Social Engineering: How scammers use it for identity theft
Social engineering is one of the most powerful tools for cybercriminals looking to commit identity fraud. It allows scammers to manipulate victims’ emotions and get them to compromise their own information. But what exactly is it? And how does it work?
Read on to learn about the dangers of social engineering attacks and how you can help protect yourself against them.
What is social engineering?
Social engineering refers to the broad range of manipulation techniques cybercriminals use to play on victims’ emotions and trick them into making choices they wouldn’t normally make. The goal of social engineering is generally either (1) to sabotage their data or (2) to steal personal info, access, or money.
Social engineering attacks may attempt to get victims to:
● Reveal confidential, personal information, like usernames, passcodes, financial details, etc.
● Send money via money order, gift cards, cryptocurrency, or electronic fund transfer—i.e., wire transfers and automated clearing house (ACH) transfers.
● Install or authorize malware on their devices.
● Become a mule for laundering and transferring illegal money, etc.
Social engineering attacks tend to involve complex schemes with multiple steps, often relying on some sort of communication between the cybercriminal and the victim. This interaction is where the “social” aspect of the attack comes into play. The attacker manipulates the victim’s emotions to get them to compromise their own data, rather than having to use brute force methods. After all, it’s easier for a cybercriminal to exploit people’s natural impulses than to figure out new ways to hack software.
That’s what makes social engineering attacks so nefarious. They trick you into betraying yourself.
How does social engineering work?
Social engineering attacks generally follow a reliable, four-step cycle:
Collecting intel
The cybercriminal gathers background information on you or the organization you belong to. They learn your habits and any helpful personal details or interests to make their scheme appear more believable.
2. Engaging with the victim
Using the information they’ve gathered, the cybercriminal initiates an interaction or relationship with you and builds trust, so you don’t suspect what’s coming.
3. Attacking
After establishing trust and determining your weakness—often over a long period of time—the cybercriminal launches an attack. They use your natural inclination to trust against you to get whatever they want: money, access to systems, information, etc.
4. Disengaging
Once the cybercriminal gets what they want, they cut off communication and attempt to cover their tracks. Often, this happens slowly and smoothly, so you don’t realize what happened until well after the fact.
Though the social engineering attack cycle is very predictable, the time frame of the attack is not. Social engineering attacks may be executed over many months—like in a romance scam, where the cybercriminal spends a long time convincing the victim they’re a real romantic prospect before exploiting them—or within a single email, text message, or in-person interaction. The more familiar you are with the way social engineering works, the more likely it is you’ll be able to spot and avoid attacks when they happen.
Why does social engineering work?
Even the most level-headed, logical person in the world could become a victim to a social engineering attack if they’re not careful. That’s because social engineering techniques are based on inherent attributes of human decision-making called cognitive biases.
These biases are so hard-wired into our brains, we often don’t even think about them—but cybercriminals sure do. They plan and execute elaborate attacks based around the following key principles of influence:
● Authority
There’s a reason why scammers often pose as government officials, police officers, doctors, and other authority figures—it makes people more likely to comply.
● Consensus/social proof
You know that old phrase, “Would you jump off a cliff if all your friends were doing it?” Well, when it comes to social engineering scams, the answer for many people is “Yes!”
● Consistency
In for a penny, in for a pound. Most people don’t want to seem wishy-washy, so if a scammer can get them to agree to something small, they’re more likely to agree to something bigger down the line.
● Urgency/scarcity
If you’ve ever been motivated by phrases like “For a limited time only” or “While supplies last”, then you understand the influential power of urgency and scarcity.
● Liking
People tend to be more easily persuaded by people they like. Hence the success of charismatic conmen.
● Reciprocity
If someone gives you a gift, you’re more likely to give them one back.
What kind of tactics do cybercriminals use in social engineering attacks?
Most social engineering attacks are layered, involving a combination of tactics for gathering information and extorting victims.
Phishing
Phishing involves sending victims fraudulent messages from what appear to be legitimate sources.
Common types of phishing
● Email phishing
Email phishing is the most well-known type of phishing. Messages often encourage the victim to reply or follow-up via an external link or phone number and sometimes include malware attachments.
● Smishing
SMS phishing, or smishing, is done via text or mobile app messages. These may also invite victims to follow-up via a web link, email address, or phone number.
● Vishing
Voice phishing, also called scam calls or robocalls, uses a computerized dialing system to connect unsuspecting victims to either a live person or a pre-recorded message when they pick up the phone. Then, the system records any sensitive information provided.
● Spear phishing
Spear phishing is a more targeted form of phishing that narrows the attack to a single victim or a small group. While typical phishing schemes cast out a broad, generic net, spear phishing often uses information gathered from a victim’s social media or other public information to make the scam seem more legitimate.
● Angler phishing
Angler phishing is when a scammer poses as a trusted company’s customer support team on social media to prey on disgruntled consumers. They often send a link, offering to connect the consumer to a customer service agent for more help, but clicking the link surreptitiously installs malware on the victim’s device.
● Search engine phishing
Search engine phishing is a technique where scammers manipulate search rankings to get fake websites to come up at the top of search results.
● URL phishing
In URL phishing, scammers attempt to get victims to click a link to a phishing website. They may embed the fraudulent link in an email, text, social media message or online ad, or they might try to trick victims into clicking by hiding it in hyperlinked text or buttons.
Malware
Malware is any kind of malicious software designed to cause harm. Cybercriminals often include malware attachments in phishing messages, where they can be used to compromise passwords and other personal info, track a victim’s activity, take a device or computer network hostage, etc.
Malware is also at the root of most large-scale cyberattacks, including major data breaches that result in widespread identity theft and fraud.
Data breach
Though data breach is often considered one of the end goals of social engineering attacks, the personal data harvested in a breach—like full names, home addresses, email addresses, phone numbers, etc.—may also be used to fuel further cyberattacks involving phishing, malware, etc.
Physical theft
Cybercriminals are not above getting their hands dirty—literally. Some social engineering attacks involve dumpster diving to gather sensitive information from bank statements, pre-approved credit card offers, and other mail that hasn’t been properly sanitized or destroyed.
Shoulder surfing
Shoulder surfing is a sneaky social engineering technique where cybercriminals gather people’s personal information by looking over their shoulder or eavesdropping for confidential data. Shoulder surfing generally happens in public, like at an ATM; in crowded areas like airports, restaurants, and bars; and on public transportation.
How can I help protect myself from social engineering attacks?
With so much of our lives and information online, nobody is 100% safe from social engineering attacks, but there are some things you can do to help protect yourself from identity theft and fraud.
Turn your spam filter on.
Email phishing is the most common form of phishing, so using a spam filter is a very effective way of preventing potential attacks from even reaching your inbox.
2. Ignore suspicious messages and attachments.
Trust your gut. If you receive a message that seems fishy to you, don’t reply or click any links or attachments in case of malware.
3. Use multi-factor authentication.
Multi-factor authentication, or two-factor authentication, can help prevent attack takeover if your passwords or usernames are exposed in a social engineering attack.
4. Be wary and watchful.
Beware of anything too good to be true, as well as any phishing messages that attempt to play on your emotions to persuade you to do something.
5. Enroll with a credit and identity protection service like PrivacyGuard.
PrivacyGuard can help monitor your personal information and track your credit scores to help you keep aware of your personal information.
Curious about how cybercriminals target scams at seniors and people with student loans? Visit our blog to read more.