Social Engineering is the use of deceptive tactics to manipulate people into volunteering sensitive information that is then leveraged for fraudulent purposes. Often, perpetrators use social engineering to harvest credentials for Account Takeover (ATO) or Corporate Account Takeover (CATO).
In social engineering, attackers prey upon the trusting nature of people by provoking an emotional impulse to respond. They impersonate a sensitive party such as an executive at the target’s workplace, or a bank employee warning that the target’s funds are at risk. This exploitation of emotional and social cues to extract data often arrives on emails that appear to be a legitimate service’s newsletter. They include a link to a convincing but counterfeit website.
Social engineering scams may also manifest as phone calls seeking access credentials or identity profile information, with added urgency to volunteer it. Once a social engineering attack is successful, the information is weaponized for ATO/CATO or it is sold, adding to the illicit supply of credentials used in subsequent attacks.
“We’ve been targeted in a spear phishing campaign that’s using social engineering in its communication. Hackers on email are impersonating our CEO, telling employees that there’s an urgent need to purchase $500 eCommerce gift cards and share images of them on a return email. It all seems rushed and, to me, suspicious, but some of the new hires are worried that Paul is actually demanding this of them.”