Social Engineering: Cybercriminals In Your Socials
Someone jokingly said that social engineering is how cybercriminals socialize. But on a serious note, it is one of the most powerful methods used by cybercriminals in their efforts to steal your identity.
Cybercriminals do not rely only on computer systems and hacking tools; they also rely on interacting socially with you and others. This is called social engineering, and it fills in the missing pieces needed to break into computer systems.
Social engineering is like a cybercriminal's playbook for scenarios where they need important data to compromise systems: for example, who is able to do wire transfers, which account(s) have the highest system privileges, and so on. Information like this can only be obtained through social interaction: manipulating people to gain their trust and exploiting their helpfulness so that they will give the cybercriminal what they need.
How Social Engineering Works: It's All About the Manipulation
Social engineers are in a sense like spies, working both online and offline. They often pretend to be someone that they're not in order to gain trust. For example, they may pretend to be tech support staff to gain the trust of staff members, or pretend to be a celebrity to gain the trust of their fans. A red flag is the sense of urgency or fear that they always use to pressure you into acting quickly without thinking, or an appeal to your kindness and willingness to help.
Their aim is to get you to do the following:
- Reveal sensitive information or the missing piece: This could be your password, credit card information, customer details such as their contacts, information about your co-workers, or any other information related to your job that would be critical to them getting what they need. For example, the recent increase in the use of AI-based scams to trick people into revealing sensitive information, as reported by TrendMicro.
- Install malware: Sometimes they need time to monitor a system, for example to steal credentials or credit card details with a keylogger, or to gain access to specific files. Malware gives them ways to get the needed data, so the cybercriminal could pretend to be a technician or service provider who needs to install a required utility. For example, the Copy-and-Paste malware scam that targeted Google Chrome users in 2024, as reported by New York Post.
- Give access to your computer: Following on from the installed malware, this could also give the cybercriminal remote access, or allow them to use systems on your computer to elevate their access so that they can disrupt or control an entire computer network. For example, when MGM Resorts' computer systems were disrupted in 2023, as reported by Cybernews.
Social Engineering Methodologies: Be Aware!
Social engineers employ different methods and techniques. Here are some common ones:
- Phishing: This is like casting a fishing net for fish, but in this case it's phishing for your data. You may receive an email or SMS message that resembles one from a legitimate company or organization that you are associated with. Links are used either to take you to a fake website or to download malware or an infected document.
- Pretexting: This is where the cybercriminal creates a false story, impersonating someone or an organization you interact with, for example your bank, IT support, or the accounts department. While you believe you are communicating with someone you know, you inadvertently give away important information that can result in identity theft.
- Baiting: This is where the cybercriminal takes advantage of our curiosity by leaving something around, like a USB drive that has malware installed, or by offering an online form, a free online game, free emoticons, or even free ringtones. Basically, these are things that in and of themselves are not usually bad, but the bait is made to resemble them. Once you fall for it, you inadvertently infect your computer system with malware.
- Tailgating: This is when the cybercriminal follows closely behind you to gain access to a restricted area. This is usually done to gain access to locations that are restricted. For example, the cybercriminal impersonates a technician from your ISP who is doing an emergency upgrade, when in fact they want to gain access to the server or network room.
(Reference: Imperva)
Protecting Yourself: Things Are Not Always What They Seem to Be
Awareness is the best defense against social engineering. The following steps can protect you:
- Think before clicking: Break the habit of being quick to click links or open email attachments. Take some time to be sure the email or SMS message can be trusted.
- Verify requests: Requests for sensitive information or for important tasks such as a wire transfer should be verified with another individual or follow some procedure to reduce the possibility of an error. This can be done by making a phone call to verify an email request.
- Verify urgent requests: We established that all requests must be verified; however, special emphasis is placed on urgent requests because we may skip the verification due to the urgency. Remember that this could be the cybercriminal's plan to keep you from doing the verification that would expose them.
- When in Doubt, Say No: If you are not able to verify requests, just say no. It’s better to be safe than sorry.
- Keep Software updated: Cybercriminals are aware of vulnerabilities in software and usually exploit these in their social engineering campaigns.
- Use strong passwords: If you have multiple accounts, ensure that the passwords are not the same.
- Enable two-factor authentication (2FA): In the event that your password may be compromised, adding another layer of authentication in the form of 2FA helps to delay a possible attack and also makes you aware of a compromised password.
- Education is Key: Cyber-related threats keep evolving, especially when new forms of technology are being used. Keep yourself up to date with current information and the methods that are being used by cybercriminals.
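A mail-triage sketch of the "think before clicking" and "verify urgent requests" steps above, added here as an example and not part of the original article: it flags urgency wording, links whose visible text names a different site than the href, and hosts outside a trusted list. The function names, the urgency phrase list, the trusted-domain list and the sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed wording for the urgency/fear red flag; extend it for your own mail.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|final notice|within \d+ (hours?|minutes?))\b", re.I)
DOMAIN_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain; '' when there is none."""
    value = value.strip()
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def red_flags(html_body, trusted_domains):
    """Return the reasons this message needs out-of-band verification."""
    collector = LinkCollector()
    collector.feed(html_body)
    flags = ["urgency"] if URGENCY.search(re.sub(r"<[^>]+>", " ", html_body)) else []
    for href, shown in collector.links:
        target = host_of(href)
        if DOMAIN_TEXT.fullmatch(shown) and host_of(shown) != target:
            flags.append("link-mismatch:" + target)  # text names one site, href another
        if target and not any(target == d or target.endswith("." + d) for d in trusted_domains):
            flags.append("untrusted-host:" + target)
    return flags

# Constructed samples (reserved .test/.example names), not real messages.
PHISH = ('<p>Urgent: your account will be suspended within 24 hours.</p>'
         '<a href="http://example-bank.test.login-verify.example/reset">www.example-bank.test</a>')
BENIGN = '<p>Your statement is ready.</p><a href="https://www.example-bank.test/s">View statement</a>'
```

Calling `red_flags(PHISH, ["example-bank.test"])` returns all three flag types, while `BENIGN` returns an empty list. Any returned flag means the request should be verified through a separate channel, such as a phone call, before acting on it.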
Conclusion
Social engineering attacks by cybercriminals exploit weaknesses not only in computer systems but also in physical spaces, such as offices and homes, and in personal behaviors. Cybercriminals understand that even the most advanced security systems are only as strong as their weakest link, which is human behavior. When exploited, it can expose sensitive information and provide elevated access.
It is important to stay informed about the latest developments in cybersecurity. One way to do this is by joining our FREE MasadaOffensive Guide subscription. If you want to go deeper and learn how to implement simple solutions, like our howTo: Deploy DMARC on a $0 Budget guide and other guides that we will be adding soon, or to engage in discussions, consider subscribing to our paid MasadaOffensive Mastery monthly or annual plan. These are designed for individuals, small businesses, and schools seeking security strategies to stay ahead of cyber threats.