What is Social Engineering in Cybersecurity?

Wondering about the meaning of social engineering in cybersecurity? A working definition will give you the basics. Some real-life examples of how it’s done will also make for interesting reading while preparing you to spot the “tells” that so many people have missed to their cost.

Beginning with the “what,” social engineering is practised by bad actors who persuade victims to trust them so that they open up chinks in their armour against cyberattacks and data theft. In a related context, social engineering is used for direct fraud, extracting payments to seemingly legitimate recipients. 

In this article, we’ll focus on social engineering in cybersecurity while touching on its relationship to fraud. We’ll also take a look at the methods hackers use to gain trust so that they can get sensitive information or infect devices or networks with malware.

Why Social Engineering Presents a Serious Threat

You know that you must safeguard your data and protect your devices and networks, so you’ve secured them thoroughly. Getting past your defences is extremely difficult, but if you can be persuaded to willingly drop your guard, the hacker hits paydirt. 

Imagine a house with every possible security system in place. It will be hard to break in, but if the homeowner can be persuaded to open the door, a thief can enter with ease. This analogy illustrates the principle behind social engineering as a cybersecurity threat. Let’s look at some of the weaknesses exploited in social engineering – the ones that make our metaphorical homeowner “open the door.” 

How Social Engineering Works

What harm could there be in opening an attachment or clicking a link? If an attachment contains hidden malware or a site you’re directed to is malicious, your organisation could suffer untold harm. Social engineering employs various strategies to lure people in. Here’s how. 

It’s Routine

When you or your employees receive emails from one another, from clients, or suppliers, they’re trusted. But should they be? Hackers can steal email credentials or create email addresses very similar to the ones you trust. What looks like a routine invoice from a supplier or an interesting link from a colleague could be the start of an all-out cyberattack. 

In May 2022, a phishing operation compromised over 130 email accounts within the UK’s National Health Service (NHS). The attackers used these legitimate accounts to send targeted emails, directing recipients to credential-harvesting websites designed to steal sensitive information.

In a related take on social engineering as a cybersecurity threat, the portals you typically use to log in to work-related apps can be simulated. You’re sent a link, are asked to follow it and log in, and when you do, your credentials are compromised. 

It’s Urgent

Something bad is going to happen or you’ll lose an important benefit if you don’t act fast. At least, that’s what hackers want you to believe. They might masquerade as a person or business you know or pretend to represent a government agency. Whatever the identity they assume, the hackers prompt you to perform an action without delay. Quite simply, they don’t want to give you time to think. Here’s an example: 

“Urgent: your billing information is out of date. Should you fail to update your information, your account will be terminated. Kindly click the link and log in to confirm or update your billing profile.”
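As an added example (not code from the original article), here is a small Python script that checks a message for the tells described in “It’s Routine” and “It’s Urgent”: a sender domain that only looks like a trusted one, a link whose host is not one of your domains even when it starts with https://, and pressure language. The trusted-domain list, the sample messages and every hostname in it are constructed for the example.

```python
"""Phishing-indicator checks over constructed sample emails.

Added example, not code from the original article. It flags three of the
lures the article describes: a sender domain that merely resembles a
trusted one, links whose host is not a trusted domain (an https:// link
included, since TLS only proves the connection is encrypted, not that the
host is yours), and pressure language. TRUSTED_DOMAINS, the messages and
every hostname below are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed: domains this hypothetical organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = ("example.com", "supplier-example.co.uk")

# Pressure phrases of the "act now or lose something" kind the article describes.
URGENCY_PATTERNS = (
    r"\burgent\b",
    r"\bimmediately\b",
    r"\bwithin \d+ hours?\b",
    r"\baccount will be (?:terminated|suspended|closed)\b",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, ignoring the display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def host_suspicion(host: str) -> Optional[str]:
    """Why a host is suspicious relative to the trusted set, or None if trusted/unrelated."""
    host = host.lower()
    if is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        # login.example.com.attacker.invalid: the trusted name is only a leading label
        if ("." + host).find("." + d + ".") != -1:
            return f"trusted domain {d} embedded inside untrusted host {host}"
        if edit_distance(host, d) <= 2:
            return f"{host} is a lookalike of trusted domain {d}"
        if d.split(".")[0] in host:
            return f"trusted name {d.split('.')[0]!r} used in untrusted host {host}"
    return None


def analyse(message: dict) -> List[str]:
    """Return the human-readable indicators found in one message."""
    findings = []
    reason = host_suspicion(sender_domain(message["from"]))
    if reason:
        findings.append("sender: " + reason)
    text = message["subject"] + "\n" + message["body"]
    for url in URL_RE.findall(text):
        reason = host_suspicion(urlparse(url).hostname or "")
        if reason:
            findings.append("link: " + reason)
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        findings.append(f"urgency language matched {len(hits)} pattern(s)")
    return findings


# Constructed sample messages: a genuine supplier invoice, the article's billing
# lure from a lookalike domain, and a lure sent from a trusted (possibly compromised)
# account whose link points elsewhere.
SAMPLE_MESSAGES = [
    {"from": '"Supplier Accounts" <accounts@supplier-example.co.uk>',
     "subject": "Invoice 1042 attached",
     "body": "Please find attached this month's invoice. You can also view it at "
             "https://portal.supplier-example.co.uk/invoices"},
    {"from": '"Billing Team" <billing@examp1e.com>',
     "subject": "Urgent: your billing information is out of date",
     "body": "Should you fail to update your information, your account will be terminated. "
             "Kindly click the link and log in to confirm or update your billing profile: "
             "https://login.example.com.account-verify.invalid/update"},
    {"from": '"IT Support" <it-support@example.com>',
     "subject": "Password expiry",
     "body": "Our records show your password has expired. Reset it immediately at "
             "https://example-com-login.invalid/reset or you will lose access."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", analyse(msg) or ["no indicators"])
```

The third message is the NHS pattern from above: the sender really is a trusted account, so sender checks alone pass, and it is the link host and the pressure language that give it away. Any hit is a prompt to verify through a known-good channel, not a verdict on its own.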

It’s Interesting

Do you and your colleagues frequently share interesting tidbits of information found online? There are two issues to watch out for: legitimate websites that have been infected, and “spoofed” fake websites made to look like the ones you frequently visit. Either of these may deliver an unwanted payload or request sensitive information.

There are Awesome Freebies or Discounts

Ever received an offer that’s too good to be true? Chances are, it’s social engineering. For instance, a supplier might appear to offer massive discounts, or announce that there’s a free gift for you. When targeting the public, scammers often use trusted brand names to trick people. In business contexts, they may have discovered which suppliers you frequently buy from.

Someone Needs Help

This type of social engineering attack preys on the natural human instinct to assist others. Hackers may pose as individuals in need of help, such as a colleague or employee facing technical difficulties. For instance, they might claim to be struggling to log into an account or setting up a critical work tool like multi-factor authentication. 

By leveraging personal information or insights about internal processes—often obtained from prior breaches or reconnaissance—attackers make their requests seem genuine. The desire to assist can lead to sensitive information being shared or harmful actions being taken. Attacks exploiting helpfulness can range from simple requests, such as participating in a survey, to complex schemes involving emails and phone calls.

You Want it to Stop

Somehow, you seem to have subscribed to a particularly annoying newsletter. You’re sick of it, so you hit “unsubscribe.” This seemingly normal action can be a huge mistake. Hitting that innocent-looking unsubscribe button could trigger a malware download or expose your IP address. 

Besides these risks, simply showing that your account is active and you’re willing to click links can result in a torrent of further spam and flag you as a potentially fruitful target for phishing attacks.

Types of Socially Engineered Cyber Attacks 

Phishing, Smishing, Angling, Spear Phishing and Whaling

According to research from Deloitte, email phishing is used in 91 percent of cyberattacks. Smishing, which uses SMS messages to lure people to dangerous ground, is a variation of this.

Angling occurs on social media. For instance, a business account your company interacts with posts what appears to be an interesting link. 

Spear phishing, on the other hand, targets individuals. It is usually undertaken after conducting thorough research that exposes details like their interests, connections, and contacts. Whaling is similar, but specifically targets high-level executives.

Baiting

Apart from spreading the net wide with tempting online advertisements and free downloads carrying malware, baiting can be deliberately targeted. For example, you find a USB drive on your desk. To find out who it belongs to, you plug it in and malware infects your device.

Business Email Compromise (BEC)

After monitoring an executive’s behaviour, a scammer creates a spoofed email account and poses as the person in question. They may send out the usual lures toward unsafe sites and attachments. Worse still, they can instruct workers to make payments. Alternatively, they can ask employees to change a supplier’s banking details so that payments go to fraudsters instead. 

Here’s another example of a BEC: you receive an email from a person posing as your IT manager. It urges you to change your login details. There’s a handy link to help you. Don’t fall into the trap. Your credentials will be stolen. 

Vishing and Deep Fakes

You get a call from your CFO. You may even be invited to a video conference. You can hear and recognise the CFO’s voice, and if it’s a video call, you can even see the faces you’re expecting to see. Meanwhile, a fraudster is using AI tools to fake the entire interaction. This form of social engineering is generally used to perpetrate large-scale financial fraud. 

Pharming and Tabnabbing

In pharming, attackers exploit system vulnerabilities to redirect traffic from legitimate websites to their spoofed sites. Tabnabbing has a similar effect but works through browser tabs you have left open and inactive, which are switched to a spoofed page while you’re not looking.

Scareware and Quid Pro Quo

Your screen lights up with scary warnings claiming that your device has been infected or your device protection is about to expire. It “helpfully” directs you to a link where you’re encouraged to buy a fake product, and your device downloads more harmful malware even if you don’t fall for the fraud. Scareware is a form of quid pro quo attack in which you’re led to believe you’ll get something of value in exchange for your information.

Social Engineering Attack Prevention

If you’re worried about your organisation falling victim to socially engineered cyberthreats, it’s a very justifiable concern. According to official UK statistics:

  • 50 percent of businesses reported cyberattacks in 2023/2024
  • 32 percent experienced breaches
  • 70 percent of medium-sized businesses were attacked
  • 74 percent of prominent charities were attacked
  • Social engineering in the form of phishing affected 84 percent of businesses
  • 35 percent report receiving spoofed emails

 

Note: not all organisations report attacks or spot them when they happen, so these figures are likely to be even higher. 

Here’s what you can do to combat the threat:

  • Be suspicious of unusual phone calls or email messages, especially if they appear urgent. 
  • Never provide sensitive personal or business information until you are sure that you are communicating with an authorised person.
  • Check websites’ security. A closed padlock or an https URL only means the connection is encrypted; it is no guarantee that the site itself is genuine or that its content is safe. If you don’t know the site, don’t share sensitive information there.
  • Scan attachments before opening them and only open attachments from trusted sources.
  • Keep anti-virus software, firewalls, and email filters updated, delete software you don’t use, and update software that you do use frequently.
  • Provide training that will help employees to spot attempted social engineering and cyber security threats.
  • Encourage employees to report suspicious online activity, calls, or messages. 
  • Use multi-factor authentication for log-ins. That way, stolen credentials alone won’t be enough for hackers to log in.
  • Change passwords often and use secure passwords.
  • Monitor networks for unusual activity. 

 

How Cybersecurity Professionals Can Help

When you’re safeguarding sensitive data, you can be sure that there are people who would like to get their hands on it. Cybersecurity professionals can search for vulnerabilities in your systems and data governance, helping you to solve problems before they happen. They can help you train staff to spot the signs of social engineering in action, and conduct phishing simulations that help them learn in practice. 

However, don’t fall into the trap of thinking that it’s only the inept that fall into the hands of scammers and hackers. Social engineering is designed to catch intelligent, highly competent people off guard, and victims may not realise that they’ve compromised your cybersecurity. 

Use security operation centres to monitor your systems for unusual activity and implement dark web monitoring to spot signs that your information has been stolen, allowing you to prevent or limit damage. 

From training to security software and systems monitoring, Advantex keeps high-profile organisations safe online. We protect your business from cyber threats, including social engineering, with tailored solutions like Cybersafe Managed Service, which integrates advanced security measures such as DNS and Endpoint Protection. Our 24/7 Security Operations Centre ensures rapid risk detection and response, while Penetration Testing identifies vulnerabilities and provides actionable recommendations. We also offer Cyber Awareness Training to help employees resist social engineering tactics and DMARC Management to safeguard your domain against phishing and spoofing. Contact us to find out what working with us could mean for you. 

 
