Social Engineering: New Cyber Manipulation in the Digital Age

When we think of hackers, we tend to think of technological prodigies who use advanced programming to complete rogue missions of espionage, disruption, and theft. And while that view is often correct, the rise of social engineering has ushered in a new wave of cyberattacks that are technologically sophisticated but intentionally benign in their execution. Social engineering seeks to manipulate the most vulnerable part of any cybersecurity plan—people. It’s more than a simple con; it's an intricate and pervasive threat that's shaping the digital landscape in new and unexpected ways. 

What is social engineering? 

Social engineering describes the various methods that use psychological tactics to manipulate people into taking a desired action, like giving up confidential information, downloading malicious software, or visiting a compromised website. Instead of exploiting technical vulnerabilities in systems or devices, social engineering attacks exploit human weaknesses, such as curiosity, greed, fear, or trust, to bypass security controls and gain access to sensitive data, networks, or systems. 

For example, a social engineer might pose as an IT support person and ask an employee for their login credentials or send an email with a malicious attachment that looks like an invoice or a report. Once the attacker obtains the information or installs the malware, they can steal data, spy on the user, or launch further attacks. 

 

Types of social engineering attacks 

Social engineering attacks can take a variety of forms. Though the tactics and strategies may differ, the goal remains the same. Here are four of the most common types of social engineering attacks. 

Phishing: This is the most common type of social engineering attack. In phishing attacks, the attacker sends an email or a message that appears to be from a legitimate source, such as a bank, government agency, or family member. These messages typically ask the recipient to click on a link, open an attachment, or provide personal or financial information. Unknown to the recipient is that these items may lead to a fake website that collects sensitive information or installs malware. If successful, the attacker now has unauthorized access to the recipient’s information or systems. 

Whaling: This is a more specific form of phishing that targets high-profile individuals, such as executives, celebrities, or politicians. The attacker may impersonate someone the victim knows or trusts, such as a colleague or a client, and ask for sensitive information or money transfer. In more sophisticated attacks, the attacker may spoof the email address or phone number of the sender to make it look more authentic. Because of the perceived familiarity of the sender, the recipient may be more susceptible to falling for the scheme. 

Baiting: This is a technique where the attacker leaves a USB drive or other physical device in a public place where an unwitting victim is likely to find it. The device may have a label that arouses curiosity or interest, such as “confidential” or “salary list.” If the victim plugs the device into their computer and unknowingly installs malware, the attacker can gain access to their system. 

Business Email Compromise (BEC): In this scam, the attacker impersonates a senior executive or a business partner of an organization and sends an email to an employee who is responsible for making payments or transfers. The email may request an urgent or confidential payment to a new account or a change in payment details. These attacks can be successful because of perceived power dynamics at play; an employee may not verify the email’s authenticity or want to question their boss about a request, so they simply comply. 

Social engineering in action 

These four social engineering strategies have been successfully deployed across several industries, causing long-lasting effects for both the company and its customers. 

In 2014, hackers used phishing emails to attack Sony Pictures Entertainment. They stole confidential employee information, leaked executive emails, and wiped data from computer systems. Believed to be led by North Korea, the hackers demanded that Sony not release the film, “The Interview.” When Sony ignored the demand, the hackers released more information, causing Sony significant reputational and financial harm.  

In 2016, hackers used whaling emails to gain access to the email accounts of several members of the Democratic National Committee and leaked thousands of emails and documents online. This created significant debate about the integrity of the U.S. presidential election, as evidence points to the attack being part of a Russian interference campaign. 

In 2018, hackers used baiting devices to infect computers at several government agencies in Taiwan with malware that stole confidential data. The hackers left USB drives with labels such as “examination materials” and “confidential documents” near the entrances of the agencies and waited for someone to plug them in. 

In 2019, hackers used BEC scams to steal over $100 million from Facebook and Google by posing as a hardware manufacturer that had legitimate business dealings with both companies. The hackers sent fake invoices and contracts with forged signatures and bank details and convinced the companies to wire money to their accounts. 

 

Get Cybersecurity Ready at Capitol Tech 

Capitol Technology University’s programs in Cyber and Information Security can prepare you to defend against social engineering attacks by creating better methods of identifying and mitigating their impact. For more information,  contact our Admissions team at admissions@captechu.edu.