What Is Social Engineering, and How Is It Used in Cybersecurity Attacks?

By: Glenn Sweeney
November 4, 2024

Social engineering sounds nice, and in some contexts, it is. Social engineering can mean shaping the development and behavior of a community. But in my industry, social engineering refers to the techniques a hacker will use to manipulate and deceive their victims. 

But before I explore this topic further, I want to talk about one common trait that plays right into a scammer’s hands — overconfidence. When you read this blog, it might be easy to assume that you’re too smart to fall for any of these tactics. But everyone can have a careless moment, especially when we’re tired or in a rush. And our own overconfidence can get us into a lot of trouble.

The Psychological Principles Behind Social Engineering

[Illustration: An online scammer depicted as a puppeteer manipulating multiple people at the same time through social engineering.]

While advanced scammers will try to use your brain against you in a number of different ways, these are the psychological principles they rely on most often. But they aren’t the only ones. You’ll also find that a few marketers with questionable ethics use some of these tactics to try to get you to buy something you don’t need. 

1. Favoring Reciprocity/Quid Pro Quo

Ever felt compelled to give something to a charity because they gave you some pre-printed address labels? That’s pretty harmless. But scammers will also use your natural desire to return kindness by offering something like a discount or some useful information to try to pressure you to do something for them. 

It may be something that seems harmless, like revealing the make and model of your first car. But connect the dots — that’s a common password retrieval question.

2. Complying With Authority

When someone calls your home posing as local law enforcement, you’re probably going to have a stronger urge to comply with their wishes. Scammers know this, which is why they’ll use your tendency to comply against you. 

Besides law enforcement officials, here are a few other authority figures that scammers will sometimes try to impersonate: 

  • Your boss or grand boss 
  • An IT professional 
  • The IRS 
  • A fraud investigator at your bank (ironically)

3. Valuing Social Proof

[Illustration: One businessman crossing a boundary, which encourages others to do the same, showing how social proof is used by scammers and hackers.]

You’re more likely to do something if you think other people are doing it or have already done it. Marketers understand that when they say four out of five dentists recommend a certain brand of toothpaste, you’re more likely to try it. Of course, in marketing, they have rules around the claims they make. But scammers don’t play by the rules. 

In order to get you to do something, a scammer might try to convince you that your coworker has already taken the action they want you to take, so you should do the same.  

4. Fearing Scarcity

This urge is so strong we even have a cute acronym for it: FOMO (fear of missing out). 

When you believe that a great opportunity is going, going, gone, you’re more likely to act impulsively. Marketers use this to get you to buy things you don’t need — and shopping channels are especially notorious for trying to create a sense of scarcity in order to drive up their numbers. But scammers do this to get you to give them access to your account or data. 

5. Trusting Friends and Familiarity

What are you more likely to trust — an online review or a recommendation from a friend? 

Word of mouth is great, but some mouths are more influential than others. People we’ve built close relationships with have far more influence over us than strangers do. So scammers will often try to strike a more friend-like tone, build up a relationship over time, or pose as someone you already know and like in order to get you to do something. This form of social engineering attack is often called pretexting. 

6. Wanting To Appear Consistent

There are plenty of ways this tendency works in our favor. We all want to be people of our word and feel like our decisions are rooted in logic.  

Scammers understand that only too well. So they’ll often try to get you to agree to something — typically something that at first seems simple and insignificant. Then, they’ll start escalating their requests little by little, hoping you’ll feel pressured to follow through on your earlier “commitment.” 

7. Avoiding Fear and Anxiety

Humans don’t always make good decisions when they’re stressed and anxious. Fear and anxiety are also unpleasant feelings — feelings that we’d like to go away as soon as possible. 

That’s a dangerous combination, and one that scammers will frequently use. They’ll often fabricate a scary situation, like your bank account being hacked, to get you to act quickly and without thinking it through.  

8. Being Curious

Human beings are naturally curious, which is why we wrap our presents. It’s also why some marketers will offer a discount code that you have to click or scratch to reveal. 

Scammers will often try to use that too, like sending you a message with a cryptic phrase, such as, “Are you in this video?” They might also promise you something enticing but somewhat vague, and all you have to do is open an attachment or click a link. 

How To Protect Your Business Against Social Engineering Attacks

[Illustration: A business executive cutting the strings used by cybercriminals to get employees to compromise their login credentials or initiate wire transfers.]

Many social engineering attacks prey on our natural tendencies to be nice, accommodating, and avoid embarrassment. So businesses need to flip the script and make sure that their employees understand that a healthy dose of skepticism — and even reluctance to comply with a firm request — will be welcome and rewarded. Employees also do better at recognizing social engineering at play in phishing attacks and other common scams when they know what to look for. Here’s how to make that happen. 

Provide Regular Security Awareness Training

When your employees know what to look for and get regular reminders, scammers have a much harder time getting them to do what they want. 

Case in point — since you’ve read this far, I believe the next time you are asked for the name of your first-grade teacher (another common password retrieval question) you’ll instantly be on your guard. That’s good. But scammers change up their tactics from time to time, and everyone has careless moments. 

Therefore, a good security awareness training program should include: 

  • Ongoing education on the most common types of scams and tactics currently being used
  • A refresher on your email, internet, social media, password, and privacy policies and why they’re important
  • Threat recognition and response training
  • Regular vulnerability testing, including simulated phishing attacks

Establish and Maintain Clear Security Policies

Make sure you have clear directions available for how you’d like your employees to handle sensitive information, how your office handles on-site visitors, and how your staff should safeguard entrances to your physical office. 

A Note About Preventing Tailgating in Office Environments

For example, if your employees are supposed to swipe a badge in order to access your business — or certain portions of it — any tailgating (when an unauthorized person follows an authorized person through a door or access control system) is a no-no. 

That means no holding important security doors open — even in an effort to be nice — and no propping them open for the sake of convenience. 

Use Multifactor Authentication and Other Cybersecurity Tools

Even with regular training, a certain percentage of your staff will still be vulnerable to advanced phishing techniques. That’s why using multifactor authentication (MFA) is so important — it can prevent 99.9% of attacks. 

In addition to MFA, modern email filtering tools can help reduce the number of scams that reach your employees, but it’s important not to rely on them completely. Scammers are constantly finding ways to sneak past them. 

Because no single tool or solution can prevent everything, more and more businesses are adding additional layers of security to their online systems. That way, even in the worst-case scenario, where an intruder gets access to your systems and data, they can only see and access so much. The damage will be contained. 

Create a Culture of Security

Adopting an anti-tailgating policy will not help much if your executives don’t follow it. A culture of security has to be created from the top down, and that means managers and executives need to model secure behavior. 

When an employee reports suspicious activity or questions an odd request coming via email, for example, they should be rewarded for that, even if the request or activity ultimately turns out to be legitimate. 

Limit Publicly Available Information

Scammers can often pull enough information from what’s available online to impersonate an employee or a vendor. Most organizations need a robust online presence, but resist the temptation to overshare.

Implement Strong Verification Procedures

Limit who can make financial transactions, and have procedures in place to verify the legitimacy of any wire transfer or sensitive data requests before they are fulfilled. 

Keep Your Incident Response Plan Up to Date

If you haven’t already, put together a thorough incident response plan (IRP), and put it to the test at least once a year. 

Vet Your Vendors

If someone can easily hack into a vendor’s email system, they can send fraudulent invoices, wire transfer requests, and malicious links from a trusted email account. So if you use MFA, but your vendors don’t, it’s time to reconsider the relationship. 

Everyone who has access to your facilities, infrastructure, or data is a potential risk to your organization, which is why vendor due diligence is non-negotiable in 2024.

Get Expert Help Countering Phishing, Quid Pro Quo, Pretexting Attacks and More

When used correctly, AI has been a huge time-saver for many businesses, but it has also been a boon for cybercriminals. The spelling errors and sloppy grammar that were once reliable indicators of a scam in progress are now largely gone. But other indicators have taken their place. 

If you need to update your awareness training and user authentication tools, we specialize in making training engaging and effective, and reducing the frustration associated with using MFA. Spoiler alert — it doesn’t have to be frustrating or a constant drag on your productivity. 
