In the context of information security, social engineering is a trending topic. It's a technique used by hackers to increase the credibility of their scams and frauds. Briefly, we can say that social engineering involves manipulation and persuasion, and is directly related to identity theft, impersonation, and spoofing. In practice, hackers use social engineering as a tool to impersonate legitimate people or businesses, earning their victim's trust.
In other words, social engineering is used to induce other people to act in a certain way. Undoubtedly, this isn't a new tactic. Social engineering's been present since the dawn of humanity. Great espionage cases, for example, involve social engineering. If you're a fan of James Bond stories, you know what I'm talking about. The story of the Greek warrior Odysseus and his huge wooden horse that was used to overcome the walls of Troy is another example.
But my favorite example for illustrating and defining social engineering comes from comics. X-Men fictional character Mystique is social engineering "in person". Mystique's a mutant born with the ability of shapeshifting. That is, she can mimic whoever she wants whenever she wants, with extreme precision. So we can say that she's a social engineer.
In real life, social engineering is used in many ways. In most cases, it’s used in cyber attacks, such as spam campaigns and phishing and spear phishing attacks. But it’s also used in frauds that involve phone, SMS and even physical presence.
The term social engineering and information security
Within the cybersecurity world, some people say that the popularization of the term social engineering is due to cybersecurity expert Kevin Mitnick. In 2013, Mitnick published the book "The Art of Deception: Controlling the Human Element of Security". In it, he talks about the concept and techniques of social engineering and relates his own experience as a social engineer and hacker.
Mitnick was sentenced in the United States for a variety of crimes, including password theft and unauthorized access to the computer networks of major corporations worldwide. In the book, he says that one of his first encounters with social engineering took place in high school in the 1970s.
Mitnick learned how to hack the telephone company by exploiting both the company's systems and its employees. This gave him access to confidential customer information and even let him make free calls. He also played pranks: when a victim tried to place a call from home, for example, they would hear a message saying the call had to be paid for because the phone was a pay phone.
First social engineering cases
Certainly, social engineering already existed before computers and the internet. But the most interesting question to ask is: what would be the first cases of social engineering in the age of computers and the internet?
It's a difficult question to answer because older hacking cases are poorly documented and sources are scarce. What is easily observable is that social engineering gained strength from the 2000s onwards, following the computer and internet boom of the 1990s.
Despite the difficulty, we put together a list of three real attacks that trace back to the origins and early use of social engineering in the age of computers and the internet.
1. Elk Cloner, 1982
“It will get on all your disks. It will infiltrate your chips. Yes, it’s Cloner! It will stick to you like glue. It will modify RAM too. Send in the Cloner!”. This is the message (or poem?) that would appear on your screen if your computer were infected with Elk Cloner. Elk Cloner is a virus created in 1982 as a prank by a 15-year-old boy. It spread via floppy disk and can be cited as one of the earliest cases of social engineering in the electronic age, because victims believed it was just a game.
2. Melissa, 1999
The Melissa virus is considered one of the earliest social engineering cases in history and a milestone because it infected thousands of computers in the late 1990s. Melissa was propagated through a phishing attack using a malicious Microsoft Word attachment. The email fooled the user with the subject line "Important message from (name of someone known)". The damage caused by Melissa is estimated at USD 80 million.
3. ILOVEYOU, 2000
The ILOVEYOU worm is another iconic case of social engineering. It disguised itself as an alleged love letter that the victim received by email. Obviously, the attachment was a malicious file. In the email, the social engineer (impersonating a poor man in love) asked the victim to kindly look at the letter. In the 2000s, the estimated losses caused by ILOVEYOU reached USD 15 billion.
How to protect against social engineering
The interesting thing to note about social engineering is that it involves psychological manipulation. It plays with the emotions and beliefs of the users (or potential victims). By exploiting people or, as we say, the human factor, social engineering becomes attractive to cybercriminals, allowing them to bypass security tools designed to detect conventional attacks.
Taking a Verizon report as a reference, we can say that out of every 10 data breaches at companies, 3 involve social engineering. Note that we're talking only about companies. Imagine what lies beyond that. Just take as an example the flood of attacks using the names and brands of well-known companies, such as Apple, Amazon, Netflix, Microsoft and Spotify, among others. Hundreds of new scams are created daily.
One of the most important tips for protecting against social engineering attacks is to be careful with your data and information. This means not sharing personal information on suspicious websites and being mindful of your presence on social networks. Another valuable tip is not to interact with suspicious emails, calls or messages. If in doubt, try to confirm the information through another channel. Keeping your systems up to date and using protection software also helps prevent infections.
For businesses, take a look at this post: 4 tips to protect your business from social engineering attacks.