When it comes to cyber-attacks, our thoughts jump immediately to malicious code and the misuse of technology. However, the success of a cyber-attack relies on other, not-so-famous tricks along with effective security breaching methods. The subtler, more invisible aspect of a cyber-attack is social engineering.
We say ‘tricks’ and not ‘techniques’ because that’s exactly what they are. Spotting social engineering tricks at play can be easy if you train yourself to be on the lookout. That’s why this method of manipulation needs to be a part of the discussion on cyber security.
In this three-part blog series, we shall talk about social engineering in detail, from a cyber security angle. The first part gives an overview of this scamming technique.
The basics of Social Engineering
Social Engineering (SE) is the act of manipulating someone to change their course of action. Whatever the intention behind social engineering (good or bad), the fact remains that social engineering causes you to take actions you wouldn’t have taken otherwise.
Christopher Hadnagy, professional social engineer and ‘Human Hacker’, defines SE as:
“Any act that influences a person to take an action that may or may not be in their best interest.”
It is a means of taking undue advantage of a person’s emotional state and natural tendencies to exploit them, either for money or to get them to spill sensitive information.
Social engineering as a concept relies primarily on two things to succeed:
Manipulation is the act of getting a person (called a ‘target’) to do what you want them to do. A fear-inducing email saying you need to re-enter your credentials to unblock your account is an example of manipulation.
Influencing is the act of getting the target to want to do what you want them to do. It is different from manipulation in that the target is falsely led to believe that he / she is driving the conversation / narrative. An example could be ‘You have won a lottery!’, because although the scammer is tricking you, you want to click on the link because you’ve suddenly become very happy.
In the world of cyber fraud, successful hackers use a combination of both to get what they want from their victim.
In the coming parts, we will look at social engineering from a cyber security standpoint. Part Two talks about the types of SE attacks.
Frequently Asked Questions
Why is social engineering important in security?
Social Engineering is important in security because it exploits a person’s frame of mind to carry out a cyber-attack. Unlike other cyber threats, social engineering does not rely on vulnerabilities in networks or malicious payloads. The only antidote to social engineering attacks is awareness and alertness.
What is pretexting in Social Engineering?
Pretexting is the art of creating a realistic story and persona in order to trick the victim while in disguise. In social engineering attacks, pretexts are often used to create a false sense of urgency or worry to cause the victim to act on an impulse.
Why do hackers use social engineering?
The primary aim of a social engineering attack is to get the victim to divulge sensitive information that they wouldn’t under normal circumstances. Social engineers rely on the psychological state of a victim to elicit an emotional response from them. Unfortunately, there is no antivirus yet for the feelings of fear or happiness or worry. Because social engineering focuses on the person and not the system, hackers find it easier, as they do not have to tackle threat protection tools and services.