is about using social tactics and psychology to manipulate or deceive you. Armed
with knowledge about you and your organization, they'll reach out to develop a
connection and to engage with you.
- Play: This next step is when they really
put the plan into motion to exploit the interaction. It’s about expanding their
influence on you to get you to provide information or to perform an action.
- Exit: This is where they take a moment to
get rid of evidence (to wipe away their digital fingerprints, metaphorically
speaking), make their getaway, and get the hell out of Dodge (ideally,
without you even knowing that something's wrong until after they're long gone).
How Social Engineering Attacks Occur
As you’ve learned, social engineering involves a malicious
actor researching you and your organization to learn about you so they can use
that information to dupe you into sharing information or doing something that you
Social engineering isn't an impatient man's game. Unlike
traditional phishing attacks, which can involve sending out mass emails to
thousands of people in the hope of tricking even just one into clicking on a
malicious link, social engineering attacks are more targeted. Cybercriminals
can spend a few hours or even days, weeks, or months preparing to make their
So, how does one of these attacks occur? Often times, it
boils down to finding the right person to target and finding — or creating —
the right opportunity.
According to Abagnale in an interview with WIRED:
Every case involving cybercrime that I’ve been involved in, I’ve never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren’t supposed to do. They read an email, went to a website they weren’t supposed to. So they opened the door that allowed the person to get in.
It’s not that these people are that talented but they wait knowing that with a company of 10,000 employees someone is bound to open the door. They just wait for that door to be open.”
Not sure what we mean? Let’s dig a little deeper.
An Example of Social Engineering in Action
Let’s imagine that you’re an accounts payable employee named
Tina. You’re sitting at your workstation when, suddenly, you get a call from
Drew Stevens, a representative at one of your company’s vendors. He tells you
that there’s an issue with the last payment that was made, saying that they
never received it.
You feel mortified. While you're apologizing and scrambling
to find the receipt from the last payment, Drew continues talking, reassuring
you that it’s fine but that they really do need the payment to be made quickly
if your company is to continue using their services. He continues on, saying
that it was probably just a hiccup with the paperwork — that their company
recently changed banks and sent the updated payment info to all of their
customers, yet, somehow, the new bank account info never seemed to make it to
you and another customer.
He sighs but laughs, saying it’s just one of those things.
Technology, right? Gotta love it.
He’s friendly, confident, charming, and understanding. He reassuringly
says that he doesn’t want to make additional work for you because they know
you’re probably already so swamped! So, to make it easy, he’s just sent you the
new banking info and would really appreciate it if you could go ahead and make
the payment ASAP so your organization’s service doesn’t lapse.
You check your email, and there’s a message waiting from Drew,
just like he said. In it, there’s an invoice attached. You open it immediately
and use the information in the doc to go ahead and make the payment.
Drew thanks you and tells you that he’s received the
payment. He smoothly wraps up the conversation, telling you that he's going to
go ahead and send a receipt for the payment and that he's glad you both were
able to work together to rectify the situation so quickly. You exchange
goodbyes and hang up.
A few weeks later, your boss comes in to ask about the
payment to this unknown account. You tell him that you were being proactive and
wanted to take care of the situation quickly by making the payment.
But the payment was already made, your boss says, and it
turns out that the company just suffered a data breach that was tracked back to
What you didn’t know is that the invoice you opened from
Drew was actually a malicious file. Now, not only have you sent a payment to a
fraudulent account, but you’ve also opened up your company’s network and IT
systems to a hacker.
See Social Engineering Attacks in Action for Yourself
All of this just sounds too obvious, right? There's no way that someone could be fooled by something so simple. Unfortunately, that's not the case. Nearly two in 10 people fall for these attacks.
Want to see some real-life "people hackers" in action? Watch
as social engineer David Kennedy tricks a company into providing credit card
information. He spoofs his phone number to make it appear as though he's
calling from inside the company. Caller ID carries no authentication at all,
which is exactly why the number on a phone's display can never stand in for
verifying who is actually on the line.
Here’s another example of how effectively a social engineer
can hack people. In this video, social engineer Jessica Clark uses vishing
(voice phishing/voice solicitation) to get the Real Future video host Kevin
Roose’s cell phone provider to give her Roose’s email address. But she doesn’t
Here's an example from the same video of Dan Tentler, a
hacker who used social engineering tactics to track down Roose's Squarespace
blog. Tentler uses this information to craft an effective spear phishing email,
which gains him access to the host's 1Password keychain.
What You Can Do to Prevent Social Engineering
Unsurprisingly, technology has made pulling off social
engineering crimes significantly easier for the criminals — but that doesn’t
mean that the outlook is hopeless.
In the interview with SearchCloudSecurity that we mentioned
earlier, Abagnale recommends the following approach for organizations,
businesses, and individuals alike:
So technology has made things a lot easier, and all criminals have done is conform to that. The important thing is this: You can’t develop technology and say, ‘Here’s my foolproof technology, you can’t beat it, goodbye.’ You have to constantly go back and stay on top of it all the time. You can’t just develop it and walk away and be done with it. You have to constantly be aware of things that can happen to it and how people are going to try to beat it.”
In other words, your company needs to:
- Harden your tech defenses with network and IT security best
- Secure any servers and databases and ensure your data is
- Implement cyber security awareness training for your
- Encourage your employees to follow cyber security and email security best practices
- Limit access to sensitive data and systems to only those
employees whose jobs require it
- Implement secondary verification procedures before wiring any
payments or making changes to vendor information
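The last bullet is the control that would have stopped the Tina and Drew scenario above, so it's worth seeing what it looks like as an actual gate in an accounts-payable workflow rather than a policy sentence. The following Python is an added illustration, not code from the original post or from any vendor's product. The vendor name, phone numbers, bank details, employee names and the invoice are all constructed here. The rule it enforces: a payment to bank details that differ from the vendor master record is held until a second employee calls the phone number already on file (never a number taken from the email or given by the caller) and the vendor confirms the change.

```python
"""Added example (not from the original post): a 'verify before you pay'
gate for accounts payable. All vendor, bank, phone and employee data below
is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Decision(Enum):
    PAY = auto()                # details match the vendor master record, or a proper callback confirmed them
    HOLD_FOR_CALLBACK = auto()  # bank change not yet confirmed out of band
    REJECT = auto()             # unknown vendor, or the real vendor denied the change


@dataclass(frozen=True)
class VendorRecord:
    """Bank details and contact number captured at onboarding and kept in the
    vendor master. Nothing here is ever taken from an inbound email or call."""
    name: str
    routing_number: str
    account_number: str
    verified_phone: str


@dataclass(frozen=True)
class Invoice:
    """What the payment request claims. Every field may be attacker-supplied."""
    vendor_name: str
    routing_number: str
    account_number: str
    amount: float
    contact_phone: str  # the number the requester asked us to call back on


@dataclass(frozen=True)
class Callback:
    """Record of an out-of-band check of a bank-detail change."""
    performed_by: str       # employee who placed the call
    number_dialed: str      # number actually dialed
    vendor_confirmed: bool  # did the person at that number confirm the change?


def check_payment(inv: Invoice, vendors: dict[str, VendorRecord],
                  requester: str, callback: Optional[Callback] = None) -> tuple[Decision, str]:
    """Decide whether AP may release the payment and say why.

    requester is the employee keying the payment. A change of bank details is
    released only after a *different* employee dials the number on file and the
    vendor confirms the change; anything else is held or rejected."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return Decision.REJECT, "vendor is not in the master record"

    if (inv.routing_number, inv.account_number) == (vendor.routing_number, vendor.account_number):
        return Decision.PAY, "bank details match the vendor master record"

    # From here on, the invoice asks us to pay a different account than the one
    # on file. That change is the whole point of a payment-diversion attack.
    if callback is None:
        return (Decision.HOLD_FOR_CALLBACK,
                f"bank details changed; a second employee must call {vendor.verified_phone} (number on file)")
    if callback.number_dialed != vendor.verified_phone:
        return (Decision.HOLD_FOR_CALLBACK,
                "callback went to a number supplied by the requester, not the number on file; redo it")
    if callback.performed_by == requester:
        return (Decision.HOLD_FOR_CALLBACK,
                "callback must be made by someone other than the person releasing the payment")
    if not callback.vendor_confirmed:
        return Decision.REJECT, "vendor at the number on file denies the change: treat the invoice as fraud"
    return Decision.PAY, f"bank change confirmed by {callback.performed_by} via the number on file"


def tina_scenario() -> list[tuple[Decision, str]]:
    """Run the post's scenario through the gate (constructed data)."""
    vendors = {"Org X": VendorRecord("Org X", "111000111", "1234567890", "+1-555-0100")}
    # Drew's emailed invoice: same vendor name, brand-new bank details, his own callback number.
    drew_invoice = Invoice("Org X", "222000222", "9988776655", 48_250.00, contact_phone="+1-555-0199")
    return [
        # 1. Tina pays straight from the emailed invoice: held, not paid.
        check_payment(drew_invoice, vendors, requester="tina"),
        # 2. Tina "verifies" by calling Drew back on the number from his email: still held.
        check_payment(drew_invoice, vendors, "tina", Callback("tina", drew_invoice.contact_phone, True)),
        # 3. A colleague calls the number on file; Org X says they never changed banks: rejected.
        check_payment(drew_invoice, vendors, "tina", Callback("sam", "+1-555-0100", False)),
        # 4. A routine invoice whose details match the record: paid without ceremony.
        check_payment(Invoice("Org X", "111000111", "1234567890", 48_250.00, "+1-555-0100"), vendors, "tina"),
    ]


if __name__ == "__main__":
    for decision, reason in tina_scenario():
        print(f"{decision.name:18} {reason}")
```

The point of the design is that the check keys on the one thing the attacker has to change (the destination account) and refuses to let the requester, the caller, or the email supply the contact used to confirm it. Plugging this into a real AP system means the vendor master record, not the invoice, is the source of truth for both bank details and the callback number.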
Criminals, in one form or another, are nothing new. The same
can be said about social engineering. While the way it's performed adapts and
changes over time, the general concept stays the same.
This is why it's so important for organizations to inform their employees about
these types of threats, so they can recognize them for what they are and not be
taken for a ride.
So, while a social engineer or cybercriminal likely has no
interest in discovering your underwear size, they certainly do want to learn
whatever they can about you in other areas so they can use that information to put
you at ease and get you to do something you shouldn’t.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/social-engineering-attacks-a-look-at-social-engineering-examples-in-action/