What Is Social Engineering?
by Sophos Guest Blog • Apr 28, 2017
It’s a key part of criminal activities, often an important step in phishing campaigns. But what is social engineering, exactly? Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right.
Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent.
If you’ve ever received a phishy email, you’ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.
Crooks have a lot of weapons in their social engineering arsenal to get recipients to take action, including:
- Creating a sense of urgency, perhaps by setting a deadline for action
- Impersonating someone important such as your company’s CEO
- Mentioning current events to make messages more authentic
- Obscuring malicious URLs to make them look legitimate
- Offering an incentive like a payout or a promotion
Phishing can’t work unless the first step – the social engineering – convinces you to take an action. But the social engineering used in phishing attacks is getting more targeted and sophisticated every day, as attackers try to stay ahead of users or go after bigger, more strategic targets.
Of course, social engineering isn’t just limited to email phishing campaigns.
Social engineering can happen over social networks, in person, and over the phone as well. A supposedly innocent call to your desk from “tech support”, asking for a few seemingly minor details such as which operating system your company uses, can hand an attacker a treasure trove of information.
It can be difficult to completely avoid falling victim to social engineering, but there are a few things you can always keep in mind:
- Trust your gut feeling – if something seems fishy, slow down, take no action, and verify the situation. For example, speak to your boss in person if you aren’t sure if an email really is from them.
- If someone’s asking for sensitive information like a username and password over the phone, hang up. Legitimate customer service or technical support staff would never ask for this information.
- Avoid clicking links in emails or opening email attachments, especially when they’re unexpected. Remember that attackers can easily pose as someone you know or work with.
- Remember that you are in control. Don’t let anyone talk you into doing something you’re not sure about – ignore pressure tactics to get you to act and take a step back.
Ultimately, stay alert and cautious. If something seems too good to be true, it nearly always is.