How Social Engineering Cyber Attacks Work
Social engineering cyber attacks exploit relationships and situations, rather than software flaws, to gain access to information, and they are most effective when people are busy and inclined to trust.
A Far More Sinister Type of Cyberattack
There are a number of ways cybercriminals can infiltrate your personal and professional worlds. But around this time of year, holiday cyberattacks tend to increase. We are more active on certain platforms, are handling more emails and tasks, and are generally not paying as close attention to the details that would otherwise indicate suspicious activity.
Recently, we covered one of the most common methods of attack: holiday phishing scams. In these types of attacks, hackers send emails masquerading as common retailers or other organizations that contain fake links, malicious attachments, and other harmful elements designed to steal money and information as well as implant malware into networks.
Phishing is itself one form of social engineering, and it is certainly dangerous to individuals and organizations alike. But there are more targeted social engineering cyber attacks that take things a step further, and those are the focus here.
Before we dig into the types of social engineering cyber attacks, we first need to understand what social engineering is. Social engineering aims to manipulate people into giving up confidential and sensitive information or access. It accomplishes this through a number of creative, albeit malicious, forms of communication and manipulation that prey on people's natural tendency to trust and to want to help.
Around this time of year, it's not uncommon to get messages from friends and family asking for help with an upcoming event, looking for gift ideas, or sharing photos or recipes. Communication generally increases between those we know as we invite people to gatherings, send well wishes, check in on loved ones and friends, and so on. That increase in messages, together with our heavier use of email and social media in general, is exactly why cyber criminals favor the holidays for social engineering cyber attacks: an unexpected message is less likely to stand out.
Let’s explore some social engineering cyber attacks and how they work.
The Abuse of Interpersonal Relationships
Every day, you’re likely receiving multiple texts, direct messages, emails, and phone calls from your friends and family members. Communication is part of what makes us human, and it’s that communication and investment in one another that helps to build trust. But when it comes to social engineering cyber attacks, that trust is the tool used to wreak havoc.
Once a hacker has some level of access to your email or social network accounts (usually gained through some other attack you are unaware of, such as a phished or reused password), they can see who you communicate with, what your relationship is, and how the conversation typically flows. They can then imitate that style, from your account or from a lookalike one, to ask for what they are after: a password, a login, or financial information.
Attempts might include a link with a message asking you to "check it out": a news article, a website, or whatever you and that contact might normally share. Other attempts might be an attachment you are asked to download or open. Opening it runs the embedded malware, which can take hold of your system and spread to anything else that machine can reach.
If you receive a message from a friend or family member but it seems out of place, or the content isn't something they would normally share, don't click, open, or reply. Instead, verify through a separate channel (a phone call or a different messaging app, not a reply to the suspicious message) that the person actually meant to send it. If they did not send it, delete it and let them know their account may be compromised. Be especially cognizant of this when accessing personal messages on a work device, because anything you open there affects that machine and can put your company's network at risk.
The Creation of Compelling Scenarios
In addition to exploiting your personal relationships, social engineering cyber attacks may also manufacture a situation that pressures you to act. This can happen in your personal life or at work. In either area there are plenty of scenarios that cause panic or seem to require immediate action, and the source of the request is the first thing to question.
For example, say you get a message from a co-worker (especially a superior) requesting immediate access to a file, platform, or some other asset. Maybe they "forgot" their password but urgently need to get in, and (surprise!) you're the only one who can help. You don't want to appear unhelpful or insubordinate, so you hand over your own credentials or grant the access. It's all downhill from there, because the request did not come from your co-worker at all.
Another example is a request for contributions to a charity. This is particularly prevalent following natural disasters or other incidents when the public is asked for support. If a company historically participates in a certain charity drive or event, attackers may send emails to employees posing as the company or the charity and asking for support. Because the employee knows their employer typically supports that cause, they may click the link or even donate, and that money goes straight to the attacker.
A final example is a verification email. This might look like the confirmation that follows creating a new account or signing up for something. You click the link and are taken to a page with a form to complete. Note that any legitimate web form can be cloned pixel for pixel, so the page's appearance proves nothing; the domain in the address bar, not the look of the page, is what identifies the site. There is typically a sense of urgency applied, e.g., "Complete the form as soon as possible to activate your account! Access will be lost if not completed within 15 minutes."
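The tells in the three scenarios above (a sender posing as a colleague or the company, a link whose visible text does not match its destination, a lookalike domain, a risky attachment, and urgency language) can be checked mechanically. The Python script below is an added example, not Inversion6's code: the trusted-domain list, the urgency phrase list, and both sample messages are constructed for illustration, and the "last two labels" domain reduction is a deliberate simplification that does not handle suffixes such as .co.uk.

```python
"""Score a raw email for the social-engineering indicators described above.

Added example, not Inversion6's code. TRUSTED, the phrase list and the two
sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("example.com",)  # assumed: your organisation's domain(s)
URGENCY_PHRASES = ("as soon as possible", "immediately", "within 15 minutes",
                   "access will be lost", "urgent", "right away", "suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url_or_host):
    """Crude reduction to the last two labels: https://login.example.com/x -> example.com."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted_domains):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]          # 'example' from 'example.com'
        if edit_distance(domain, trusted) <= 1 or brand in domain:
            return trusted
    return None


def score_message(raw, trusted_domains=TRUSTED):
    """Return (score, reasons) for an RFC 822 message; each indicator found adds one point."""
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""
    target = lookalike_of(from_dom, trusted_domains)
    if target:
        reasons.append(f"sender domain {from_dom} looks like {target}")
    brands = [t.split(".")[0] for t in trusted_domains]
    if any(b in from_name.lower() for b in brands) and from_dom not in trusted_domains:
        reasons.append(f"display name '{from_name}' suggests a trusted org but address is @{from_dom}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable_domain(reply_addr.split("@")[-1]) != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    body = ""
    for part in msg.walk():                    # attachments and text parts, container parts skipped
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment {fname} has a risky extension")
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            body += text
            if part.get_content_type() == "text/html":
                ex = LinkExtractor()
                ex.feed(text)
                for href, visible in ex.links:
                    href_dom = registrable_domain(href)
                    # visible text that looks like a URL/domain but resolves elsewhere
                    if re.search(r"\w\.\w", visible) and registrable_domain(visible) != href_dom:
                        reasons.append(f"link text '{visible}' actually points to {href_dom}")
                    target = lookalike_of(href_dom, trusted_domains)
                    if target:
                        reasons.append(f"link to {href_dom} looks like {target}")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed samples: a routine holiday note and a cloned "verification" email.
BENIGN = """From: Alex Rivera <alex.rivera@example.com>
To: you@example.com
Subject: Holiday potluck
Content-Type: text/plain; charset="utf-8"

Hi! Can you bring the cranberry sauce on Friday? Recipe is on the shared drive.
"""

PHISH = """From: "Example Corp Accounts" <no-reply@example-verify.net>
Reply-To: support@mail-collect.example.org
To: you@example.com
Subject: Verify your new account
Content-Type: text/html; charset="utf-8"

<p>Complete the form as soon as possible to activate your account!
Access will be lost if not completed within 15 minutes.</p>
<p><a href="http://examp1e.com/form">https://example.com/activate</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("phish", PHISH)):
        score, why = score_message(raw)
        print(label, score, *why, sep="\n  ")
```

The score is a count of independent indicators, not a probability; a single hit (for instance one urgency phrase in an otherwise normal message from a known address) is a reason to slow down and verify out of band, while several hits together are the signature of the cloned-form and impersonation attacks described here.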
It’s OK to Be Unsure
With the rise of social engineering cyber attacks, especially around the holidays when goodwill can be manipulated and stress can be exacerbated, it's important to slow down and question the messages you receive. Again, if even the slightest thing looks off, confirm with that contact through a separate communication method before acting.
But don't just delete suspicious messages and forget them. For personal accounts, if you clicked a link or entered credentials, change that password right away (and anywhere else you reused it) and turn on multi-factor authentication where the service offers it. At work, notify your IT and information security teams immediately so they can check whether anyone else received the same message.
Ultimately, maintaining security in the workplace regarding social engineering cyber attacks requires ongoing education and a strategy for managing it — as well as scanning organizational systems for threats. At Inversion6, we work hand-in-hand with organizational leadership teams to educate their employees on best practices while also providing ongoing security monitoring to help them proactively identify threats and resolve them.