Monitor your checking account with Ent Protect™

Learn More

icon of two gears to show concept of expanded lessons Expanded Lesson 6 min read

What is a social engineering attack?

  • Facebook
  • Twitter
  • LinkedIn
  • LinkedIn Copied link to Clipboard!

A social engineering attack is a certain type of malicious attack that relies on human error. Hence the word “social.” Human beings are designed to make mistakes, especially when using the internet or corresponding online, and cyber criminals will try and take advantage of the situation. Learn how to protect yourself and others from a social engineering attack.

Monitor your checking account with Ent Protect™

Learn More

Woman scrolling through phone on social media messaging app.
Yellow notepad with pen svg icon Lesson Notes:
  • A social engineering attack is when a scammer deceives an individual into handing over their personal information.
  • This information gives the perpetrator access to bank accounts or software programs, which are accessed to steal funds, hold information for ransom or disrupt operations.
  • Social engineering attacks often mascaraed themselves as websites, emails and other messages from official sources (FBI, IRS, etc.) and are designed to spoof or deceive.

What is social engineering?

The term “social engineering” isn’t inherently bad. It refers to an act or process that relies on social interactions. When it comes to malware and digital fraud, social engineering can take a dangerous turn.

Most of us are used to connecting with other people digitally, whether it’s text messages, email or direct messages on social media. A social engineering attack relies on these methods of communication. The internet makes it relatively easy to conceal a person’s identity by adding a fake photo, username or web address. The perpetrator will usually pretend to be someone they are not, such as an individual, company or organization, also known as spoofing.

Users will then interact with the perpetrator as if they are speaking to a trusted individual. The perpetrator may send the user a message or link asking for their personal information. If the user believes they are interacting with someone they know or trust, they may hand over their personal information to the perpetrator without realizing they are now the victim of a crime.

These kinds of attacks can lead to identity theft, fraud, malware infections and damaged infrastructure if the perpetrators alter or delete data. Perpetrators may target individuals or organizations as they look for ways to gain access to the system.

The social engineering process

Stealing the user’s sensitive information may take time. The perpetrator will use social engineering techniques to make sure that the user will ultimately click on the fraudulent message or link and avoid getting caught. This often requires research and planning.

Preparing the attack

To prepare for the social engineering attack, the perpetrator will first research their potential victim, including what websites or apps they use, where they keep their money and whom they’re likely to interact with on a regular basis.

This gives the perpetrator a sense of how likely the person is to click on the fraudulent message. The hacker will also use this information to select the method of attack, such as an email, text or link based on the person’s previous browsing activity.

Engaging with the user

Once the perpetrator has a sense of how the victim works or engages with others online, they will try to make their first point of contact. This may be an email, text or phone call, depending on which method has the best chance of success.

Then they will pretend to be a person or company the user interacts with on a regular basis, such as their bank, credit union, employer, the government or a friend on social media.

During the interaction, the perpetrator will ask the user to send over their sensitive or confidential information, such as their username, password, email address, social security number, bank account or any other type of data that can be used to steal a person’s identity. If the user believes the perpetrator is who they say they are, they may pass along their information without a second thought.

Using the information

Once the perpetrator has the person’s information, they will use this data to execute the attack either by stealing money or disrupting normal operations. The hacker may even hold the information for ransom to get the person to hand over a large sum of money.

They may ask you to send money or make payments through a prepaid credit or debit card or apps like Zelle or CashApp. Remember that most businesses, especially large corporations, will not ask you for payment through these methods.

Covering their tracks

Once they have obtained the person’s information or hacked their account, they will begin removing all traces of the crime. This includes all points of contact, malicious websites, phishing emails, messages and other signs of fraudulent activity, so they can move on to their next victim without getting caught.

Common methods used in social engineering

Hackers and perpetrators often appeal to the user’s emotions when sending them fake messages online or over the phone.

Here are a few examples:

Claim a prize: The perpetrator may entice the user by sending them a message asking them to claim a prize that they have won or to enter for a chance to win the lottery.

Fear of restitution: The perpetrator may also use fear to get the user to click on a fake message by telling them someone has hacked their account or that they owe the government money. This is also known as “scareware.”

Preexisting: This is when the perpetrator poses as someone the user already knows. They may send the victim multiple messages before ultimately stealing their money or account information.

How to protect yourself against a social engineering attack

Use the following tips to protect your personal information from social engineering attacks:

Watch out for fakes

Perpetrators often masquerade as something they are not. Be on the lookout for misspellings in the URL or person’s email address, images and logos that may have been copied and pasted onto a new background. Look for the lock symbol on the left-hand side of the URL to see if the website is secure.

Confirm before you click

If you receive a suspicious message or someone asks you for your personal information, contact the person or business directly to verify the person’s identity. Look up the number to verify that it’s correct and never call the number that is provided to you. You can always call your bank, credit union, or employer or visit the IRS website to make sure the message is legitimate.

Avoid sharing personal information

It’s always best to avoid sharing personal information over the phone or the internet whenever possible. You should never send out your full Social Security number or bank information over text, unsecured email or the internet. If someone asks you for this information, make sure you trust them or that they are legitimate before sending it over.

Social engineering attacks tend to be more difficult to catch and prevent than other forms of malware. We all make mistakes from time to time and scammers depend on these kinds of errors. If you believe you may be the victim of a social engineering attack, contact the authorities right away.

Ent wants you to stay safe! If an unauthorized party has access to your financial account, call Ent directly at 800-525-9623 or contact infosec@ent.com. We can help you to secure your account. Learn more about how we take fraud prevention seriously to keep your money safe.

Related Resources

View All