Introduction
In recent years, cybercriminals specializing in social engineering have adopted more advanced methods to gain access to sensitive information, taking into account the modern psychology of both corporate employees and people in general. To learn how to resist various tricks, it’s important to understand the general tactics used by attackers. In this article, we’ll look at the most common social engineering approaches.
Background
The term “social engineering” first entered common use in the 1990s, thanks to renowned cybersecurity expert and former hacker Kevin Mitnick. However, attackers had been using similar methods long before the concept was officially defined. Experts believe that today’s cybercriminals have two main goals: stealing passwords and installing malware. Attackers use social engineering via phone, email, and web pages. Below are the main methods for obtaining confidential information.
Tactic #1: The Six Degrees of Separation Theory
The key goal of a social engineer over the phone is to convince the victim that they are a coworker or a representative of government agencies (such as law enforcement or an auditor). When a scammer wants information about a specific person, they may first try to get details from the victim’s colleagues. According to the old “six degrees of separation” theory, only six connections separate the attacker from the target. Experts recommend being especially cautious if you’re unsure what a coworker wants from you.
Usually, the attacker contacts a secretary (or someone in a similar position) to gather information about higher-ups in the corporate hierarchy. A friendly tone often helps scammers. Slowly but persistently, criminals find the right approach, and getting information you’d never normally share often becomes just a matter of time.
Tactic #2: Using Corporate Jargon
Every industry has its own specific terminology. To be more convincing and sophisticated, social engineers study the nuances of corporate language and culture. If a scammer speaks the same “language” as the victim, they can build trust much faster and get the information they want more easily.
Tactic #3: Using Familiar Hold Music
To successfully carry out an attack, a social engineer needs time, persistence, and patience. Social engineering attacks are usually slow, with data about future victims collected regularly. The main goal is to build trust and then deceive. For example, an attacker might pretend to be a coworker. One key trick is to use the company’s hold music. The attacker records the music, and during a call, might suddenly say, “Hold on, I have another call coming in,” and play the familiar music. The victim, hearing the music, becomes even more convinced they’re speaking with a real employee. This is simply smart use of psychology.
Tactic #4: Caller ID Spoofing
Attackers often spoof phone numbers, making the Caller ID display a corporate number even if the call is coming from elsewhere. In most cases, unsuspecting employees will share confidential information, including passwords. This trick also helps cover the attacker’s tracks, since a return call to the displayed number will go to the real company.
Tactic #5: Exploiting Current Events
No matter what’s in the news, attackers will find a way to use current events—like a presidential campaign or economic crisis—for spam, phishing, and other scams. Such messages often contain links to infected sites disguised as useful programs.
Phishing attacks on banks are often similar. It usually starts with an email like: “Another Bank [name] is acquiring your Bank [name]. Please follow the link and verify your information.” Needless to say, this is an attempt to steal information that can be sold or used to steal money from your account.
Tactic #6: Hacking Social Media Accounts
It’s no secret that Facebook and LinkedIn are extremely popular social networks. Many studies show that users tend to trust these platforms. Targeted phishing attacks on LinkedIn users confirm this. Often, attackers send fake notifications about technical work on the network, inviting users to update their information. That’s why it’s recommended that employees type addresses manually instead of clicking on links in emails. Also, legitimate sites rarely ask users to update personal information via email.
Tactic #7: Typosquatting
This technique relies on people making mistakes when typing website addresses. If a victim mistypes a URL, they may be redirected to a site created by the attacker. Cybercriminals prepare by registering domains with common typos and creating sites that look identical to the real ones. A single-character typo can lead you to a copycat site designed to collect personal data or spread malware.
Tactic #8: FUD (Fear, Uncertainty, Doubt)
Fear, uncertainty, and doubt (FUD) are often the basis of psychological manipulation in marketing. Many techniques aim to make users feel unsure or anxious about a product or company, leading them to act rashly. Recent studies show that product security and vulnerabilities can affect stock markets. For example, researchers tracked how Microsoft’s stock reacted to Patch Tuesday vulnerability reports—there were significant fluctuations after such reports. Another example is when attackers spread fake news about Steve Jobs’ health in 2008, causing Apple’s stock to plummet. This is a vivid example of FUD used for malicious purposes. Also, beware of spam aimed at artificially inflating prices, such as in the stock or cryptocurrency markets. Attackers may send emails touting the “amazing potential” of certain stocks or coins they already own. As people rush to buy, prices soar, and after the scammers sell, prices crash again.
Conclusion
Cybercriminals often use very sophisticated social engineering techniques. As we’ve seen, attackers achieve their goals through various psychological tricks. Therefore, it’s important to pay attention to every detail that might reveal a scam. Always verify and double-check information about people who contact you, especially if confidential information is involved.