You’ve seen a classic con artist portrayed many times before in movies and TV: A master of manipulation blessed with the gift of gab — and keen observation skills — cajoles, flatters, feigns ignorance and fakes compassion in pursuit of someone’s personal information, eventually leading to a lucrative (fraudulent) score.
When someone uses that sort of trickery to commit crimes online, it’s often referred to as social engineering. And the perpetrator is known as a social engineer (which sounds kind of respectable, but isn’t).
Social Engineering Definition
What Is Social Engineering?
Way back in 1992, Kevin Mitnick, once known as “The world’s most wanted hacker,” persuaded someone at Motorola to give him the source code for its new flip phone. (You can read about how he pulled it off in a chapter of a book Mitnick co-wrote.) Among other things, it demonstrates that falling prey to social engineering has less to do with inadequate technological defense measures and more to do with the human mind. As Mitnick and his co-author put it in their introduction: “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”
Social engineering is essentially online deception that includes tactics like “spear phishing,” “watering hole attacks,” “baiting” and several other types with similarly catchy names. In carrying out this kind of cyber crime, a social engineer may try to dupe victims by imitating the URL and login page of a trusted website or tricking an email user into handing over money under false pretenses.
Social Engineering Attacks
Social engineers often seek personal information such as passwords and credit card numbers. They may also have a large-scale goal in mind. An example: compromising a company’s cybersecurity measures to gain access to confidential customer records. In 2021, a record number of cybercrime complaints, largely a product of this kind of online scamming, led to nearly $7 billion in losses.
And plenty of prominent players have been snookered, including the Associated Press, Target, Sony Pictures, Yahoo, the Democratic National Convention and even the U.S. Department of Justice.
Social Engineering Exploits Kindness
Sal Lifrieri, who spent 20 years as a New York City cop before founding his company Protective Countermeasures, says our innate tendency to be of assistance to others is especially exploitable.
That’s certainly true in the below example of something called “vishing” (voice solicitation). The expert demonstrator easily dupes her mark by pretending she is a frazzled mother holding a crying baby. While impersonating a man’s wife, the woman is able to convince a phone service rep to give her information about his account.
“The ideal situation in a social engineering attack is that I get you to do something you would normally not do and you believe that you’re helping me,” Lifrieri says. “And you're going to be so satisfied that you helped, that you’ll walk away feeling satisfied.”
Social Engineering Manipulates Respect for Authority
While some of these attacks employ demands, whereby the target is strong-armed into capitulating, an authority tack can be trickier to pull off. Trave Harmon, founder and CEO of Triton Technologies, says that has a lot to do with upbringing.
“If you were taught that people in authoritative positions, even perceived ones, are to be trusted, all of a sudden an email from the admin at Microsoft that says, ‘We found a virus on your computer’ [seems credible],” he says.
Social Engineering Takes Advantage of Human Nature
A nonexistent computer virus is nothing compared to more advanced schemes that have been and continue to be played out on a grand scale. Whether enacted in person, online or by phone, those plots require time and patience — time to do background research and prepare the setup; patience to build trust and lie in wait until the moment is right to strike.
In 2014, only one year after a hack that was ultimately revealed to have swiped the personal information of 3 billion Yahoo users, the company got hit again — this time with a spear phishing email that duped an employee and led to the compromising of 500 million accounts. The U.S. Department of Justice charged Russian intelligence agents with the crime.
As LARES Consulting founder Chris Nickerson sees it, people actually “have a very strong understanding, even if they're not willing to admit it, that the cyber world is really just a basic reflection of the physical world.” In the former realm, he says by way of example, things called firewalls are often used to thwart intruders — even though “the concept of a wall in software is ridiculous. It's not a dimensional space in that aspect. So it just goes to show that even in the language people have created around it, cyberspace is not very dissimilar to the human space.”
Nickerson, though, puts little stock in the notion that human psychology is chiefly to blame when it comes to the efficacy of social engineering. While targets often dwell mentally in the criminally advantageous sweet spot “between fear and hope,” he also knows some “highly advanced beings” who’ve been hustled.
“Humans are going to do human stuff,” he says. “I don’t necessarily know if it’s a vulnerability. Lots of times it’s functioning as intended. From a psychological perspective, you’re doing the things that you're natively supposed to do, whether for health or the promotion of the species or [something else]. People are going to people, no matter what happens. The part of social engineering that most people get wrong is that it is founded in science, in engineering. It is not a methodology for lying. The fundamental pieces of engineering that create the space for something like reframing in a conversation, or anchoring, or the ability to use [neuro]linguistic programming in order to get an anticipated response are concepts that a social engineer has a foundational understanding of.”
Social Engineering Requires Confidence
Lots of social engineering plays out entirely online, where perpetrators can hide behind their screens and keyboards — and where things like tone of voice, facial expressions and body language are immaterial. When a scam requires more personal elements, such as phone calls or in-person visits, those facets become much more significant. Confidence, therefore, is key.
It surely was in 2007, when a man absconded with $28 million in loose diamonds from five safe deposit boxes at a Belgian bank. Passing himself off as a businessman named Carlos Hector Flomenbaum (probably a false identity), he’d been a regular customer for at least a year prior, ingratiating himself with employees through charm and chocolates. Flomenbaum became so trusted and beloved, in fact, that he was granted a coveted vault key that allowed him access during off-hours.
Swap out vaults for networks, and diamonds for passwords, and you’ve got yourself a social engineering swindle for the technological age.
“If you have confidence, you’re 75 percent of the way [there],” says Gregory Morawietz, vice president of operations at Single Point of Contact in San Francisco. “If you’re just walking through a door and you walk past somebody and don’t say anything at all, they might not stop you. Then you just hump it over to a conference room, drop a WiFi APN on their network and you’re in business. Leave out the side exit, and now you have an APN that you hid under the table broadcasting from their conference room. You’ve got access to their whole network, and you can hack away at it all day and night from the parking lot.”
Social Engineering Capitalizes on Online Sharing
Social engineers don’t operate in a vacuum. Their jobs are made easier by a culture of rampant oversharing on social media. Names, dates, locations, likes, dislikes, political leanings, proclivities — it’s all useful stuff for someone who wants to take you or your company for a ride. Online, as in person, knowledge is power.
“Once you learn a person, you can become them in certain situations that would benefit you,” says Morawietz, who agrees that social media is exacerbating the problem.
As online sharing continues to grow and evolve, so do the many ways social engineers attempt to prey on unsuspecting internet users.
Social Engineering Examples
- Baiting
- Diversion theft
- Honeytrap
- Quid pro quo
- Phishing
- Pretexting
- Rogue security software
- Spear phishing
Baiting
Baiting involves luring potential targets by offering them some sort of reward. This could take the form of a flashy online pop-up telling an unwitting user they can access a free movie download, perhaps for a film that’s still in theaters or isn’t available on streaming services.
But when the user clicks the download button, their computer may be infected with malware, or they may be routed to a fake login page intended to steal login credentials, perhaps for an email or social media account.
Diversion Theft
Diversion theft occurs when targets are conned into rerouting the destination of goods or confidential information. The attacker may try to spoof an email known to the target or pretend to be a colleague or someone from a trusted institution to get the victim to divulge certain information.
Honeytrap
In a honeytrap scenario, attackers seduce their targets into giving up personal information or compromising sensitive work. Users may commonly encounter this kind of scam on dating sites or through social media, where both genuine and fake online relationships can thrive.
People may create an attractive online persona they use to hook potential victims and then con them into sending money or handing over personal information that can be used for nefarious purposes.
Quid Pro Quo
Quid Pro Quo schemes entice targets with the promise of goods or services in exchange for information.
Individuals who carry out these kinds of attacks may impersonate an IT professional, someone from a financial institution or a member of a government agency. These schemers tell victims they’ll perform a service, such as providing technical assistance for antivirus software, in exchange for personal information they claim will help with completing the task.
Phishing
Phishing is typically the sending of fraudulent — but often real-looking — emails or other message types to thousands of potential victims in hopes that a portion of them will divulge personal information, including passwords, social security numbers and credit card numbers.
An example is the 2022 data breach at Twilio, which was the result of employees being deceived by text messages they thought came from the company’s IT department. The messages convinced the employees to follow a link containing words like “Twilio,” “Okta” and “SSO” to a phony Twilio sign-in page that allowed digital attackers to steal employee credentials and access information about a “limited number” of customers.
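The Twilio lure worked because the link looked right: it carried the words “Twilio,” “Okta” and “SSO” while pointing at a domain the company did not own. The script below is an added example (not from the article or from Twilio or Okta) of the kind of check a mail or SMS gateway can run on that pattern from the defender’s side. It keeps a constructed allow-list of brand keywords and the domains that may legitimately carry them, folds common digit-for-letter look-alikes, and flags any link where a brand keyword appears but the registrable domain is not on the list, where a punycode (`xn--`) label is present, or where a `user@host` trick hides the real host. All domains, sample messages and the allow-list are constructed for illustration; the registrable-domain logic is deliberately naive (last two labels) and a real deployment would use a public-suffix list.

```python
"""Flag links that borrow a brand name while pointing at a domain the brand does not own."""
import re
from urllib.parse import urlparse

# Constructed allow-list for illustration: brand keyword -> registrable domains that
# may legitimately carry it. A real deployment would load this from an inventory.
LEGITIMATE_DOMAINS = {
    "twilio": {"twilio.com"},
    "okta": {"okta.com"},
}

# Fold digits and symbols that are commonly swapped for letters in look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Matches absolute http(s) URLs and bare www. hosts inside a message body.
URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(hostname):
    """Return the last two DNS labels (naive: ignores multi-part suffixes such as co.uk)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text):
    """Lower-case, fold look-alike characters and drop separators so 'Twi1io-SSO' contains 'twilio'."""
    return text.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def classify_link(url):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'invalid'."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "invalid", "no hostname"
    reg = registrable_domain(host)
    reasons = []

    # 1. Punycode labels can render as Unicode look-alikes; surface them on sight.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("IDN (xn--) label in hostname")

    # 2. A userinfo component ("brand.com@evil.example") hides the real host from a casual reader.
    if parsed.username:
        reasons.append("userinfo before host")

    # 3. Brand keyword anywhere in the authority or path while the registrable domain
    #    is not one the brand owns. netloc is used so userinfo is searched as well.
    haystack = normalize(parsed.netloc) + "/" + normalize(parsed.path)
    for brand, allowed in LEGITIMATE_DOMAINS.items():
        if brand in haystack and reg not in allowed:
            reasons.append(f"'{brand}' used outside {sorted(allowed)}")

    if reasons:
        return "suspicious", "; ".join(reasons)
    return "ok", f"registrable domain {reg}"


def scan_message(text):
    """Extract every link in a message body and classify it. Returns [(url, verdict, reason), ...]."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)\"'")  # strip trailing punctuation from the sentence
        verdict, reason = classify_link(url)
        results.append((url, verdict, reason))
    return results


# Constructed sample SMS modelled on the lure described above (not a real message).
SAMPLE_SMS = (
    "[Constructed sample] IT notice: your Twilio password expires today. "
    "Re-enroll at https://twilio-okta-sso.example/login before 5pm. "
    "Need help? See https://www.twilio.com/docs"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_SMS):
        print(f"{verdict:10} {url}  ({reason})")
```

Run it as-is and the first link in the constructed SMS is reported as suspicious (it carries both “twilio” and “okta” but resolves to `twilio-okta-sso.example`), while the documentation link on `twilio.com` passes. The check is intentionally keyword-driven: it catches the common lure shape without needing a blocklist of attacker domains, which is why it belongs at the gateway rather than in the hands of the recipient.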
Pretexting
When using pretexting, scammers will lie about who they are or create a fictional scenario to extract sensitive personal information.
A common example is someone who poses as a company higher-up, such as a CEO, via email. The bad actor will often word their message to put pressure on the target by conveying a sense of urgency in requesting information like a mobile phone number that could be used to circumvent two-factor authentication or password recovery protocols, or financial details that could be used to complete a monetary transfer.
Rogue Security Software
Rogue security software attacks trick targets into buying fake and malicious “security” software that deploys ransomware — malware that blocks access to a system or data until a ransom is paid.
The more than 3,700 ransomware incidents submitted to the FBI’s Internet Crime Complaint Center in 2021 resulted in upwards of $49 million in losses. The perpetrator “encrypts data on a computer, making it unusable” and can “pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public.”
Spear Phishing
Attackers who use spear phishing pose as someone’s friends or colleagues to launch a targeted attack against individuals or companies for the purpose of obtaining sensitive personal or corporate information.
This social engineering method is more specific than general phishing, with the scammer sometimes conducting research on potential victims. Their communication will often contain information or names known to the target to coax them into believing it’s safe to open and respond to a message or click malicious links.
Artificial Intelligence and Deepfakes
Deepfakes are AI-generated video or audio that can be used to mimic politicians and celebrities or even the average person’s colleagues, friends or family. So far legally unregulated, deepfakes will soon be easier to make than they already are, tougher to spot and widely disseminated.
As AI becomes smarter, Morawietz warns, a social engineering “epidemic” is mounting.
“Imagine AI set loose on a human that says, ‘Hi, this is Gregory from your phone company and I’ve kidnapped your husband, Jerry. Pay this ransom.’ Or, ‘Hi, Grandma, I need 500 bucks. My car broke down.’”
It’ll be so convincing, Morawietz says, that Grandma will ask only one question: “Where do I send the money?”
But this AI trickery won’t just be used to bilk people out of money or personal information. The potential also exists to sway public perception and possibly elections.
How Can You Protect Yourself From Social Engineering?
There is no single solution, but there are ways to more consistently mitigate the ill effects of social engineering in its many forms. Harmon’s tack is to “remove the weak link,” meaning humans, by “removing their ability to screw up. It’s like having bumpers on a bowling alley. You can’t get into the gutter. You can’t not hit the goal.”
His company, he says, uses “physical fail-safes” that include the multi-factor authentication software Cisco Duo, “so even if [an account] becomes compromised, [the perpetrator] still can’t get in.”
On a more elemental level, Harmon’s directive is this: “Change your mentality. Learn not to trust.” Whether it’s a “critical” email from a seemingly familiar source, a call from the “I.R.S.” threatening punishment for non-payment of back taxes or audio/video of a public figure saying something that doesn’t jibe with his or her past statements, learn what to look for and be on constant guard.
Various companies offer fee-based anti-social engineering training online. One of the most prominent, KnowBe4, goes beyond warnings and words to feature “unlimited simulated social engineering attacks through email, phone and text.” For those who’d rather not pay for scam-proofing, YouTube instructional videos abound. Are they comparable, educationally? You'll have to judge that for yourself.
While Lifrieri is all for education, he’s certain that no amount of teaching can negate the natural human inclinations toward greed and charity that social engineers love to exploit — whether through a long-lost “uncle” who left you a small fortune when he died or that stranded and penniless “grandchild” who hits Nana up for five Benjamins. And though he remains unconvinced that “people are becoming smarter” about protecting themselves, they’re at least growing more cautious due to their “lack of understanding.”
In other words, ignorance isn’t always bliss. Sometimes, though, it’s a blessing.