What is social engineering?
Social engineering harnesses our natural disposition to trust. Find out more about the many faces it can take.
Social engineering is a type of fraud that takes advantage of our tendency to give others the benefit of the doubt. It involves stealing personal or company information that can be used to commit other cybercrimes.
It can take multiple forms, from an email to a text message to a phone call.1 The fraudster pretends to be a coworker, friend, or company you’re familiar with. They often create a sense of urgency to convince you to act quickly without taking time to think it over.
It can be hard to guard against social engineering because we tend to respond differently under pressure. “Good” cybercriminals trap you when you’re least expecting it.
An innocent-sounding name for a treacherous practice
Anyone can fall for one of these schemes. Even if you know you need to be skeptical of messages that promise the sun and the moon or are saying you could go to jail, sometimes they somehow seem credible.
What’s more, you might fall for a social engineering scam more than once, since there are so many reasons why you might let your guard down, whether it’s being too busy, momentarily distracted, overconfident or thinking you’re just lucky.
Humans are a lot easier to hack than computer networks.
Family of frauds
Unfortunately the social engineering family is a big one. And just like any other family, each member is a little different:
Phishing is a tactic where a cybercrook uses familiar-sounding emails, websites or text messages to get you to divulge confidential information.
Spear phishing is a targeted attack against specific individuals or companies. The fraudster uses clever strategies to collect personal data about their targets and then sends them emails that seem familiar and trustworthy.
Baiting promises a reward in exchange for a specific action, such as money back if you just plug in a thumb drive or download an attachment—which then steals your data.
Water-holing or a “watering hole attack” works by identifying a website frequently visited by a specific group of users. The scammer hacks into the site and installs malware to ensnare the users the next time they visit it. Water-holing is very difficult to detect.
Vishing is using voicemail to tell you you’re in grave danger if you don’t act immediately. For example, a voicemail may ask you to reset your bank password right away because your account has been hacked.
Pretexting uses a fake identity and knowledge of your past behaviour to get you to compromise your information. For example, a scammer learns that you bought a product at a certain store. Then they email you pretending to be a customer service representative and ask you to confirm your credit card information.
Quid pro quo attacks offer a service in exchange for an action. A classic ploy involves a fake IT worker contacting people who requested tech support and promising to fix their problem quickly if they deactivate their antivirus software or provide their login credentials.
Tailgating allows an unauthorized person to gain access to a building or secure area either by tagging along with someone else or pretending to have forgotten their key card.
Want to learn more about how to stay safe online? Check out our tips to keep away from cybercrooks.