Overview of Social Engineering

Social engineering is an act that influences a person to take action, and it is an important concept to understand when learning about how hackers will try to access your network.

Hackers can use social engineering in many ways, and social engineering will be a theme throughout this course. Social engineering might be a new term for some users. Those of you that are aware of social engineering might be wondering how effective it really is. According to the Ponemon Institute, 57% of companies experience a social engineering or phishing attack – that is a staggering number!

Social engineering is effective because it allows hackers to avoid your firewall, intrusion detection, intrusion prevention system, antivirus, and whatever other security measures you have, including locks on your doors. Social engineering doesn’t target your network directly; it targets people. It targets your everyday users; your high-level, high-profile users, such as your CEOs and CIOs; and even your IT personnel. So social engineering is a potential issue for everyone.

Now, what is social engineering? Social engineering is defined as any act that influences a person to take an action that may or not be in their best interest (social-engineer.org). In terms of cybersecurity, the hackers are not influencing you in your best interest or in the best interests of your company.

Social engineering essentially works by what is called amygdala hijacking, a term coined by Daniel Goleman. The amygdala is part of your brain that controls emotion and influences rational thought. Rational thought prevents us from doing irrational things. In amygdala hijacking, emotions override that rational process in our brain and force us to take action. We see this in phishing emails, fake virus pop-ups, and other examples that evoke an emotional reaction in us.

There are many types of social engineering hooks (SE hooks). Common hooks play on fear and insist that you must act now. An example would be a spoofed email from your boss or HR, and it would typically insist that you must take care of something immediately – such as an email from ‘your boss’ telling you to send this amount of money to this company right away because there is not a lot of time. When someone gets an email from their boss, they tend to react immediately. And the urgency of the email (that appears legitimate) may make you act without pausing to think rationally – you simply comply. These types of hooks also use authority as part of their social engineering approach, which is common. They can also pose as someone in a higher position or a law enforcement officer.

Another common SE hook is greed, which typically includes an offer of money or an amazing deal, but only if you act now. These types of hooks try to appeal to your desire to get something for nothing, or at least very little. Ultimately when you think about it, however, it’s either too good to be true or there is going to be some sort of inherent cost that we don’t necessarily see. This is why the message insists on rapid action – they do not want you to take the time to think about it. The hacker may enhance this sense of urgency by implying scarcity, often by adding a time limit to the deal, such as ‘next 24 hours only’.

Social engineering therefore works by targeting a person directly, evoking an emotional response in them, and then urging them to act quickly to prevent them from doing necessary checks or thinking about the instruction for long enough to realize they should not do it. While this may sound like a simple tactic, it is also surprisingly effective.