Get A Quote
Written by Silvia Bitchkei on 17 September 2019

What is Social Engineering? Defining a Popular (Ethical) Hacking Strategy

When it comes to this popular (ethical) hacking practice, what exactly is social engineering and how does it work?

Recently, the CEO of a British company transferred $243,000 over to a Hungarian supplier, after being asked to do so by the parent company CEO. This is a fairly common scenario in business. Unfortunately, the parent company CEO was not who they seemed to be. The British CEO had been scammed by a Deepfake, a fraud that is clever and subtle and uses artificial intelligence to scam people.

Deepfakes and similar modern scams all use the same principles of social engineering to exact their malicious ends.


What is Social Engineering?

According to TechTarget, “social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain”.

⇒Indeed, social engineering is nothing new.

The use of psychological controls to trick a person into doing something is as old as human society. An early recorded example of fraud was in 300BC in Greece. Hegestratos bought insurance for his merchant ship to purposely sink it. The story didn't end well, with the scam being outed and Hegestratos drowning himself.

The modern version of social engineering is often centered on financial fraud, identity theft and general theft of data.

⇒Modern social engineering uses a toolbox of tricks.

These tricks use our own natural human behavior to encourage us to do something, for example clicking on a link in a phishing email or move a large amount of money to a fraudster’s bank account. Modern social engineering is often a mix of human interaction and technology.

⇒Social engineering is a highly successful form of cyber-attack.

Often times, it is much easier to trick someone into doing something they would naturally do than to hack an account from the outside. In other words, if a cybercriminal wants to steal a password, it is much easier to get the password holder to share it than to hack into an account.


Social Engineering & Ethical Hacking

Ethical Hacking

In ethical hacking, social engineering has become a popular (and very effective) strategy of testing how vulnerable an organization’s staff really is.

When used in an ethical way, social engineering allows you to detect weaknesses to better address your staff-related security issues. An additional objective of a social engineering mandate is to establish solutions to increase the global level of the confidentiality, integrity and availability of your corporate data.


Why Does Social Engineering Work?

Social engineering works because it uses our own natural behavior against us. Examples can help to point out the tricks of the social engineering trade.

Example 1: Phishing Emails

The recipient receives an email, seemingly from their bank. However, this is a phishing email attempting to steal login credentials and other personal data. The fraudster behind the phishing email exploits certain human behavior to ensure that their scam works:

  1. Trust: The email is branded as the bank in question, including the logo, email sender name, etc. This helps to establish trust in the email content.
  2. Urgency: Often phishing emails will have a sense of urgency, for example with warnings such as “your account will be closed if you do not act NOW”.
  3. Fear, Uncertainty, and Doubt (FUD): Add into the mix something that can harm a person and you have an explosive mix. Using FUD techniques such as “your account has been hacked and subsequently closed, please click here to reinstate your account” are highly effective in exerting control over a person’s actions.

Related Post: Tips For Protecting Yourself From Phishing Attacks


Example 2: Deepfake Extortions

The story at the beginning of this article is a perfect example of the use of technology to augment social engineering. Deepfakes use the same psychological tricks as other fraud but add artificial intelligence into the mix.

The CEO in the Deepfake scam was tricked through a phone call. The caller seemed to be his boss, but it was a manipulation of the fraudsters voice using AI. It sounded in every way like the expected voice and so it tricked the CEO to transfer money. Again, it used trust and urgency to exert an outcome in the fraudster’s favor.

New call-to-action


Breakdown of a Typical Socially Engineered Scam

Here are some typical steps that a fraudster will take to steal your personal data, login credentials, money or all of these things.

1.    Surveillance

Fraudsters often carry out surveillance on an individual and/or an organization. This can come in many forms, even calling employees and building up a relationship – effectively grooming an individual. The intelligence gathered is used to make the scam successful.

2.    The Bait

Psychological tricks are the way that social engineering works.

3.    Executing the Scam

The execution of the scam takes many forms. In the case of Business Email Compromise (BEC), this may be a direct transfer of money to a fraudster’s bank account; in the case of a phishing email it may be the collection of login credentials using a spoof website.


The Results of Social Engineering

Social engineering is a very successful way to exploit human behavior and execute a cyber-attack. Recent statistics show just how successful it is as a technique:



Social engineering and confidence tricks are part of human society since days of old. The tricks may have been updated using technology to augment the scam, but the sentiment remains the same: manipulating natural human behavior is easier than forcing your way in.

The modern enterprise has to counter this clever use of our own behavior through the use of smart security. The best ways to fight-back against the likes of phishing, BEC scams, and Deepfakes is to use a similar mix of socio-technical measures. This includes using security awareness training and applying robust security measures such as two-factor authentication and antimalware endpoint solutions. It also requires that a business becomes cybersecurity aware and improves its security posture by putting the necessary checks and balances in place, such as having a business process to double-check when a large money transfer is requested. Using these measures can stop social engineering in its tracks.

Cybersecurity Posture Assessment Checklist

Related Posts

Don't Wait.
Get a quote today.

Toll Free 1 866-430-8166Free Quote
Secure Your Organization Today.