In cybersecurity, social engineering is the manipulation of a person by a hacker to convince them to hand over personal information. That information can be stored and added to the hacker’s portfolio of data collected on the target, or it can be used on the fly by the bad actor, for example to clear out your savings account.
Psychological manipulation to obtain sensitive data is nothing new; it is a common phenomenon and, shockingly, a high percentage of us fall victim to it regularly.
Brian Brushwood, a host, author and touring entertainer, told us about a very interesting study carried out among people queuing to use a photocopier. Someone joined the back of the line and told everyone that she had only 5 pages to copy and needed to do them quickly because she was in a hurry. Surprisingly, 94% of the people agreed to let her copy next, since it was the humane thing to do. Not only that, she asked nicely and used the word “because”. Her request elicited sympathy and led people to sacrifice a little for her; even someone who was going to copy only 6 pages let her go first (Google search ‘Brian Brushwood social engineering’).
What is the point of the story? If you can tell your story convincingly, most of the time it will go over very well. The same thing happens in social engineering: it is a matter of the words used, the personality of the targeted person and how the conversation is presented. Cyber social engineering, the extraction of confidential information, is done in four main ways: blagging, also known as pretexting; phishing; pharming; and shouldering (or shoulder surfing). Let’s see what each of these terms means and how events unfold with each method.
Blagging
Blagging plays a big role in social engineering. A fake scenario is created so that the victim engages with the hacker or scammer for a certain period. The goal is to extract as much personal information as possible from the victim in order to gain access to their credentials or perhaps their financial accounts.
For example, a scammer calls using a fake identity, claiming to be from the bank you use. They ask for your birthdate, social security number, the PINs associated with your services, your security questions, and even the credentials of the person who can act as handler of your finances in your absence. Most people will not give a second thought to providing this information because they believe they are speaking to someone who represents their bank. During or after the call, the scammer changes the passwords or PINs, which locks the real owner out of the account. The con artist then transfers funds to another account. Once the transfer is done, it is too late to get the funds back (unless your bank decides to be generous).
Phishing & Pharming
Both are used to gather information and then launch an attack.
Phishing
Phishing is pronounced just like the word ‘fishing’, and if you rotate an “f” 180°, it looks like the hook used to catch fish. People who line-fish use the right bait and are patient; scammers use the same strategy when phishing for humans. The purpose of a phishing attack is to reach you via email or SMS text (smishing) and entice you to click on a link. This method is so common that you probably have a few of these emails sitting in your spam folder right now.
Spear Phishing
Spear phishing targets a single user. The situation may be that a hacker wants access to someone’s LinkedIn or Facebook profile. The sham artist sends a specific, instructive email to that particular person, baiting them with appealing links; if the potential victim takes the bait, they could soon find themselves locked out of their social media accounts.
Pharming
Pharming is carried out on a larger scale than phishing. The objective is to redirect all users of a particular website to a fake web address so that they enter confidential information, such as login details, into the fake page. The information the user entered is now in the possession of the hackers.
Pharming is carried out using an advanced hacking technique called Domain Name System (DNS) poisoning, which I definitely will not be delving into in this article.
Basically, DNS is the procedure on the world wide web that translates between the unfriendly Internet Protocol (IP) address and the friendly Uniform Resource Locator (URL), or web address, that we all know and love. When that translation has been tampered with (poisoned), we are directed to the wrong address, one set up by the hacker to mislead us into thinking it is the genuine website.
Phishing/Pharming Stages
- The hacker crafts emails that can evade spam filters.
- They create emails with mass appeal, usually promising something for nothing or a get-rich-quick scheme.
- They then send the same email to a huge number of people; the goal is to reach as many eyes as possible.
- They attack the individuals who click on the email links.
- For pharming, they build a fake website. The dummy site may look like that of a legitimate company, one most people are familiar with, and is designed to capture as much information as possible.
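As an added illustration of the defender’s side of these stages (this is example code, not from the original article), the script below scans a constructed sample email for the cues the list describes: urgency wording, a link whose visible text names one domain while its real destination is another, and a lookalike of a trusted brand domain of the kind a fake pharming site would use. The sample message, the trusted-domain set and the urgency phrases are assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample email body (not real) plus assumed trusted brands and lure wording.
SAMPLE_EMAIL = """<p>Dear customer, suspicious activity was detected. Act now!</p>
<p>Verify your account: <a href="http://examp1e-bank.com.login-verify.net/x">
https://www.example-bank.com/login</a></p>"""
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY = ("act now", "suspicious activity", "verify your account", "urgent")

class _LinkParser(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable domain: last two labels (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host, trusted):
    # Digit-for-letter swaps, or a trusted brand buried in a foreign subdomain.
    norm = host.lower().replace("1", "l").replace("0", "o")
    return any(t in norm and registrable(host) != t for t in trusted)

def analyse(body, trusted=TRUSTED_DOMAINS):
    """Return the phishing indicators found in an HTML email body."""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    findings = [f"urgency cue: '{w}'" for w in URGENCY if w in text]
    parser = _LinkParser()
    parser.feed(body)
    for href, shown in parser.links:
        real = urlparse(href).hostname or ""  # where the link really goes
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and registrable(shown_host) != registrable(real):
            findings.append(f"link text shows {shown_host} but goes to {real}")
        if lookalike(real, trusted):
            findings.append(f"lookalike of a trusted domain: {real}")
    return findings
```

Running `analyse(SAMPLE_EMAIL)` reports three urgency cues, the mismatch between the displayed and real link domain, and the lookalike host; a genuine link to the trusted domain produces no findings.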
Shouldering
Shouldering, or shoulder surfing, is a form of data theft carried out by peeking at a user’s screen or keypad over their shoulder or from a distance. It is an easy way to get hacked or lose important information. Typical shoulder surfing happens when the victim is entering a PIN at an ATM, typing a password on a computer or phone, or giving someone very personal information or company data. A third party can also watch from a distance with binoculars or gather data from CCTV footage.
Someone who obtains your PIN from a distance can also get further information, like your birthdate or address, from another source. Leaked data of this kind is always available for sale on the dark web. We have less privacy nowadays; the credit goes to digitalisation.
It is easy to become a victim unintentionally: it can happen in airports, on public transport such as a bus, through hallway-facing monitors or through screen reflections, so be careful when conducting private business in a public place.
This article provides a comprehensive overview of social engineering in cybersecurity, highlighting the various tactics employed by hackers to manipulate individuals and extract personal information. It emphasizes the importance of being cautious and vigilant in protecting sensitive data. The examples provided, such as blagging, phishing, spear phishing, pharming, and shouldering, serve as reminders of the diverse methods used by cybercriminals. The article effectively raises awareness about the risks associated with social engineering and emphasizes the need for individuals to exercise caution, particularly when sharing personal information in public settings. Stay informed, stay cautious, and prioritize your online security.
Great article on social engineering in cybersecurity! It’s fascinating how hackers can manipulate individuals to provide personal information through psychological tactics. The story shared by Brian Brushwood about people willingly allowing someone to cut in line at a copier machine demonstrates the power of convincingly telling a story and appealing to people’s sympathies.
I have a few questions regarding the methods mentioned in the article. Firstly, how can individuals protect themselves from blagging attempts? It seems scammers can create elaborate scenarios to extract personal information. Additionally, what are some effective ways to identify phishing emails and avoid falling victim to them? With spear phishing becoming more targeted, it’s crucial to stay vigilant.
The discussion around pharming is also intriguing. The concept of redirecting users to fake websites to gather confidential information is concerning. Could you provide more insights on how DNS poisoning works and how individuals can protect themselves from such attacks?
Lastly, shouldering or shoulder surfing is a form of data theft that seems relatively simple yet highly effective. It’s surprising how easily someone can obtain sensitive information by observing a person’s screen or keypad. Do you have any recommendations for minimizing the risk of shoulder surfing in public places?
Overall, social engineering is a critical aspect of cybersecurity that requires both awareness and proactive measures. It’s essential for individuals to stay informed about these tactics and take necessary precautions to safeguard their personal information.
Cheers
M.T.Wolf
The article provides valuable information about social engineering in cybersecurity and highlights the different tactics employed by hackers to manipulate individuals and extract personal information. It emphasizes the importance of being cautious and vigilant in order to protect sensitive data. It showcases how convincingly telling a story and appealing to people’s sympathies can lead to manipulation. This highlights the power of social engineering tactics and the need for individuals to be aware of such techniques.
Hi Liam
Thank you so much for your comment! I’m delighted to hear that you found the article on social engineering valuable and informative.
You’re absolutely right—social engineering tactics can be incredibly powerful because they exploit our natural tendencies to trust and sympathize with others. By telling convincing stories and appealing to emotions, hackers can manipulate individuals into divulging sensitive information or performing actions that compromise security.
The key to defending against these tactics is awareness and vigilance. Recognizing the signs of social engineering attempts, such as unsolicited requests for personal information, offers that seem too good to be true, or urgent messages that play on fear or curiosity, can help us stay one step ahead of potential attackers.
Your point about the need for individuals to be aware of these techniques is crucial. Education and awareness are our best defences. By sharing information and stories about social engineering, we can help others recognize and resist these manipulative tactics.
Thank you again for your thoughtful comment and for emphasizing the importance of caution and vigilance in protecting our sensitive data. Let’s continue to spread awareness and help each other stay secure in this increasingly interconnected world.
Best regards,
Khalil
Hey Sahriar,
Wow, it is really a great topic. Social engineering is such a fascinating yet concerning aspect of cybersecurity. I have read your post, and I totally agree that users need to be made aware of the risks involved with social engineering techniques. Awareness-building and maintaining vigilance are essential for effectively countering these deceptive tactics. But I am interested in knowing what proactive steps you think businesses can take to better safeguard themselves and their staff against social engineering scams. Continue your outstanding work in bringing attention to this critical cybersecurity concern.
Thanks for your query Sara!
1) First and foremost, education is key; staff should learn how to:
# recognise phishing emails
# spot and deal with unsolicited phone calls; a healthy amount of vigilance and scepticism will go a long way to help create a strong barrier against potential threats
2) Not just having cybersecurity policies, but ensuring they are implemented and guidelines adhered to.
3) Regularly updating security software
Are just a few proactive steps a business can take
Hi, thanks for the informative post. The aspects mentioned in the blog post are not necessarily something that I actively consider when going on the web, but I suppose knowledge like this is power in protecting oneself. My wife was just scammed out of a healthy sum of our savings cash through what you describe as phishing, so online security is now a priority on our end. Naturally, though, instances like these are on the rise globally, so yes, vigilance is key and this post is definitely a reality check on all the different ways someone could get scammed in this information age.
Hello Deon,
It is unfortunate that cyber-attacks are on the rise these days. Sorry to hear that you were scammed out of your hard-earned cash. Unfortunately, as you stated, the onus is on us users to protect ourselves.
Introduce your wife to our website, hopefully she will find some useful info here. All the best!
Reading your blog post brought back memories of a time when I fell victim to a phishing scam. It happened a couple of years ago when I received an email seemingly from my bank, informing me of suspicious activity on my account. The email looked authentic, complete with the bank’s logo and formatting. It urged me to click on a link to verify my account details to prevent unauthorized access. Despite having some doubts, the urgency conveyed in the message made me overlook them, and I clicked on the link. It redirected me to a convincing replica of the bank’s website, where I entered my login credentials without a second thought. It was only later that I realized I had been duped when I received notifications of unauthorized transactions. Reflecting on that experience now, I see how easily emotions like fear and urgency can cloud judgment, making us susceptible to social engineering tactics. Your post resonated with me as it reiterated the importance of skepticism and caution in navigating the digital landscape, lessons I learned the hard way.
Hiya Ashley,
I’m really sorry to hear that you’ve been targeted by cyber criminals. It seems that you had the power to overcome this setback, good on you sister and stay strong!
Your article on “Social Engineering in Cybersecurity” provides an incredibly insightful look into the various techniques hackers use to manipulate individuals and gain access to sensitive information. I appreciate how you break down complex concepts into easily digestible sections, giving readers a thorough understanding of terms like blagging, phishing, pharming, and shoulder surfing. Your use of real-life examples, like the copier machine story, makes the topic more relatable and engaging.
The comprehensive explanation of how these methods work, along with practical advice on how to avoid becoming a victim, is extremely valuable. I also like how you emphasize the human element in social engineering—it’s not just about technology, but about psychology and manipulation. The guidance on avoiding public Wi-Fi and being cautious with personal information in public spaces is particularly helpful.
Overall, this article is a must-read for anyone interested in cybersecurity, providing both education and actionable tips to stay safe. It’s clear, well-organized, and effectively raises awareness about the risks and preventive measures we can take in our daily lives. Great job!
Thanks Matthias! Cyber security is a shared responsibility, and your recognition of its significance is crucial for promoting a culture of cyber resilience and awareness.