Social engineering is dynamic in that malicious actors are constantly changing their tactics in how they extract information from users.
Social engineering can take the form of a telephone call, such as someone who aggressively asks for information. For example, the caller could claim they are working with your boss and demand that you provide them with information immediately. Social engineering can also be done via email.
Social engineering usually involves authority. The bad actor attempting to perform social engineering assumes a role of authority so that the victim is more likely to comply. For example, the social engineer could claim to be law enforcement, a help desk technician, a CEO, etc.
Intimidation is also a factor of social engineering. The social engineer will claim that if you don’t comply with their requests, something bad will happen.
Social proof/consensus is also often used in social engineering. The social engineer will try to convince the victim that what they are asking is normal or that others have already done it.
Social engineers also use the principle of scarcity to get their victims to act now. They create a situation in which the victim believes they must act immediately, providing a sense of urgency so that the victim acts quickly rather than taking the time to think.
Social engineers may attempt to establish familiarity or liking with the victim. They may say "I'm a friend of a friend" so that the victim feels a sense of familiarity and connection with the social engineer. They may also try to find a common interest with the victim, such as being a fan of the same sports team.
Similarly, social engineers attempt to establish trust. For example, the social engineer may say they're from the help desk, are just trying to perform updates to help you, and only need your credentials to do so.
Phishing
Phishing is a type of social engineering combined with spoofing. Phishing is commonly done via email. The malicious actor will send an email or other form of communication that looks legitimate. For example, they'll send an email that looks like it's from your bank and asks you to click on a link. The link may take you to a website that also appears to be the bank's website. It may have the bank's logo and layout. However, if you check the URL of the page, you'll notice that it's not the bank's URL. For example, if your bank's website was https://www.mybankABC.com, the URL of the phishing website might be https://www.mybankACB.com. Usually, there's something a little off with phishing: there may be spelling mistakes, the fonts are different, graphics are wrong, layouts are different, etc.
When phishing is done over the phone, it's called vishing (voice phishing). An example would be a caller who pretends to be from a credit card company and says that there are suspicious charges on your card. They just need you to read your credit card number to them so that they can confirm you are the actual card holder.
Spear phishing
Like with actual fishing, many phishers try to cast a wide net by sending their malicious content to a large number of people. The more phishing attempts they send, the more likely someone will fall for one. Such phishers usually care about quantity rather than quality; they don't care who their victim is.
Spear phishing, on the other hand, is when phishers have a specific group of people they are targeting. For example, phishers may target the accounts payable department of a company in order to get financial information.
When spear phishing is targeted toward the highest executive levels of an organization, it’s called whaling.
Impersonation
Impersonation is a big part of social engineering. The malicious actor pretends to be someone they’re not. They can research information about you or someone else in order to make it appear they are who they say they are. For example, a victim could have posted on social media that they are going on vacation with a particular tour company. The social engineer can see that social media post and contact the victim and pretend to be an employee of that tour company. The victim does have a tour booked with that tour company, so they are likely to believe the social engineer is who they say they are.
Shoulder surfing
While you are working on your computer, your screen may have sensitive information displayed on it. It's very easy for people behind you to see this information and use it for malicious purposes. This is called shoulder surfing. The shoulder surfer doesn't even need to be that close behind you: if you work in a building with see-through glass windows, someone in a neighboring building or someone on the ground can use binoculars or a telescope to see your screen.
Tailgating
Tailgating is when someone who is not authorized to enter a building follows an authorized user through the door in order to gain access. For example, a door may require an access card to enter. Someone without an access card can wait for a person who does have one to enter, then ask that person to hold the door or simply follow closely behind, so that they get in without a card. It's common for the tailgater to have their hands full, to make it seem as if they do have an access card but can't use it at the moment. This exploits the courtesy of others, who will hold the door open for them.
Tailgaters may also try to blend in by wearing the same kind of clothing that authorized users wear. This could be employee clothing, or, if a known contractor (such as a telephone company) is doing work in the building, the tailgater could dress to match the contractor so they appear to have a reason to be in the building.
Dumpster diving
Sensitive information is often thrown out in the garbage. Malicious actors can go through the garbage to collect this information. They can gather employee names or contact information and then use it in an attack. This process of going through the trash is called dumpster diving.
In the United States, it may actually be legal to go through another person's trash. Therefore, to safeguard your information, be sure to shred documents containing sensitive information before discarding them.