Social engineering

Learn about the different types of social engineering used in the modern world, the types of data they are after and how you can protect yourself.
2.3
Have you ever received an email from your bank or social media asking you to share sensitive information? This is an example of a social engineering cyber attack. It’s designed to steal data like passwords and bank details by deceiving the victim into sharing personal information. In this step, you’ll learn about three types of social engineering attack, phishing scams, pharming, and name generators.
29.5
A phishing attack is disguised to look like it comes from a reputable source. The email tricks the victim into giving up valuable data, either asking for it directly or linking to a website where you can input the information. Sophisticated attacks targeting an individual or group are called spear phishing attacks. How can you identify a possible phishing email? Key things to look out for are unexpected emails with requests for information, unknown email addresses. Look out for spelling errors, lots of random letters and numbers, or domain names that you don’t recognise. For example, this email appears to be from gov.uk. But upon closer inspection, it’s actually from beyond beautiful smilez, who appear to be based in Canada.
79.4
Text that appears to be hyperlinked but does not contain a link. Or hyperlinks to an address that contains spelling errors, random characters, or unknown domain names. Hovering your mouse over this link shows us that the link takes us to Caroline Country Homes, not gov.uk.
100.2
Generic emails that don’t address you by name or emails that are missing information that you would expect the sender to know.
111
The second social engineering attack we are going to look at is pharming. A pharming attack is one in which malware redirects you to a malicious version of a website. The malware may have infected your computer or a DNS server where your antivirus software won’t detect it. Since you typed in the web address yourself, it can be harder to identify a pharming attack, but there are still clues to look out for. Spelling errors or incorrect logos, broken or missing links, a notification from your browser warning you the web page is insecure. Be sure to confirm a website is secure by looking out for the lock symbol in your web browser’s address bar.
159.7
Name generator attacks use an app or social media asking you to combine pieces of information or complete a short quiz to produce a name. For example, your rock star name can be generated if you give an app your name, the year you were born, where you live, and the answers to some personality questions. This attack is trying to find out key pieces of information that help attackers answer the security questions that protect your accounts. To avoid a name generator attack, do not give out any information used to create your passwords or to answer your security questions. And don’t share that information publicly on social media.
199
In the next step, you’ll be exploring two types of interactive social engineering, blagging and shouldering.

Automated social engineering

In the previous step, you saw the value of your data. Now, you will learn about social engineering attacks, in which attackers try to steal your data. In this step, you will be introduced to phishing, pharming, and name generator attacks.

What is social engineering?

Social engineering is the name given to the type of attack that deceives victims into sharing valuable personal data.

There are many different types of social engineering attack. In this step, you will learn about three kinds:

  • Phishing attacks
  • Pharming attacks
  • Name generator attacks

Phishing attacks

A phishing attack is an attack in which the victim receives an email disguised to look like it has come from a reputable source, in order to trick them into giving up valuable data.

The email will either ask for the information directly, or provide a link to another website where the information can be inputted. This attack may also come via phone call or text message.

Phishing email asking recipient to follow link and re-enter payment details

Phishing emails can be recognised in a number of ways. Key indicators to look out for include:

  • Any unexpected email with a request for information
  • Sender email addresses that contain spelling errors, lots of random numbers and letters, and/or domain names that you don’t recognise
  • Suspicious hyperlinks:
    • Text that appears to be hyperlinked but does not contain a link
    • Text that is hyperlinked to a web address that contains spelling errors and/or lots of random numbers and letters
    • Text that is hyperlinked to a domain name that you don’t recognise and/or isn’t connected to the email sender
  • Generic emails that don’t address you by name or contain any personal information that you would expect the sender to know

Some phishing attacks are more sophisticated and target specific individuals or groups of people, for example, by pretending to be from a company that the person has an account with. This is called spear phishing.

To avoid phishing attacks, you should not fill out forms or click on links in emails that you are not expecting.
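
The indicators listed above can also be checked automatically, for example by a mail filter. The following is an added example, not part of the original course material: the sample message, the `.example` domains, and the `trusted_domains` and `recipient_name` parameters are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: sender address and link target both differ from the bank's domain.
SAMPLE = """\
From: "Example Bank" <billing@xk49-secure7731.example>

<p>Dear customer, please <a href="http://examp1e-bank.example/login">https://bank.example/login</a>
to re-enter your payment details. <a>Click here</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._text = None

def host(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw, trusted_domains, recipient_name):
    """Return which of the indicators listed above the message shows."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    found = [] if sender_domain in trusted_domains else ["unrecognised sender domain"]
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if not href:
            found.append("link text with no link")
        elif host(href) not in trusted_domains:
            found.append("link to unrecognised domain")
        if href and "." in text and " " not in text and host(text) != host(href):
            found.append("link text shows a different address")
    if recipient_name.lower() not in body.lower():
        found.append("generic greeting")
    return found
```

Calling `phishing_indicators(SAMPLE, {"bank.example"}, "Alex")` reports every indicator in the sample, while a message sent from and linking to `bank.example` that greets the recipient by name reports none.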

Pharming attacks

A pharming attack is an attack in which malware redirects the victim to a malicious version of a website. The malware could infect the victim’s computer or the DNS server (the database that allows your browser to find the website you’re visiting — find out more about these in our networking course). Then, when the victim enters a web address into their browser, they visit a website controlled by the attacker, rather than the legitimate website. The attacker can then collect any data that the victim inputs into the website. Links in phishing emails may also redirect victims to pharming websites.

A pharming website with an incorrectly spelt URL

As with phishing attacks, pharming attacks can be identified from aspects of the website that seem out of place or incorrect. For example, any of the following could indicate a pharming attack:

  • Spelling errors or incorrect logos
  • Broken or missing links
  • A notification from your browser warning you that the webpage is insecure
  • The lock symbol that your browser uses to confirm that a webpage is secure is missing

A comparison of an insecure vs a secure website, showing a white cross in a red circle for the insecure website, and a green padlock for the secure website

If you suspect that a website is malicious, you should close your browser and run up-to-date antivirus software on your computer, then reload the page to see if it has changed.

Name generator attacks

A name generator attack is an attack in which the victim is asked in an app or social media post to combine a few pieces of information or complete a short quiz to produce a name.

An example of a name generator attack, which asks for your name, birth year, location, mother's maiden name and your first pet

Attackers do this to find out key pieces of information that can help them to answer the security questions that protect people’s accounts.

To protect yourself from name generator attacks, you should avoid providing apps with the following pieces of information or posting this information publicly on social media sites:

  • Your mother’s maiden name
  • Names of current or previous pets
  • Previous or current addresses
  • Your age or birthdate
  • Your lucky number
  • Any of your favourite things (such as your favourite place or author)
  • Any information that you know you have used to create a password or set up a security question

Next step

In the next step, you will learn about two types of social engineering attack that require the attacker to interact with the victim more personally.

Questions

  • What are social engineering attacks used for?
  • Why do you think social engineering attacks are effective?
  • Of the three types of social engineering attack discussed, which do you think is the most likely to be successful?

Share your answers in the comments

This article is from the free online

Introduction to Cybersecurity for Teachers

Created by
FutureLearn - Learning For Life
