Can You Recognize a Social Engineering Attack?

September 7, 2023 - Ellie Gabel

Revolutionized is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

A social engineering attack occurs when a cybercriminal uses psychological manipulation to get sensitive details from a potential victim or to make that person take an action the attacker wants.

However, the challenging reality is that criminals continually try new attack methods and make their previous techniques more elaborate or harder to detect. Here are some things to know that can help people be more aware of social engineering attacks and how to stay safe. 

Social Engineering Attacks Rely on Trust

Trust is a foundational element of a social engineering attack. Some hackers infiltrate networks and study victims’ behavior for days or weeks before engaging with them. Then, they can better impersonate a colleague or other person a victim would communicate with and give details to without becoming suspicious. 

Social engineering attacks can also occur when the party orchestrating them pretends to be someone from a well-known organization or brand. There’s often an urgent aspect to the messaging. 

Someone might receive an email supposedly from the tax authorities, warning that they must provide specific details or pay a fine by a particular date to avoid prison time. In other cases, people will get messages about an incoming delivery, with the content saying they must give the requested details to ensure the goods arrive on time. 

A July 2023 study examined the brands that appear most often in phishing messages. The results showed Microsoft in the top spot, accounting for 29% of mentions. The researchers also said some hackers sent their brand-based phishing messages in a series. LinkedIn, Walmart and Wells Fargo were some of the names featured in that trend.

It’s easy to assume hackers are choosing these names because they will likely attract the biggest number of victims. Walmart is a popular retailer located in all 50 states. Similarly, many people view LinkedIn profiles as necessities, whether they’re expanding their professional network, job searching or both. 

Human error is a well-known cybersecurity risk. It only takes a second for a person to click on a link that infects a whole network with a virus. The good news is that people can become more aware of phishing scams and other threats with training and frequent reminders to follow best practices.

A Social Engineering Attack May Occur Offline

People primarily discuss social engineering attacks in the context of the internet. That makes it easy to forget, or not realize, that they could happen in the physical world, too. Consider a person walking into a building and past the reception desk while having an angry phone conversation. Most individuals dislike confrontation, so a receptionist may hesitate to interrupt them to learn their business.

Similarly, an intruder could walk up behind a person about to enter a secured area and mention that they forgot their credentials. Since people usually like to help others, the person closest to the security checkpoint would likely hold the door for the other individual.

More high-tech examples occur when criminals use artificial intelligence voice-imitation tools to impersonate someone the victim would never refuse. This emerging deepfake trend usually involves large money transfers. 

An executive assistant might get a call from someone who sounds like their boss. The person on the other end of the line requests an immediate transfer to a new account. Since the caller is apparently someone the assistant knows well, they never question it.

An August 2023 study was the first to determine how well humans could detect artificially generated speech. Researchers used two data sets to create 50 deepfake speech samples in English, and the same number in Mandarin.

The results showed people recognized the fakes 73% of the time. That’s promising but still leaves significant room for costly mistakes in the cases where they can’t. It’s also concerning that study participants were only slightly more able to detect deepfakes after training.

Generative AI Poses Social Engineering Risks

ChatGPT quickly exposed people around the world to generative artificial intelligence (AI). Since it can create text-based responses in seconds, some people wondered how long it would take for hackers to exploit the tool. As it turns out, they already have. Interested parties can find malicious generative AI products on the dark web. One of the suggested uses is to write phishing emails with them. 

If cybercriminals can use tools that write paragraphs in seconds, they could easily personalize their social engineering attack methods or make the text more realistic. In one case, researchers saw a 135% rise in novel social engineering attacks during the first two months of 2023. They believe the widespread availability of generative AI contributed to that change. 

Researchers noted that manipulative messages sent during the studied period featured more content, longer sentences and more frequent use of punctuation. That’s worrisome because cybersecurity best practices recommend that people look for spelling errors or improperly used punctuation when trying to spot phishing emails. It’s still a good idea to do that, but those may not be such telltale signs for much longer. 

Additionally, an August 2023 report discussed how criminals might create more sophisticated material to lure victims when they depend on generative AI. The authors also mentioned an increase in people using the dark web to advertise malicious services, including creating deepfakes. That means a person who doesn’t have the knowledge, tools or time to orchestrate a social engineering attack could hire someone to handle the primary elements for them.

Protecting Yourself From a Social Engineering Attack

The best way to stay safe from the ramifications of a social engineering attack is to continue being vigilant and questioning everything. If you receive a phone call about an urgent money transfer, hang up the phone and contact the purported caller directly. Do something similar with any emails that demand immediate action by contacting the company about them.

Social engineering attack methods will continue evolving. However, being defensive means verifying the communications or getting further information through external channels instead of quickly falling for a trick.

Stay cautious about potential physical social engineering attacks, too. If anyone attempts to use you to get information or access, apologize briefly and end the communication. It’s nice to be kind, but not when your gesture could risk your company or job.

As you learn more about how social engineering attacks work, share some of the techniques and safeguards with people you know. That way, your knowledge becomes an important part of making these efforts less effective.

Author

Ellie Gabel

Ellie Gabel is a science writer specializing in astronomy and environmental science and is the Associate Editor of Revolutionized. Ellie's love of science stems from reading Richard Dawkins books and her favorite science magazines as a child, where she fell in love with the experiments included in each edition.
