Social Engineering: A Current Threat with A History Stretching Back to Ancient Greece

Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE, explains why social engineering has historically been so effective and lays out some of the most common tactics used by cybercriminals today.

July 06, 2023 — by Dr. Ronald Menold, Director of Cybersecurity Services, COSECURE Cybersecurity

While technology is growing ever more sophisticated, the basic human emotions of greed, fear, curiosity, loneliness, helpfulness, and group solidarity stay the same over millennia. These emotions leave us vulnerable to manipulation. Indeed, we’ve been falling for scammers who use social engineering techniques to lure us into helping them achieve their unscrupulous aims since the times of Helen of Troy.

In fact, consider the earliest example of social engineering: the story of the Trojan horse as told in Homer’s Odyssey. The Greeks laid siege to Troy but were not able to breach the city’s defenses. Seeing that their conventional warfare tactics weren’t working, the Greeks decided to deploy a ruse. They made a big show of ending the siege and sailing away in apparent defeat, leaving behind a giant wooden horse as tribute to the Trojans. The Trojans, believing their eyes, pulled the horse into the city, reveling in their victory. But the Trojan horse was hollow, and inside it sat Greek soldiers who waited silently for the Trojans to fall asleep. In the dead of night, the Greek soldiers climbed down from the horse and opened the gates of Troy to the rest of their army, which sailed back to the Trojan shore after sunset. The Greeks, capitalizing on the element of surprise, laid waste to the city of Troy, securing a final victory.

Do you think we’ve become more sophisticated since the days of Ancient Greece? Maybe so. But we’re still likely to fall for the most basic of ruses. Wear a hardhat and carry a clipboard, and you’re likely to sail past security in many buildings. Ditto for wearing coveralls and carrying a plumber’s toolbox.

Social engineering in the context of cybersecurity

Cambridge Dictionary neatly encapsulates what social engineering is in the context of cybersecurity: attempts to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes. 

Social engineering techniques are a key weapon in the arsenal of cybercriminals. Most hacks and breaches are not brute-force attacks in which hackers defeat a system’s security measures through sheer coding prowess. Rather, most crimes start with a social engineering campaign designed to lure someone into giving up their credentials – essentially handing over the keys to the front door of the system.

Kevin Mitnick, a famed hacker whose exploits are celebrated in both the hacking and the cybersecurity communities, attributes much of his success to figuring out the right social engineering approaches to his targets, rather than to his coding. In his illustrious hacking career, he has tried many approaches to finding the information he needed to get inside, from dumpster-diving to find an employee directory and a pile of source code to calling up the switchboard of a target company and convincing them to send him valuable information.

Some of the most common social engineering techniques used in cybercrime include:

  • Phishing: This commonly involves impersonating a business that the victim knows, trusts, and uses, such as a bank, utility company, email provider, or streaming service. Typically, an email or a text is sent to victims asking them to input their login information, and when they do, the hacker sees it and gains access to the account.
  • Spearphishing: A subset of phishing, this is a targeted and personalized attack against a specific individual using information about the victim that is often gleaned from social media.
  • Baiting: This uses an enticing offer to tempt a person into taking an action, such as downloading a file onto their computer. The most common aim of baiting is the installation of malware on the victim’s computer. The malware’s function varies: it may transmit keystrokes back to the cybercriminals, sharing all of the victim’s login credentials with them, or it may lock the affected IT system and demand a ransom to unlock it.
  • Scareware: This attempts to sow fear and panic by targeting victims with fake threats and alarms. Scareware can take the form of an urgent notification that one’s computer is infected and that the victim must immediately install software to clean it, or it can take the form of a robocall from a supposed government agency informing the victim that their identity has been stolen and urging them to speak to an agent.
  • Quid Pro Quo: This involves a requested exchange of sensitive information, like login credentials, for a service. For example, a cybercriminal can impersonate someone from the IT department and ask the victim for their login credentials in order to update software on a company computer.

Protecting yourself from social engineering

One of the most potent ways to stop potential scammers is to use a trusted phone number or email address to verify suspicious information. For example, if you get an email notifying you that you must change your online banking password, do not immediately click on the link provided, and do not use any contact information from the email itself to verify its authenticity. Instead, call a customer service number you are certain belongs to your bank, such as the one printed on the back of your debit card.
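As an added illustration of the trusted-channel rule above (example code, not from the article or from COSECURE), here is a small Python triage check that surfaces the reasons an email’s own contact details cannot be trusted: a sender domain that is not the bank’s, link text that shows one address while the link goes elsewhere, and a phone number supplied by the message itself. The message, the bank name and examplebank.com are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name and visible link text claim to be
# the bank, while the sending domain and the real link target do not match the bank's domain.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.com>
To: customer@example.org
Subject: Action required: reset your online banking password
Content-Type: text/html

<p>Your password must be changed today.
<a href="https://examplebank.com.login-reset.example">https://www.examplebank.com/reset</a></p>
<p>Or call us at 555-0100.</p>
"""

# Assumption for this example: examplebank.com is the bank's genuine domain, known from a
# trusted source (the card, a saved bookmark), never from the message being checked.
TRUSTED_DOMAINS = {"examplebank.com"}

def registrable_domain(host):
    """Last-two-labels heuristic; a real deployment would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS

def check_message(raw):
    """Return findings explaining why the message's own contact details cannot be trusted."""
    msg = message_from_string(raw)
    findings = []
    m = re.search(r"<([^>]+)>", msg.get("From", ""))
    sender_host = (m.group(1) if m else msg.get("From", "")).rsplit("@", 1)[-1].strip()
    if not is_trusted(sender_host):
        findings.append(f"sender domain {sender_host!r} is not a trusted domain")
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        if not is_trusted(href_host):
            findings.append(f"link target {href_host!r} is not a trusted domain")
        shown = urlparse(text.strip()).hostname  # what the reader sees vs. where it goes
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(f"link text shows {shown!r} but points to {href_host!r}")
    if re.search(r"\b\d{3}[-.]\d{4}\b", body):
        findings.append("message supplies its own phone number; use the one on your card instead")
    return findings
```

Running `check_message(SAMPLE_EMAIL)` yields four findings; a message whose sender and links all resolve to the bank’s genuine domain, with no embedded phone number, yields none.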

Another way to minimize the likelihood of a social engineering attack is to manage your social media postings prudently. Remember that social media posts are public and that we often provide more information than we think, especially in photos and videos. Cybercriminals mine social media for personal information so that they can make their approaches more targeted and personalized. The less information they have, the less potent the social engineering attack will be.

If you would like to discuss ways to educate your company’s employees so they become more resistant to social engineering attacks, we can help. Contact Dr. Ronald Menold, Director of Cybersecurity Services, to discuss the best options for protecting your business and your employees.

Dr. Ronald Menold, Director of Cybersecurity Services at COSECURE Cybersecurity, brings deep knowledge gathered over his 24-year career as a Supervisory Special Agent with the FBI. Ronald holds the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications from (ISC)2 and EC-Council respectively, as well as multiple SANS/GIAC certifications. Ronald holds a Bachelor's in Computer Engineering and a Doctorate in Computer and Information Security.

COSECURE, an ancillary business unit of Cozen O'Connor, assesses client technology systems for cyber risks, teaches employees how to protect themselves and their companies from hackers, and helps clients respond to cybersecurity threats, data breaches, and financial fraud.
