Introduction
In recent years, cybercriminals using social engineering have adopted more advanced methods to access sensitive information, leveraging modern psychology to manipulate employees and individuals. The first step in defending against these tactics is understanding how attackers operate. Here are eight of the most common social engineering approaches.
1. The Ten Handshakes Theory
The main goal of a social engineer using the phone is to convince their target of one of two things:
- The caller is a company employee.
- The caller is a representative of an authorized body (such as law enforcement or an auditor).
If the attacker wants information about a specific employee, they may first contact colleagues to extract the necessary details. Security experts note that, much like the old “six degrees of separation” theory, there may be only ten “handshakes” between a cybercriminal and their target. Attackers often start with a secretary or similar position to gather information about higher-ups, using a friendly tone to build trust and gradually obtain confidential information.
2. Learning Corporate Language
Every industry has its own jargon. Attackers study this language to use social engineering more effectively. By speaking in familiar terms, cybercriminals can gain trust and more easily extract the information they seek.
3. Using Hold Music as a Psychological Tool
Successful attacks require time, persistence, and patience. Social engineering attacks are often slow and methodical, gathering not just data but also “social signals” to build trust. One trick involves recording a company’s hold music during calls. Later, during a conversation, the attacker might say, “Please hold, I have another call,” and play the familiar music, convincing the target that the call is legitimate. This is a clever psychological ploy.
4. Caller ID Spoofing
Criminals frequently use caller ID spoofing to disguise their phone number. For example, an attacker can call from their home, but the recipient’s caller ID shows a company number, creating the illusion of a corporate call. Unsuspecting employees may then share confidential information, including passwords, believing the call is internal. This method also helps attackers avoid being traced, as callbacks are redirected to a company line.
5. Exploiting News Headlines
Whatever the current news, attackers use it as bait for spam, phishing, and other scams. For example, a phishing email might claim:
“Another bank [bank name] is acquiring your bank [bank name]. Click this link to ensure your information is updated before the deal closes.”
This is an attempt to steal your credentials, access your accounts, or sell your information to third parties.
6. Exploiting Trust in Social Platforms
Popular social networks like Facebook, Myspace, and LinkedIn are often used in social engineering attacks. Studies show people tend to trust these platforms. For instance, a phishing email may claim to be from Facebook, asking you to “click here” to update your information due to maintenance. Experts recommend always typing web addresses manually and remembering that legitimate sites rarely ask users to change passwords or update accounts via email.
7. Typosquatting
This malicious technique exploits human error when typing URLs. A single typo can lead you to a fake site designed by attackers. These sites often closely mimic legitimate ones, aiming to steal data, sell products, or distribute malware.
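As an added defensive illustration (not part of the original article), the check below generates the single-keystroke typo variants of an organisation's own domains and flags URLs whose host matches one, which is the kind of lookalike detection a mail gateway or proxy log review would use. The domain names in LEGIT_DOMAINS are constructed placeholders, and the keyboard layout and two-label domain handling are simplifying assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist of the domains an organisation wants to protect (hypothetical names).
LEGIT_DOMAINS = {"examplebank.com", "example-corp.com"}

# Assumption: a simplified QWERTY layout; only left/right neighbours on the same row count.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Return the keys immediately left and right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_variants(domain):
    """Generate single-typo variants of the registrable label: omission,
    duplication, transposition and adjacent-key substitution."""
    label, _, tld = domain.partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                          # omitted character
        out.add(label[:i] + ch + label[i:])                         # doubled character
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # swapped pair
        for n in adjacent_keys(ch):
            out.add(label[:i] + n + label[i + 1:])                  # fat-finger substitution
    out.discard(label)
    return {v + "." + tld for v in out}


def registrable_domain(host):
    """Assumption: two-label registrable domains (example.com), so subdomains are dropped."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url):
    """Return 'legitimate', 'lookalike of <domain>' or 'unrelated' for a URL's host."""
    reg = registrable_domain(urlparse(url).hostname or "")
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    for legit in LEGIT_DOMAINS:
        if reg in typo_variants(legit):
            return f"lookalike of {legit}"
    return "unrelated"
```

Running classify_url over the hosts in a mail log or proxy log surfaces lookalikes such as exapmlebank.com; the same variant set is also a starting list for domains worth registering or monitoring defensively.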
8. Using FUD to Manipulate Stock Markets
FUD (Fear, Uncertainty, Doubt) is a psychological manipulation tactic used in marketing and propaganda to sow doubt and fear about a product or organization. Research shows that news about security vulnerabilities can impact stock prices. For example, after Microsoft Patch Tuesday, the company’s stock often fluctuates. In 2008, false rumors about Steve Jobs’ health caused Apple shares to plummet, a classic case of malicious FUD.
Another example is the “pump-and-dump” scheme, where attackers send emails hyping stocks they’ve already bought, causing others to buy in and drive up the price before the attackers sell off their shares.
Conclusion
Cybercriminals are highly inventive in their use of social engineering. As these methods show, psychological tricks are powerful tools for achieving their goals. It’s important to pay attention to any detail that might reveal a scammer and to verify the identity of anyone requesting confidential information, especially in sensitive discussions.