Cybersecurity Awareness - March 2026



NEED TO KNOW NEWSLETTER       MARCH 2025


Social engineering 101


You answer the phone. The caller claims to be from IT and has seen some suspicious activity on your computer. They need you to type in some commands.

You read an email. The sender appears to be the CEO. Funds need to be transferred ASAP, or an important deal will fall through.

You get a text. The sender is saying they are your boss, and they want you to pick up some gift cards for a company outing.

In all these situations, you may be the target of a social engineering attack. But you don’t have to be a victim.

What is social engineering?

Social engineering is a form of cybercrime that doesn’t rely on technology. Instead, threat actors manipulate you into breaking company policy to give them what they want.

Social engineers use a few different tactics.

  • A social engineer may pretend to be an authority figure. For example, they may impersonate a company executive and pressure you into sending them valuable documents.
  • A social engineer may use your kindness to get what they want. They might pretend to be a delivery driver and ask you to hold the door open for them.
  • A social engineer may use fear and intimidation to get you to comply. For example, they may pretend to be an angry customer and threaten to get you fired if you don't give them what they want immediately!

Social engineers are looking for money, access, or data. They often attack organizations that have access to large amounts of data, such as schools, hospitals, and government agencies. If they hit one of these targets, social engineers can steal thousands or even millions of personal records at a time.

Social engineering attack vectors

  • Phishing - Phishing is the most common attack method. Attackers send legitimate-looking emails, hoping to trick you into taking action.
  • Spearphishing - Unlike regular phishing, spearphishing targets one specific person. The target has access to money or data, and the attack is crafted specifically to appeal to them.
  • Vishing (voice phishing) - Social engineers use phone calls to impersonate customers or coworkers.
  • Tailgating - A social engineer follows someone into a restricted area, often by pretending to have lost their access card or key.

How to avoid social engineering attacks

  • Examine all links and attachments to ensure that they are safe and coming from legitimate senders
  • If you find something suspicious, contact your security team immediately
  • Don't share sensitive or personal information
  • If a message might be from an imposter, contact the real person or organization through a known, safe method, such as a public phone number
  • Slow down your conversation. Don't be hurried into making a decision that could end poorly


Social engineering and AI [1]

With the rise in AI tools, attacks have become more advanced. AI can convincingly mimic real empathetic communication, matching how humans think and making it quicker and easier for social engineers to carry out attacks.

Typical social engineering attacks are also becoming more complex, and it is difficult to distinguish reality from fiction. AI deepfakes, for instance, can be extremely convincing, even reproducing someone's voice during virtual meetings or phone calls. Jim Guinn II, EY Cybersecurity Leader, says: “These rapidly evolving technologies, combined with threats from maliciously crafty nation-states amid geopolitical tensions, open the door to threats that many employees just don’t understand or feel equipped to confront. Humans can be the lion at the gate protecting the castle, and they can also be the person opening the door to let what they think is the little kitten in. They must be armed with knowledge and training to make the correct decision.”

[1] Why AI fuels cybersecurity anxiety, particularly for younger employees | EY - US