Principles of social engineering and how it works

Ruth C. | June 03, 2020

Social engineering refers to the manipulative strategies that convince people to perform a specific action. Differently than other threats, this attack is not a manifestation of highly-technical skills. Instead, misleading human interactions drive social engineering scams. Cybercriminals can use compelling evidence to pull off psychological manipulation. Hence, attackers thoroughly investigate their victims in hopes of crafting more persuasive messages. You should learn how to recognize criminals’ moves when they attempt to gain your trust and extort sensitive data.

What is social engineering?

Social engineering is a scam that convinces people to take actions or divulge data. Cybercriminals can use deceptive human interactions to trick users into revealing passwords, bank information, or giving access to confidential resources. In some cases, malicious actors might ask victims to make transactions, which can lead to severe financial losses.

Social engineering does not care that you have built a sturdy barricade: from a reliable VPN to an advanced anti-virus program. Your investments in digital security and privacy can crumble to a simple scam, triggering fear and curiosity. We all have received deceptive emails, congratulating us on winning grand prizes. If you play along, perpetrators of such scams will soon require you to cover expenses. Once you make the transaction to crooks’ bank accounts or via more untraceable options, they will disappear.

Thus, social engineering is the main ingredient of phishing strategies like smishing, conversation hijacking, pretexting, etc.

Repetitive data breaches pave the way for more compelling social engineering scams. Billions of credentials end up on the web, and cybercriminals do not shy away from using them. Therefore, social engineering scams can feature your actual name, passwords, and other previously leaked data. As a result, you might be more eager to believe its credibility and act on its requirements. Hence, such manipulative tactics depend on users’ trusting nature. However, you will soon uncover the truth if you double-check all the offers and proceed with caution.

how social engineering works

For instance, let’s say you receive a suspicious email from your bank. It asks you to confirm your credentials or make transactions. Do not implement these requirements straight away. Contact your bank and determine whether the received instructions are legitimate.

Lifecycle of social engineering: recognizing a malicious email

Crooks enhance their social engineering schemes to make people follow their orders. However, random scams with no actual victim personalization continue to circulate as well. Here are the steps that mostly all social engineering scams follow to deceive users. Hackers can also exploit unfortunate situations. For instance, Google registered higher numbers of phishing sites during COVID-19.

Preparation for the social engineering scams

At this stage, crooks ransack the digital space to gather as much information as possible. The efforts and resources utilized by criminals depend on the value of the target. For instance, whaling attacks prey on executives and high-profile individuals that control highly sensitive information. In such cases, crooks are likely to go over a three-step procedure. Firstly, they identify a person that has access to the critical resources of a company. Then, they analyze the business’ official signatures, email letters, and gather details about their victim. Later, they choose the optimal social engineering strategy. Finally, they enter stage two.

Establishing a relationship with victims and gaining their trust

Professional scammers have a way with words. They might seem friendly and helpful, but their actual goal is to mislead victims and make them cooperate. Well-designed social engineering scams tend to work on quality relationships between victims and attackers. Crooks might engage in some chit-chat, or politely hurry victims to perform required actions. The actual implementation of the social engineering attack depends on the goal, target, and available resources. You can expect hackers to be assertive, ready to take control of the situation, and spin their rehearsed stories.

Execution of the attack

Once attackers feel comfortable that a victim is likely to follow their instructions, they start stage three. Now, social engineering scammers will explain the required actions with hopes that the victim will comply. In some cases, crooks might ask you to make transactions, reveal sensitive information, or purchase gift cards in different currencies. Clickjacking tempts users with various offers to get them to click on fake buttons or links.

Whatever it is, you should implement such instructions only after verifying that the request comes from a legitimate source.

The user becomes a victim, and the cybercriminals vanish

After a series of deceptive emails convince users to cooperate, con artists won’t stick around for long. They will disappear and provide no follow-ups of the situation. If a victim was oblivious to the on-going scam before, this is the moment that reality kicks in.

Some services might provide refunds if the scam was far too advanced to recognize beforehand. However, usually, victims do not have the grounds to ask for refunds or compensations for their losses. It is especially true for social engineering scams that require users’ sensitive data. Once cybercriminals extort credentials and other details, they can misuse them to any extent.

How to spot social engineering scams?

It is important to note that con artists can go beyond using emails as the cyberweapons of their attacks. In some cases, social engineering scams can take place via phone or social networking services. Hence, be cautious when services or companies contact you to inquire about your credentials or ask to confirm your identity. Here are some general guidelines to follow when you suspect a person of being deceptive:

  • Check the senders’ details. Be wary of the email address that the letter came from. Usually, you can see whether it matches the company’s contact information. If not, write to the authoritative email address or call provided phone numbers. Explain your situation and emphasize that you think that a social engineering scam impersonates its services.
  • Learn about the prevalent social engineering forms. If you know the steps and maneuvers used by con artists, you will be able to recognize them quickly. Experts usually divide social engineering into phishing, smishing, vishing, pretexting, catfishing, baiting, quid pro quo, and contact spamming. While different in their actual implementation, they all impersonate people or services to get access or extort. If you remain cautious, you can be immune to them all.
  • Search the received email for inconsistencies or grammatical errors. If you receive a letter from a reputable source, it is unlikely that they will leave glaring mistakes in their messages. It might be that it does not originate from the specified source if it is full of errors.
  • Hover over hyperlinks in emails. It might be that a social engineering scam hopes to trick you into downloading intrusive malware. Do not click on random links, and do not download attachments. Triple-check whether the sender is reputable in advance.

How a VPN prevents social engineering scams

Obviously, a VPN service won’t supervise your actions to make sure you do not hand in personal information to crooks. Social engineering relies on human error, and targets need to recognize a scam before it causes havoc. However, a VPN can prevent con artists from gathering information about you. If they cannot complete the first stage of social engineering, their scams won’t be as successful.

Ruth C.

Ruth C.

Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.


social engineering

© 2024 Atlas VPN. All rights reserved.