What is Social Engineering? Cybersecurity and Data Privacy
As new online services such as social networking platforms and mobile applications have grown increasingly popular in the past decade or so, cybercriminals have also developed new methods and techniques that are geared toward stealing the personal information of online users. This being said, social engineering is one prominent way in which criminals can use deception and subterfuge to steal a consumer’s personal data, be it in the form of financial account details, or a person’s social security number, among other pertinent information. Just as con artists throughout history have used verbal manipulation and observational skills to take advantage of unsuspecting people, these same concepts are still being utilized today, albeit in another medium.
How does social engineering work?
The basic concept behind social engineering hinges on a cybercriminal or bad actor posing as someone they are not, such as the manager of a bank, with the goal of stealing some form of information or data under the guise of a legitimate interaction. To illustrate this point further, many consumers within the U.S. may have come across scam Paypal invoices when looking through their email accounts. These emails are presented as legitimate communications that were sent on behalf of the multinational financial technology company. However, when a user clicks on such an email and provides their personal information, they will in fact be disclosing their data to a cybercriminal that is looking to take advantage of them.
To this end, social engineering looks to capitalize on the trust that people within a particular society will have in certain businesses, financial institutions, media companies, etc. In going back to the example of Paypal, the online services that are offered by the company represent one of the original ways in which friends and family members, as well as consumers, could send payments to one another via the internet in a safe and secure manner. Due to the reputation that Paypal has built over the years, many people will see an invoice from Paypal in their email and think nothing of it, whereas a similar invoice from another company that did not have the same reputation would likely elicit some level of suspicion and apprehension.
Forms of social engineering
With all this being said, a cybercriminal that is looking to launch a social engineering attack again an individual or business alike can leverage a wide range of different techniques to do so. Likewise, phishing attacks are perhaps the most common form of social engineering that the everyday consumer will have come across, as fake Paypal emails that are sent to a person’s email account are a textbook example of such social engineering attacks. Nevertheless, there are a number of other methods that cybercriminals can also use to proliferate a social engineering attack. For example, baiting is a technique that is very similar to phishing, the only difference being that the former will attempt to promise a consumer a particular product, good, or service in order to get them to respond to their scam email.
Alternatively, pre-texting is another method that a cybercriminal can use to pilfer personal information from a particular person. When using this method, a cybercriminal will usually set forth a fraudulent scenario to a consumer, with the goal of having the consumer in question provide the criminal with their personal information. For instance, many users will have to confirm their identities when they forget their username or password for an online account. As such, a cybercriminal using a pre-text attack may pose as a legitimate HR employee or C-suite executive in order to steal the identity of a given consumer.
Conversely, in spite of the numerous ways in which criminals can steal the personal data of others using digital methods, there are still instances where a cybercriminal will attempt to gain access to such data within the scope of a physical workspace. For example, Colin Greenlees, a security consultant at Siemens Enterprise Communications, was able to gain unauthorized access to an FTSE financial services firm in 2009, in what is known as a tailgating attack. As the name implies, a tailgating attack involves tailing an employee of a business into a restricted area of the said business, and then obtaining personal information in the same manner that another legitimate employee would. This can include sitting in on company meetings, stealing paperwork from an employee’s desk, and asking fake questions to gain legitimate information, among other things.
While cybercrime was already on the rise in recent years, the onset of the global COVID-19 pandemic only provided criminals with further incentives to steal the personal data of other people. To this point, many of these criminals would utilize social engineering attacks when looking to steal information, such as unemployment benefits scams that were levied against American citizens in cities such as Washington, DC, in addition to many others. What’s more, in contrast to many other forms of cybercrime, social engineering attacks are designed to prey on the very thoughts and emotions of everyday people, as opposed to attacking a computer system or online database directly. Due to this fact, people all around the world will have to use more discretion when it comes to their online communications in order to avoid falling victim to a social engineering attack.