Social engineering attacks: explained

Social engineering attacks can encompass all sorts of malicious activities, which are largely based around human interaction. They can involve psychological manipulation being used to dupe people into making simple mistakes, which can often have wider repercussions. Successful social engineering attacks can be used to prise sensitive information out of an individual and, often, the victim may not even realize it’s happening.

In order to do this, cybercriminals utilize a series of steps that are designed to home in on an unsuspecting person, first using a combination of investigative techniques in order to secure background information on the victim. Following on from that, the perpetrator will attempt to gain the potential victim's trust, all the while hoping to catch them out and persuade the individual into giving away secrets about themselves, unwittingly or otherwise.

Techniques behind social engineering attacks

Criminals who carry out social engineering attacks use a variety of methods in order to get the information they’re after. They might use baiting, for example, in order to tempt an individual into trying their luck, perhaps by entering into an offer or the chance to win a prize. Sometimes the virtual carrot can be replaced by something physical, such as a hard drive that might be infected with malware, which can then be used to infiltrate a user's computer.

Other common methods used by those carrying out social engineering attacks include a raft of phishing techniques that can include spam, spear and voice phishing along with the likes of SMS attempts. Search engine phishing and URL phishing are also popular routes taken by cybercriminals, while web browsing sessions can frequently be targeted by hackers too. 

Scareware is another route taken by cybercriminals, often meaning a potential victim could be persuaded to click on a pop-up telling them their computer may be infected. This can happen when users go to websites that might be infected by malicious advertising, or via messages received through email accounts. Ultimately, the end game for social engineering attackers is to disrupt the victim by carrying out acts of sabotage, or to steal from someone by taking valuable assets such as information or access, as well as money.

Scams that can take time

Not all social engineering attacks happen quickly and, in fact, some attempts can use a full suite of techniques including preparation and infiltration, which can happen over a period of time, sometimes months. Scams can often be carried out via email or phone and even face-to-face in some instances. Little-and-often techniques can frequently persuade individuals to part with information about themselves or their affairs unwittingly, which allows cybercriminals to slowly build up a bigger picture of the potential victim.

In some cases, victims can part with information without even realizing the person they’re dealing with is a criminal. They may be posing as an IT support person or helpline staff, which can often mean they will be able to persuade a potential victim to part with more information than normal. Social engineering attacks can be so well done that they generate a range of emotions in the victim, from fear to excitement, from curiosity and anger right on through to guilt.

Dealing with social engineering attacks

Cybercriminals have become so good at social engineering attacks that they can often be difficult to spot, even by people who might have been duped before. However, the good news is that there is plenty of help at hand for anyone wanting to minimize the threat of social engineering attacks. One of the best things to do initially is to familiarize yourself with the tell-tale signs of a social engineering attack.

It’s a good idea to have a mental checklist of things to work through before you respond to emails or messages, even if they’ve fired you up to make a rapid response. Try to keep a cool, reasoned head even if you’ve seen a message that might have stirred up your emotions. Does it appear to be legitimate? Is it really from a trusted sender, or does there seem to be something odd about the communication?

Pick through a few details before you do anything: have you been sent an offer that sounds amazing? Too amazing perhaps? Are there any attachments or spurious links that might need to be clicked on? It’s worth checking back through the email or text details very carefully before you proceed because you may well find something contained inside the information that doesn't look right, or doesn't quite add up.
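The checklist questions above (is the sender really who they claim to be, is the offer too good, are there attachments or odd links?) can be expressed as code. This is an added Python example, not part of the original article; the sample message, its domains, the word list and the flag names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LURE = re.compile(r"\b(urgent|act now|won|winner|prize|free)\b", re.I)  # pressure / too-good wording
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso")  # illustrative, not exhaustive
# Constructed sample message; every name and domain below is made up.
SAMPLE = '''From: "Example Bank Support" <support@examp1e-bank.test>
Reply-To: claims@prizes.test
Subject: URGENT: you have won - act now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://login.prizes.test/claim">https://www.example-bank.test</a>
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
'''

def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def checklist(raw, known_domains):
    """Return the checklist items a raw message trips, in the order checked."""
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    flags = [] if sender in known_domains else ["sender-unknown"]
    reply = domain_of(msg["Reply-To"])
    if reply and reply != sender:  # replies would go somewhere else
        flags.append("reply-to-mismatch")
    if LURE.search(msg["Subject"] or ""):
        flags.append("lure-wording")
    for part in msg.walk():
        if part.get_filename():
            flags.append("attachment")
            if part.get_filename().lower().endswith(RISKY_EXT):
                flags.append("risky-attachment")
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR.findall(body):
                shown = urlparse(text.strip()).hostname  # None unless the link text is a URL
                if shown and shown != urlparse(href).hostname:
                    flags.append("link-mismatch")
    return flags
```

An empty result only means none of these checks fired, not that the message is safe.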

Preventing social engineering attacks

By taking your time to carry out some double checks on anything you’re not sure about, you may well be able to prevent social engineering attacks. However, in addition it's a very good idea to get yourself the latest security software, as well as investing in a password manager. Arming yourself with an up-to-date package, and paying for one that also keeps itself updated as time goes on will help to lessen the risks.

You should also use multi-factor authentication where possible, which is a great way of helping to lock down online accounts. In fact, create as many obstacles for cybercriminals as possible. It might seem like a lot more effort, but getting into this mindset can help tackle cybercriminals and social engineering attacks head on. Think about fingerprint or facial recognition if it’s possible to set up, for example.

Finally, arm yourself with a paid-for password manager. There are free options available but these are not as good for obvious reasons. Password manager software is very affordable especially when you consider just how much time, hassle and money it could save you by helping to prevent attacks from cybercriminals. The same goes for investing in a virtual private network or VPN too, as this is a great way of keeping your information hidden down a private and encrypted tunnel.

Common sense techniques

Finally, spend some time thinking about how you use your connected devices. It’s easy to get lazy and leave your phone or laptop sitting around, or not bother to set up secure passwords. This is just the sort of thing cybercriminals are on the lookout for. Even if you’re diligent and use lots of the security techniques outlined above, it is still possible to get caught out. 

However, using a combination of careful thinking and some of the best security software you can afford, you’ll be in a much better place than trying to ignore the problem in the vain hope that it’ll go away. Just remember: it won’t.

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.