Social Engineering

September 20, 2017

A common misconception most people have about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. This is simply not true. Cyber attackers have learned that often the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into making a mistake using a method called social engineering. Social engineering is when a cyber attacker pretends to be someone or something you know or trust, such as your bank, a coworker, or a tech support company, and then uses that trust to get what they want, usually by just asking for it. You can make your shield instantly stronger by recognizing a social engineering attack.
Cyber attackers can launch a social engineering attack using a variety of different methods, including email, instant messaging, over the phone, or in person. They use numerous tricks to get your attention, such as offering free downloads, announcing that you won a contest, or pretending that your computer is infected. In addition, these attacks often appear to be legitimate, such as including an official logo or a formal signature. Their goal? To get you to share information, such as your password, or take a specific action, such as opening an infected email attachment. You can help to protect yourself, your family, and our organization by recognizing social engineering attacks before they happen. Let’s look at two common types of social engineering attacks.
You get a call from someone claiming to be from the tax department. He informs you that your taxes are overdue and that you will be arrested in the next 48 hours unless you pay the outstanding amount. He then explains a process by which you can easily pay the amount owed now over the phone and avoid going to jail. However, this is not really someone from the government. Instead, it is a cyber attacker trying to trick you into paying him money. He does this by creating a tremendous sense of urgency and scaring you into making a mistake, such as giving him credit card information or bank information for payment.
Here is another common social engineering attack. You receive an email from your boss explaining that she is traveling. She urgently needs to call someone in human resources; however, she does not have their phone number. In addition, she explains her laptop just died and she does not have access to her work email. As such, she needs you to reply to her personal @gmail.com account and email her our organization’s employee phone book.
In reality, this is not your boss, but a cyber attacker who is pretending to be your boss and targeting you via email. Most likely, the attacker got your information and identified your boss’s name by researching our organization online. The attacker is trying to trick you into sending them our entire phone listing so they can then launch attacks on other people in our organization.

The simplest way to defend against social engineering attacks is to use common sense. If something seems suspicious or does not feel right, it may be an attack. Some common indicators of a social engineering attack include:

  • Someone creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
  • Someone asking for information they should not have access to or should already know.
  • Someone pressuring you to ignore or bypass our security policies and procedures.
  • Something too good to be true. A common example is you are notified you won the lottery, even though you never even entered it.

If you suspect someone is trying to make you the victim of a social engineering attack, do not communicate with the person anymore. Simply hang up the phone or ignore the message and contact the Service Desk.

© SANS Institute 2017