Average reading time: 5 minutes
If you want to break into someone’s house, it is so much easier if the home owner opens the door and lets you in.
This basic truth is well-known to cyber-attackers. Yes, it’s possible to hack into IT systems using complex ‘brute force’ and ‘man in the middle’ techniques. But many bad actors prefer a more direct approach: to simply trick victims into handing over the keys.
This is called social engineering, and it describes a type of cyber-attack in which criminals manipulate company insiders into revealing confidential information.
Sadly, the attacks are frequent. In the summer of 2022, for example, an 18-year-old hacker successfully infiltrated Uber’s systems by posing as an employee and texting a staff member to request a password.
In its 2022 Mobile Security Index Report, Verizon reported that 82% of breaches involved a human element, including social attacks (along with errors and misuse).
It added that, in 2021, five out of six organizations confirmed that they had experienced an email-based phishing attack that tricked users into a risky action, such as clicking a bad link, downloading malware, providing credentials or
executing a wire transfer.
So how do they do it?
Well, it’s not complicated. In fact, social engineering deploys techniques that have been used by tricksters and con artists for hundreds of years.
No coding skills needed. Just a bit of psychology and some patience.
But being aware of these tricks can help to arm people against them. So here are eight of the most prevalent techniques…
# 1. “Hey, we’ve met before”
It’s easier to gain someone’s trust if you think you know them. Hackers are well aware of this. And in a connected world, it is pretty easy for them to find the information they need. They can check LinkedIn for example, and explain that they were at the same industry conference you attended last month. They might even check ‘out of office’ replies from colleagues to gather information they can to write something like…”Hey John. Since Jane is on vacation till September 10, can I ask you a question?”
# 2. “There’s no time to check, I’m in a hurry”
Once a hacker has successfully gained a victim’s trust, it might be a while before they perform the attack. But when it comes, there could be some kind of time pressure. It could be a text or email that says: “I've lost my login details and my plane takes off in five minutes. Please help!”
# 3. “I’m your boss. Do what I say”
It’s easy for hackers to find out the names of senior executives at an organisation. The details are all public. So once hackers successfully enter the company system, they can then pose as the boss and request information from staff. If the ‘boss’ makes a demand that bypasses security processes, employees will find it hard to refuse.
# 4. "I really need your help"
Most people are kind and friendly. Regrettably, cyber-attackers abuse this positive aspect of human nature to get what they want. Thus, a hacker that has forged a connection with his or her target will ask a favour such as: "Can you open this file for me? I can’t access it on my laptop.” The recipient will do as asked, and the attacker will hack into the system.
# 5. “You’ve won!”
Everyone loves a freebie, right? It’s amazing how even high earners will fall for a trick that involves a gift of some kind. But the reward doesn’t have to be financial. In a work environment, an infected file could even come in the form of an email that reads: "You have a secret crush – click here to find out who it is."
# 6. “Don’t be awkward”
It’s human nature to fall in with the herd. No one (well, almost no one) wants to stand out. Hackers will exploit this. They will send an email saying something like: "You're the only one who hasn’t answered this questionnaire. Please do it now."
As you can see, social engineers have a range of tricks they can use. They also have time. So if one fails, they will persist until they find a way in.
This is worrying. And it explains why, for all the attention of cybersecurity, attacks such as the one on Uber still succeed.
Still, there are several ways businesses can reduce the threat. It’s just a question of keeping employees trained and aware of the most common techniques. You can find more information here.
- Cybersecurity in 2022? Remote working and mobile are changing everything
- What to do in a data breach
- The Internet of threats