Social engineering attacks account for a large share of all cyber attacks, and research indicates they are on the rise. Industry breach reports commonly put the figure at more than 90% of successful intrusions and data breaches beginning with a single, familiar social engineering technique: phishing.
Social engineers are clever and use manipulative strategies to trick victims into revealing private or sensitive information. Once they have that information, they can use it to carry out further attacks, such as logging in as the victim or targeting the victim's colleagues.
One of the best ways to protect yourself from social engineering attacks is to be able to identify them. Let’s explore six common types of social engineering attacks:
Phishing is a social engineering technique in which attackers send fraudulent emails that claim to come from a trusted and reputable source. For example, a social engineer might send an email that appears to come from an account manager at your bank. The message claims to have important information about your account, but first asks you to reply with your full name, date of birth, social security number, and account number so that your identity can be "verified". The sender was never a bank employee; it was someone trying to steal private data.
Generally speaking, phishing casts a wide net and tries to reach as many people as possible. There are, however, several variants of phishing aimed at specific targets.
Spear phishing is a targeted phishing email. In a spear phishing attack, the social engineer does their research and tailors the message to a specific person. By mining the target's public social media profiles and searching for them on Google, attackers can craft convincing, personalized lures. Imagine someone who frequently posts on social media about being a member of a particular gym. The attacker can craft a spear phishing email that appears to come from that gym, and the victim is more likely to be deceived because they believe the gym is the sender.
Whaling is another targeted phishing scam. In whaling, however, social engineers do not go after ordinary users but focus on higher-value targets such as CEOs and CFOs. Whaling gets its name from targeting the "big fish" within a company.
Although the word phishing is used to describe fraudulent email, the same manipulation techniques can be delivered over other channels, such as telephone calls and text messages.
Vishing (short for voice phishing) occurs when scammers use a phone call to trick victims into revealing confidential information or granting remote access to their computer. Callers often threaten or intimidate the victim into handing over personal information or payment. Scams like this frequently target seniors, but anyone without adequate training can be fooled.
Smishing (short for SMS phishing) is similar to email phishing and vishing and uses the same techniques, but the lure is delivered by SMS text message.
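The tells described in this section (a display name that claims a trusted organisation while the address belongs to someone else, a Reply-To pointing to a third domain, links to lookalike hosts, and a body that asks for identity details) can be checked mechanically. The following Python script is an added example, not code from the original article: it parses a raw email with the standard library and reports those indicators. The trusted-organisation map, the phrase list, the two-hit threshold and both sample messages are constructed for illustration and are assumptions, not data from the page.

```python
"""Heuristic phishing-indicator checker (added example, not from the article).

Flags the tells a phishing email commonly shows: a display name impersonating
a trusted organisation from a foreign sender domain, a Reply-To that differs
from From, links to hosts the organisation does not own, and a request for
identity details. Trusted-domain map, phrase list and samples are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: organisations the reader trusts and the domains they really send from.
TRUSTED_ORGS = {
    "examplebank": {"examplebank.com"},
}

# Phrases a bank would not ask for by email (constructed list). Two or more
# matches in one message are treated as a credential/PII solicitation.
PII_PATTERNS = [
    r"social security number", r"\bssn\b", r"date of birth",
    r"account number", r"verify your identity", r"\bpassword\b",
]
PII_THRESHOLD = 2


def address_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def claimed_org(display_name: str):
    """Return the trusted organisation the display name impersonates, if any."""
    squashed = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for org in TRUSTED_ORGS:
        if org in squashed:
            return org
    return None


def check_message(raw: bytes) -> list[str]:
    """Return human-readable findings for a raw RFC 822 message; [] means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_domain = address_domain(from_hdr)
    org = claimed_org(display)
    if org and from_domain not in TRUSTED_ORGS[org]:
        findings.append(f"display name claims '{org}' but sender domain is {from_domain}")

    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    hits = [p.replace("\\b", "") for p in PII_PATTERNS if re.search(p, lowered)]
    if len(hits) >= PII_THRESHOLD:
        findings.append(f"asks for identity details: {', '.join(hits)}")

    if org:
        for url in re.findall(r"https?://[^\s<>\"']+", text):
            host = (urlparse(url).hostname or "").lower()
            # An exact-domain check catches lookalikes such as
            # examplebank.com.verify-login.xyz that a substring check would miss.
            if host not in TRUSTED_ORGS[org]:
                findings.append(f"link to {host} does not belong to '{org}'")
    return findings


# Constructed sample modelled on the bank scenario in the text.
PHISH = b"""From: "ExampleBank Account Manager" <accounts@examp1ebank-secure.com>
Reply-To: verify@mail-examplebank.net
To: customer@example.org
Subject: Important information about your account
Content-Type: text/plain; charset=utf-8

Dear customer,

We have important information about your account. Before we can share it we
must verify your identity. Please reply with your full name, date of birth,
social security number and account number, or confirm online at
http://examplebank.com.verify-login.xyz/confirm
"""

# Constructed legitimate notice for comparison (one PII phrase, trusted link).
LEGIT = b"""From: "ExampleBank" <notices@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://examplebank.com/statements and we
will never ask for your password by email.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(sample) or ["no indicators"])
```

The checks are deliberately simple and produce findings rather than a verdict; in practice they would sit alongside SPF/DKIM/DMARC results and a lookalike-domain list rather than replace them. The exact-domain comparison on links matters: a substring test for "examplebank.com" would wave through the subdomain lure in the sample.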
Learn about some real examples of phishing scams by reading our Social Engineering Attack Examples blog.
Pretexting is a method in which the attacker invents a scenario (the pretext) that makes the victim feel compelled to comply. Often the attacker poses as someone in a position of authority so that the victim obeys their instructions without question.
In this type of social engineering attack, bad actors may pose as police officers, corporate executives, auditors, investigators, or any other role they think will get them the information they need.
Baiting places something tempting or intriguing in front of the victim to lure them into a social engineering trap. The bait may be an offer of free music downloads or gift cards designed to trick users into entering their credentials.
Social engineers may also hand out free USB drives at a meeting. The recipient thinks they have received a free storage device, but the attacker may have loaded it with remote access malware that infects the computer as soon as the drive is plugged in.
Tailgating is a simple social engineering attack used to gain physical access to restricted areas. It is carried out by closely following an authorized person into the area without that person noticing; for example, the attacker slips a foot or another object into the door before it fully closes and locks.
Piggybacking is very similar to tailgating. The main difference is that in piggybacking the authorized person knows about, and allows, the other person entering on their credentials. An employee may feel obliged, in good faith, to hold a secure door open for someone carrying a heavy-looking box, or for a supposed new hire who claims to have forgotten their access card.
Read about the five most notorious social engineering attacks of the last decade to see how social engineers misled large companies such as Target and Twitter.
Quid pro quo (Latin for "something for something") is a social engineering tactic in which the attacker offers a service in exchange for information. A typical setup involves the attacker pretending to be from the IT department, calling the company's main line, and trying to reach someone who is experiencing technical problems.
Although social engineering is one of the most important ways bad actors trick employees and managers into exposing private information, it is not the only way cybercriminals take advantage of companies large and small.