Social engineering is an attack in which a bad actor manipulates an unsuspecting or insufficiently wary person into handing over information or assets. It is frequently delivered by email, but the technique itself is psychological: these attacks rely on exploiting human trust at least as much as on technical vulnerabilities.
In business settings, social engineering often takes the form of impersonating a lawyer, compliance officer, or government official in order to extract corporate assets. Pulling this off requires the criminal to be familiar with the company's business relationships, its particular circumstances, and sometimes even internal information that is not public.
Common consumer examples include impersonating a distressed community or family member who needs help after an unfortunate event; posing as a United States IRS agent and demanding that an elderly target pay overdue taxes; and playing a foreign dignitary who wants to make an investment in the target's home country.
Why it Matters
When social engineering is carried out over email, the fraudster typically impersonates a trusted sender by putting that sender's name and email address in the From field of the message. If the receiving mail system has no way to verify that the message really comes from the domain it claims, the target may be fooled into sending valued assets to a third party. Social engineering transactions typically involve the theft of:
- Access – passwords and other credentials for future malicious activity
- Information – valued data such as tax forms or bank account details
- Money – funds belonging to the victim
However, this kind of impersonation can be blocked. If the company being impersonated has published a DMARC record at enforcement (p=quarantine or p=reject), receiving mail servers that honor DMARC will quarantine or reject messages whose From domain is not aligned with a passing SPF or DKIM result, so fraudsters cannot put that exact domain in the From field. Two caveats keep this short of "100 percent": DMARC only protects domains that publish an enforcing policy, and only at receivers that evaluate it; and it does nothing against lookalike domains, free-mail accounts with a spoofed display name, or a compromised legitimate mailbox, all of which pass DMARC because the attacker controls (or has stolen access to) the sending domain.
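To make the "aligned with a passing SPF or DKIM result" rule concrete, here is a toy DMARC disposition check. It is an added example, not code from the original article or from any DMARC implementation. It assumes the receiver has already computed the SPF result for the MAIL FROM domain and the DKIM result for the signing d= domain, and it takes DMARC records from a constructed in-memory dictionary standing in for DNS (the domains, records and From headers are all made up for the example). The organizational-domain derivation is simplified to "last two labels"; real receivers consult the Public Suffix List.

```python
"""Toy DMARC alignment and disposition check (added example, not from the page).

Assumptions: SPF and DKIM have already been evaluated by the receiver; DNS is a
plain dict keyed by '_dmarc.<domain>'; the organizational domain is taken to be
the last two labels (a simplification of RFC 7489 / the Public Suffix List).
"""
from email.utils import parseaddr


def from_domain_of(from_header: str) -> str:
    """Domain of the RFC5322.From address. The display name is ignored, which is
    exactly why a spoofed display name on an attacker-owned address passes DMARC."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError(f"not a DMARC record: {record!r}")
    tags.setdefault("p", "none")      # policy defaults to monitor-only
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    return tags


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same
    organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_dmarc(domain: str, dns: dict):
    """Look up _dmarc.<domain>, then fall back to the organizational domain, so a
    spoofed subdomain inherits the parent's policy."""
    for candidate in (domain, org_domain(domain)):
        record = dns.get(f"_dmarc.{candidate}")
        if record:
            return parse_dmarc(record)
    return None


def dmarc_disposition(from_header: str, spf, dkim, dns: dict):
    """Return (dmarc_result, action).

    spf  = (result, MAIL FROM domain); dkim = (result, d= domain) or None.
    """
    from_domain = from_domain_of(from_header)
    policy = lookup_dmarc(from_domain, dns)
    if policy is None:
        # No DMARC record: the receiver has nothing to enforce.
        return ("none", "deliver")
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return ("fail", action)


# Constructed DNS records for the example; none of these are real zones.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.monitor-only.example": "v=DMARC1; p=none",
    "_dmarc.attacker.example": "v=DMARC1; p=reject",  # attacker's own domain passes for itself
}

if __name__ == "__main__":
    cases = [
        ("legit, relaxed SPF", '"Legal Dept" <legal@example.com>', ("pass", "bounce.example.com"), ("pass", "example.com")),
        ("spoofed From at p=reject", "ceo@example.com", ("pass", "attacker.example"), ("pass", "attacker.example")),
        ("spoofed subdomain inherits policy", "hr@sub.example.com", ("pass", "attacker.example"), None),
        ("DKIM on subdomain fails strict adkim", "ceo@example.com", ("fail", "example.com"), ("pass", "mail.example.com")),
        ("spoofed From at p=none", "finance@monitor-only.example", ("pass", "attacker.example"), None),
        ("display-name spoof, attacker domain", '"CEO (example.com)" <jane@attacker.example>', ("pass", "attacker.example"), ("pass", "attacker.example")),
    ]
    for label, hdr, spf, dkim in cases:
        print(f"{label:40s} -> {dmarc_disposition(hdr, spf, dkim, DNS)}")
```

The last two cases are the caveats from the paragraph above: a domain that publishes p=none still delivers the spoof (DMARC is only reporting there), and a message from an address the attacker actually controls passes DMARC regardless of what the display name says, so recipients still need lookalike-domain and display-name checks on top of enforcement.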