Social engineering has been an observable phenomenon since the beginning of history. People with something to gain have always found avenues to manipulate others’ fears or willingness to trust. In the modern world, social engineering attacks most frequently take place over the telephone or internet.
What Are Social Engineering Attacks?
Social engineering is the act of “human hacking” to commit fraud and identity theft.
Hackers use deceptive psychological manipulation to instill fear, excitement, or urgency. Once you’re in a heightened emotional state, they’ll use that against you to cloud your better judgment.
The four phases of a social engineering attacks are:
- Discovery and investigation
- Deception and hook
- Attack
- Retreat
Here are 7 of the most common types, how they work, and how to handle them.
1. Phishing
Phishing is where an attacker attempts to contact users via email, telephone, or text, appearing as a trusted or legitimate source. The aim is to trick users into revealing login credentials credit card details, click on malicious links, or download malicious files.
Phishing attack types include:
- Spear phishing, where the attack is targeted toward a specific person or group of people.
- Vishing involves fraudulent voice messages or calls.
- Smishing, also known as SMS phishing, uses text messages to lure victims.
- Whaling, wherein a perpetrator takes on the guise of a senior member in the organisation to target employees with privileged access.
2.Baiting
The social engineering attack known as baiting is where a bad actor makes a promise to their victim in exchange for something they want, such as a wire transfer of money, a Social Security number, or a credit card. The fraudster will sometimes make direct contact by posing as a trusted entity, like a cop or a bank. Other times, an email might deliver links that lead to fraudulent websites or install malware.
3. Pretexting
The purpose of pretexting is to build a relationship/level of trust with the victim before an attempted attack is made. It is used by the bad actor to create a pretext, or a story, to gain trust with an individual, who they later manipulate to gain key information or data. Often, the attacker poses as a co-worker or an authoritative figure.
4. Quid Pro Quo
Quid Pro Quo, a term when used in cyber security, refers to a combination of tactics used in Pretexting and Baiting whereby an attacker poses as a trusted source and may ask for otherwise inaccessible information in exchange for a gain or offer. The purpose of this is to lure the person into sharing details, rather than pressuring/ scaring them into disclosing information.
5. Water-Holing
Water-Holing is usually targeted toward users belonging to a specific group or industry and is used to infect websites that are typically frequented by the target users. The users may then click on malicious links on the website they usually use (or a bogus website set up to emulate the real site). Once malware is downloaded from the malicious link, this may provide attackers with access to the victim’s machine and network.
6. Tailgating or Piggybacking
This type of social engineering attack is the most personal social engineering attack. Both attacks refer to when authorized personnel gives permits a stranger to access the company building or a restricted area.
Scammers may even dress up as delivery drivers, saying that they forgot their ID or that they are new to the company. Once they are inside, they steal your sensitive information.
7. Mind Games
A SecurityHQ employee, responsible for conducting voice-phishing (vishing) simulations for a client, shared that they were successful in retrieving confidential data from victims 100% of the time when they appealed to the human side. The SecurityHQ employee stated that ‘I did this by pretending like I didn’t really understand how the process worked. A sense of urgency played to my advantage, as I stressed that the data I was requesting, was for a client meeting scheduled minutes from the vishing call’.
Know How to Defend Your Organization
- All social engineering attacks leverage the relative weaknesses of the individual, like a willingness to trust or panic in a crisis.
- It’s vital to use email filtering, regularly train employees, remove unnecessary accounts and credentials, and study normal traffic and user patterns to flag suspicious activity.
- Don’t open emails and attachments from suspicious sources.
- Use multifactor authentication.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment