When I first heard of social engineering, about 6 years ago, I couldn’t define it clearly and concisely if you had offered me millions of dollars. So today I thought, ‘Why not take it back to the basics?’ Let’s re-visit what social engineering really means, how people use it, and how you can start protecting yourself from it. Maybe you’re new to the term, or perhaps you have been familiar with it for longer than I have. Either way, let’s refresh and learn together!

Social Engineering: Back to the Basics

Social Engineering: Defined

At Social-Engineer, LLC (SECOM) we define social engineering as “any act that influences a person to take an action that may or may not be in their best interest.” Searching the phrase on the internet will certainly supply a different result, one that focuses more on the negative side of social engineering and manipulation. However, we believe that, like many things, people can use social engineering for either good or bad purposes. For this reason, we define it in these broader, more open terms.

Social Engineering: How it’s Used

As mentioned, people can use social engineering ethically or maliciously. Unfortunately, in the world we live in, many choose to use it maliciously. These bad actors use its techniques to build rapport with people and then scam them out of information, money, or other valuables.

One example of this is the text scam you likely get saying that your package delivery has failed due to an incorrect address. These text scams are called “SMiSh,” and they almost always contain a link for you to click on to supply that “missing” information. The message also likely contains some urgency, a social engineering technique commonly used, saying that if you don’t reply by a certain time your package will be returned to the sender.

Of course, the above is just one basic example of a social engineering scam. There are many different levels of social engineering scams, ranging from the simple, easy-to-catch one above to more complex and professional scams. For example, many security breaches we saw in 2024 leveraged stolen employee credentials. Often, attackers leverage social engineering attacks such as phishing and vishing to obtain these creds. They then utilize the credentials to move across the company infrastructure and deploy the next stage of their attack.

Social Engineering: Why the Scams Work

There are various reasons why these scams work. Maybe you’re caught in a moment where you’re emotionally overloaded, and you take an action that you didn’t think much about or supply some information you normally wouldn’t. What social engineering scams have in common is that they rely on triggering emotions. Emotions such as curiosity, sympathy, or even fear or greed can be strong motivators. Scams that trigger such emotions are more likely to get a reaction and influence an action.

Social Engineering: How to Protect Yourself

With social engineering being so prevalent, how can we protect ourselves? First, be sure to check in with yourself emotionally. Whether on a call or reading an email or a text, think, “how does this message make me feel?” and “is there a sense of urgency in this message?” Most times, taking a moment to check in or put someone on hold can save you from taking an action that could put your information at risk.

Even if a message doesn’t make you feel odd, you always want to verify it. Think back to the SMiSh we talked about earlier. Instead of clicking on a link from the unknown number, be sure to go to your merchant or store account directly to check on the status of your orders. If there is anything that needs attention, it will be there.

If someone calls you, let’s say your bank, you can always hang up and call back if you don’t recognize the number. Be sure to look up your bank’s number on their trusted website, and call it directly, rather than calling back the number that called you. If the call is legitimate, they should not be mad at you for being cautious. If you receive an email you’re unsure of, follow a similar process. Verify the sender or the content of the email through an outside and trusted source.

Social Engineering: Stay Vigilant

Many people today choose to use social engineering maliciously. Because of this, we always need to stay vigilant. Be sure to check in with how texts, emails, and calls make you feel, as these are vectors that attackers may use. If something feels off, take a moment to collect your thoughts and really consider what is being asked of you. Even if everything seems normal, always verify who the message is coming from and what they want you to do. These two simple steps can help keep you protected from social engineering scams.

Written by
Shelby Dacko
Human Risk Analyst, Social-Engineer, LLC