The term social engineering is increasingly used in the news and by risk teams when talking about online scams, but do we really understand what it is or how it might be used? We’ve pulled together some high-level information to explain what it is, how it works and what could go wrong if you become a victim of it.

Social engineering is the act of using psychological tricks to convince someone to take an action, usually through technology. Salespeople and politicians use social engineering to get us to buy a product or buy into a message. However, when social engineering techniques are used by criminals the outcomes can be much more damaging.

Criminals will use a combination of the techniques detailed below to try to trick you into giving away valuable data, personal information, financial details or passwords. If you know how they work, it’s easier to spot them and stop the criminals in their tracks.


Techniques

Baiting

Baiting attacks use a false promise to provoke a victim’s greed or curiosity. The cyber-criminal will dangle the bait to entice the intended victim into acting.

A criminal will leave the bait, usually a malware-infected link or attachment, in an obvious place such as your email inbox. The bait is designed to look convincing enough that curiosity leads you to investigate and open the link or attachment. More often than not this results in malware being silently installed on your system.

Scareware

This technique targets our emotions, specifically our fear. Victims are bombarded with misleading threats and false alarms. For example, a victim is deceived into thinking that their system has been infected with malware and is prompted to install software to fix the problem. The ‘fix’ is usually malware itself and benefits only the attacker.

Scareware is also commonly known as deception software, rogue software and fraudware.

Spear phishing

Spear phishing is a very focused attempt to ‘fish’ for your personal information. The cyber-criminals build a detailed profile of you from publicly available information and then send tailored emails that might appear to come from your bank, a company you buy from or a group you are interested in.

While phishing techniques typically target a larger number of recipients in order to get a bite, spear phishing focuses more on a specific individual or organisation to build a bespoke attack that has more chance of success.

Pre-texting

Pre-texting is when an attacker uses a fabricated story (the pretext) to capture someone’s attention. Once the attacker has your attention, they will attempt to trick you into providing valuable information. The scam is often initiated by the attacker pretending to need this information in order to perform a critical task.

This type of social engineering technique usually begins with the cyber-criminal impersonating someone within the company, such as a co-worker or another person who would have the right to know the information they are requesting.

Quid pro quo

This technique is similar to baiting. Quid pro quo attacks promise a benefit in exchange for valuable information. The scam involves an exchange: I will give you that, if you give me this. The attacker leads the victim to believe it is a fair exchange, when in reality it only benefits the attacker.

For example, an attacker may call you posing as an IT professional and convince you to hand over your login credentials, leading you to think the attacker is going to give you remote support. Instead, the attacker is now able to access and take control of your device, ultimately infecting it with malware or stealing valuable information.


Famous social engineering attacks

Cabarrus County, 2018

Cabarrus County, in the US, suffered a huge loss of $1.7 million in 2018 due to social engineering scams. The attackers used malicious emails to impersonate county suppliers and requested payments to a new bank account. After the money had been wrongfully transferred, it was diverted into several other bank accounts.

Toyota, 2019

The Toyota Boshoku Corporation, a supplier of Toyota auto parts, fell victim to social engineering in 2019 and suffered a loss of $37 million. Using pretexting, attackers persuaded a finance executive to change the recipient’s bank account details on a wire transfer.

Shark Tank, 2020

Shark Tank television host Barbara Corcoran was tricked out of $380,000 in 2020. A scammer impersonated her assistant and sent an email to the bookkeeper requesting a payment related to real estate investments. The scam was only discovered and investigated when the bookkeeper sent an email to the assistant’s correct email address asking about the transaction.
