What is social engineering (social manipulation)?
Put simply, social engineering, or social manipulation, is a manipulation technique in which cybercriminals exploit human psychology and people’s instinct to trust in order to obtain private information, login credentials, or valuables.
In such scams, cybercriminals manipulate the user’s behaviour through carefully designed emails, voicemails, or text messages, convincing the user to carry out actions such as transferring money, providing confidential information, or downloading files that install malware on the company network.
Summed up, these social engineering techniques all have one thing in common: the human element and people’s susceptibility to being misled.
What might a social engineering attack look like?
There are many types of social engineering fraud. For example, phishing attacks, where victims are tricked into providing confidential information; vishing attacks, where a voicemail or phone call convinces victims to act on fake instructions; or physical tailgating, which relies on trust to gain entry to the premises. Visma’s Chief Information Security Officer, Ole William Ingelsson, explains:
“Very often we see these social engineering attacks have an element of urgency in them, like a bank transaction that needs to be completed within a very short deadline and thereby trying to limit victims’ ability to think clearly.”
Here are some of the most common social engineering methods:
- Baiting: An attack that lures users into a trap with false promises, which can be either online or physical.
- Malware: Psychological manipulation that tricks users into believing malware is installed on their device and that they must pay a certain amount to have it removed.
- Pretexting: When a false identity and a fabricated scenario are used to trick victims into providing their information.
- Tailgating: Following employees into the physical workplace without having access rights of one’s own (for example, access cards or door codes).
- Phishing: Tactics include fake emails, websites, and text messages to steal information. These emails are sent to thousands of people and do not target you specifically.
- Smishing: Phishing carried out over the phone via SMS text messages.
- Spear Phishing: The same thing as phishing but a specific company or person is targeted (often the CEO or sometimes the whole company).
- Vishing: A voicemail or phone call in which the caller pretends to be someone else and urges employees to act quickly. Pretty much phishing, but over the phone. More sophisticated scammers can even use voice changers to conceal their identity and switch to either a female or a male voice.
How can your business, or you as an employee, prevent social engineering attacks?
As a company, it is important to focus on changing behaviour by raising awareness of such cyber attacks. With the right knowledge about how they can be scammed by a social engineering attack, employees will be more vigilant and on guard when receiving suspicious emails, calls, or requests, and they will also know how to act accordingly.
So, when it comes to social manipulation: What should you as an employee be careful about?
As an employee, do not click on suspicious links, and always verify the sender’s identity if you receive emails or phone calls. For phone calls, if you are in doubt, call the person the caller claims to be: that is, place your own call to that person to confirm that they really did try to reach you, rather than simply calling back the same number that called you.
Emails are never too urgent for double-checking, and if in doubt, ask your colleagues or manager for a second opinion. In addition, always be careful about who you let into the office building. Avoid holding the door open for a stranger, especially if the stranger does not carry a badge that verifies his or her relationship to the workplace.
What should you do if you become a victim of a social engineering attack?
Do not feel ashamed; remember that it can happen to anyone. Also, do not keep it to yourself. Contact your security team directly as soon as possible and give them as many details of the attack or scam as you can.