What is social engineering and how can you protect yourself from targeted hacks?

An element of social engineering is a part of most online attacks (Dominic Lipinski / PA)

When it comes to cybersecurity, everyone is familiar with viruses and phishing emails. But what about social engineering?

While not exclusive to online crime, nearly all cybercrimes involve an element of social engineering — some considerably more sophisticated than others.

But what exactly is social engineering and what can you do to protect yourself from it?

Read on to find out more.

What is social engineering?

Broadly, social engineering is psychologically manipulating someone to do what you want. Anything from flirting your way out of a speeding ticket to flattering your way to a payrise is technically social engineering — albeit mostly harmless.

In the context of cybersecurity, social engineering is a blanket term for non-technical tactics used by hackers to get something they want — be it access to private accounts or money sent their way.

You’ll undoubtedly have seen some examples of this yourself — the various dating app crypto scams, for example, or the ‘hi mum’ WhatsApp messages that did the rounds last year. You may remember the low-tech Royal Mail text message scam where victims were led to fake sites to pay non-existent fees, too.

But they come in many forms, and can be incredibly sophisticated, especially if your details have been revealed in a data breach. If Company X is hacked, revealing customer names, addresses, and dates of birth, then a hacker could use this information to seem more authentic when contacting you, making you more likely to let your guard down and believe the approach to be legitimate.


Social engineering vs phishing — what’s the difference?

Phishing is a type of social engineering, but it’s limited to email, text messages, social networks, and other websites. You may get a fake email telling you that your Facebook account has been hacked, for example, but if you click the included link, you’ll be taken to a website that appears authentic but isn’t (e.g. faceb00k.com).
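The faceb00k.com trick above is easy for a person to miss but simple for software to catch. The following is an added example, not code from the article: a small checker that flags a link whose domain imitates one of a constructed allow-list of real domains, by undoing digit-for-letter swaps, spotting a brand name buried in a subdomain, and measuring typosquat edit distance. The allow-list and the two-label rule for the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the real domains we want to protect (assumption).
TRUSTED = {"facebook.com", "apple.com", "royalmail.com"}

# Digits and symbols that read as letters at a glance, as in 'faceb00k.com'.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "@": "a", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a brand name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(url: str):
    """Return the trusted domain a URL imitates, or None if it is genuine or unrelated.
    Assumes the registrable domain is the last two labels (no Public Suffix List)."""
    if "://" not in url:
        url = "http://" + url          # urlsplit only finds a host after a scheme
    host = (urlsplit(url).hostname or "").strip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    domain = ".".join(labels[-2:])
    if domain in TRUSTED:
        return None                    # the real site
    # 1. Digit-for-letter swaps: faceb00k.com -> facebook.com
    if domain.translate(CONFUSABLES) in TRUSTED:
        return domain.translate(CONFUSABLES)
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # 2. Brand hidden in a subdomain or hyphenated label: facebook.com.evil.example
        if any(brand in label for label in labels):
            return trusted
        # 3. Typosquat one edit away from the brand label: facebok.com
        if edit_distance(labels[-2], brand) <= 1:
            return trusted
    return None
```

Substring matching in step 2 will also flag innocent names that happen to contain a brand, so in practice the result is a prompt to look closer, not a verdict.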

What makes social engineering so insidious is that it’s not limited to the online space, where people tend to be more cautious. It covers everything from fake phone calls to malware-packed USB keys planted in company carparks, left there in the hope that somebody’s curiosity will get the better of them, giving a criminal access to a company’s internal workings.

Does social engineering involve malware?

It doesn’t have to. Clicking a suspicious pop-up advert warning you that you have a virus will likely download all kinds of nasties onto your computer, but if somebody manipulates your password out of you by other means, there may be no need to infect your PC at all.

Yes, you can get people’s passwords via a keylogger sneakily installed via an infected website or USB stick, but the point of targeted social engineering is getting the same information via a target trusting you — and ideally leaving them none the wiser that they’ve been compromised. That’s what makes it quite so sneaky.

Hackers can trick you into believing they’re a friend (Mika Baumeister on Unsplash)

Are social-engineering attacks always online?

While the attacks themselves don’t have to be, our increasingly connected world means that the outcome is usually computer-based in some capacity — simply because that’s where the valuable targets are.

But the attack methods don’t have to be at all. Indeed, the recent bout of iPhone thefts can reportedly involve an element of offline social engineering, where targets are befriended on nights out and encouraged to enter their passcode in sight of the criminal. In other words, the method of obtaining the information may be offline, but the outcome (locking people out of their Apple accounts) is online.

Why are social-engineering attacks popular?

The short answer is that humans are fallible and that’s easy to exploit. Rather than trying to find a hole in a company’s expensive security system, it’s far easier for a criminal to gain access to the same system via a legitimate but stolen password: a weak link in a stronger chain.

Ease aside, another reason is that it’s cheap — or it can be.

While the most sophisticated social-engineering scams can be extremely time-consuming, with the attacker building a profile of the target before making contact, in its most basic form it’s just a mass-phishing email or a browser pop-up.

That’s cheap, and while most people won’t fall for it, enough people do that it’s still worth trying. After all, there’s a reason you still see the Nigerian prince email scam doing the rounds, even after it’s been roundly ridiculed in pop culture for decades.

How to avoid social-engineering attacks

The nature of social-engineering attacks is that they’re always evolving, which makes hard and fast advice about avoiding them tricky. That said, these tips will stand you in good stead in general, and leave you more resilient when it comes to new and emerging threats.

Take a minute

Generally, one thing most social-engineering attempts have in common is a sense of urgency. People do silly things under pressure, or when they feel they have to act immediately, so take a moment to assess whether what you’ve been told is plausible.

Respond in your own way

With this sense of urgency, your attacker will often offer a simple solution — click the link to confirm it wasn’t you making the purchase, or simply confirm your details to the man from the bank who has called you out of the blue.

If these are genuine correspondences, then you should be able to contact the source on your own. Visit the official website of the company, or hang up and phone the bank directly via the official number.

Check what they know

If you get a phone call claiming to be from a business you work with, you would expect them to know certain details about you, such as your address. If they don’t, there’s a good chance they’re blagging and not who they claim to be, so follow the advice above and call them back via a known number.

(Of course, this isn’t completely foolproof if your details have been exposed in a data breach. So if the call is from a company that has just had records stolen, be extra vigilant.)

Get strong, unique passwords for every site

While having a strong password won’t protect you from a social-engineering attack per se, it can limit the damage. People who share passwords between websites are making it all too easy for cybercriminals to try the login credentials all over the web (automated systems exist to do this in minutes).
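The “automated systems” mentioned above try leaked username and password pairs against a site’s login page, typically one attempt per account from the same source. This added example (not from the article) shows what that looks like from the defender’s side: a short detector that reads a constructed authentication log and flags any source address that tries many different accounts inside one sliding window, reporting which of those logins succeeded so the affected accounts can be reset. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a site's login log (not from any real system).
LOG = """\
2024-05-01T09:00:01 ip=203.0.113.7 user=alice result=fail
2024-05-01T09:00:02 ip=203.0.113.7 user=bob result=fail
2024-05-01T09:00:02 ip=203.0.113.7 user=carol result=fail
2024-05-01T09:00:03 ip=203.0.113.7 user=dave result=success
2024-05-01T09:00:04 ip=203.0.113.7 user=erin result=fail
2024-05-01T09:00:05 ip=203.0.113.7 user=frank result=fail
2024-05-01T09:05:00 ip=198.51.100.4 user=alice result=fail
2024-05-01T09:05:30 ip=198.51.100.4 user=alice result=fail
2024-05-01T09:06:00 ip=198.51.100.4 user=alice result=success
"""


def parse(line: str):
    """Split 'timestamp key=value ...' into (time, ip, user, succeeded)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["ip"], fields["user"], fields["result"] == "success"


def stuffing_sources(log: str, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (peak_distinct_users, [accounts it logged into])} for every
    source that tries at least `min_users` different accounts within `window`.
    Many accounts from one address is the stuffing signature; one account
    retried many times (198.51.100.4 above) is not flagged by this check."""
    by_ip = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u, _ in events[start:end + 1]}))
        if peak >= min_users:
            hits = sorted({u for _, u, ok in events if ok})
            flagged[ip] = (peak, hits)
    return flagged
```

Every successful login listed for a flagged address is a reused password that has already leaked elsewhere, which is exactly the damage a unique password per site prevents.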

We all know the password advice — make it long (eight-plus characters), strong (a mix of letters, numbers, and special characters), and unique. A password manager, like LastPass or Bitwarden, can automate this for you and make you less of a target.