Social engineering is the art of manipulating human psychology to gain unauthorized access to buildings, systems, or data. Instead of relying on technical hacks, social engineers exploit universal human qualities like curiosity, trust, and politeness. For instance, they might pose as IT support personnel over the phone to trick employees into revealing their passwords.

Let’s explore ten common social engineering tactics that adversaries use to manipulate human behavior and compromise digital security:

  1. Phishing: Cybercriminals send deceptive emails, texts, or messages to trick users into clicking malicious links, downloading infected files, or revealing sensitive information like passwords or account numbers. These scams can masquerade as legitimate organizations or services.
  2. Whaling: Similar to phishing, but highly personalized. Whaling targets high-level executives with tailored messages, often based on extensive research of their behavior and social media activity.
  3. Baiting: Adversaries offer enticing incentives (such as free software, discounts, or exclusive content) to lure victims into downloading malware or revealing sensitive data.
  4. Diversion Theft: Social engineers distract victims (e.g., by creating a disturbance or asking for help) to gain physical access to restricted areas or systems.
  5. Business Email Compromise (BEC): Impersonating a trusted colleague or executive, attackers request fraudulent wire transfers, sensitive data, or confidential information. 
  6. Smishing: A form of phishing via SMS or text messages where users are tricked into clicking malicious links or providing personal details.
  7. Quid Pro Quo: Adversaries promise something in return (e.g., tech support, gift cards, or prizes) in exchange for sensitive information or system access.
  8. Pretexting: Social engineers create a fabricated scenario (e.g., posing as a co-worker or authority figure) to manipulate victims into revealing information or granting access. 
  9. Honeytrap: Using romantic or personal relationships, attackers exploit emotions to access sensitive data or systems.
  10. Tailgating/Piggybacking: Adversaries physically follow authorized personnel into secure areas by blending in or pretending to be part of a group.

Below is a real-world example of social engineering that demonstrates how clever manipulation can compromise security and cause financial hardship:

On July 11, Gotham Restaurant, a long-standing establishment in Greenwich Village, NYC, was forced to temporarily close due to a cyber scam that cost them $45,000. The owner, Bret Csencsitz, fell victim to cyber thieves who sent a seemingly legitimate email from their payroll company, asking to update banking records due to internal issues.

The email address was off by one letter, a detail Csencsitz initially missed. After wiring the money intended for employee salaries, he realized he had been communicating with the thieves, not the payroll company. Csencsitz has shared his experience to warn other businesses to verify any banking changes thoroughly. He plans to reopen the restaurant in the fall, hoping to recover the lost funds.

This case highlights how social engineers exploit trust, manipulate human behavior, and bypass technical defenses. Even with robust security measures, a clever social engineer can find a way in. Learn how to protect yourself. Remember, staying informed is crucial to defending against these tactics. If you need assistance, contact the IS&T Service Desk at servicedesk@chapman.edu.

 

Stay vigilant and stay protected!

Chapman University Information Systems and Technology (IS&T)