What is Social Engineering?

Social engineering is a set of tools and practices used to get people to perform certain actions. It relies on social manipulation and social psychology and can be used both for good and for bad. A volunteer may convince a person to donate money to a charity, or a doctor may persuade a patient to start a diet that ends up benefiting the patient. It is therefore not the act of social engineering itself that is a threat; it is the malicious intent, or the financial or other interest, of the attacker.

When it is used with bad intent, social engineering consists of manipulative techniques designed to lead the target to give away information, grant access to something, or perform a certain action. Corporate spies are people who want details about you or your company, for a variety of purposes. They could be competitors, disgruntled former employees, or people who want to harm your business through blackmail or extortion. They can also be thieves looking to access your company’s customer data, money or business intelligence.

In this article, we will focus on the harmful methods of social engineering online, and tell you about the different ways in which people can be attacked with a social engineering scam. We explain what a social engineering attack may look like and where you could run into one. What are the warning signs, and how can you protect yourself and your company?

What is Social Manipulation and Social Exploitation

Let’s begin with the psychological aspects of social engineering. Social engineering is rooted in social manipulation and social exploitation and relies largely on the human tendency to trust other people and to assume they are earnest and mean no harm. In everyday life, people rarely have a reason to distrust others or to question what they are told.

This is how social engineering differs from other ways of breaching (cyber)security, such as theft, breaking through a firewall, or threats. Social engineering is about psychological manipulation, and it is based on people, either willingly or unknowingly, performing a certain action. It most often relies on either the goodwill or the ignorance of people.

Therein lies one of the greatest advantages of social engineers: the innate desire of people to believe that what they see is real, and that people are who they seem or claim to be. That is why the first thing you need in order to fight social engineering is a dash of disbelief. No need to go overboard and start suspecting everyone around you; most people are still good people. But remember that social engineering counts on you not knowing it exists or not expecting to encounter it.

The Social Engineering Framework

In their research paper, Mouton et al. describe a social engineering attack framework. Its phases are as follows:

1. Attack formulation.

The first phase consists of identifying the goal and in accordance, identifying the target necessary to fulfill the goal.

2. Information gathering.

In this stage, social engineers identify potential information sources and begin gathering and assessing information from them.

3. Preparation.

In the preparation phase, social engineers analyze the information and develop an action plan to begin approaching the target.

4. Develop relationship.

In this stage, the social engineers establish a line of communication and begin to build a relationship. Notice that according to the framework, social engineering includes three phases before the target is contacted for the first time. This is a good reminder of how much work and analysis goes into devising a social engineering attack: by the time the target is approached, the social engineers have studied their target and devised their strategy well.

5. Exploit relationship.

In this phase, the target is “primed”. The exploitation stage uses different methods of manipulation to evoke the right type of emotions and bring the target into the desired emotional state. Once the target is in that state, the social engineer starts eliciting information from the target. The goal of emotional priming is that the target will feel good about giving out information, instead of feeling guilty about it or threatened into doing so. Giving out information will thus not only be voluntary but feel good as well.

6. Debrief.

In this stage, the social engineer returns to the target and maintains the desired emotional state. The goal is that the target will not feel that anything in the relationship was odd and will not realize that they have been under attack. It is important for the social engineer to continue the communication to some extent, so that the target does not become alarmed, realize they have been taken advantage of, and possibly contact the authorities.

7. Goal satisfaction.

After a successful social engineering attack, the social engineers exploit the information they have gathered. They then either return to the target for more information or slowly close the connection.

Social Engineering Online

Social engineering online is becoming more prevalent and more sophisticated. Perhaps the most famous type of social engineering scam is the “Nigerian letter”, a form of advance-fee fraud. In its simplest form, a scammer, most classically pretending to be a Nigerian prince, claims to have acquired a vast amount of wealth. All they need from you, “Dear Friend”, is a small transaction fee, after which you will receive your share of the wealth. The twist, of course, is that no money was ever hiding in a mattress or sitting in the prince’s account waiting for you; your transaction fee simply goes into the scammer’s bank account.

This still works on people who don’t understand how online scams operate, namely people in vulnerable positions or with a limited understanding of the internet. Most people, however, are aware of this type of scam and know to avoid or report it. Spam filters and internet help forums have also helped to filter out and detect obvious scams.

This doesn’t mean online scams are dying, however. They are instead taking more sophisticated forms. Social engineering now often relies on “webs of trust”: scammers pretending to be friends of friends, former schoolmates or co-workers, or friends of people in the target’s network.

The difference between social engineering and traditional hacking is that a social engineer always plans for the target to voluntarily give out specific information or perform the action the attacker wants (without, of course, understanding that they are harming themselves or their company while benefiting the attacker). Hackers, on the other hand, may attack in many different forms, and a technical compromise can happen without the target ever noticing. However, as software has matured and companies have begun to pay more attention to cybersecurity in general, many attackers have moved from “pure” hacking (such as planting malware) to a blend of hacking and social engineering. A typical pattern is to gain a partial foothold with a technical attack and then use social engineering to obtain private information from the target, such as passwords, in order to bypass the remaining security controls.

Social Engineering Emails

Although we might no longer run into Nigerian princes offering us unimaginable wealth, email scams are still prevalent in the world of social engineering. What differentiates email scams from other online scams is that email is the likeliest channel for “authority-based scams”. This is because an official entity (such as your bank or a contractor you hired) is much more likely to approach you via email than via a Facebook message, for example.

Email is an official method of communication in many organizations and government institutions, and many people use email to send private information to authorities. This is why it pays to be especially cautious when anyone asks for your private details via email. Check the sender’s actual address, not just the display name, and make sure it belongs to the party the message claims to come from; a Reply-To address on a different domain is a warning sign. It is very rare for an official authority to ask you for your private details directly by email. Before entering anything on a linked site, make sure it is the official website of the party it claims to be, and that the address starts with https://, which means the connection to that site is encrypted. Note that https:// on its own proves only that the connection is encrypted, not that the site is legitimate: phishing sites use HTTPS too, so the domain name itself is what you need to verify. To learn more about email scams and how to detect them, see our post about phishing.
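The checks above (does the sender domain match the organization, does Reply-To or Return-Path point somewhere else, do the links use https and go where their visible text says) can be done mechanically. The script below is an added example written for this article, not code from the original page or from Hoxhunt; the message it inspects is constructed for the illustration, and the domains example-bank.com and examp1e-bank.com are made up. The checks are heuristics that surface warning signs; they do not prove a message is safe, and a message with no warnings can still be a scam.

```python
"""
Added example (not from the original article): mechanical warning-sign
checks for a suspicious email. Sample message and domains are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The display name and From address look like the bank,
# but Reply-To, Return-Path and the link point at a lookalike domain, and the
# visible link text differs from the real href.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@examp1e-bank.com
Return-Path: <bounce@mailer.examp1e-bank.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer, your account has been limited.</p>
<p>Please <a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a>
to restore access.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def domain_of(address_or_url):
    """Host part, lower-cased: after '@' for an address, the URL host otherwise.
    Simplification (assumption): no public-suffix list, no userinfo in URLs."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def same_org(host, trusted):
    """True if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def check_message(raw_bytes, trusted_domain):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    warnings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    if from_domain != trusted_domain:
        warnings.append(f"From domain {from_domain!r} is not {trusted_domain!r}")

    # Replies go to Reply-To when present, bounces to Return-Path; a scammer
    # can spoof From and still receive your answer via these headers.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            _, addr = parseaddr(str(value))
            d = domain_of(addr)
            if not same_org(d, from_domain):
                warnings.append(f"{header} domain {d!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        href_host = domain_of(href)
        if urlparse(href).scheme != "https":
            warnings.append(f"link {href!r} is not https")
        if not same_org(href_host, trusted_domain):
            warnings.append(f"link host {href_host!r} is not the trusted domain")
        # Visible text that looks like a URL but the href goes elsewhere.
        if "://" in text and domain_of(text) != href_host:
            warnings.append(f"anchor text shows {domain_of(text)!r} but href goes to {href_host!r}")
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE_EMAIL, "example-bank.com"):
        print("WARNING:", w)
```

Run against the constructed sample with the trusted domain example-bank.com, the script reports five warnings: the Reply-To and Return-Path domains, the http:// link, the link host not being the bank’s domain, and the mismatch between the visible link text and the real href. A real mail client hides most of these details behind the display name and the link text, which is exactly why scammers rely on them.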

Social Engineering in Social Media

People give away more than they realize when they open up their lives on social media. Even if you keep things private and don’t accept friend requests from people you don’t know, social engineers can obtain a large amount of data about you by befriending a friend of yours.

Social engineers can then learn your family history and private details such as your birthday, your workplace, where you live and where you spend your time. Your profile also reveals what you’re interested in, how you spend your free time, and who your friends are. Social engineering on social media takes advantage of people’s growing networks and their inability to remember “who is who” in the growing pool of friends and connections.

With the information available, social engineers can write targeted and personalized messages for you. They can pretend to be a former co-worker at a large company you are shown to have worked for, or a classmate you don’t remember but who has friended many of your former classmates.

Social engineers can also introduce themselves as people you don’t know, but use your information to compose a message that appeals to causes you care about. Let’s say you regularly follow NGOs that provide housing for orphans in Asia and seem sympathetic to the cause. The social engineer may then also “like” these pages and strike up a conversation with you in a private group. They may then approach you in a private message and ask for a donation or other resources towards an orphanage they claim to be building, but of course aren’t.

Methods of Social Engineering

Social engineers often draw on one or several compliance techniques. These are some of the methods a social engineering attack is likely to draw upon:

  • Friendship or liking: people comply more easily when the request comes from a friend or someone they like. Social engineers will seek common ground and establish a friendship to get the target to comply with their request.
  • Commitment or consistency: once a person has committed to something, they are more likely to comply with “follow-up” requests that are in line with the original request they agreed to. In social engineering, this could mean asking for something simple and easy first, and then slowly continuing with more detailed and personal requests. Once the target has complied with the first request, they are much more likely to agree to the rest.
  • Scarcity: people are more likely to agree to a request if they feel the offer is scarce or will only be available for a short time. Social engineers use this technique to offer “once in a lifetime” business deals or offers that expire shortly, turning the target’s fear of missing out against them.
  • Reciprocity: people are more likely to comply with a request if they have been treated well by the person making it. For example, the social engineer may have done the target a small favor in order to use their sense of obligation against them.
  • Social validation: people are more likely to comply with a request if they consider it the socially correct thing to do. The social engineering attack could be framed as a socially expected request, such as asking for a donation to the yearly charity gathering of the target’s university.
  • Authority: many people are especially trusting towards official authorities such as the police, firefighters or security personnel. This is called the principle of authority, one of the six principles of persuasion (the list above follows them). If a social engineer poses as an authority or a legitimate entity, such as the police or a bank, the target is more likely to comply with the request.

How to Prevent Social Engineering Attacks

Penetration testing is hacking done for the benefit of the company. Penetration testers are real people with real hacking or social engineering skills. Instead of using those skills against the company, they carry out authorized attacks, at the company’s request, in order to test and improve its security.

As attack techniques become more sophisticated, it is no longer enough for a company to deploy security controls and verify them through penetration testing of the technical systems. As those systems become harder to break, more and more attackers lean on the benevolence (and the ignorance or lack of training) of humans rather than on computers. This means that in order to combat social engineering, companies need an educated and informed workforce alongside reliable security technology.

When it comes to social engineering, the greatest threat to cybersecurity is human error. This is why prevention must focus on educating and training people and making them aware of the types of scams they are likely to encounter. Educate and train yourself, and encourage your co-workers or employees to do the same. Remember, it takes only one person in a company to fall for a scam, and the entire company can be at risk.

The three most important things are education, skepticism, and consistency in training. Education consists of understanding the techniques social engineers use and being careful about what information you give out online. Skepticism is about building a state of mind in which you practice sensible caution when receiving emails or talking with people online. The third, consistency, is the hardest to follow through, because to be prepared for social engineering attacks you need to encounter realistic ones, for example through simulated phishing exercises, rather than only read about them.

Learn more about the unique approach Hoxhunt takes to continuously train and educate your employees.