What is Social Engineering?
My definition of social engineering:
“Using a fraudulent identity to trick someone into performing an action you benefit from”
For example, a criminal might pretend to be your CEO and ask you to process a fraudulent payment for them; their objective in this example is financial gain.
Note: In the media and popular culture, social engineering is almost always malicious, so I only refer to SE (social engineering) in the context of it being used by criminals for criminal ends.
The 4 types of social engineering
There are 4 types of social engineering:
Email / Phishing
Phone Calls / Vishing
SMS/TXT Messages / Smishing
In-Person / Physical
I personally focus on email-based social engineering, so when I mention social engineering it's usually in that context.
Is Phishing the same as social engineering?
No, but it can be confusing.
Let me explain the differences.
I define ‘Phishing’ as:
“The act of sending emails under a fraudulent identity”
So an email sent this way is referred to as a phishing email.
There are different types of phishing, and they are named after the intent of the emails.
For example, spear phishing is very targeted, and is usually sent to just one person within an organisation.
There’s also credential phishing, which tries to steal usernames and passwords. These emails contain a link to a fake website, and when you log in there, that’s when the site records your details.
So ‘phishing’ is the act of sending the emails, but they can’t be blank!
So next, they need some content.
This is where ‘social engineering’ comes in.
The decisions a scammer makes at this point bring the phishing email to life. Their goal is to ‘engineer’ the recipients into doing something they can profit from.
First, a goal needs defining. What is it the scammers want?
Do they want to trick victims into paying a fake invoice? Or maybe to install a virus contained within an attachment? Or perhaps something else entirely.
Goal decided, they must establish who the most suitable target would be.
If a scammer wants to trick someone into paying a fake invoice, they need to target employees who process payments. Otherwise it won't have even a slim chance of being successful.
If distributing a virus is their goal, the attack can be less targeted, allowing them to send it to a larger group of people.
Goal and target defined, their focus turns to who they are going to pretend to be — who will the phishing email say it’s sent by?
“You can ask someone to do anything over email, but they aren’t going to do it unless they have a relationship with the sender”
Scammers have to put themselves in the target’s shoes, and figure out who can ask them to carry out the action that helps them achieve their goal.
It can be a person they choose, such as the target's CEO, but it can also be a service, like Microsoft.
If we take the example of the fake invoice, it’s the CEO of the organisation making the payment that a scammer will pretend to be.
If it’s your login details they want to steal, then they will pretend to be a service, like Microsoft, Dropbox, or eBay. The options they have available are almost endless where services are concerned.
But….
Scammers generally love popular services. If it’s not used by lots of people, it’s less likely the targets will have an existing relationship with them.
And no relationship means no trust to leverage, so when the email lands in their inbox, the scam will fail — it just won’t be plausible to them.
Social engineering has no limits; scammers can be as creative and as cruel as they want. But often the perfect templates for an attack are already sitting in our inboxes.
They’re the emails we see every day, the ones we don’t think twice about clicking on. That is why scammers fake emails that are commonly seen in an inbox, such as a password reset: they’re betting it’s something most people are used to seeing, and acting on.
Scammers are also very good at making us panic, or even making us excited or relieved. They know we all need a bit of a prod to do something right there and then, so they try to provoke a reaction to what they send us.
This covers the basics of how phishing and social engineering sit together in the cyber world.
You can read more on my blog, or alternatively learn about my social engineering story here.