Discover The 5 Most Common Types of Social Engineering Attacks
Have you always wondered what the term Social Engineering actually means, and how attackers use this to target your business? (don’t worry, you’re not alone…)
Simply stated, Social Engineering is all about just what the name suggests, engineering social interactions, or in other words, using influence to manipulate decision-making. Now, this in itself is not necessarily a bad thing, but can easily be used to take advantage of people, and to get information from them that they wouldn’t usually give out.
Now, the real truth is that we’ve all done it: socially engineered situations for our own benefit. How many times did you trick your mother and lie about finishing your homework for some extra TV when you were younger? You were taking advantage of the trust built up between you in order to win one more hour of your favorite cartoon.
If you’re like me, it was a lot… Tricking your way into more screen time isn’t exactly going to cause a large amount of damage, but successful Social Engineering attacks on your employees can be very costly for your business.
It’s important to be aware of these threats, so below are 5 common Social Engineering attacks that you may want to look out for.
1. Phishing/Vishing/Spear Phishing/Whaling
These attacks fall under the cyber attack vectors of email and phone. Now, let’s go deeper into the difference between these forms of social engineering.
Phishing is about sending out communications across various mediums to convince someone to take action. The most common medium is email, where an attacker will send the user an email from someone they have never met before in order to try and get them to click on a link, which will direct the user to a corrupted website, or to open an attached corrupted file, which will infect the system with malware. You can read more about Phishing in our article Here Are The Top 3 Cyber Threats Facing Your Business (And How To Protect Yourself Against Them).
Vishing attacks are phishing attacks that target users through the phone, either via text message or call. An example of this type of social engineering attack would include the attacker calling the user pretending to be a representative for a reputable company, say Microsoft, in an attempt to trick them into giving the attacker account information. The call could go as follows – “Hi, I’m Bob from Microsoft. I am calling because my records show that you may need to update your computer software. Could I please get your username and password for security purposes…”
Spear Phishing emails are more tailored to look authentic. They address the user by name and appear to be from someone in your organization, instructing the user to change some personal information. Spear Phishing campaigns take a lot more effort from the attacker, as they have to research a handful of vetted companies and write a tailored cover letter to each user in each company, as opposed to normal phishing campaigns where they will send thousands of generic emails which aren’t addressed to anyone in particular. (You can also find more information on this type of attack in our article Here Are The Top 3 Cyber Threats Facing Your Business (And How To Protect Yourself Against Them).)
Whaling demands the biggest investment of time from an attacker, but stands to reap the largest reward if successful. It is a form of spear phishing campaign that targets senior executives in the company, taking advantage of their access and trust level within the company with the goal of obtaining larger amounts of money. Attackers have to spend time researching everything about the targeted executive in order to make the communication seem authentic and to manipulate the employee, making them believe that they have been sent an email from that executive.
Curiosity usually gets the better of all of us, and that’s exactly what this form of social engineering targets. In this form of attack, an attacker actively or passively takes advantage of a person’s greed or curiosity by promising some sort of incentive. Say, for example, that there is a movie that you have really wanted to watch, and you get an email which includes a download link for it. You know that you shouldn’t download it from a random link, but your curiosity about the movie is killing you, and so you do… and you get malware onto your system, which can cause a large amount of damage to the company’s network. Or it could be less malicious – it could be that a man on the street offers you a gift card in exchange for your email address. Your greed told you that the price of your email address is low compared to the gift card you receive; however, once your hour of shopping is over, you are then spammed with deals for the next year.
3. Tailgating (offline threat)
“Could you hold the door open for me?” – Does this sound like something you’ve heard before? What about “Hold the door for me, I forgot my entry badge at home?”
We’ve all held the door open for someone who is running a little late to the elevator or the grocery store. This small act of kindness takes less than a second, and it seems that we respond to the requests almost automatically, instantly shooting our arm out to catch the shutting entrance. It’s almost impossible to think that something so reactive can cause a hugely negative reaction against us or our business, and this is exactly what social engineers depend on. In fact, have you ever thought about whether all the people you have let in truly belonged? Tailgating is when a person gains unauthorized access to an area that requires authorization by using deceptive tactics or manipulation. This attack can incur enormous loss to your company, because once someone who isn’t supposed to be inside your building, or your network server room, gains access, there is no knowing what they can do.
4. Shoulder surfing (offline threat)
Shoulder surfing occurs when a person attempts to gather confidential information by simply looking over your shoulder. This type of attack, as you can imagine, works wonders when incorporated with tailgating, for an attacker who is inside is then able to take a peek at what all your employees are doing, especially when everyone assumes he or she is supposed to be there.
Shoulder surfing can happen in your place of work, but also in public places such as cafes or libraries, on public transport or basically anywhere that is crowded enough to make eavesdropping simple. How many times have you been at a cafe or public place inputting personal details into your laptop? Maybe next time, have a look around to see who is near you before you begin.
5. Pretexting
Pretexting is what social engineering is all about. It’s the act of creating a persona or background that is used to persuade someone into providing private information or taking some action. Pretexting is essentially the “scripting” stage of any social engineering attack.
The main factors of this form of cyber attack are character and plausibility, as the user has to be convinced that the attacker is who they say they are in order to hand over valuable information. An example of this could be a vishing phone call where an attacker pretends to be from your company’s internet provider asking for login information in order to access accounts, or a spear phishing campaign feigning to be from your company’s IT department.
Social engineering is amongst the most effective forms of cyber attack, and one of the most lucrative ways to steal money from, and cause damage to, your business. It aims to take advantage of the trusting nature of your employees. The good news though is that through proper education and selecting the right people for your cyber security team, you will drastically limit the risk this type of attack poses.
We at Cyber Security Recruitment specialize in connecting business leaders like you with trained professionals that can help secure your business against the damage that Social Engineering attacks can cause. Want help finding the right people for your cyber team? Email or call us today.