
Social Engineering: How You Get Scammed Online

By Murithi Magiri


Did you know that the majority of cyber breaches are caused by human error?

Every now and then you will see someone online complaining that their social media accounts, such as Facebook and Twitter, or messaging platforms, such as WhatsApp and Telegram, have been hacked. In organizations of all sizes and across industries it is common to hear of compromised email accounts and ransomware attacks leading to reputational damage, financial loss, blackmail and more. How does it happen? How do attackers gain access to user accounts and, consequently, to information and systems?

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system rather than by breaking in or using technical cracking techniques. In most cases the attacker never comes face-to-face with the victim. It has also been defined as “any act that influences a person to take an action that may or may not be in their best interests.” Social engineering accounts for up to 90% of attacks. Why do hackers exploit it to the maximum? It has to be because of the success rates.

When people think of cybersecurity, they almost always think of firewalls, anti-malware and patch management solutions. These are controls that define a solid cyber security fabric, but they do not take people’s habits, emotions and state of mind into account. Human beings are habitual creatures and often vain in their pursuits. We are so used to certain things in our lives that when faced with them, we don’t think twice before acting on them. As an example: we are aware that there are many attempts by hackers to compromise social media accounts, so if you receive an email from your preferred social media site saying that there was an attempt to break into your account, or asking you to review your account’s security settings, most people will click on the link and log into their account to check what’s going on. A hacker will use this against a victim; all they need to do is swap a real link for a malicious one with the look and feel of the real one. Hackers are as opportunistic as they come.
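As an added example (not from the article), here is a small Python check in the spirit of the swapped-link lure described above: it pulls each link out of a constructed e-mail body and flags the cases where the visible text names one domain but the href goes to another, where the host is punycode-encoded, or where a brand name appears inside a host that is not the brand’s own domain. The allow-list, the hosts and the mail body are all made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of the brands the mail claims to come from (not from the article).
TRUSTED = {"facebook.com", "twitter.com"}
# Constructed sample mail body modelled on the "review your account security" lure; every host is made up.
SAMPLE_HTML = """
<p>We noticed a login attempt. <a href="https://facebook.com.security-check.example/login">
https://www.facebook.com/settings/security</a> to review.</p>
<p>Or visit <a href="http://xn--facebok-s8a.com/">Facebook</a> or <a href="https://www.facebook.com/help">https://www.facebook.com/help</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Simplification: last two DNS labels (ignores multi-part suffixes such as co.ke).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_risks(href, text):
    """Reasons a link looks like a swapped lookalike; an empty list means nothing flagged."""
    parts, reasons = urlparse(href), []
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append("text/href domain mismatch")  # text shows one domain, href another
    if domain not in TRUSTED and any(b.split(".")[0] in host for b in TRUSTED):
        reasons.append("brand used as lookalike")  # brand name inside a non-brand host
    return reasons

def scan(html):
    parser = LinkCollector(); parser.feed(html)
    return {href: link_risks(href, text) for href, text in parser.links}
```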

Hackers use different social engineering tactics and techniques, with the most common ones being phishing and malware attacks. Phishing is a significant problem for many organizations, as attackers use deceptive tactics to trick people into revealing sensitive information such as passwords or financial details. According to research in different African countries by KnowBe4, arguably the world’s largest integrated security awareness platform, nearly 40% of respondents have fallen for an online scam, 33% have come across one, 19% have never fallen for a scam, while 8% did not know what one is. Most of the respondents fell victim to financial scams, followed closely by investment scams and crypto scams, which caught 29% of respondents. Of those who were successfully scammed, 53% were convinced the offer was legitimate because the website looked real. Are we that gullible? Not really.

With the emergence of Artificial Intelligence (AI) cybercriminals are getting more sophisticated and alluring to their victims. The key is to understand what these threats are and how they have evolved so people can protect themselves from the costly and negative impacts.

Organizations therefore ought to allocate more resources and time to user awareness and training. Individuals also have to be aware that, beyond phishing, the rule of thumb is that there are no free lunches, least of all on the internet.

The “devil” lies in the games and puzzles we play and the apps we download online. Therefore, we ought to have all hands on deck, always vigilant and careful while connecting to the internet, be it for work, financial transactions, social networking, playing games or research.

Remember that social engineering attacks are premised on your errors of commission and omission. The hazmat suit for social engineering attacks is to do the right thing at all times and to heed the zero-trust clarion call.

Murithi Magiri is the Lead IT Consultant at Magtech Solutions. You can commune with him via email at: [email protected].
