Sounds pretty deep, but it’s really pretty simple. While cyber criminals are not stupid, they’re not throwing around esoteric behavioral principles in discussions about how best to ply their crooked trade. They just know a sucker when they see one – so don’t be one.

What is social engineering in simple terms?

There are two definitions of social engineering – the first, which is not part of this discussion, is specifically defined by Oxford Languages as: “1. The use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.” The concern here is Cybersecurity in regard to IT services. We are not going to get into what pronouns we should use in referring to people.

What is seriously up for discussion here is the second definition, which directly impacts Cybersecurity and IT Support. It is also from Oxford Languages: “2. (In the context of information security) The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

For example: "People with an online account should watch for phishing attacks and other forms of social engineering".

In other words, this type of social engineering is trickery based on human nature that is designed to get you to do things that you should have thought about before doing – things which may or may NOT be in your best interests – or in the best interests of your company.

How this affects you and the Cybersecurity measures put in place by your IT support is simple: it thwarts them. There is no cyber-defense that will keep an unthinking or untrained employee from letting malware into your system.

Damage can be kept to a minimum by a good Managed IT Services provider. Here at IT Support LA, we have had clients who clicked a malicious link, but our systems contain the malware within that single workstation and prevent access to the larger network. This makes it a matter of an hour or two to wipe the workstation clean and reinstall the data from secure backups.

Many phishing scams simply appeal to a universal human weakness: Greed. “You’re a WINNER! Click on the link below to collect your winnings!” All those infamous scams from strangers who have tens of millions of dollars that are frozen – but with your five thousand dollars, they can free up the cash and repay you with a million dollars. Sadly, but seriously – people fall for this.

They often use a more sophisticated approach by finding key personnel in a business they plan to attack, poring over their social media to come up with a phishing ploy they believe the ‘Mark’ will fall for. Crooks learn enough about you to exploit your human weaknesses, which are often benign. From Facebook, they can learn if you’re married and have children or pets – all vulnerable areas that can be exploited in phishing emails.

A while back, we saw a phishing email that was a particularly cruel and malicious attempt to get a married man to click on an attachment containing malware.

The email seemed to come from a legitimate law firm and stated that they had been retained by the man’s wife to initiate divorce proceedings. It said that the divorce papers were attached, but they were not divorce papers and his wife was not leaving him: It was Ransomware.

What happens if you get an email that looks like it’s from your child’s school, saying “There’s been an accident and we couldn’t reach you by phone - your child has been taken to the hospital below” – and there’s a link? This socially engineers you into an emergency state where you may not stop to think before you click.

At IT Support LA, our clients usually know to stop, think, and forward the email to our IT HelpDesk. However, even with our urging for ongoing Security Awareness Training, human nature dictates that people get careless when they are busy. Any reputable member of the IT Support Los Angeles Community knows that if an end-user makes a thoughtless click, all the firewalls and Anti-Virus (AV) in the world cannot prevent that workstation from becoming infected.

Frequently Asked Questions

Q: What are the 4 types of social engineering?

A: The most common types of social engineering that affect the IT Services community are 4 different, yet similar tactics that all have the same end in mind: getting you to click on something you shouldn’t. In a business setting, any suspicious email that meets these criteria should be forwarded to your IT support for analysis:
1) Baiting: Using a false promise or enticement that appeals to your curiosity or greed.
2) Phishing/Spear Phishing: Primarily through email and texting, usually masquerading as a legitimate source, like FedEx, your bank, the IRS, and so forth. These create a ‘call to action’: you must check the tracking on a FedEx package; change your password; verify your account number or Social Security Number, etc. There is always a link or attachment to click on – DON’T!
3) Pretexting: This is also involved in the other three types of scams: the cyber crooks pretend to be someone they’re not: trusted parties, your boss, your friend or relative. When your friend ‘Bob’ emails you with the subject line ‘I think you’ll get a kick out of this’ and provides a link – stop and think: does Bob regularly send you this type of thing?
4) Scareware: These are meant to cause alarm. One of the most common is ‘Your computer may be infected. Click here to remove the virus.’ NO – the truth is that you click there to GET the virus.
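As an added example (not code from IT Support LA), here is a small Python triage helper that scores an email against the four tactics above and says when to stop and forward it to the HelpDesk; the keyword lists, the brand-to-domain table and the sample messages are all constructed for this example, not taken from any real mail.

```python
import re
from dataclasses import dataclass
# Phrase lists built from the four tactics above (constructed): (phrases, weight, reason)
PHRASE_SIGNALS = (
    (("check the tracking", "change your password", "verify your account",
      "taken to the hospital", "initiate divorce"), 2, "phishing: call to action"),
    (("winner", "winnings", "million dollars", "prize"), 2, "baiting: promise of money or a prize"),
    (("computer may be infected", "remove the virus"), 3, "scareware wording"),
)
RISKY_ATTACHMENTS = (".zip", ".exe", ".js", ".docm", ".scr")
BRAND_DOMAINS = {"fedex": "fedex.com", "irs": "irs.gov"}  # hypothetical sample table
@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: tuple = ()
    known_sender: bool = False  # has this address mailed us before?

def triage(msg):
    """Return (score, reasons); score >= 4 means stop, don't click, forward to the HelpDesk."""
    score, reasons = 0, []
    text = f"{msg.subject} {msg.body}".lower()
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    clickable = bool(re.search(r"https?://\S+", msg.body)) or bool(msg.attachments)
    # Pretexting: the display name claims a known brand but the mail is sent from elsewhere.
    for brand, real_domain in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", msg.sender_name.lower()) and not domain.endswith(real_domain):
            score += 3
            reasons.append(f"pretexting: claims to be {brand} but sent from {domain}")
    for phrases, weight, reason in PHRASE_SIGNALS:
        if any(p in text for p in phrases):
            score += weight
            reasons.append(reason)
    if any(a.lower().endswith(RISKY_ATTACHMENTS) for a in msg.attachments):
        score += 3
        reasons.append("executable or archive attachment")
    # The 'Bob' test: does this sender normally send you links or files?
    if clickable and not msg.known_sender:
        score += 1
        reasons.append("first-time sender with a link or attachment")
    return score, reasons
# Constructed sample messages modelled on the scams described in the post.
DIVORCE = Email("Smith & Jones Law", "notices@lawfirm-mail.example", "Divorce proceedings",
                "We have been retained by your wife to initiate divorce proceedings. Papers attached.",
                attachments=("papers.zip",))
FEDEX = Email("FedEx", "track@fedex-notify.example", "Package on hold",
              "Check the tracking at http://fedex-notify.example/track before it is returned.")
BOB_OK = Email("Bob", "bob@example.com", "Lunch?", "Grab lunch Friday?", known_sender=True)
```

A score of 4 or more on either scam sample is the signal to stop and forward the mail; Bob's lunch invitation scores zero.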

Q: Is social engineering a cyber crime?

A: In and of itself, no – in the same way that owning a car is not illegal. Using that car to purposely run over someone IS a crime. It’s a fine line – cyber crooks don’t play these games for no gain.

Q: Why do employees need to be trained in cyber awareness?

A: Simple: To reduce cyber incidents. No matter how well prepared your IT team is – an employee that unwittingly triggers an attack stops all productivity for a period of time – even if only at the one affected workstation.

Q: How often should user awareness training be done?

A: The most common time range is one year. To allow for the highest standards of Cybersecurity, IT Support LA, along with The Advanced Computing Systems Association (USENIX) recommends that Security Awareness Training be repeated every 4 to 6 months.

How Secure is Your Network?

IT Support LA offers a FREE, no-risk network and security assessment to all companies in the Greater Los Angeles area with a minimum of 10 computers and 1 server. No strings, no obligation.
Just fill out the form on this page or call us at:
818-805-0909