Have you ever received a suspicious email or phone call from an unknown number asking for information? Or clicked on that link promising discount deals but ended up entering sensitive information? Chances are you were a victim of a social engineering attack.
Social engineering is a manipulation technique used by attackers to extract information or access from people. In this article, we will learn what social engineering attacks are, how they work, and the twelve latest forms of social engineering attacks. We will also learn how to identify, and protect yourself, and your business from such attacks.
The 2018 Verizon Data Breach Investigations Report found that social engineering was a factor in 32 percent of all data breaches.
The 2019 IBM X-Force Threat Intelligence Index found that phishing was the most common type of attack, making up over one-third of all attacks.
What Are Social Engineering Attacks?
Social engineering attacks are manipulations or deceiving tactics used to gain control over computer systems, data, or sensitive information.
Social engineering attacks have drastically evolved. New methods such as Deep fakes are a growing concern for individuals and businesses. Cybercriminals know their targets and social engineering is used to take advantage of human weaknesses.
Cybersecurity mistakes like this can cost companies huge sums of money. The average cost of a company data breach is $4.24 million.
Protecting against social engineering has become a pressing issue, and defending against these attacks is essential to avoid being a victim. New methods for exploiting technology trends are constantly being developed by cyber attackers, resulting in efficient social engineering techniques.
How Do Social Engineering Attacks Work?
Social engineering attacks can occur in various forms. Once a cybercriminal gains access to your security systems or private information, the damage can be costly. Social engineering attacks pose a threat to various platforms, including iOS, Android, and personal computers.
There are four main phases in social engineering.
- Discovery and investigation — The attacker searches for information about their target through social media platforms, dark web forums, or other public sources of information.
- Deception and hook — Once the attacker has gathered enough information, they will attempt to establish trust with their target by deception. This is done through phishing emails or contacting the target using impersonation techniques.
- Attack — If the attacker is successful, they will then attempt to gain access to their system or information. This is done through malicious software, password guessing, and other methods.
- Retreat — After the attacker has successfully accessed the target system or information, they will then begin to cover their tracks by deleting any evidence of their attack.
The average time to detect a cyber-attack or data breach is close to 250 days, so you won’t even know what’s happened until they’re long gone.
10 Types of Social Engineering Attacks
Now that we know what social engineering attacks are, and how devastating they can be, let's look at 10 types of social engineering attacks.
Phishing attacks are the most common type of social engineering attacks. It involves sending fraudulent emails to a number of people making the email appear to be from a legitimate source, such as a bank or government agency. The email will usually contain a link that leads to a malicious website designed to steal personal information.
In 2017, there was a pretexting attack that targeted Netflix users. The attackers sent out emails that appeared to be from Netflix, asking the recipients to update their payment information. If they did so, they would be redirected to a fake website that would steal their login credentials and credit card numbers.
Spear phishing attacks are like phishing attacks, but they are targeted at specific individuals or organizations. The attacker will customize the email with information about their target, making it difficult for them to spot the fraud.
A new take on spear phishing is known as angler phishing. This occurs when scammers impersonate customer service accounts on social media. Their goal is to get access to their login information with promises of help.
Smishing and vishing
Smishing is a type of phishing attack that uses text messages. The attacker will send a message that appears to be from a legitimate organization, asking you to click on a link or call a phone number.
Vishing is like smishing, but the attacker will use voice calls instead of text messages. They may spoof the caller ID so it appears as if they are calling from a legitimate source or even a friend.
In 2019, there was a massive vishing campaign targeting customers of major US banks. The attackers would call victims and pretend to be from the bank’s fraud department. They would then try to get the victim to give them their login information or credit card number.
Piggybacking refers to an attack where the attacker gains access to a secured area by following someone who has legitimate access.
Tailgating is similar to piggybacking, but the attacker will try to gain access by asking someone for their badge or ID. Once they have the badge, they can use it to tailgate their way into the building.
Baiting attacks use physical media. This includes USB drives or CDs, to lure victims into infecting their own computers. The attacker will leave the infected media in a public place and wait for someone to take it and plug it into their computer.
In 2017, there was a baiting attack targeting staff at the UK’s National Health Service (NHS). The attacker left USB sticks around hospitals and clinics that appeared to contain information about patient care. When plugged in, the devices would actually install malware that could give the attacker access to sensitive patient data.
Business Email Compromise (BEC)
Business email compromise (BEC) is a type of social engineering attack where the attacker gains access to a business email account and uses it to send fraudulent emails.
The most common type of BEC attack is known as invoice fraud. This is when the attacker sends out an email that appears to be from a known vendor, asking the recipient to pay an invoice. The payment will go into the attacker’s account instead of the legitimate vendor.
Quid Pro Quo attacks
In Quid pro quo attacks, the attacker offers something to the victim in exchange for personal information or access to a system.
For example, an attacker may call someone pretending to be from IT. And they offer to help troubleshoot their computer issues if they provide their login credentials.
The term “honeytrap” refers to a social engineering attack, in which an attractive person is used to entice targets.
Honey trapping involves using an attractive individual to seduce and manipulate a target into revealing sensitive information or compromising their position. The attacker uses an attractive person to lure the victim into disclosing personal information or committing a crime.
Honey trapping is also a common espionage tactic that has been used by various intelligence agencies around the world. It helps them to extract sensitive information from individuals in positions of power. There have been some high-profile cases of alleged honey trapping involving individuals associated even with the military.
Scareware is a type of social engineering attack where the attacker uses fear to trick the victim into taking an action. This includes clicking on a link, downloading malware, or buying something online.
For example, how an attacker may send an email that appears to be from a legitimate company like Microsoft. It will then warn the recipient that their computer has been infected with a virus. The email would then tell them to click on a link to download “antivirus software” which would eventually be malware.
In 2012, there was a scareware attack targeting Android users. The attackers created fake antivirus apps and advertised them online. When victims installed the apps, they would display fake virus warnings and prompt the user to buy the “full version” of the app to remove the malware.
How to protect yourself from social engineering?
The best way to protect yourself from social engineering attacks is to be aware of them. Cybercriminals come up with new ways of attacking targets and it’s important to keep up-to-date on the latest threats.
Here is a quick checklist.
- Carefully check emails including names, addresses, and copies.
- Be wary of unexpected attachments.
- Recognize common phishing email subject lines (“urgent action required”, “account has been compromised”).
- Verify the identity of anyone you don’t know personally.
- Be extra careful around social media.
- Never pay a ransom, and report ransomware to the relevant authorities. If you are in the US, you can report to the FBI at www.IC3.gov.
- Always use two or multi-factor authentication (2FA/MFA).
How to protect your business from social engineering?
Here is how we can protect businesses from social engineering attacks.
- Educate and train employees on social engineering attacks.
- Create and enforce strong security policies.
- Install technical safeguards like antivirus and firewalls.
- Track activity and audit logs.
- Implement strong password policies and Multi-Factor Authentication (MFA).
- Restrict access to sensitive information using the Principle of Least Privilege.
- Track employee activity with an SIEM solution.
As social engineering attacks become more advanced, it's essential to be aware of how hackers try to manipulate you, your business, and your family. Most social engineering attacks can be recognized, controlled, and mitigated.
It is crucial that we take social engineering attacks seriously. By employing the right defensive strategies, we can safeguard ourselves against all forms of social engineering attacks.
Stay up-to-date, be alert, and make yourself a hard target.