Social engineering is a comparatively low-tech method of cyber attack in which a hacker or scammer uses deception to manipulate a target into handing over information, access or actions that can then be used in a data-related crime.
Phishing is itself a form of social engineering, but the attacks the term usually describes rely on direct personal interaction, such as a phone call or an in-person pretext, rather than technical props like spoofed login pages.
One of the most publicized examples of social engineering was the July 2020 hack of Twitter, in which more than 130 accounts were compromised, including those of Elon Musk, Michael Bloomberg, Jeff Bezos and Joe Biden. It was a cryptocurrency scam that netted about $118,000 from its victims. The attackers obtained access to Twitter's internal administrative tools by phoning employees and posing as company staff; once inside, they quickly changed the email addresses associated with the hijacked accounts and disabled two-factor authentication.
While the alleged hackers behind the attack were arrested and Twitter adjusted the policies that allowed them to take control of these accounts in the first place, it was a stark reminder that our cybersecurity controls are only as strong as our most vulnerable employees.
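The sequence described above (a support operator changes an account's recovery email and then disables two-factor authentication, repeated across many accounts in a short window) is the kind of thing an admin-tool audit log can surface even when the credentials used were legitimate. The following is an added example, not code from Twitter or from the original article; the log format, the operator names and the action vocabulary (email_change, mfa_disable, password_reset) are all constructed assumptions for illustration.

```python
"""Detect the takeover pattern from the incident above in a privileged-tool audit log.

Constructed log format (an assumption, not a real tool's schema):
    <ISO-8601 UTC timestamp> <operator> <action> <target account>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log. agent-17 runs the email-change -> MFA-disable sequence
# on three accounts within minutes; agent-04 does both actions but hours apart;
# agent-09 disables MFA without an email change. Lines are deliberately unordered.
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:00:05Z agent-17 email_change @alpha
2020-07-15T20:00:41Z agent-17 mfa_disable @alpha
2020-07-15T20:03:12Z agent-17 email_change @bravo
2020-07-15T20:03:50Z agent-17 mfa_disable @bravo
2020-07-15T20:05:02Z agent-17 email_change @charlie
2020-07-15T20:05:39Z agent-17 mfa_disable @charlie
2020-07-15T20:06:10Z agent-17 password_reset @charlie
2020-07-15T21:10:00Z agent-04 email_change @delta
2020-07-15T23:30:00Z agent-04 mfa_disable @delta
2020-07-15T22:15:00Z agent-09 mfa_disable @echo
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    operator: str
    action: str
    target: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the constructed log format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, operator, action, target = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(ts, operator, action, target))
    return sorted(events, key=lambda e: e.ts)


def find_takeover_sequences(events: list[AuditEvent],
                            window: timedelta = timedelta(minutes=15)) -> list[tuple[str, str]]:
    """Return (operator, target) pairs where the same operator changed the
    recovery email and then disabled MFA on the same account within `window`.
    Each action is benign on its own; the ordered pair is the takeover signal."""
    hits = []
    last_email_change: dict[tuple[str, str], datetime] = {}
    for e in events:
        key = (e.operator, e.target)
        if e.action == "email_change":
            last_email_change[key] = e.ts
        elif e.action == "mfa_disable":
            t0 = last_email_change.get(key)
            if t0 is not None and e.ts - t0 <= window:
                hits.append(key)
    return hits


def operators_over_threshold(hits: list[tuple[str, str]], max_accounts: int = 2) -> dict[str, int]:
    """Operators who completed the sequence on more accounts than a single
    legitimate support shift plausibly would (threshold is an assumption)."""
    counts: dict[str, int] = defaultdict(int)
    for operator, _ in hits:
        counts[operator] += 1
    return {op: n for op, n in counts.items() if n > max_accounts}


if __name__ == "__main__":
    seqs = find_takeover_sequences(parse_audit_log(SAMPLE_AUDIT_LOG))
    for operator, target in seqs:
        print(f"takeover sequence: {operator} on {target}")
    for operator, n in operators_over_threshold(seqs).items():
        print(f"ALERT: {operator} ran the sequence on {n} accounts")
```

The point of the pairing is that neither action is suspicious in isolation; a support agent changes recovery emails and resets MFA all day. The ordered combination on one account, repeated by one operator across many accounts in minutes, is what distinguishes a compromised credential from normal work, and it is visible regardless of how the credential was obtained.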
“All of the firewalls and encryption in the world can’t stop a gifted social engineer from rifling through a corporate database. If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people,” says reformed hacker Kevin Mitnick, who popularized the term social engineering.
“Whether you call it social engineering, wetware or the human element, we are often the cause... The bottom line here is that if someone asks for your information, make sure you know who’s doing the asking. If you receive a phone call from a company with which you do business, hang up and call them back. Ditto with a cold call from a company or government entity you either think you know or don’t know,” says CyberScout founder and chairman Adam Levin.
One of the elements that makes social engineering most difficult to protect against is that it’s rooted in organizational culture, rather than policy, according to Levin.
“[P]rinciples--creating a culture of cyber awareness--is generally effective, which is why I favor cyber training that is aimed at minimizing, monitoring, and managing cyber risk,” says Levin.