What is Social Engineering? 8 Tactics & How to Defeat Them

It doesn’t really matter whether you’re a consumer making under six figures or a multinational corporation with thousands of employees and shareholders. Social engineering is an equal opportunity scam.

For social engineers, your personal data represents a potential goldmine, from access to linked accounts through data caches stored in corporate servers. Attacks like these lead to millions of dollars in losses each year. So, how can you protect yourself (or your business) from social engineering attacks? Let’s find out.

Social Engineering: Social engineering attacks occur when a fraudster impersonates a trusted individual, such as a representative from a billing department or an employer. This is done to convince their victim to release important proprietary information like passwords or account numbers.

Essentially, social engineering is a confidence scam. They are entirely based on trust. The social engineer will choose a victim, earn their confidence, and then attempt to trick that individual into providing them with confidential information. This generally works through four basic principles:

Confidence: Social engineers may pretend to be someone you trust, or impersonate an authority figure (a boss, government official, etc.).
Consensus: Using peer pressure or social proof to force someone to act against their own best interests.
Familiarity: Faking complex feelings to manipulate victims into acting. For example, a dating scam.
Urgency & Scarcity: Applying a sense of urgency to queries or conversations, is the hope of rushing victims into acting without thinking.

Social engineers will generally target victims through email, online direct messages, text messages, or even phone calls. Unfortunately, these scams become more frequent and cast a broader net every year.

Around 90% of all data breaches involve some form of social engineering. These individual attacks add up quickly; IBM reports that the average cost of a single social engineering-related data breach hit $9.44 million in the US in 2022.

As mentioned above, the name of the social engineering game is persuasion. For instance, if someone you don’t know emails you from an unrelated business demanding you change your business login credentials, you’re not likely to follow those instructions. However, if the scammer is able to pose as someone you know and trust, like your manager or boss, it’s much easier for them to convince you. This is the genius of social engineering.

Scammers develop new tactics every day. Make sure you're protected.

A lack of investigation and critical thinking is the entire goal of social engineers. They aim to manipulate you into making a mistake through heightened emotions. Inciting anger or outrage, for instance, is one of the easiest ways to make someone act without thinking. The same applied to fear; you might lose your position, account, or status if you fail to follow instructions.

CASE IN POINT

Recently, the so-called “Look Who Died” scam has been widely circulated on Facebook and TikTok. Using this particularly horrible tactic, social engineers will target victims, claiming that a friend or loved one died, and providing a link. The victim clicks on the malicious link, and their profile is compromised.

Without some form of emotional manipulation, social engineers would struggle to connect with their victims. It’s a lot easier to “hack” a person’s feelings than a complex series of security measures.

The point of social engineering is to be customized to the victim. Thus, there are almost as many ways to engage in social engineering as there are humans out there. Here are a few of the most common tactics, though:

Business Email Compromise (BEC)

Business email compromise, commonly abbreviated to BEC, is a scam conducted through email. With a BEC attack, an email will appear to come from a legitimate source within the business. However, the sender is an imposter attempting to trick other members of the organization to divulge sensitive information.

Catfishing

Catfishing is a particularly cruel scam, also known as a “honey pot” scam, in which a fraudster poses as a romantic love interest via an online dating site or app. The catfisher will develop and maintain an online relationship with their victim for several days to weeks. They may then claim to be in a “tough spot,” or are going through some emergency, and convince the victim to send them money.

Pretexting

Pretexting revolves around the word “pretext.” It means to provide someone with a half-truth or series of small lies in order to convince someone that the speaker does so from a position of authority. A great example of this would be someone posing as an HR representative and pretending to arrange documents and meetings with an employee of a company. In the process, the employee would inadvertently provide the scammer with bank information, their social security number, or other sensitive information.

Phishing

Phishing is the practice of tricking a targeted individual into voluntarily giving up access to personal information. The target is typically financial data, but any personal account could be subject to an attack. Phishing is the most common of all social engineering attacks. In fact, the tactic works so well, and so often, fraudsters have applied the tactics to newer methods, like vishing, clone phishing, and spear phishing.

Scareware

Social engineering scams are most effective when the victim is stressed or in a state of heightened emotion. Scareware was invented to literally “scare” victims into an action. For example, clicking a malicious link, downloading malware, or sharing fraudulent links with others. Scareware is generally targeted toward very young individuals or older generations that are less tech-savvy.

Tailgating & Piggybacking

Tailgating is a physical attack performed by someone willing to physically enter a company or organization as a means to steal data or deliver malware to a centralized database. This gutsy tactic requires someone willing to either pose as an employee of that company or a worker hired to fix a computer, wifi, or some other imaginary issue.

Water Holing

This is an old hunting term. It essentially means “finding prey where they gather.” The idea would be to first learn about the potential victim’s habits and likes online. Once habits have been identified, the fraudster will inject a marketing email, promo code, or webpage with malicious code from often-visited sites to attract clicks.

Quid Pro Quo

Quid pro quo means “this for that” in Latin. This implies that someone will give you something in exchange for something else. In a social engineering context, quid pro quo attacks seek to make allies of potential victims through empty promises, which the scammer has no intention of fulfilling.

This list is not exhaustive by any means. There are literally countless ways by which social engineers seek, target, and attack victims from every walk of life.Why, though? Why would fraudsters go to so much trouble to defraud a person, business, or institution when it could be incredibly risky for them?

Become a Full-Fledged Chargeback Genius

The only resource you need to become an expert on chargebacks, customer disputes, and friendly fraud.

Download the Guide

Ultimately, social engineering is so popular because it is so effective. Humans are often the weakest link in the fraud chain. Targeting them is often much simpler than developing and testing costly software to work around fraud detection tools.

Tricking a human being into making a mistake doesn’t cost much more than the fraudster’s time. It’s a lot easier than attempting to brute force their way through a company’s security system.

We now have a better understanding of how — and even why — you might be targeted by social engineers. So, let’s go over a few social engineering scams that have actually occurred in the real world, and see what we can learn from them.

1 | Facebook & Google Lose $120 Million

In arguably the most high-profile single social engineering attack to date, a Lithuanian man named Evaldas Rimasauskas perpetrated a spear-phishing attack against two of the largest tech companies in the world.

Rimasauskas created a dummy for a legitimate computer manufacturing firm that both : Facebook and Google trusted. Through this fake company, Rimasauskas and his crew set up several bank accounts in the company’s name. They then spent two years slipping duplicate invoices for goods and services the manufacturing firm actually provided to each company, but with the fraudulent bank account attached.

Between 2013 and 2015, Rimasauskas managed to steal over $100 million from each company before the fraud was finally detected.

2 | UK Voice Deepfake

The executive of a UK energy company received a phone call from what he believed to be his boss, the CEO of the firm’s German parent company. The receiver was asked to transfer over £200,000 to an unknown supplier.

The individual on the phone sounded like his boss, so the man did what he was asked to do. Only later did he learn that the voice was a simulation created using AI voice technology, and he’d inadvertently helped a scammer steal nearly a quarter-million pounds from his company.

AI voice attacks, or vishing attacks, are becoming more commonplace as the technology develops. The FBI warns both consumers and merchants to be extremely cautious of any phone call asking for funds transfers or account requests of any kind.

3 | Microsoft 365 Scam

In 2021, a particularly tricky business email compromise scam was discovered by security researchers using Microsoft 365 as a vehicle. The scam revolves around a fraudster sending out emails with the subject line “price revision.”

The email would be blank, save for an attachment that looks like an excel spreadsheet XLSX file. The file will actually be an HTML file that leads the victim to a website containing malicious code or false login areas that record the user’s credentials.

Merchants: are you sure you're protected against chargebacks resulting from third-party fraud?

The people who were targeted in these scams weren’t stupid, unwary, or even incautious. They were victims of circumstance, with very practiced social engineers driving them to act through human emotional response.

But, now that we see how easy it is to be targeted, let’s discuss how to watch out for future attacks.

The keys to defeating social engineering attacks are self-awareness and vigilance. Never act on anything that elicits panic, and always take a moment to breathe and think critically when something demands sensitive information or funds. Social engineers can only profit by making you act without thought.

Specific red flags you should be on the lookout for include:

Heightened Emotions

If you receive a call, email, or SMS message from anyone you know, especially someone with authority over you or one of your accounts, you need to stop and think before you click! Odds are, a social engineer will attempt to make you act out of fear, anger, or urgency. Tale a moment to pause and investigate the situation, and judge whether it makes sense.

Something Seems Off

Maybe you recognize the sender’s name in an SMS message or email. However, the content doesn’t align with a previous thread, seems strange or off-topic, or includes anything that doesn’t feel right. Again, take a pause to investigate. You can contact your friend or account manager through the usual channels to determine the legitimacy of the message.

Details are Skewed

Or, maybe you recognize an email or SMS for the most part, but the sending domain is different, or there are extra numbers or characters in the address. Same as above: stop and investigate before clicking anything! An example of this would be someone emailing you from Amazon customer support telling you that your account is being suspended. It seems legit, but there are a few spelling errors in the address line, like “support@amazon1.com.” Odds are, the person contacting you is not from Amazon.

It’s “Too Good to Be True”

Is the message or email you’re receiving offering you something highly unrealistic in exchange for clicks or sign-ups? Remember the old adage: if something sounds too good to be true… then it probably is.

Message Contains Links or Downloads

To be honest, you probably shouldn’t download or click any links at all unless you can verify the sender or are expecting the message from that individual. Always confirm a link is safe to click in advance of opening anything, especially at work.

50 Insider Tips for Preventing More Chargebacks

In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.

Get the FREE guide

Remember, not every act of fraud is transactional in nature. The number one way to stop social engineering is to always take a break and think before you react. It’s that reactive impulse that the scammer is after. So, if you nullify that response altogether, half the battle is already won.

For businesses, however, tackling social engineering is a much more complicated process. Companies have many moving parts, systems, and employees, and any one of those could be targeted.

With that in mind, here are a few tips for businesses to avoid being victimized by social engineers:

Education is Key

Make sure your staff and management are frequently engaged in education and training that promotes employee safe practices and enhanced data security. Informing your staff of recent threats and constantly educating them about proper protocols and responses is essential to stopping social engineering scams.

Verify Every Provider

As the Facebook and Google scams should warn you, even vendors and third-party providers should be vetted thoroughly for every transaction, order, and invoice. This includes checking IDs, login keys, and sourcing credentials.

Establish Security Protocols

Employees should be asked to create, or even be assigned credentials. They should also follow a strict set of protocols for how and when those credentials are used, and by whom.

Leverage ID Proofing

One of the fastest ways to confirm a fraudster is not who they say they are is to find out where they’re contacting you from. Through reverse email and IP address lookups, you can gauge the risk associated with an email address or the location from which that email was sent. If neither address matches the legitimate sender, it’s likely a scam. If it’s a scam phone call, you wouldn’t be able to trace the phone number to the business in question, as scammers use online phone numbers and burner phones.

Secure Offices & Equipment

Never allow any vendor or third-party service provider into your place of business without thorough ID and invoice checks. Also, never leave hardware or equipment unsecured in your offices. You should have a strict series of protocols for connecting to your company’s server and software, and deploy anti-malware and anti-virus software at all times. Beyond this, securing your premises each night and ensuring everyone in your company must have badges to enter is also very important.

Let’s face it: fraud prevention is a complex network of interrelated issues. It’s not easy to stay current… but it can be very costly to get it wrong. Even just once.

This is why hiring an outside expert to help your business develop and deploy an effective fraud management strategy can be incredibly beneficial to your bottom line.

As an expert in the financial security and fraud management services industry, Chargebacks911® is uniquely placed to help your business detect and fight back against all manner of fraud and chargebacks… including social engineering scams. Call us today to get a free ROI analysis.

FAQs

What is an example of social engineering?

One example of social engineering is BEC or business email compromise. This is a scam conducted through email. With a BEC attack, an email will appear to come from a legitimate source within the business. However, the sender is an imposter attempting to trick members of the organization into divulging sensitive information.

Is social engineering a cyber attack?

It can be. However, some social engineers target physical facilities like offices, coffee shops, and anywhere people might be gathered, and where funds or information can be openly exchanged.

Why do hackers use social engineering?

Social engineering is popular because it is so effective. Humans are often the weakest link in the fraud chain, and targeting them is often much simpler than developing and testing costly software to work around fraud detection tools. Tricking a human being into making a mistake doesn’t cost much more than the fraudster’s time and is a lot easier than attempting to brute force their way through a company’s security system. For the social engineer, the path of least resistance wins.

What is the most common form of social engineering?

Phishing is the most common of all social engineering attacks. In fact, the tactic works so well that fraudsters have updated the phishing to adapt to newer technologies, with practices like “vishing” and “spear-phishing.”

What is the defense against social engineering?

Self-awareness, critical thinking, and time are the defenses against social engineering. Any message that encourages you to react with an emotion like panic or fear should be highly suspect. Additionally, anything that seems too good to be true, or just slightly off in some way, should give you pause.

Social Engineering8 Social Engineering Tactics to Watch for & How to Defeat Them

In a Nutshell

Everything You Need to Know to Spot & Stop Social Engineering Before it’s Too Late

Recommended reading