Complete Social Engineering Guide

Social engineering is the act of using human sentiment to manipulate them into giving up sensitive information. This is a technique used by cybercriminals to loot common people. Social engineering mostly uses human psychology rather than a technical approach to gain access to systems or data. So yes, cybercriminals started seeing that it’s much easier to manipulate human emotions and reactions rather than directly attacking them by technology.

How does Social Engineering Work?

Imagine that a group of robbers wants to gain access to a safe, but it’s impossible to break in. Plan B is to ‘convince’ the owner of the safe to willingly give the codes to open it.

The same concept is used in cybersecurity. Here’s an example.

Imagine you want to access a computer network of “ABC Company.” First, you will try to find the software flaws, and if there’s none (or if it’s too difficult), you go to plan B (this is where social engineering comes in). You will pose as a technical support person and trick an employee into letting you inside the company and their computers, giving you direct access to their networks.

This seems too easy. There have been many cases where hackers have infiltrated companies using similar techniques. Most of the attack was based on tricking the human brain. So what are the “human flaws” that hackers manipulate in social engineering? Scroll through the below section to know that. 

Different Ways of Social Engineering:

All social engineering techniques target the human decision-making attributes and are exploited in various combinations to attack a victim. Most social engineering techniques are used to steal confidential information from people.

There are many flaws when we make decisions, but there are six key attributes that are used for social engineering. The 6 principles of influence were established by psychiatrist Robert Cialdini. They are as follows:

• Reciprocity
• Commitment and consistency
• Social proof
• Authority
• Liking
• Scarcity

Let’s discuss these points in detail.

1.   Reciprocity

In social psychology, this is a social norm of responding to a positive action with another positive action. People are wired to return a favour. A commonplace to see this tactic being used is in marketing. In supermarkets, free samples are a good example.

In cybersecurity, this is being used when an attacker is in some way generous or being thoughtful; the victims feel like providing special access or overlook some things.

2.   Commitment and Consistency

This is a powerful influence on our behaviour because it reflects back on our self-image. A common tactic used in social engineering is to ask for small requests then build up for a huge favour. This builds trust between the victim and the attacker, making it easier to exploit them.

A real-life example of commitment and consistency can be seen in online marketing, where pop-ups show up on sites saying, “I’ll sign up later.”

3.   Social Proof

There’s a saying, “don’t go with the flow,” which was said based on people doing things based on other people doing the same thing. In the disco age, the owners would unnecessarily make a big line outside of the club even though there was plenty of room inside. This tactic drove more people to come.

Politicians frequently emphasize the popularity and overstate their winning margins (they're lying btw), which convinces the people to vote for them.

4.   Authority

People tend to respect and obey authority figures even if they ask to perform objectionable actions. A famous ransomware attack occurred where people got their files encrypted and were notified to pay a fee to the FBI to retrieve their data.

It’s more likely that a person would respond to a bank or government agency call without hesitation, which is widely used within cybercriminals.

5.   Liking

People are easily persuaded by other people whom they like. In marketing, this is also used, where companies use famous people to sell their products. Again, people were more likely to buy it if they liked the person selling the product.

In the case of cyber-crime, an attacker can go through your social media and quickly grasp what the things you like (if you have a very active social media presence) are. After gathering the information, they can contact you as the person/brand requesting you to take action.

6.   Scarcity

Scarcity will generate very high demand because everyone wants to get the best deal or to be unique from everyone else. For example, if there’s a specific unique item but there’s only 30 in the whole world. People would want to get their hands on that as fast as possible.

Another example would be a special offer like black Friday, where there are huge discounts for products and people want to get their hands on them.

All the mentioned tactics are being used in social engineering in order to persuade a person to give up confidential information. The most common types of social engineering attacks usually take place over the telephone, social media, and emails.

Types of Social Engineering Based Scams

There are many ways to measure scams, but most are measured from the number of people affected and the amount of money being scammed. Here are the top 5 scams that used social engineering:

• Debt Collection

Most complaints under this scam involve debt collectors where the victims receive calls from harassing collectors who threaten and repeatedly call attempting to collect a debt. This includes but is not limited to credit/debit card fees, payday loans, and unauthorized use of credit/debit cards.

• Fake Government officials

If you received an email, letter, or phone call from a government agency (like the IRS) instructing you to wire Western Union or MoneyGram money someplace or follow some link to enter information, it’s a scam! No government will ever instruct people to carry out financial transactions using these methods.

There are a lot of videos on YouTube where people are prank-calling these scammers, and it’s hilarious.

• Identity Theft and Phishing

A very common type of scam where the attackers gain access to your sensitive information like social security numbers, date of birth which are then used to apply for loans, credit cards, and financial accounts. Also, by collecting personal information, the scammers will impersonate you on social media and other sites.

Phishing usually happens via emails, where a victim receives an email that appears to come from a trusted source. These emails will have links or attachments which will request the victim to update existing account information. But those websites and emails are fake.

• Phone Scams

Scammers will call people pretending to be from banks, government officials, or credit card companies. They will request your personal information and request payments to be done. These people are really persuasive, and an example of this type of scam is the “your Microsoft license key has expired,” among many others.

• Fake Prizes, Free Gifts, and Fake Lotteries

Have you ever received an email claiming that you won a prize, lottery, or gift and you will have it if you paid a “small fee” or the delivery charges? These scammers will use genuine companies and brands to persuade the victim.

Usually, a lottery scam will take the form as follows. First, you will receive an email saying that you have entered a lottery, and a couple of hours later will receive a follow-up email saying you won a huge amount of money. In order to claim the prize, you have to pay the “administrative fees.” No genuine lottery asks for money for paying any type of fee.

Life Cycle of a Social Engineer

Here we’ve mentioned the complete life cycle of a social engineer. Have a look to stay ahead of the cybercriminals. 

1.   Information gathering

This is the first and most important step of carrying out a socially engineered attack. This requires a lot of patience and keenly watching the habits of the target. During this stage, the attacker will gather all the information of the target, which includes but is not limited to:

• Personal information
• His/her interests
• Work details
• User credentials

And many more. The more information the attacker has on the victim, the higher the chance of the attack being successful. Here’s a complete list of Personally Identifiable Information.

This stage determines the success rate of the overall attack.

2.   Engaging with the victim

After gathering all the information, the attacker will start opening up a conversation with the victim without the victim finding anything suspicious. Since there was enough background research, it’s easier to engage with the victim.

3.   Attack phase

This step is generally taking place after a period of time engaging with the target. During this time, the needed information is retrieved by using social engineering techniques and builds a form of trust between the victim and the attacker.

However, during this period, the attacker is very subtle not to make anything look suspicious and spook the victim. After the attack is made, the results will also be in effect during this stage.

4.   Ciao, Adios, Good-bye

At the last step, the attacker slowly ends the communications with the victim. He will shut down all communications with the victim with time but slowly without arising any suspicion in the victim.

This leads for the motive to be fulfilled as well as for the victim to know that the attack ever happened rarely.

Conclusions

Cybercriminals lurk all over the place, waiting for us to slip and share data. So while the criminals have to be lucky just once to get into your system, you have to be cautious every single time to fail those attempts.

Always be attentive and pay attention to detail. Have multiple security measures installed so that you will be able to stop the hackers in their tracks. Trust your gut, and if it seems too good to be true, it probably is.