Social Engineering in Cybersecurity: How Hackers Appeal to Your Human Side

This post is part of ACI Learning's month-long observance of Cybersecurity Awareness Month.

When you think of cybersecurity attacks, you probably envision someone hunched over a desk in the dark, lines of code flying by the screen as they furiously type away at a keyboard. However, the CS Hub Mid-Year Market Report states that 75 percent of industry security experts say social engineering attacks are the most dangerous threat they face, not the complicated attacks you might expect.  

When it comes to security, social engineering refers to the emotional or psychological manipulation of individuals, getting them to perform desired tasks or give away valuable information. Why would a criminal fuss with learning complex techniques when they can convince you to give up your password through an email? 

Virtually every aspect of cybersecurity has a human element, so staying aware of the savviest social engineering tricks is imperative to keeping things secure. Sometimes the beauty of these attacks is in their simplicity. The attack surface has only grown with BYOD (bring your own device) policies and remote work, which put more devices, and more of the conversations attackers exploit, outside the office perimeter.

How Vulnerable Are We? 

ITProTV Edutainer Adam Gordon says the conversation around information security and risk management in IT needs to switch gears. Most organizations are working in a reactive way, simply handing fires over to IT departments for extinguishing.  

Over the course of 2020, Google removed listings for more than 2 million phishing sites. In the same period, it removed only 27,000 sites for malware-related issues. About 84 percent of phishing sites are served over HTTPS with a valid TLS certificate, so they display the padlock and the "https://" prefix in the browser. The "s" was widely taught as a sign that a site is safe, but it only means the connection is encrypted: certificates are free and are issued to anyone who controls a domain, so they say nothing about who is on the other end.

According to a survey by GetApp, only 27 percent of companies train their employees to recognize social engineering. The majority are leaving their employees exposed and at risk. Moving forward, businesses should focus on prevention, and prevention begins with education.

Phishing, Vishing, and More 

Phishing is a form of cybercrime that uses email communication to trick you into divulging important and personally identifiable information. Vishing is the same criminal activity, but it uses voice communication to achieve its ends. Scammers can use spoofing techniques to alter caller ID to make fishy phone calls look more legitimate and in the heat of the moment, it is easy to give in to social pressure.  

Here are common tricks to look out for:  

Smishing: SMS phishing messages including suspicious links  

You receive a text message that says, "Hey, is this really you in this photo??" along with a fishy-looking link. Your first instinct may be to find out what photo they are talking about, but the link is almost certainly taking you to a harmful site, typically a credential-harvesting page or a malware download. Sender numbers can be spoofed as easily as caller ID, so a familiar number is not proof of anything. Only open links from sources you trust absolutely, and when in doubt, don't tap the link at all; contact the person through a channel you already know is theirs.

Appealing for help  

Be wary of strangers asking for help, especially if you have been identified as an employee of your company. When working in tech, people may approach you for computer help in real life. ITPro Edutainer Adam Gordon has experienced this himself. While in his logo-wear after work, a stranger asked him to pull up something on Adam’s own computer to help with a tech issue. While it may have been innocent, Adam decided to decline and provide different resources for help, rather than put his device at potential risk.  

Impersonating an authority figure  

Be on alert when receiving any inbound phone call from an authority figure such as a bank or government agency. Caller ID can be altered easily, so anyone can impersonate a legitimate entity. Avoid giving out information on a call you did not initiate. If information is requested of you, hang up and call back on a number you obtained independently (the back of your card, the organization's official website), never one the caller gives you, so that you know who you are speaking with.

Pressuring with deadlines  

Messages trying to get at your information often put a short deadline on the request, whether they arrive by phone, email, or text. The sender claims you have 24 hours to change your password or your account will be permanently locked, betting that time pressure will make you act rashly and hand over your current password. Keep your cool: no legitimate organization needs you to type your existing password into a link it sent you, so verify the source through a channel you already trust before responding to any message about sensitive information.
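The two tells described above, a suspicious link in a short message and a deadline attached to it, are mechanical enough to check for in code. The following Python script is an added example for this post, not ACI Learning's own tooling: it extracts links from a message body, flags the URL tricks most often seen in smishing and phishing (a brand name used only as a subdomain, one-character lookalike domains, raw IP addresses, URL shorteners, punycode labels, credentials hidden before an "@"), and notes when urgency language accompanies a link. The trusted-domain set, the shortener list, the urgency phrases and the three sample messages are all constructed for the example; the registrable-domain helper is a deliberate simplification that a real deployment would replace with the Public Suffix List.

```python
"""Triage suspicious links and deadline pressure in short messages.

Added example, not ACI Learning's code. Trusted domains, shorteners,
urgency phrases and sample messages below are all constructed.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "example-bank.com"}        # constructed
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}      # sample list
URGENCY_PHRASES = ["within 24 hours", "immediately", "permanently locked",
                   "account will be suspended", "act now", "urgent"]

URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Fine for example.com-style names;
    production code should use the Public Suffix List (co.uk etc. break this)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def link_findings(url: str) -> list[str]:
    """Return the reasons a URL looks suspicious; empty list means none found."""
    findings: list[str] = []
    had_scheme = url.lower().startswith(("http://", "https://"))
    parsed = urlparse(url if had_scheme else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    if "@" in parsed.netloc:
        findings.append("userinfo before @ hides the real host")
    if "xn--" in host:
        findings.append("punycode label (possible homograph domain)")
    if had_scheme and parsed.scheme == "http":
        findings.append("plain http (no TLS)")   # https alone proves nothing either
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP address instead of a domain name")
        return findings                          # no domain to compare against
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings                          # the host really is ours
    if reg in SHORTENERS:
        findings.append("URL shortener hides the destination")
        return findings
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host:                      # brand used only as a subdomain
            findings.append(f"{trusted} appears in the hostname but the real domain is {reg}")
            break
        if edit_distance(reg.split(".")[0], trusted.split(".")[0]) <= 1:
            findings.append(f"{reg} is one character away from {trusted}")
            break
    else:
        findings.append(f"unknown domain {reg}")
    return findings


def triage_message(text: str) -> dict:
    """Combine per-link findings with urgency cues for one SMS or email body."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    per_link = {u: link_findings(u) for u in urls}
    urgency = [p for p in URGENCY_PHRASES if p in text.lower()]
    reasons = [f"{u}: {f}" for u, fs in per_link.items() for f in fs]
    if urgency and urls:
        reasons.append("deadline pressure (" + ", ".join(urgency) + ") combined with a link")
    return {"urls": per_link, "urgency": urgency, "reasons": reasons,
            "suspicious": bool(reasons)}


# Constructed sample messages; none of the links or paths are real.
SAMPLE_MESSAGES = {
    "smish": "Hey, is this really you in this photo?? http://bit.ly/xxxxxxx",
    "deadline": ("Your example-bank.com password expires. Change it within 24 hours "
                 "or your account will be permanently locked: "
                 "https://example-bank.com.login-verify.net/reset"),
    "legit": "Your statement is ready at https://www.example-bank.com/statements",
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        result = triage_message(msg)
        print(f"[{name}] suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

Run as a script it prints a verdict per sample: the photo text is flagged for the shortener and plain-http link, the password message for the brand-as-subdomain domain plus the urgency phrases, and the statement notice passes because its link resolves to a trusted registrable domain. The urgency check is deliberately only combined with the presence of a link; urgency language on its own is common in legitimate mail, while urgency plus a link you did not ask for is the pattern the paragraph above warns about.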

Other Resources for Staying Cybersecure 

Taking advantage of every resource available is essential for every organization, especially now. 83 percent of organizations in the United States were victims of phishing attacks in 2021—a 46 percent increase over the previous year.  

There are many resources you can use to educate yourself and your organization against phishing attacks. Check out the Cybersecurity and Infrastructure Security Agency’s (CISA) page on social engineering to learn more about avoiding attacks. CISA also releases activity reports to keep you up to date on the latest cybercrime news, as well as analysis reports with developing cyberthreats.  

As always, if you are ready to deep dive into the world of cybersecurity, ITPro.TV from ACI Learning has hundreds of hours of cybersecurity training courses available to get you prepared for your next certification. Click here to learn more! 
