What Is Social Engineering, And Why Does It Matter?

Shadab Idrishi | Growth | Tech | Startup

12 min readJul 26, 2023

Introduction

Social engineering is a type of attack that relies on one’s social status, relationships, and other personal information to get access to another person’s account. It is also known as “credential theft.” In order for someone to be able to carry out a social engineering attack, they need access to the victim’s personal information. This can include things such as their names or email addresses, phone numbers and physical details like home address or work address.

What Is Social Engineering?

Social engineering is a term that refers to the process of manipulating people into taking actions they would otherwise not take. It is often used in cybersecurity and computer security context, but it can also mean any manipulation of human behavior by an attacker or hacker.

Social engineering involves deception, manipulation, and trickery to manipulate someone into doing something on your behalf that they would normally not do for themselves (e.g., opening up their bank account). A classic example of this kind of attack was described by Robert Toth in his article “The Art Of Deception: The Psychology Behind Human Hacking Techniques” published at Forbes magazine in 2016:

“An employee was asked by her manager if she could get a copy of the company’s inventory spreadsheet from another employee who had access.” She asked him nicely and he said yes; however when she went looking for it online she found out that he had been lying about having access… This is a classic example of the kind of attack that Robert Toth described as “social engineering.” It’s also one of the most common methods for hackers to gain access to sensitive information about an organization or individual.

How does it work?

Social engineering is a form of psychological manipulation that aims to convince a person to disclose secret information. It can be used to gain access to information by using deceptive means, such as deceitful phone calls or emails, or even more extreme methods like impersonating people in authority. Social engineering can also be used in physical locations such as banks and ATMs.

Social engineers often rely on common human weaknesses for their success: greed, vanity, loneliness — and even love!

Traits of Social Engineering Attacks

Social engineering attacks can be made to look like they are from a friend or a legitimate company. This is done by using emotions, urgency, and trust to get you to perform certain actions that will compromise your security.

Emotions are the secret to getting someone’s attention in a way that text alone could never accomplish.

Urgency is another important trait of social engineering attacks because it makes sense for someone who’s being attacked by someone else — they want their attackers gone as soon as possible! That’s why we often see people clicking through links quickly before realizing what was going on (which can happen even after seeing those same links many times over). When this happens repeatedly with one person at work over several months or years then he becomes suspicious about himself becoming compromised due entirely on his own actions rather than anything else happening around him.”

Heightened emotions

Social engineering attacks are often characterized by heightened emotions, which can make you more likely to click on a link or download a file. For example, if your attacker makes you believe that there’s an emergency at work (e.g., “I have just been informed that our company is going bankrupt”), then the act of clicking links and downloading files will feel like an urgent response to this looming threat.

If you’re wired up enough and haven’t had time to think through what’s happening in real time — if your brain is busy trying desperately not to cry over losing everything because of some stupid social engineering attack — it won’t be obvious whether what happened was manipulation or simply good fortune: both scenarios might seem equally plausible at first glance.

Urgency

Urgency is one of the most powerful emotions that can be used to influence people. It’s an inherent desire to get something done or completed as quickly as possible, and it’s often used to make people act without thinking.

When you’re in a rush, say goodbye and take action before someone else can tell you what needs to happen next. Urgent actions are often taken without careful consideration because they’re perceived as urgent by everyone involved (you).

Trust

Trust is an important part of social engineering. It’s a key component in many successful social engineering attacks, and it’s used to gain access to information or sensitive data that can be used by attackers to gain control over your computer or steal money from you. Trust is a social engineering tool that can be used to trick people into doing things they wouldn’t normally do. People give their trust to others, and often don’t even realize it until after the fact. A simple example of this would be when you meet someone for the first time — if they’re nice to you, then you’ll probably like them and trust them more than someone who isn’t as kind or polite.

Types of Social Engineering Attacks

Social engineering is a type of attack where the attacker uses information he or she knows about you and your personal life to trick you into doing something that you wouldn’t normally do. It’s similar to a confidence scheme, except with more finesse and complexity.

The most common types of social engineering attacks include phishing, scareware, baiting (also known as luring), voice phishing (vishing), SMS phishing (smishing), email phishing and search engine phishing. There are also other types like URL spoofing and in-session phishing which use fake websites that look like they belong to reputable companies but actually have malicious content on them when visited by unsuspecting users.

Phishing

Phishing is when someone tries to trick you into giving them your personal information by using an email that looks like it came from a legitimate company but actually comes from someone else who wants to steal your identity. For example: if I got an email saying “Your credit card was declined!” It would have come from the company itself but they didn’t send it directly because they wanted me to think something happened with my account instead (and then give them money).

Scareware

Scareware is a type of malware that tricks users into thinking their computer has been infected. Scareware is usually distributed through email or a fake website, and it often installs itself through a browser hijacker or other malware.

The goal of scareware distributors is to convince victims to purchase expensive software that will supposedly remove the scareware from their computer — but often this program doesn’t work at all, leaving you with no way to remove the infections on your system (and potentially costing you more money).

Baiting

Bait is a technique used in social engineering. The goal of baiting is to get somebody to do something they wouldn’t normally do on their own, so they can gain access to sensitive information or make them more vulnerable to attack.

Examples of bait include:

A fake job offer asking you to apply for a position at your company.
An email from your boss asking about a new project and asking if you want help with it (this is also known as “the old-man trick”).

You can avoid being baited by knowing what types of emails are common targets for social engineers, and how they might try compromising you before getting anywhere near your computers or networks (or other systems).

Social engineering and cryptocurrencies

So why would someone want to use this method in order for them to steal cryptocurrency? Well, cryptocurrencies are not backed by any government or central bank; they’re completely digital so there’s no physical form of it at all. As such, criminals could easily buy large amounts of cryptocurrency on exchanges without having any proof that they own the currency (i.e., no ID). This is a huge problem because the cryptocurrency market is worth billions of dollars at this point and growing every day. There are plenty of people who would love to get their hands on that kind of money without having to work for it.

Voice phishing (vishing)

Voice phishing (vishing) is a type of social engineering attack in which the attacker attempts to trick the victim into giving up sensitive information by pretending to be a trustworthy entity. It’s called “voice” because it relies on voice features like pitch, volume and tempo to make you think that you’re talking with someone who works at your company or some other organization you know well.

Voice phishing is an attack that uses the telephone — and its natural tendency for users to trust those who call them — to trick users into giving up sensitive information such as passwords or credit card numbers, often through fake caller identification (ID).

SMS phishing (smishing)

SMS phishing is when you get a text message that claims to be from your bank, or other important company, with a link to update your account. The link takes you to a fake website where someone has stolen your password and is trying to get more personal information from you.

You can prevent this kind of phishing by changing the settings on your phone so it won’t send texts unless they come from people in the contact list or an actual number that belongs to someone you trust.

Email phishing

Email phishing is a type of social engineering that involves sending an email with a link or attachment that appear to be from a legitimate company. The goal of this type of attack is to convince you to click on the link and disclose personal information, such as your username and password, which can then be used in other attacks against you.

Email phishing attacks are often aimed at friends or family members who may use the same account across multiple devices (such as desktop computers, mobile devices, tablets and smartphones). This allows hackers access into those accounts without leaving any traces behind — as long as they have the right information about you!

Search engine phishing

Search engine phishing is a type of phishing attack that uses search engines to direct victims to malicious websites. The attacker creates a website that looks like a legitimate site, but is actually a clone of the legitimate site.

To carry out this type of social engineering scam, an attacker will create a fake version of their target’s website and then use it as bait (or “instrument”) in an attempt to trick users into downloading malware or other unwanted software.

URL phishing

URL phishing is a type of phishing attack that uses a URL to lure a victim into visiting a malicious website.

The idea behind URL phishing is simple: you create an email with a link to your website, and then send it out with the goal of luring people who are interested in what you have to offer onto your site.

The method has been around since the early 2000s, when it was first used by fraudsters who wanted access to bank accounts or other sensitive personal information.

In-session phishing

In-session phishing occurs when a victim is already logged into a website and receives an email that looks like it’s from the site they’re visiting. The attacker takes advantage of their trust, tricking them into giving up their credentials so they can access their account.

The victim isn’t aware of the attack because there’s no visible indication that anything has happened until later — when they realize that something has gone wrong with their online identity.

Angler phishing

Angler phishing is a type of social engineering that uses a lure to get someone to click on the link or open an attachment. It’s a very effective and popular form of social engineering, because it can be done without any hacking skills at all.

Angler phishing uses legitimate-looking emails, links, images and text messages which appear to come from trusted sources like banks or PayPal accounts. The message may even have been sent by someone you know in order to trick you into opening an attachment with malicious software inside it (for example: an invoice).

How to Spot Social Engineering Attacks

Are my emotions heightened?
Did this message come from a legitimate sender?
Did my friend actually send this message to me?
Does the website I’m on have odd details?
Does this offer sound too good to be true?

If you answered yes to any of these questions, you may be experiencing an attack by social engineers.

Social engineering is a sneaky tactic that takes advantage of human nature and the way we interact with the world around us. In the digital age, this often involves hackers impersonating people on social media or through email in order to get access to confidential information like passwords or credit card numbers.

Are my emotions heightened?

If you’re going to be tricked by a social engineering attack, it’s helpful to keep in mind that your emotions are more likely to be heightened than usual. As we’ve already discussed, humans are pretty emotional creatures — but when you combine this with the fact that many people have been taught from birth that certain behaviors are good and others bad (by their parents and/or society), it’s easy for us to fall into old habits of thought and behavior.

In other words: Your brain is wired to make decisions based on emotion rather than logic or reason. This means that when someone tells you something makes sense, it doesn’t necessarily mean that their argument is sound; instead, their argument might just seem logical because they use language well enough so as not get caught up in all those illogical parts of themselves (like being afraid).

Did this message come from a legitimate sender?

Don’t trust email addresses that look like they’re from someone you know.
Don’t trust links in emails.
Don’t trust attachments in messages.
Don’t trust phone numbers that look like they’re from someone you know (e.g., the person who sent this message might have been hacked).
Don’t expect things to be too good to be true — if something seems too good to be true, it probably is!
Did my friend actually send this message to me?

You should also check the sender’s name, email address and other information that was included in your chat. If there are any discrepancies between what you see on Facebook and what’s actually been sent to you, then question it!

For example, if a friend sends me a message saying “Hey,” but their profile picture shows that they have changed their cover photo to an image of a cat with sunglasses (which is not my friend), then I know something is up. It may seem silly when we’re teenagers — but it can be quite dangerous sometimes!

Does the website I’m on have odd details?

Social engineering is about manipulating people into doing what you want them to do. It’s not just about tricking them into clicking on a link; it’s also about convincing them that your request is legitimate and compelling enough for them to take action on it. This can be done in many ways, but the easiest way is through misspellings or incorrect grammar in the website’s pages. For example:

The domain extension should match the name of your company (e.g., .com instead of “.org”). If you’re unsure if this is correct, check with your accountant or lawyer (who will probably have an opinion). The URL structure should make sense and there shouldn’t be any punctuation errors — for example: www.-url-domain-extension/. A good rule of thumb when checking URLs is: if there are any dashes in them then don’t click anything!

Does this offer sound too good to be true?

If it sounds too good to be true, it probably is.
If you are unsure about an offer and want more information, ask! Don’t just take the first thing they say as fact.
It’s also important not to click on any links or download anything without knowing who sent them (and why).

Attachments or links suspicious?

If you’re not sure if the attachment is real or fake, hover over it and see if the URL changes. If it does, don’t open it! You can also look at other people’s email addresses in your inbox to see if anyone else has sent similar emails with links or attachments.

Can this person prove their identity?
Ask for a phone number.
Ask for a photo of them holding a piece of paper with a date and your name on it.
Ask for an address.
Ask for their social media profiles, LinkedIn profile, Facebook profile, Twitter profile

Conclusion

In this article, we’ve explained the dangers of social engineering — a type of attack that can compromise your personal information and digital security. While it may be tempting to believe yourself immune from such attacks, no one is safe. You can reduce your risk by staying vigilant and being suspicious of all emails, texts, or posts claiming they have some great offer or deal that you’ve never heard of before. This can help prevent an attack before it happens!