How to Protect Yourself from Social Engineering Attacks

Rose de Fremery, November 18, 2021

When we see depictions of hacking in movies and television shows, the camera usually zooms in on a highly caffeinated and sleep-deprived hacker typing on a keyboard at a million miles per minute as loud electronic music rages in the background. The victim's cyber defenses fall, one by one, as the hacker cracks their knuckles and grins. Although these scenes create dramatic tension, they often gloss over the relationship between social engineering and cybersecurity. Emotional manipulation often plays just as important a role in a successful cyber attack as technical wizardry does. Here's what you need to know about social engineering so you can stay safe online.

What is social engineering?

Bad actors are always looking for the easiest vulnerability they can exploit. They love it when people succumb to password anxiety and fatigue, for example, because that makes it a snap to steal passwords and break into online accounts. When it's too difficult or time-consuming to hack into a sophisticated site or network, they can get the job done by abusing someone's trust or manipulating their feelings. This is where social engineering comes in. Hackers use this technique to dupe victims into giving them confidential data, such as passwords or banking information, so they can accomplish their goals with ease.

Sometimes social engineering takes advantage of the trust people have in colleagues or companies. Other times, it preys on people when they're feeling vulnerable or fearful — for example, when they're lonely and seeking human connection during a once-in-a-century pandemic. Now that so many people are socially isolated from one another during the global health crisis, relying on technology for everything from work to grocery deliveries to virtual happy hours, it's more important than ever to spot the signs of a social engineering attempt.

Phishing, smishing, vishing, and more

You're probably already familiar with phishing, which is the most common kind of social engineering attack. A traditional phishing email looks like it came from a legitimate sender and uses urgent language to get you to click on a malicious link. The website that shows up will then ask you to divulge some information or silently install malware on your device. After you've done as asked, the attacker has what they need to commit their cyber crime of choice.

Variations on phishing, like business email compromise (BEC) or CEO fraud, usually involve impersonating work colleagues to steal information. Once a hacker has tricked an employee into divulging the right data, they can usually gain access to the corporate network in short order. These attacks are even more effective when a hacker does reconnaissance on a target in advance, finding out as much as they can about their intended victim online. This way, the cyber criminal can craft a more authentic, believable message that has a better chance of gaining the victim's trust.

Phishing began on email, but now it happens on all digital channels. A phishing attempt can arrive via SMS, in a technique known as smishing, or pop up in a social media message. Hackers also launch vishing attacks using robocalls, often scaring their intended victims into sharing information on the spot for fear of running afoul of the IRS or losing access to a financial account. Bad actors may even try to get their victims to say specific words over the phone, recording them in the process. They can then use those recordings to pass voice authentication prompts and fraudulently gain access to their victims' accounts later on.

Social engineering on dating apps and social media

Hackers know that people are already alert to phishing attacks that come in via traditional routes like email or text message. So they get creative, targeting dating app users and even sending fake friend requests on social media accounts. Once a connection is made, cyber criminals may attempt to emotionally manipulate their victims into sending them money. These attacks prey on people who may be feeling vulnerable and seeking human intimacy. As a result, they can be very effective. According to the FTC, romance scams caused a record $304 million in reported losses in 2020.

Social media memes are also fertile ground for social engineering attacks. If you've ever seen a meme that invites you to share personally identifying information, such as your birthday, be cautious. Hackers may very well use the details you share to steal your identity, commit financial fraud, break into one of your online accounts, or even trick you into giving up even more personal information in the future. This kind of attack exploits your desire to express yourself and connect with others. It also encourages you to assume that your personal information isn't valuable or sought after. This kind of social engineering is meant to appear fun and harmless, but it can have serious consequences.

How to protect yourself from social engineering attacks

There's a close link between social engineering and cybersecurity. By better understanding how social engineering takes place, you can protect yourself from these sneaky attacks. Here are a few tips that will keep you from falling victim to this kind of online manipulation:

Be suspicious of unsolicited messages. If you receive a message that you were not expecting, your antennae should go up right away. Be wary, even if the message looks legitimate at first glance.

Never use the contact information in a suspicious message. If you received a potentially suspicious message, contact the presumed sender using information you've looked up independently (i.e., don't use any contact information in the message you received) to make sure they actually sent the message.

Don't assume your favorite apps are safe. Hackers know you're more likely to be vigilant about phishing emails, which is why they're increasingly trying to reach you via the apps and sites you trust. They know they have a better chance of catching you with your guard down on social media, for example.

Don't assume your business communications are safe. If you received an email from a coworker that looks off, listen to your instincts. Reach out to that coworker using another method of communication, like a phone call, and make sure they actually sent you that message.

Be stingy about sharing personal information online. Not only will cyber criminals happily harvest your comments on Facebook memes so they can then use your personal information to steal your identity or break into one of your accounts later on, but they will also scrape your public social media posts for morsels of information that they can use to gain your trust in a future phishing attack.

Use multi-factor authentication (MFA). MFA gives you an added layer of protection that comes in especially handy if you've experienced a social engineering attack. Even if a hacker already has your password, they won't be able to get into your account unless they are also able to provide another form of authentication that you've already picked out in advance, like a passcode from an authenticator app.

Pro tip: by breaking the cycle of password reuse and maintaining strong passwords on all of your accounts, you can make it even harder for cyber criminals to break in.

Spot the signs of social engineering and stay safe online

Because our popular image of hacking often involves a virtuoso keyboard performance with a techno beat in the background, it overlooks the strong connection between social engineering and cybersecurity. Hackers are as adept at manipulating our human vulnerabilities as they are at exploiting vulnerabilities in software code. By learning to spot the signs of social engineering and taking some smart precautions, however, you can prevent yourself from falling victim to a social engineering attempt. Discover how LastPass Premium helps you stay safe online.