This article was also published as an infographic in the September/October 2024 issue of CPABC in Focus.
Social engineering, along with AI and automation, is making cyberattacks both easier to launch and harder to detect. In addition to increasing the volume of attacks, these tools are enabling threat actors to leverage personalization to lend legitimacy to their schemes. As the Canadian Anti-Fraud Centre (CAFC) has noted, “Fraud is becoming more personal.”
What is social engineering?
Social engineering exploits human nature to trick individuals into providing access to sensitive personal information, such as social insurance number and financial information, and/or entry into systems, networks, or devices. Unlike traditional hacking, which often involves breaking through technical barriers, social engineering targets the psychological and emotional vulnerabilities of individuals.
The social engineering life cycle
The Canadian Centre for Cyber Security breaks the social engineering life cycle into four stages:
- The bait: Threat actors research individuals and organizations through social media and other sources. This research helps them craft personalized and convincing scams.
- The hook: Once the groundwork is laid, threat actors use social connection, sympathy, urgency, or threats to hook their victims.
- The attack: This is the critical phase where victims are tricked into giving access to their financial assets or other sensitive information.
- The escape: After successfully executing the scam, the threat actors disappear, making it difficult for victims or authorities to trace them.
Common scams
The CAFC estimates that only 5-10% of fraud and cybercrime is reported, which makes the available figures all the more staggering. Consider, for example, the dollars lost by the Canadians who reported being victimized by the following social engineering scams in 2022.
- Romance fraud ($59 million lost)
- Threat actors target victims through online dating sites and apps, building emotional connections before exploiting them for financial gain.
- Spear phishing ($58 million lost)
- Threat actors send customized messages containing malicious links to potential victims, often appearing to come from trusted sources.
- Emergency/grandparent fraud ($9 million lost)
- Threat actors contact a senior, claiming to be a family member in an emergency situation.
- Job fraud ($7 million lost)
- Threat actors target job seekers with fake job opportunities.
AI in social engineering
The CAFC warns that use of the following AI technologies is on the rise in the fraud environment:
- Dialogue-based generative AI: Threat actors are using apps such as ChatGPT to impersonate others in text-based conversations.
- Voice cloning: With a few soundbites, threat actors can replicate voices to make their scams more convincing.
- Deepfakes: Threat actors are increasingly using AI-generated video and images to defraud victims, making it difficult to distinguish between real and fake content.
- Malicious bots: The most widespread tool used by threat actors, bots can be programmed to send emails, texts, and social media messages and are becoming more sophisticated.
Related articles
Beware of these social engineering tactics as well
- Quid pro quo: Convincing a victim to give up sensitive information in exchange for the promise of a service.
- Spoofing: Masking or forging a website, email address, or phone number so that it appears to originate from a trusted source.
- Smishing: Sending scam messages by SMS or text to launch a phishing attack (e.g., getting recipients to click on malicious links).
- Typo-squatting: Registering malicious sites with URLs similar to legitimate sites to prey on users who mistype.
Protect Yourself
Visit the CAFC site for tips on how to protect yourself from cyber scams. If you are a victim, report the incident to the local police and the CAFC by calling 1-888-495-8501.
Anthony Green is manager, security operations and compliance at CPABC
