Social Engineering: How Cyber Criminals Thrive on Human Psychology

Social engineering is becoming one of the most popular methods used by cybercriminals for both big and small crimes. Essentially, social engineering is a way to gain access to networks, systems, or data by exploiting human psychology and curiosity rather than using technical hacking techniques. Using a variety of methods, including phone calls and social media messaging, attackers trick people into giving them access to valuable personal or corporate information.

Phishing

This is the most popular type of social engineering. Phishing is when hackers send fake emails disguised as legitimate ones (usually from a bank or another authority source) to get you either to share valuable information, such as credit card details, or to click on a malicious link.

“Some phishing emails are still quite poorly crafted and you can easily spot them. However, others look so much like the real deal that they can trick even experienced internet users. Sometimes even tech employees are getting tricked into opening fishy links or submitting data to unsecure websites,” says NordVPN Digital Privacy Expert Daniel Markuson.

There are endless examples of phishing. For instance, a few years ago a Snapchat employee gave up important information via email to a person who claimed to be the CEO of the company.

Baiting

Baiting is social engineering with the least amount of human interaction. Baiters may offer users a free movie, music, or software downloads; in other cases, they use physical media, such as USBs, to exploit human curiosity.

“They will leave an infected USB at a coffee shop, office building hall, or similar place where there’s a high chance someone will find it,” comments NordVPN Digital Privacy Expert. “Then someone takes it, sticks it into their computer and, voila, the malware is installed. If it’s in an office setting, the malware has a chance to get into important systems and files.”

One interesting baiting attack was actually a test by a security expert Steve Stasiukonis on a financial company that was his client. His team left USBs infected with Trojan in a parking lot near the office building. Many curious workers picked up the USBs and put them into their computers. This activated a keylogger, and it gave Steve the employees’ login information.

Pretexting

Pretexting attacks rely on building trust with the target and usually require some background research and a credible story. Typically, scammers pretend that they need certain information in order to confirm identity, make a transaction or fix some problem. Of course, they need this information or help—really urgently.

“One popular pretext is for a hacker to call up one department and claim to be from another department. They will be in some emergency and need to get some information or access quickly,” explains NordVPN expert. “The other person eventually gives up and provides the passwords or other credentials.”

One of the most famous cases of pretexting would be the News of the World scandal when members of the UK press fooled phone operators into handing over their PIN codes, which then allowed those journalists to eavesdrop on the royal family’s voicemails.

How can you protect yourself against social engineering?

• Lock your laptop and smartphone when leaving your desk.
• Do not keep your password and other credentials written in a visible place.
• Never use the same password for different accounts.
• Never open emails from untrusted sources.
• Do not click on suspicious links.
• If something seems suspicious, it probably is.
• Get an anti-virus software and a reliable virtual private network, such as NordVPN.
• Read your company’s privacy policy to understand what information you are allowed to share.
• Do NationalPrivacyTest.org to understand how much you know about cybersecurity.