What Is Social Engineering - The Human Element in the Technology Scam| Cybersecurity | CompTIA (2024)

What Is Social Engineering - The Human Element in the Technology Scam| Cybersecurity | CompTIA (1)It’s often noted that humans are the weakest link when it comes to cybersecurity. To exploit that vulnerability, many hackers engage in social engineering to support their cyberattack efforts and obtain valuable information. Social engineers target humans, rather than technology, to gather useful intel.

Hollywood frequently glorifies the savvy con man for his ability to charm and disarm. In the movie “Catch Me If You Can,” Leonardo DiCaprio portrays a young Frank Abegnale, a notorious con man, who impersonated airline personnel, a lawyer and various other roles to commit check forgery and fraud. Abegnale later used his talents to become a security consultant.

Social engineering brings the con into the digital age. Instead of using personal interactions to build rapport and charm users into certain actions, social engineering leverages a lack of awareness around digital tools and the willingness to share on digital platforms. The end result is the same: psychological manipulation that leads to handing over sensitive info.

Continue Reading Below You may also be interested in...

What Is Cybersecurity?Learn what cybersecurity is and understand the definitions of different types of threats. What Is a DDoS Attack?Learn what a DDoS attack is, the types of DDoS attacks, DDoS attack tools, DDoS protection and how to stop a DDoS attack. Data Breach Response Planning GuideLearn how to respond to a data breach. Use this tool to help you prepare a data breach response plan.

Social Engineering Defined

The term social engineering refers to methods employed by hackers to gain the trust of an end user so that the hacker can obtain information that can be used to access data or systems. Social engineering typically involves impersonating representatives of legitimate organizations to manipulate people into supplying information such as passwords or personal details.

Social engineering can involve phone calls, emails or texts. Sometimes referred to as “human hackers,” social engineers employ a variety of methods to convince users to divulge information, often masquerading as tech support or bank employees.

How Does Social Engineering Work?

Hackers develop different tactics to support their social engineering pursuits. Most social engineering attacks follow this path:

  1. Research the target. The purpose of social engineering is to convince a user that you represent a trusted institution. Social engineers will often attempt to develop a rapport by offering easily obtainable details, such as birthdate or phone number, as evidence of their legitimacy. Much of this information is publicly available, and social engineers typically scout social media to gather this type of vulnerable data.
  2. Make contact with the target. The attacker makes contact directly with the target. Social engineers use the information they’ve gathered to validate their fake identity. The target is then asked to provide sensitive information the hacker can exploit.
  3. Attack. Using the details they have covertly obtained, social engineers launch their attack. This could involve accessing systems using acquired passwords, performing a classic case of stolen identity or putting the information to use for personal or political gain.

History of Social Engineering

Social engineering is a practice that is as old as time. As long as there has been coveted information, there have been people seeking to exploit it.

The term social engineering was first used by Dutch industrialist J.C. Van Marken in 1894. Van Marken suggested that specialists were needed to attend to human challenges in addition to technical ones. In 1911, Edward L. Earp wrote Social Engineer as a way to encourage people to handle social relations similarly to how they approach machineries.

In modern times, social engineering has come to reference the practice of deceiving people to obtain valuable information, which is often followed up by a cyberattack.

Here are some of the most famous cybersecurity social engineering examples.

Target Data Breach

In 2013, more than 110 million customers fell victim to a social engineering attack on Target. Social engineering techniques were used on an HVAC company that had remote access to Target’s network. The HVAC company was then compromised with malware, which in turn infected Target’s systems. The attack resulted in the loss of emails, names, addresses, phone numbers and credit and debit card information.

Yahoo Security Breaches

In 2013 and 2014, two attacks compromised Yahoo email-user information. The second attack was accomplished via a spear-phishing campaign targeted to a Yahoo engineer. The individual took the bait, giving hackers access to names, email addresses, phone numbers, dates of birth and passwords. This attack also gave hackers the ability to access user accounts without passwords.

CIA Attack

A 15-year-old was able to take control of the secure emails of John Brennan, the director of the CIA. Kane Gamble used social engineering to convince Verizon to provide personal details about Brennan, which he later used to impersonate the CIA director. Gamble was able to access Brennan’s email by changing security questions and passwords with gathered intel, allowing the 15-year-old to view sensitive military information.

Types of Social Engineering

Social engineering is a general term that refers to a broad range of manipulation tactics used by hackers to acquire information.

  • Baiting: Baiting is a social engineering attack where the attacker entices the user with a free item to lure them into clicking on a link. This may come in the form of a free music or movie download lined up with the user’s interests. When the unsuspecting user clicks the link, they become infected with malware.
  • Phishing: Phishing is a type of social engineering attack that uses email, phone or text to entice a user to click on a malicious link. The communication appears to be from a legitimate source connected to the user. When the user selects the ill-intentioned link, the user’s device or system becomes infected with malware and data is often compromised.
  • Pretexting: This tactic is one more commonly associated with the term social engineering. With pretexting, an individual impersonates a representative from a trusted organization with the goal of acquiring sensitive information. This social engineering technique relies heavily on gathering research before initiating contact with the target.
  • Quid Pro Quo: The quid pro quo attack is a variation of baiting. Often known as the “something for something” social engineering technique, the quid pro quo attack involves promising a service or benefit for complying with the request of an attacker. For example, a social engineer may promise a free software upgrade to entice a user to download what is actually malware to their system.
  • Reverse Social Engineering: In this kind of social engineering scheme, the attacker convinces a target that they have a problem or issue and then positions themselves with a solution. The target then initiates contact with the social engineer believing that they are able to solve their problem.
  • Tailgating: This social engineering tactic is a physical attack. With tailgating, a hacker gains access to restricted areas of a building by following an approved employee into the building and piggybacking on their credentials. In these cases, the social engineer often pretends to be an employee or even a delivery person.
  • Whaling and Spear Phishing: These attacks are a variation of phishing and, because they target a specific individual, they require a significant amount of research. In whaling attacks, these individuals are high-profile people, often executives or the C-suite.

How to Prevent and Protect Against Social Engineering

The best form of prevention against social engineering attacks is end-user training. Teaching your employees how to recognize social engineering tactics and avoid them is of the utmost importance.

Here are some points to help support your training efforts.

  • Research any suspicious calls, emails or texts.
  • Open attachments only from trusted sources.
  • Immediately delete any emails or texts asking for passwords or personally identifiable information (PII), such as social security numbers or financial information.
  • Don’t open any emails promising prizes or notification of winnings.
  • Download software only from approved sources.
  • Be wary of urgent requests or solicitations for help.
  • Make sure you have spam filters and antivirus software on your device.
  • When in doubt, contact IT to confirm any technology-related requests.

What’s the Difference Between Ransomware vs. Malware vs. Social Engineering vs. Phishing?

Ransomware, malware, social engineering and phishing all encompass different forms of ill-intentioned cyberattacks.

  • Malware is a general term formed by the words “malicious” and “software” that describes different types of software intended to compromise systems, obtain sensitive data or gain unsanctioned access to a network.
  • Ransomware is a category of malware where attackers use various methods to encrypt your data, making it inaccessible, or bar you from entry to a particular system or device. Attackers then demand a ransom in exchange for reinstating your access.
  • Social Engineering, by contrast, is a method used to extract sensitive details by way of human manipulation. With social engineering, hackers connect with users while pretending to represent a legitimate organization and seek to ascertain critical information such as account numbers or passwords.
  • Phishing is a form of social engineering that involves email, phone, text or illegitimate websites. In both instances, the collected information is used to access protected accounts or data.

While our guide acts as an introduction into the threats posed by social engineering, this is by no means an exhaustive list. Social engineering and the cybersecurity world change on a daily basis, and attacks are becoming increasingly sophisticated. The best way to combat cyberattacks is to stay informed about the latest attacks.

Read more about Cybersecurity.

As a seasoned cybersecurity expert with a comprehensive understanding of the intricacies surrounding social engineering, it's evident that this article provides a well-rounded overview of the subject. The author adeptly covers various concepts, ranging from the definition of social engineering to its historical context and infamous examples.

Let's delve into the key concepts covered in the article:

  1. Social Engineering Defined:

    • The article introduces social engineering as a method employed by hackers to gain the trust of end users and extract valuable information. This involves impersonating representatives of legitimate organizations to manipulate individuals into divulging sensitive information such as passwords or personal details.
  2. How Does Social Engineering Work:

    • The author outlines the typical path of a social engineering attack, including researching the target, making contact with the target, and executing the attack. This involves developing a rapport by offering easily obtainable details, often sourced from publicly available information on social media.
  3. History of Social Engineering:

    • Social engineering is described as a practice as old as time, with its term coined by Dutch industrialist J.C. Van Marken in 1894. The article also highlights the evolution of social engineering and its modern reference to deceiving people to obtain valuable information, often followed by a cyberattack.
  4. Famous Social Engineering Examples:

    • The article cites real-world instances of social engineering attacks, including the Target data breach in 2013, Yahoo security breaches in 2013 and 2014, and a notable CIA attack where a 15-year-old used social engineering to access sensitive information.
  5. Types of Social Engineering:

    • The article categorizes social engineering into various types, such as baiting, phishing, pretexting, quid pro quo, reverse social engineering, tailgating, whaling, and spear phishing. Each type is explained, offering a comprehensive understanding of the diverse tactics employed by hackers.
  6. Prevention and Protection Strategies:

    • The author emphasizes the importance of end-user training as the best form of prevention against social engineering attacks. Practical tips, such as researching suspicious communications, avoiding opening attachments from untrusted sources, and having robust security measures in place, are provided.
  7. Distinguishing Social Engineering from Other Cyber Threats:

    • The article clarifies the distinctions between social engineering, malware, ransomware, and phishing. It highlights that while malware is a general term for malicious software, social engineering focuses on human manipulation, and phishing is a specific form of social engineering involving deceptive communications.
  8. Continuous Adaptation in Cybersecurity:

    • The conclusion encourages readers to stay informed about the latest cyber threats, emphasizing the dynamic nature of social engineering and the need for ongoing vigilance.

In conclusion, the article serves as a comprehensive guide for readers, offering insights into the tactics, history, and prevention strategies related to social engineering. The inclusion of real-world examples enhances the credibility of the content, providing readers with valuable knowledge to safeguard against evolving cybersecurity threats.

What Is Social Engineering - The Human Element in the Technology Scam| Cybersecurity | CompTIA (2024)
Top Articles
Latest Posts
Article information

Author: Nathanael Baumbach

Last Updated:

Views: 5575

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Nathanael Baumbach

Birthday: 1998-12-02

Address: Apt. 829 751 Glover View, West Orlando, IN 22436

Phone: +901025288581

Job: Internal IT Coordinator

Hobby: Gunsmithing, Motor sports, Flying, Skiing, Hooping, Lego building, Ice skating

Introduction: My name is Nathanael Baumbach, I am a fantastic, nice, victorious, brave, healthy, cute, glorious person who loves writing and wants to share my knowledge and understanding with you.