Imagine the following scenario: you receive a text message from a reputable company saying you’ve won a free vacation for being a valued customer. All you have to do is click the link to redeem it—but there’s a catch. Only the first five people to click will win a vacation, so you’d better act fast! Do you click it?
Hopefully, you answered no. If you did click, you may have fallen victim to a common method attackers use to plant malware on devices and harvest personal information. By generating a sense of urgency and offering a tempting incentive, these experienced bad actors are betting you’ll comply before thinking twice. This is one of many social engineering tactics that people easily fall victim to. In this article, we answer the question, “what is social engineering?” so you can take steps to protect yourself.
What Is Social Engineering?
So what is social engineering exactly? Social engineering involves the manipulation of human psychology to get access to sensitive information, like credit card numbers and passwords. It involves a wide range of tactics, which we’ll dive into below, but ultimately preys on precisely the things that make us human: emotions, fears, desires, and need for social approval.
Of course, convincing someone to willingly deliver information is much easier than finding system vulnerabilities, which is why social engineering has become a new favorite among highly skilled and beginner cyber attackers. Here are a few types of social engineering—and some social engineering red flags to watch out for.
Common Types Of Social Engineering
Now that we’ve answered the question, “what is social engineering,” let’s dive into a few common types of social engineering.
- Phishing. According to Verizon, 32% of data breaches involve phishing, making it the most common of all types of social engineering. Phishing is when a cyber attacker creates a website, email, or text message that looks credible but is actually designed to trick people into providing information. Another example? Social media games that prompt you to reply with personal details commonly used as answers to password security questions (pet names, the street you grew up on, etc.).
- Vishing. Vishing is a type of phishing carried out over phone calls or voicemail. A popular vishing method is for an attacker to imitate a company’s automated voice response system to get you to provide sensitive information.
- Spear phishing. In the same way that digital advertisements target your interests, spear phishing attacks are customized to what motivates you—and personalized to seem more legitimate.
- Baiting. Curiosity drives us to do all sorts of things. For example, the question “what is social engineering?” probably popped into your head, so you went to a search engine and typed it in. Some cyberattackers exploit this curiosity through a method called baiting, in which the attacker casually leaves a USB drive in a public place or a link in an unsuspecting corner of the internet in the hopes that you’ll plug the drive into your computer or click the link.
- Tailgating. This form of social engineering happens in physical places when an attacker steals your information by connecting to the same public WiFi network, or by following you into your workplace.
- Scareware. Ever click on a website and receive a notice that there could be malware on your computer, so you’d better download this software for protection? That’s scareware—the use of fear to prompt a person to do what the attacker wants.
- Quid pro quo. Who doesn’t love free gifts? With this in mind, attackers may offer you a product or gift card in exchange for some personal information.
Watch Out For These Social Engineering Red Flags
Before you click on an email link or provide anyone with information over the phone, do a gut check. Odds are if you feel something isn’t right, then it probably isn’t. For extra help, follow this quick checklist to make sure there aren’t any glaring social engineering red flags.
- An unexpected message. Beware any message that comes out of the blue. Does it make sense that this person or company is contacting you? Does the email address match their name? Are there people CC’d on the email who shouldn’t be?
- Requests that prey upon emotion. Messages that invoke a sense of urgency or fear are definitely social engineering red flags. An attacker might do this by pretending to be someone with influence over you, like a police officer, bank employee, or colleague. They could also do this by using scareware or quid pro quo.
- Spelling errors. Phishing messages often use intentionally misspelled email and website addresses. While a link or email address might look legitimate at first glance, make sure the spelling is accurate. Better yet, avoid clicking the link and navigate to the source through a search engine instead.
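The “does the address match their name?” and “check the spelling” red flags above can be turned into a mechanical check. The following is an added example, not code from the original article: it parses an email From: header, compares the sender’s domain against a hypothetical list of brands the reader actually deals with, and flags look-alike characters (0 for o, 1 for l, Cyrillic letters), near-misspellings within two edits, and display names that claim a brand the domain does not belong to. The TRUSTED table and the sample headers are constructed for the illustration.

```python
"""Look-alike sender check (added example; trusted list and samples are constructed)."""
import re
import unicodedata

# Hypothetical brands the reader does business with, mapping a brand keyword
# to the domains that legitimately send its mail (constructed for this example).
TRUSTED = {
    "examplebank": {"examplebank.com"},
    "shipco": {"shipco.com", "notify.shipco.com"},
}

# Characters commonly substituted for look-alike Latin letters: ASCII digits
# and a few Cyrillic letters that render identically to Latin ones.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold look-alike characters to their Latin targets."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split a From: value into (display name, address, domain)."""
    m = re.match(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>]+)>\s*$', header)
    if m:
        name, addr = (m.group("name") or "").strip(), m.group("addr").strip()
    else:
        name, addr = "", header.strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    return name, addr, domain


def check_sender(header: str) -> dict:
    """Return a verdict ('trusted', 'suspicious', 'unknown') and the reasons for it."""
    name, addr, domain = parse_from(header)
    all_trusted = {d for ds in TRUSTED.values() for d in ds}
    if domain in all_trusted:
        return {"domain": domain, "verdict": "trusted", "reasons": []}

    norm = normalize(domain)
    compact_name = re.sub(r"[^a-z0-9]", "", name.lower())
    reasons = []
    for brand, domains in TRUSTED.items():
        for trusted in domains:
            tn = normalize(trusted)
            if norm == tn:
                reasons.append(f"homoglyph look-alike of {trusted}")
            elif edit_distance(norm, tn) <= 2:
                reasons.append(f"typosquat within 2 edits of {trusted}")
        # A brand keyword inside an unlisted domain (e.g. brand-secure.net) is
        # treated conservatively as suspicious; legitimate subdomains belong in TRUSTED.
        if brand in norm:
            reasons.append(f"brand '{brand}' appears inside untrusted domain {domain}")
        if brand in compact_name:
            reasons.append(f"display name claims '{brand}' but domain is {domain}")

    verdict = "suspicious" if reasons else "unknown"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample From: headers.
    for sample in [
        '"Example Bank" <alerts@examplebank.com>',
        '"Example Bank" <alerts@examp1ebank.com>',
        '"ShipCo Delivery" <track@shipco-delivery.net>',
        "Dave <dave@example.org>",
    ]:
        result = check_sender(sample)
        print(f"{result['verdict']:10} {sample}")
        for r in result["reasons"]:
            print("   -", r)
```

The check is deliberately conservative: anything not on the trusted list that resembles a trusted brand is flagged, and an address that is simply unknown is reported as such rather than trusted, which mirrors the article’s advice to treat unexpected messages with suspicion.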
Think your website has fallen prey to social engineering?