Hacking 101: What is social engineering?

Ever gotten a suspicious email claiming to be from a well-known company? A robotic voicemail asking for your information? Most of us have. While it might just seem like a nuisance you can ignore, social engineering is a very real threat you need to be prepared for.

We’ve all been there. You get a ridiculous-looking email full of typos claiming to be from a service you don’t even use, asking you to log in and share your information. It might seem impossible that anyone could fall for such a blatant scam, but don’t let the obvious tricks lull you into a false sense of security. Social engineering techniques are always evolving, and because they involve a human element, we’re all susceptible to making a mistake.

What is a social engineering attack?

Social engineering manipulates people into sharing sensitive data, like logins and payment information, usually via some form of technology. This technique doesn’t require a supercomputer or fancy algorithms to crack a person’s password. Instead, the attacker focuses on tricking the target – usually by posing as someone trustworthy – into handing over their private information. By leveraging human psychology and behavior, an attacker can capitalize on emotions like fear, trust, and anxiety and exploit human error to deceive victims.

Common methods used in social engineering

It’s essential to know the most common techniques and telltale signs of social engineering attacks. When you know what to expect, it’s easier to spot these common methods and pause for a moment before taking any action that could compromise your data.

• Phishing: Phishing is a social engineering attack that involves sending fraudulent communications, usually emails, to trick the recipient into sharing sensitive data or information. The technique is so prevalent that we now have terms for different types of phishing:

  • Vishing: Voice phishing via phone calls, often asking you for private information.
  • Smishing: SMS or text message phishing containing malicious links.
  • Spear phishing: Spear phishing targets and tailors the attack to a specific person or company.
  • Whale phishing: Whale phishing specifically targets high-profile employees or “big fish,” like CEOs, to get sensitive data.
  • Angler phishing: Angler phishing is a newer form of social engineering targeting social media users. The attacker pretends to be a customer service agent reaching out to customers in order to gain access to data like account credentials.

• Pretexting: Pretexting is a type of social engineering attack where a hacker will create a situation or pretext, like pretending to be a customer service rep from the bank, in order to trick the victim into sharing sensitive information.

• Baiting: Baiting occurs when an attacker leaves behind a device, like a USB stick, to be found somewhere. It’s designed to install malware and other malicious files when the target inserts it into their computer.

• Tailgating or piggybacking: This social engineering technique happens when an attacker physically follows someone with access into a place they are not supposed to be. This could be as simple as holding the door open for someone at the office.

• Quid pro quo: With a quid pro quo attack, the social engineer will pretend to provide something, usually a service, in exchange for the target’s help or data. For example, an attacker may call a victim pretending to be from the IT department to gain access to their computer.

• Scareware: Scareware is a type of malware meant to scare you into taking some kind of quick action, like immediately downloading software to remove a fake virus from your computer.

• Honey trap: In a honey trap, the attacker will act as though they are sexually or romantically interested in the victim in order access data or money.

• Water holing: Water holing takes advantage of the trust we give to sites we regularly visit. An attacker can look for vulnerabilities and infect a site with malware or recreate incredibly similar versions of the legitimate website to redirect victims to. This can lead to targets inadvertently downloading malware or ransomware, sharing personal information, or being targeted for subsequent phishing attacks. Water holing attacks are common in cases of large scale data breaches of well-known organizations.

What is the difference between social engineering and reverse social engineering?

You may have seen the term “reverse social engineering” popping up lately. Reverse social engineering is a perfect example of the way hackers can adapt and evolve their techniques to cast a wider net and reach more victims.

While many traditional social engineering attacks involve the attacker approaching the target, with reverse social engineering, the victim is meant to unknowingly approach the attacker, usually for assistance. For example, an attacker might pose as a support agent from a utility company or bank on social media. When the victim contacts the “support agent” for a customer service issue, the attacker can gain access to account details, payment information, and passwords under the guise of providing customer support.

How to protect yourself from social engineering attacks

Being aware and educated about different types of social engineering methods is a large part of preventing attacks, but you can bolster your security further with a few more steps:

1. Stay in the loop. Hackers are always coming up with different ways to use existing social engineering methods or inventing new attacks. Stay up to date with common techniques and how they may be evolving. Subscribe to newsletters or podcasts, follow your favorite sources on social media, or set up Google alerts that will keep you caught up on online security.
2. Slow down and assess. If you’re being targeted, regardless of the social engineering technique being used, there’s nothing stopping you from pausing for a moment to assess the situation. Do you recognize the text message sender? Would your bank ever ask you for private information over email? Does it sound too good to be true? There’s no harm in doing a little bit of research on the source, like calling a company to confirm details or typing a phone number into your preferred search engine. Follow your gut – if it turns out to be legitimate, you only spent a few extra minutes being safe.
3. Keep everything updated. From your devices to your software, do your best to keep everything up to date. If automatic updates are an option, turn them on.
4. Turn on two-factor authentication. If you’re given the option, turn on two-factor authentication (2FA) to add a second layer of security to your accounts, on top of your usual login details. This extra verification method means that even in the worst case scenario, if a social engineering attack is successful and someone else has your password, it’ll be much harder for them to gain access to your sensitive data.

Protect yourself by using a password manager

The final step is to use a password manager like 1Password. Along with the convenience of creating strong passwords and letting you log in to sites with a single click, a password manager will add another layer of security to protect you from social engineering and other cybercrimes.

For example, most password managers will save the website URL alongside your username and password so it knows when to autofill your credentials. If you inadvertently visited a website targeted for a water holing attack, you’d immediately notice that your password manager wasn’t offering to autofill your username and password. Taking a closer look at the website URL, you’d realize that you were on a fake site, preventing your data from being compromised.

In addition, using a password manager like 1Password helps you know where you can enable two-factor authentication, notifies you if any of your passwords have appeared in a data breach, and alerts you to weak or reused passwords. 1Password Watchtower also alerts you to security problems with the websites you use so you can keep all your accounts safe.

Remember that anyone can fall victim to a social engineering attack. Human brains will always be susceptible to manipulation, no matter how smart or tech savvy you are. But if you stay alert, educate yourself on common tactics, and embrace the right tools, you can spot scams and stay safe online.

Emily Chioconi

Content Marketing Manager