Webroot Smarter Cybersecurity Solutions


What is Social Engineering?
Examples & Prevention Tips

Social engineering is the art of manipulating people so they give up confidential
information. The types of information these criminals are seeking can vary, but
when individuals are targeted the criminals are usually trying to trick you into
giving them your passwords or bank information, or into granting access to your
computer so they can secretly install malicious software that will harvest your
passwords and bank information and give them control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit
your natural inclination to trust than it is to find and exploit a flaw in your
software. For example, it is much easier to fool someone into giving you their
password than it is to crack that password (unless the password is really weak).

Security is all about knowing who and what to trust. It is important to know when
to take a person at their word, when not to, and whether the person you are
communicating with is who they say they are. The same is true of online
interactions and website usage: when do you trust that the website you are using is
legitimate and safe to give your information to?

Ask any security professional and they will tell you that the weakest link in the
security chain is the human who accepts a person or scenario at face value. It
doesn't matter how many locks and deadbolts are on your doors and windows, or
whether you have guard dogs, alarm systems, floodlights, fences with barbed wire,
and armed security personnel; if you trust the person at the gate who says he is
the pizza delivery guy and let him in without first checking that he is legitimate,
you are completely exposed to whatever risk he represents.

What Does a Social Engineering Attack Look Like?

Email from a friend
If a criminal manages to hack or socially engineer one person's email password, they
have access to that person's contact list, and because many people reuse the same
password everywhere, they probably have access to that person's social networking
accounts as well.

Once the criminal has that email account under their control, they send emails to
all the person's contacts or leave messages on all their friends' social pages, and
possibly on the pages of the person's friends' friends.

Taking advantage of your trust and curiosity, these messages will:

Contain a link that you just have to check out. Because the link comes from a
friend and you're curious, you trust the link and click, and are infected with
malware so the criminal can take over your machine, collect your contacts'
information and deceive them just as you were deceived.

Contain a download of pictures, music, a movie, a document, etc. that has malicious
software embedded. If you download it, which you are likely to do since you think it
is from your friend, you become infected. Now the criminal has access to your
machine, email account, social network accounts and contacts, and the attack spreads
to everyone you know. And on, and on.

Email from another trusted source

Phishing attacks are a subset of social engineering that imitate a trusted source
and concoct a seemingly logical scenario for handing over login credentials or
other sensitive personal data. According to Webroot data, financial institutions
represent the vast majority of impersonated companies, and according to Verizon's
annual Data Breach Investigations Report, phishing and pretexting (see below)
together account for 93% of the breaches in which a social-engineering action was
involved.

Using a compelling story or pretext, these messages may:


Urgently ask for your help. Your "friend" is stuck in country X, has been robbed,
beaten, and is in the hospital. They need you to send money so they can get home,
and they tell you how to send the money to the criminal.

Use phishing attempts with a legitimate-seeming background. Typically, a phisher
sends an e-mail, IM, comment, or text message that appears to come from a
legitimate, popular company, bank, school, or institution.

Ask you to donate to their charitable fundraiser, or some other cause. Likely with
instructions on how to send the money to the criminal. Preying on kindness and
generosity, these phishers ask for aid or support for whatever disaster, political
campaign, or charity is momentarily top-of-mind.

Present a problem that requires you to "verify" your information by clicking on the
displayed link and filling in their form. The landing page may look very
legitimate, with all the right logos and content (in fact, the criminals may have
copied the exact format and content of the legitimate site). Because everything
looks legitimate, you trust the email and the phony site and provide whatever
information the crook is asking for. These phishing scams often include a warning
of what will happen if you fail to act soon, because criminals know that if they
can get you to act before you think, you are more likely to fall for it.

Notify you that you're a "winner." Maybe the email claims to be from a lottery, or
a dead relative, or says you are the millionth person to click on their site, etc.
In order to give you your "winnings" you have to provide your bank routing and
account numbers so they know how to send it, or give your address and phone number
so they can send the prize, and you may also be asked to prove who you are, often
by supplying your social security number. These are the "greed phishes": even if
the pretext is thin, people want what is offered and give away their information,
then find their bank account emptied and their identity stolen.

Pose as a boss or coworker. The message may ask for an update on an important,
proprietary project your company is currently working on, for payment information
pertaining to a company credit card, or make some other inquiry masquerading as
day-to-day business.

Baiting scenarios
These social engineering schemes know that if you dangle something people want,
many people will take the bait. These schemes are often found on Peer-to-Peer sites
offering a download of something like a hot new movie, or music. But the schemes
are also found on social networking sites, malicious websites you find through
search results, and so on.

Or the scheme may show up as an amazingly great deal on classified sites, auction
sites, etc. To allay your suspicion, you can see the seller has a good rating (all
planned and crafted ahead of time).

People who take the bait may be infected with malicious software that opens the way
for any number of further attacks on themselves and their contacts, may lose their
money without receiving the purchased item, and, if they were foolish enough to pay
with a check, may find their bank account empty.

Response to a question you never had
Criminals may pretend to be responding to your ’request for help’ from a company
while also offering more help. They pick companies that millions of people use such
as a software company or bank. If you don’t use the product or service, you will
ignore the email, phone call, or message, but if you do happen to use the service,
there is a good chance you will respond because you probably do want help with a
problem.

For example, even though you know you didn't originally ask a question, you probably
do have a problem with your computer's operating system and you seize on this
opportunity to get it fixed. For free! The moment you respond you have bought the
crook's story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a criminal, will need to "authenticate" you,
have you log into "their system" or have you log into your computer and either give
them remote access so they can "fix" it for you, or tell you the commands to enter
so you can fix it yourself with their help, where some of those commands will open a
way for the criminal to get back into your computer later.

Creating distrust
Some social engineering is all about creating distrust or starting conflicts. These
attacks are often carried out by people you know who are angry with you, but they
are also done by nasty people just trying to wreak havoc, by people who want to
first create distrust in your mind about others so they can then step in as a hero
and gain your trust, or by extortionists who want to manipulate information and then
threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account
or another communication account on an IM client, social network, chat, forum, etc.
They accomplish this either by hacking, social engineering, or simply guessing
really weak passwords.

The malicious person may then alter sensitive or private communications (including
images and audio) using basic editing techniques and forward these to other people
to create drama, distrust, embarrassment, etc. They may make it look like the
material was sent accidentally, or as though they are letting you know what is
"really" going on.

Alternatively, they may use the altered material to extort money either from the
person they hacked or from the supposed recipient.

There are literally thousands of variations to social engineering attacks. The only
limit to the number of ways they can socially engineer users through this kind of
exploit is the criminal’s imagination. And you may experience multiple forms of
exploits in a single attack. Then the criminal is likely to sell your information
to others so they too can run their exploits against you, your friends, your
friends’ friends, and so on as criminals leverage people’s misplaced trust.

Don't become a victim

While phishing attacks are rampant, short-lived, and need only a few users to take
the bait for a successful campaign, there are methods for protecting yourself. Most
don't require much more than simply paying attention to the details in front of
you. Keep the following in mind to avoid being phished yourself.

Tips to Remember:

Slow down. Scammers want you to act first and think later. If the message conveys a
sense of urgency or uses high-pressure sales tactics, be skeptical; never let their
urgency influence your careful review.

Research the facts. Be suspicious of any unsolicited messages. If the email looks
like it is from a company you use, do your own research. Use a search engine to go
to the real company's site, or a phone directory to find their phone number.

Don't let a link be in control of where you land. Stay in control by finding the
website yourself using a search engine, or by typing an address you already know,
so you are sure you land where you intend to. Hovering over a link in an email
shows the actual URL in the status bar, but a good fake can still steer you wrong:
a lookalike or misspelled domain, or the real brand's name placed in a subdomain of
a domain the criminal controls, passes a quick glance.

Email hijacking is rampant. Hackers, spammers, and social engineers taking over
people's email accounts (and other communication accounts) has become commonplace.
Once they control an email account, they prey on the trust of that person's
contacts. Even when the sender appears to be someone you know, if you aren't
expecting an email with a link or attachment, check with your friend before opening
links or downloading, and do it through a different channel (a phone call or a
text), since a reply to the message goes straight back to the hijacker.

Beware of any download. Unless you know the sender personally AND are expecting a
file from them, downloading anything is a mistake.

Foreign offers are fake. If you receive an email from a foreign lottery or
sweepstakes, money from an unknown relative, or requests to transfer funds from a
foreign country for a share of the money it is guaranteed to be a scam.
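A check a practitioner can run on a suspect message, added here as an example rather than anything from the original article: parse the HTML body, pair every link's visible text with its real href, and flag the classic deceptions (visible text that names one host while the href goes to another, a trusted brand name embedded in a host that someone else owns, punycode hosts, and non-web schemes). The sample message, the `EXPECTED_BRANDS` set and the two-label approximation of the registrable domain are assumptions made for the example; a production checker should use the Public Suffix List.

```python
"""Flag deceptive links in an HTML email body (added example, standard library only).

All hosts below are constructed: reserved example domains stand in for the
impersonated brand (example-bank.com) and the attacker (evil.example).
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: registrable domains this mailbox legitimately receives mail from.
EXPECTED_BRANDS = {"example-bank.com"}

# Visible link text that is itself a URL or bare hostname, e.g. "https://www.x.com/path".
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: real code should consult the Public
    Suffix List, since e.g. 'bank.co.uk' has a three-label registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means none found."""
    reasons: list[str] = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in href"]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homoglyph of a real brand")
    target = registrable(host)
    # The visible text names a host: it must agree with where the href really goes.
    m = _HOSTLIKE.match(text)
    if m and registrable(m.group(1)) != target:
        reasons.append(f"visible text points at {m.group(1)} but href goes to {host}")
    # A trusted brand anywhere left of the registrable domain is a lure:
    # secure-login.example-bank.com.evil.example is owned by evil.example.
    # Substring match on purpose, so example-bank.com-verify.evil.example is caught too.
    for brand in EXPECTED_BRANDS:
        if target != brand and brand in host:
            reasons.append(f"brand {brand} embedded in host {host} owned by {target}")
    return reasons


def audit_html(body: str) -> dict[str, list[str]]:
    """Map every href in the HTML body to its list of findings."""
    parser = _LinkCollector()
    parser.feed(body)
    return {href: audit_link(href, text) for href, text in parser.links}


# Constructed sample: one lure, one genuine link, one script-scheme link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Verify at <a href="http://secure-login.example-bank.com.evil.example/verify">https://www.example-bank.com/verify</a></p>
<p>Or read our <a href="https://www.example-bank.com/help">help centre</a>.</p>
<p><a href="javascript:alert(1)">Click here</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

The lure in the sample is flagged twice (visible text disagrees with the href, and the brand sits inside a host registered to `evil.example`), the genuine help link passes, and the `javascript:` link is rejected outright. Run it over the `text/html` part of a real message to see what hovering would have shown you, all at once.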

Ways to Protect Yourself:

Delete any request for financial information or passwords. If you get asked to
reply to a message with personal information, it's a scam.

Reject requests for help or offers of help. Legitimate companies and organizations
do not contact you to provide help. If you did not specifically request assistance
from the sender, consider any offer to ’help’ restore credit scores, refinance a
home, answer your question, etc., a scam. Similarly, if you receive a request for
help from a charity or organization that you do not have a relationship with,
delete it. To give, seek out reputable charitable organizations on your own to
avoid falling for a scam.

Set your spam filters to high. Every email program has spam filters. To find yours,
look at your settings options, and set these to high–just remember to check your
spam folder periodically to see if legitimate email has been accidentally trapped
there. You can also search for a step-by-step guide to setting your spam filters by
searching on the name of your email provider plus the phrase ’spam filters’.

Secure your computing devices. Install anti-virus software, firewalls and email
filters, and keep these up to date. Set your operating system to update
automatically, and if your smartphone doesn't update automatically, update it
manually whenever you receive a notice to do so. Use an anti-phishing tool offered
by your web browser or a third party to alert you to risks.

WEB APPLICATION SECURITY CENTER (Imperva Incapsula)

SOCIAL ENGINEERING
WHAT IS SOCIAL ENGINEERING

Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to
trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first
investigates the intended victim to gather the background information, such as
potential points of entry and weak security protocols, needed to proceed with the
attack. Then the attacker moves to gain the victim's trust and prompt actions that
break security practices, such as revealing sensitive information or granting
access to critical resources.

Social Engineering Attack Lifecycle

[Figure: social engineering attack lifecycle]
What makes social engineering especially dangerous is that it relies on human
error, rather than vulnerabilities in software and operating systems. Mistakes made
by legitimate users are much less predictable, making them harder to identify and
thwart than a malware-based intrusion.

SOCIAL ENGINEERING ATTACK TECHNIQUES

Social engineering attacks come in many different forms and can be performed
anywhere where human interaction is involved. The following are the five most
common forms of digital social engineering assaults.

Baiting
As its name implies, baiting attacks use a false promise to pique a victim's greed
or curiosity. They lure users into a trap that steals their personal information or
infects their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For
example, attackers leave the bait, typically malware-infected flash drives, in
conspicuous areas where potential victims are certain to see them (e.g., bathrooms,
elevators, the parking lot of a targeted company). The bait has an authentic look
to it, such as a label presenting it as the company's payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home
computer, resulting in malware installation on the system. Current operating
systems no longer run programs automatically from removable media, so the drive
typically carries a booby-trapped document or shortcut the victim is enticed to
open, or presents itself to the computer as a keyboard and types commands.

Baiting scams don’t necessarily have to be carried out in the physical world.
Online forms of baiting consist of enticing ads that lead to malicious sites or
that encourage users to download a malware-infected application.

Scareware

Scareware involves victims being bombarded with false alarms and fictitious
threats. Users are deceived to think their system is infected with malware,
prompting them to install software that has no real benefit (other than for the
perpetrator) or is malware itself. Scareware is also referred to as deception
software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banner appearing in your
browser while surfing the web, displaying text such as "Your computer may be
infected with harmful spyware programs." It either offers to install the tool
(often malware-infected) for you, or directs you to a malicious site where your
computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or
makes offers for users to buy worthless/harmful services.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The
scam is often initiated by a perpetrator pretending to need sensitive information
from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by
impersonating co-workers, police, bank and tax officials, or other persons who have
right-to-know authority. The pretexter asks questions that are ostensibly required
to confirm the victim's identity, through which they gather important personal
data.

All sorts of pertinent information and records are gathered using this scam, such
as social security numbers, personal addresses and phone numbers, phone records,
staff vacation dates, bank records and even security information related to a
physical plant.

Phishing

As one of the most popular social engineering attack types, phishing scams are
email and text message campaigns aimed at creating a sense of urgency, curiosity or
fear in victims. The messages then prod them into revealing sensitive information,
clicking on links to malicious websites, or opening attachments that contain
malware.

An example is an email sent to users of an online service that alerts them of a
policy violation requiring immediate action on their part, such as a required
password change. It includes a link to an illegitimate website, nearly identical in
appearance to its legitimate version, prompting the unsuspecting user to enter their
current credentials and new password. Upon form submission the information is sent
to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing
campaigns, mail servers with access to threat-sharing platforms can detect and block
them much more easily: once one copy is reported, a fingerprint of the message
identifies the rest of the campaign.
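The paragraph above relies on near-identical messages being recognisable as one campaign. Added example, not Imperva's code: it normalises each body (URLs, addresses and numbers replaced by placeholders), shingles the result into word 3-grams and clusters messages whose Jaccard similarity crosses a threshold, so the personalised greeting and per-recipient tracking link do not defeat the match. The four sample bodies are constructed; the threshold of 0.8 is an assumption.

```python
"""Cluster near-identical phishing bodies into one campaign (added example).

Normalises each message, shingles it into word 3-grams and joins messages whose
Jaccard similarity reaches a threshold, so per-recipient personalisation (name,
tracking URL, reference number) no longer hides that they share one template.
Sample bodies are constructed; the 0.8 threshold is an assumption.
"""
from __future__ import annotations

import hashlib
import re
from itertools import combinations

_URL = re.compile(r"https?://\S+")
_EMAIL = re.compile(r"\S+@\S+")
_NUM = re.compile(r"\d+")


def normalize(body: str) -> list[str]:
    """Lower-case, replace volatile parts with placeholders, drop punctuation, tokenize."""
    text = body.lower()
    text = _URL.sub(" <url> ", text)      # per-recipient tracking links
    text = _EMAIL.sub(" <email> ", text)  # addresses
    text = _NUM.sub(" <num> ", text)      # reference numbers, deadlines
    text = re.sub(r"[^a-z<>\s]", " ", text)
    return text.split()


def exact_fingerprint(body: str) -> str:
    """SHA-256 of the normalised body: a shareable indicator that matches only
    when nothing else differs, so a personalised greeting defeats it."""
    return hashlib.sha256(" ".join(normalize(body)).encode()).hexdigest()


def shingles(tokens: list[str], n: int = 3) -> set[str]:
    """Set of overlapping n-word windows."""
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a: set[str], b: set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def cluster(bodies: list[str], threshold: float = 0.8) -> list[list[int]]:
    """Single-linkage clustering by shingle similarity; returns groups of indexes."""
    sets = [shingles(normalize(b)) for b in bodies]
    parent = list(range(len(bodies)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(bodies)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)
    groups: dict[int, list[int]] = {}
    for i in range(len(bodies)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


# Constructed sample: three messages from one template plus one unrelated mail.
_TEMPLATE = (
    "Dear {name}, we detected a policy violation on your account. You must change "
    "your password within 24 hours or your access will be suspended. Visit {url} "
    "to update your credentials now. Reference number {ref}."
)
SAMPLE_BODIES = [
    _TEMPLATE.format(name="Alice", url="http://evil.example/u/8f3a1c", ref=48213),
    _TEMPLATE.format(name="Bob", url="http://evil.example/u/02d9e7", ref=48214),
    _TEMPLATE.format(name="Carol", url="http://evil.example/u/c41b55", ref=48215),
    "Hi team, the quarterly report is attached. Let me know if you have "
    "questions before Friday's meeting.",
]

if __name__ == "__main__":
    print(cluster(SAMPLE_BODIES))  # the three lures form one group, the report mail another
```

The exact hash of the normalised body still differs between the Alice and Bob copies (only the greeting changes), which is why a shared hash alone misses personalised campaigns; the shingle overlap between them is about 0.88, comfortably above the threshold, while the unrelated message shares no 3-grams with them.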

Spear phishing

This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on
characteristics, job positions, and contacts belonging to their victims to make
their attack less conspicuous. Spear phishing requires much more effort on behalf
of the perpetrator and may take weeks and months to pull off. They’re much harder
to detect and have better success rates if done skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an
organization's IT consultant, sends an email to one or more employees. It's worded
and signed exactly as the consultant normally does, thereby deceiving recipients
into thinking it's an authentic message. The message prompts recipients to change
their password and provides them with a link that redirects them to a malicious
page where the attacker now captures their credentials.

SOCIAL ENGINEERING PREVENTION

Social engineers manipulate human feelings, such as curiosity or fear, to carry out
schemes and draw victims into their traps. Therefore, be wary whenever you feel
alarmed by an email, attracted to an offer displayed on a website, or when you come
across stray digital media lying about. Being alert can help you protect yourself
against most social engineering attacks taking place in the digital realm.

Moreover, the following tips can help improve your vigilance in relation to social
engineering hacks.

Don’t open emails and attachments from suspicious sources – If you don’t know the
sender in question, you don’t need to answer an email. Even if you do know them and
are suspicious about their message, cross-check and confirm the news from other
sources, such as via telephone or directly from a service provider’s site. Remember
that email addresses are spoofed all of the time; even an email purportedly coming
from a trusted source may have actually been initiated by an attacker.
Use multifactor authentication – One of the most valuable pieces of information
attackers seek is user credentials. Using multifactor authentication helps protect
your account even when the password itself has been phished. Note that a phishing
page can relay a one-time code to the real site in real time, so phishing-resistant
factors such as FIDO2/WebAuthn security keys are stronger than SMS or app-generated
codes. Imperva Login Protect is an easy-to-deploy 2FA solution that can increase
account security for your applications.
Be wary of tempting offers – If an offer sounds too enticing, think twice before
accepting it as fact. Googling the topic can help you quickly determine whether
you’re dealing with a legitimate offer or a trap.
Keep your antivirus/antimalware software updated – Make sure automatic updates are
engaged, or make it a habit to download the latest signatures first thing each day.
Periodically check to make sure that the updates have been applied, and scan your
system for possible infections.
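A concrete way to act on the "email addresses are spoofed all of the time" point above, added as an example and not part of Imperva's page: read the Authentication-Results header stamped by your own inbound mail server (identified by its authserv-id; results stamped by anyone else are ignored, because a sender can forge that header too) and check DMARC, Return-Path/From alignment and a Reply-To that diverts replies elsewhere. The two raw messages, the `mx.example.net` authserv-id and all domains are constructed for the example.

```python
"""Check a received message's authentication results and address alignment
(added example, standard library only).

Only the Authentication-Results header stamped by our own inbound MTA is trusted:
a sender can add that header too, so results from any other authserv-id are ignored.
The two raw messages, the authserv-id and the domains are constructed for this example.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # hypothetical: authserv-id of our inbound MTA


def _domain(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def parse_auth_results(value: str) -> tuple[str, dict[str, str]]:
    """Parse 'authserv-id; method=result ...; method=result ...' (RFC 8601 shape)
    into (authserv_id, {method: result}); property clauses after the result are ignored."""
    clauses = [c.strip() for c in value.split(";")]
    authserv = clauses[0].split()[0].lower() if clauses and clauses[0] else ""
    results: dict[str, str] = {}
    for clause in clauses[1:]:
        m = re.match(r"(\w+)=(\w+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv, results


def assess(raw: str) -> dict:
    """Return trusted auth results plus findings that point at a spoofed or diverted sender."""
    msg = message_from_string(raw, policy=default)
    from_dom = _domain(str(msg.get("From", "")))
    bounce_dom = _domain(str(msg.get("Return-Path", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))

    results: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, parsed = parse_auth_results(str(hdr))
        if authserv == TRUSTED_AUTHSERV:  # anything else could have been stamped by the sender
            results.update(parsed)

    findings: list[str] = []
    if results.get("dmarc") != "pass":
        findings.append(f"DMARC {results.get('dmarc', 'absent')} for From domain {from_dom}")
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} does not align with From {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To diverts replies to {reply_dom}, not {from_dom}")
    return {"from_domain": from_dom, "auth": results, "findings": findings}


# Constructed lure: passes SPF for the attacker's bounce domain, fails DMARC for
# the displayed brand, and carries a forged Authentication-Results of its own.
SAMPLE_LURE = """\
Return-Path: <bounce@evil.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=evil.example; dkim=none; dmarc=fail (p=reject) header.from=example-bank.com
Authentication-Results: evil.example; spf=pass; dkim=pass; dmarc=pass
From: "Example Bank Alerts" <alerts@example-bank.com>
Reply-To: Example Bank <support@evil.example>
To: victim@example.net
Subject: Action required: verify your account

Your account has been locked. Reply with your online banking password to restore access.
"""

# Constructed genuine notification: everything aligns and DMARC passes.
SAMPLE_GENUINE = """\
Return-Path: <bounce@example-bank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: "Example Bank Alerts" <alerts@example-bank.com>
To: victim@example.net
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("genuine", SAMPLE_GENUINE)):
        print(name, assess(raw))
```

The lure's own `Authentication-Results: evil.example; ... dmarc=pass` line is discarded because its authserv-id is not ours; the trusted line shows SPF passing only for the attacker's bounce domain and DMARC failing for the brand in From, which together with the divergent Return-Path and Reply-To gives three findings. The genuine message yields none.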
Imperva Inc. Copyright ©2019 Imperva. Images on the Web Application Security Center
by Incapsula are licensed under a Creative Commons Attribution 4.0 International
Licence.
Webroot's threat database has more than 600 million domains and 27 billion URLs
categorized to protect users against web-based threats. The threat intelligence
backing all of our products helps you use the web securely, and our mobile security
solutions offer secure web browsing to prevent successful phishing attacks.
