What is Social Engineering? - Definition, Types & Threats

Instructor: James Mason

James Mason has been working in the technology sector for over 20 years. He has a Master's degree and has taught Web language programming and design.

Social engineering attacks are methods that scammers use to deceive users into divulging personal and financial information. Many different scams are used to trick people both online and offline. We will examine a few of these techniques.

Social Engineering Methods

Social engineering is an attack method that targets people rather than technology. It relies heavily on human interaction and mainly involves deceiving people into skipping or ignoring normal security procedures. Just as a con man uses people's greed, ambition, or vanity against them, the modern-day social engineer manufactures ways to do the same thing using technology.

There are many different kinds of social engineering attacks. We will discuss five different attacks.

  1. Baiting
  2. Phishing
  3. Pretexting
  4. Scareware
  5. Watering Hole


Baiting

Baiting exploits our curiosity about the unknown or our love of free stuff. Baiting attacks come in many forms, but one of the most famous examples was staged to prove a point. In 2006 Secure Network Technologies was performing a security assessment of one of its clients. They loaded a Trojan onto dozens of USB drives and simply dropped them in areas where the client's employees would find them. Many employees picked up a drive and plugged it into their computer, which gave the Secure Network Technologies team a foothold on the network and the ability to record the employees' login credentials. The attack works because the victim's own action (opening the drive and running what is on it) does the attacker's work, so blocking unapproved removable storage on endpoints removes the foothold. This example may make you think twice about the free USB drives given out at conferences or trade shows.

An example of an online baiting attack is an ad offering free music or game downloads. After you click through, the site may say you need to sign in with your credentials on a page that looks legitimate (for example, a page asking for your Apple ID that looks exactly like the Apple website). After you hand over your ID and password, the attackers use them to access your account and sell the credentials to other online criminals.


Phishing

Phishing is probably the most common form of social engineering. Almost everyone who has an email, social media, instant messaging, or texting account is familiar with this attack. The scammers attempt to trick people into giving out sensitive information or into visiting websites that will compromise their system, most often by delivering malware.

Phishing attacks usually take the form of a message disguised as a legitimate one that asks you to share personal information or visit a link. Often the link text looks like a legitimate website address, but the link itself points to a clone of the legitimate site so that the attackers can steal your login information. The visible text of a link and the address it actually opens can be completely different, which is why checking the real destination before clicking matters.

Phishing attempts usually try to draw you in with an alarming subject line, something like, 'Unusual account activity detected', 'UPS Delivery - Last Attempt', 'Revised Vacation Policy - Urgent Action Required'. Some users become alarmed or curious and will click the links that are provided in the fraudulent email.
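The two preceding paragraphs describe the classic phishing lure: a link whose visible text looks like the real site while the underlying address points to a clone, sent under an alarming subject line. The following Python script is an added example (it is not part of the original lesson) that applies those checks to an HTML e-mail body. The brand-to-domain table, the urgency word list, the homoglyph substitutions and the sample message are all constructed for illustration; the "registrable domain" helper is a crude last-two-labels approximation rather than a Public Suffix List lookup.

```python
"""Flag phishing-style links and pressure language in an e-mail.

Added example, not code from the original lesson. The brand table,
word list and sample message below are assumptions for illustration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: commonly impersonated brands and the domains they really use.
LEGIT_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "ups": {"ups.com"},
}

# Subject-line pressure words of the kind the lesson quotes.
URGENCY_WORDS = ("unusual", "urgent", "last attempt", "suspended", "verify", "immediately")

# Digit-for-letter substitutions typical of lookalike hostnames (app1e, g00gle).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Crude stand-in for eTLD+1; a real tool
    would consult the Public Suffix List so that co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks like a credential-harvesting lure."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    target = registrable_domain(host)

    # 1. Anchor text that looks like a URL while the href goes somewhere else.
    if URL_LIKE.match(text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registrable_domain(shown) != target:
            findings.append(f"text shows {shown} but link goes to {host}")

    # 2. A brand name buried in the hostname (apple.com.evil.example,
    #    app1e.com, ups-delivery.example) whose registrable domain is not the brand's.
    words = {w for label in host.split(".") for w in label.translate(HOMOGLYPHS).split("-")}
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in words and target not in domains:
            findings.append(f"'{brand}' in hostname {host}, but {target} is not a {brand} domain")

    # 3. No TLS: a genuine sign-in page is not served over plain http.
    if parts.scheme == "http":
        findings.append("plain http link")
    return findings


def suspicious_links(html: str) -> dict[str, list[str]]:
    """Map each href in the body to its findings (empty list means nothing flagged)."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


def urgency_hits(subject: str) -> list[str]:
    """Pressure words present in the subject line."""
    s = subject.lower()
    return [w for w in URGENCY_WORDS if w in s]


# Constructed sample message for the demo (not a real phishing e-mail).
SAMPLE_SUBJECT = "Unusual account activity detected"
SAMPLE_BODY = """
<p>We noticed a sign-in from a new device. Review it now:</p>
<a href="http://apple.com.login-verify.example/signin">https://appleid.apple.com</a>
<p>Questions? Visit <a href="https://www.apple.com/">our website</a>.</p>
<p>Or <a href="https://app1e.com/reset">reset your password</a>.</p>
"""

if __name__ == "__main__":
    print("subject flags:", urgency_hits(SAMPLE_SUBJECT))
    for href, reasons in suspicious_links(SAMPLE_BODY).items():
        print(href, "->", reasons or ["ok"])
```

Run as a script, the first link is flagged three times (text/href mismatch, brand in a foreign domain, plain http), the real apple.com link is not flagged at all, and the app1e.com link is caught only by the homoglyph check, which is the point: no single rule covers every lure, and a mail gateway or user-awareness tool layers several of them.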


Pretexting

Pretexting is a lesser-known form of social engineering and is used less often because it requires more time and effort on the part of the scammer. In a pretexting attack, the scammer builds a fabricated story, or pretext, and uses it to deceive someone into giving out personal or financial information. The attack has been compared to another scam called 'catfishing'.

An example of a pretexting attack is members of an organization receiving informational emails from a supposed IT person that require no action and simply pass along information. After sending several of these 'helpful' emails, the scammer then sends a message saying that the recipient's account has been compromised. Because the users have become accustomed to receiving emails from this supposed IT person, the scammer has a better chance of obtaining private information or network access than a single phishing email would.


Scareware

If you have ever seen a pop-up telling you that your machine is infected with a virus, or that you have illegally downloaded software, and that you need to download some software to scan and clean your machine, then you have seen an example of scareware.

Scareware usually generates pop-up windows that mimic a Windows system alert box, often styled as an antivirus alert. The fraudulent alert informs the user that infected files have been found on the machine and that they need to scan and clean their system. When the scan button is clicked, malware is installed on the computer. Some may remember infamous scareware products such as WinFixer, WinAntivirus, ErrorSafe, or DriveCleaner. These 'products' have infected thousands of computers over the years.
