A growing menace

HIDDEN AGENDA - Mary Ann LL. Reyes - The Philippine Star

While today’s digital landscape has transformed almost every aspect of human life for the better, it has also exposed both individuals and businesses to new forms of vulnerabilities. As we have become more reliant on technology and social media platforms, we have also become more exposed to their dangers.

Social engineering refers to the techniques used by cybercriminals to manipulate individuals into divulging confidential information that can be used for fraudulent purposes.

According to McAfee, it is essentially an act of tricking people so that they give away their personal information such as passwords, bank account numbers, social security numbers, or other valuable data. This is achieved not through technical means but through human interactions.

Because most people are not aware that they are being targeted until it’s too late, social engineering is considered one of the biggest threats to cybersecurity. McAfee explains that the success of a social engineering attack relies heavily on the ability to make the target believe that the attacker is someone they can trust or someone who has a legitimate reason for needing the information being sought. It exploits the natural tendency of a person to trust others and to want to help others, especially those who appear to be in a position of authority or in distress. For instance, most people will not suspect a friendly phone call or an email from a co-worker to be a potential threat.

Kaspersky, for its part, explains that scams based on social engineering are built around how people think and act. “As such, social engineering attacks are especially useful for manipulating a user’s behavior. Once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user effectively,” it said.

It adds that most social engineering attacks rely on actual communication between attackers and victims. The attacker tends to motivate the user into compromising themselves, rather than using brute force methods to breach one’s data.

Common methods used by social engineering attackers include phishing, where the attackers pretend to be a trusted institution or individual in an attempt to persuade one to expose personal data and other valuables, and baiting, where the attacker abuses the victim’s natural curiosity to coax them into exposing themselves to an attacker, for example through email attachments for a free offer, to name a few.

Basically, social engineering relies on the manipulation of human psychology and not on technological vulnerabilities.

Rather than hacking into a system directly, attackers now appear to exploit emotions such as fear, urgency, trust, and greed in order to deceive their victims into divulging sensitive information or even performing actions that can compromise security. This psychological exploitation makes social engineering particularly dangerous, as even the most advanced cybersecurity measures cannot fully eliminate the “human factor” in security breaches.

One of the most common tactics used by cybercriminals is fear. Attackers craft messages that instill panic, often claiming that a victim’s bank account has been compromised or that immediate action is required to prevent dire consequences. By triggering the victim’s fear, scammers can easily override logical thinking and pressure individuals to act impulsively rather than have them verify the legitimacy of the requests being made.

For example, phishing emails that mimic legitimate institutions like banks or government agencies claim that unauthorized access has been detected and that immediate password resets or fund transfers are necessary. The poor victims, fearing great financial loss or even legal repercussions, comply without questioning the source. These tactics are highly effective because the human brain is wired to prioritize immediate threats over rational decision-making.

Moreover, urgency is another powerful tool in social engineering. Cybercriminals create a sense of time pressure in order to prevent their victims from considering other options. Messages instructing recipients to act “within the next five minutes” or risk losing access to critical accounts often accompany scams related to banking, online services, and even fake job offers. The effectiveness of urgency lies in its ability to hijack the victim’s attention span and prevent careful scrutiny, leading them to follow instructions hastily and without thought.

Aside from these, greed and curiosity also serve as additional psychological levers for cybercriminals. Scammers dangle the promise of financial gain, exclusive offers, or inside information in order to lure their victims into clicking malicious links or providing their personal details. Fake investment opportunities, lottery winnings, and other too-good-to-be-true discounts all exploit the natural human inclination to seek rewards. Similarly, curiosity-based attacks leverage intriguing subject lines or mysterious messages that tempt their recipients to open the attachments or follow links that ultimately lead to malware infections or credential theft.

The consequences of falling victim to a social engineering attack can be devastating as this may result in financial loss, identity theft, and damage to personal reputation.

The Bangladesh Bank heist is considered one of the most audacious and successful social engineering attacks in history. In February 2016, hackers targeted the central bank of Bangladesh and, with help from insiders, sent phishing emails containing malware-infected attachments. When their targets eventually opened these attachments, they granted the hackers access to the bank’s network and systems. Using fraudulent SWIFT transactions, the hackers attempted to transfer nearly $1 billion from the bank to their accounts in the Philippines. Although some of the transactions were blocked or reversed, the hackers were able to transfer around $81 million.

Unlike traditional hacking which relies on exploiting software vulnerabilities, social engineering targets human vulnerabilities.

Deep fakes, which use artificial intelligence to create realistic but fake audio, video or images that impersonate real people, are increasingly being used in various social engineering attacks to create compelling but fraudulent scenarios. In the Philippines, the newly appointed finance officer of one of the biggest conglomerates here received a call from the CEO instructing her to transfer money to a supplier. The voice was so convincing that the executive complied with the request.

In order to combat the growing threat of social engineering, individuals and institutions must adopt a proactive approach to cybersecurity. This includes verifying the authenticity of requests and exercising extreme skepticism whenever one encounters an urgent or fear-inducing message, as well as reporting these types of suspicious activities to the proper authorities. The psychological and emotional manipulation at the heart of social engineering exploits fundamental aspects of human nature, making it such a persistent and evolving threat.

We should approach this digital age both with optimism and caution. To cope with vulnerability in this digital age, we all have to learn and understand how the enemy works in order to build resilience against manipulation and strengthen our cybersecurity defenses.

 

 

For comments, email at [email protected]
