What is social engineering?
Social engineering is the manipulation of people into giving up confidential information or taking actions that compromise security. What the attacker is after varies, but when individuals or employees are targeted it is most often passwords or banking information. The attacker may also be trying to get you to install malware (malicious software) on your computer that harvests those passwords and banking details for them.
11 types of social engineering attacks
Criminals use social engineering tactics to gain trust because exploiting trust is easier than finding a zero-day remote exploit in your software. Below, we discuss the social engineering techniques most commonly used by cybercriminals.
1. Angler phishing
Angler phishing is a newer kind of phishing that targets social media users through spoofed customer service accounts. The attackers watch for customers complaining publicly about a brand, reply as that brand's "support" team, and obtain personal information or account credentials in the process.
2. Spear phishing
Spear phishing is email or other electronic communication crafted to scam a specific individual, organization, enterprise or business. Cybercriminals often try to install malware on a user's computer to gather credentials, but with spear phishing they frequently build enough trust that the user sends the credentials themselves.
3. Whaling
Another common social engineering attack targets top-level enterprise executives and even the heads of government agencies. The aim is to steal money or sensitive information from senior employees who typically have broad access to information and authority over payments. As with other attacks, the criminals may also try to get into the executive's computer systems to steal this information. Also known as CEO fraud, whaling uses the same methods as phishing, such as email and website spoofing.
4. Diversion Theft
In online diversion theft schemes, thieves trick victims into sending sensitive data or payments to the wrong recipient. They often do this by spoofing the email address of someone inside the victim's company, or by spoofing an auditing firm or financial institution.
5. Baiting
Baiting is a social engineering attack in which victims are lured into handing over sensitive information or credentials by a false promise of something valuable for free. The bait may also be a malicious attachment with an enticing name.
6. Pretexting
Pretexting is a more elaborate style of social engineering in which the scammer invents a scenario (the pretext) to con a user into providing passwords, financial information or their Social Security number. They may pretend to be an IRS auditor, for example.
7. SMS Phishing
SMS phishing (smishing) has become a larger and larger problem as more enterprises have embraced texting as a communication channel. In one method, scammers send a text message that spoofs a multi-factor authentication prompt and links to a malicious web page that collects the victim's credentials or installs malware on their mobile device.
8. Scareware
Scareware is when a scammer inserts malicious code into a web page that causes a pop-up window with flashing colors and alarming sounds. The pop-up falsely warns that a virus has been found on your device and tells you to purchase or download their "security software", or to call an alleged computer technician to restore your system. The scammer then steals your credit card information, installs actual malware, or both.
9. Watering hole attack
In a watering hole attack, the attacker compromises a legitimate website that the targets are known to visit. Once victims log in to the site, the attacker can capture their credentials and use them to breach the target's own network, or plant a backdoor trojan on visitors' machines that gives access to that network.
10. Vishing attack
Vishing, short for voice phishing, is when a cybercriminal uses a telephone call to trick victims into disclosing information or even handing over direct access to their computer. One popular vishing scam involves callers pretending to be from the IRS and threatening or frightening the victim into giving up personal data or making a payment. Vishing scams often target older people, but anyone who is not well trained can fall for them.
11. Business Email Compromise
Business email compromise (BEC) is a cyber crime scheme in which an attacker uses email to defraud a company, typically by impersonating an executive, supplier or partner to redirect payments or extract sensitive data. BEC is a growing problem for organizations of every size and industry worldwide. A subset of BEC is email account compromise (EAC), in which the attack is launched from a real account inside the organization rather than a spoofed address; that compromised account is often the result of an earlier, successful phishing incident.
How to prevent a social engineering attack
Since social engineering attacks are an ever-growing problem, you need to know some mitigation tactics in order to avoid them. Below, we explain some of the more effective measures your organization can use to stop social engineering attacks.
Have a positive security culture
If you or any of your staff fall victim to a social engineering attack, your security team will have to act quickly to contain it. The corporate culture must therefore encourage victims to report incidents as soon as possible rather than hide them; you do not want a malware infection dwelling on your systems for months because the person who clicked was afraid to speak up. Rapid response matters, but predicting and preventing attacks is far better.
Test training effectiveness
Training your staff to spot social engineering attacks should not be a one-off event. Regularly test whether the training has stuck and repeat it as necessary. A good example is a simulated phishing campaign, in which your staff receive a controlled phishing attempt. The results show how susceptible they are and how exposed your organization is, and let you retrain the employees who need it most, which reduces your exposure.
Implement layered technical controls
In addition to training and testing your staff, implement layered email security. At a minimum this should include an email "hygiene" filter such as Microsoft Defender for Office 365, an endpoint security agent, real-time threat detection, and automated remediation of confirmed malicious emails (removing them from every mailbox they reached). These layers reduce the number of attacks that reach your staff and limit the damage from the ones that succeed. They are, of course, part of an overall enterprise security architecture that may also include firewalls, patch management, penetration testing, and access governance.
Leverage security training to engage your staff in real-time defense
Users cannot reliably identify social engineering attacks on their own, but they can perform an initial analysis of messages that machine learning models and other automated real-time detection techniques have flagged as suspicious. For example, a natural language processing engine could warn a user that an email is suspicious based on indicators such as:
- Masquerading: Posing as a trusted entity, such as a familiar brand or a known person.
- Urgency: Creating a false sense of urgency, which pushes users into fear or excitement so they act before they think.
- Taking advantage: Exploiting people's sense of indebtedness or their conditioned deference to authority.
Equipped with this real-time information in the specific context of an individual threat, users can apply their training to:
- Stay Alert: Be suspicious of any unsolicited communication.
- Double-Check Email Addresses: Confirm that an email genuinely came from its stated sender, not just from a matching display name.
- Be Cautious of Attachments: Avoid opening any suspicious-looking email attachment.
- Think Twice: Think twice before providing any sensitive information via email.
- Website Security: Before submitting sensitive information, check the site's address and certificate, even if the page looks legitimate.
- Pay attention to URLs: "Typosquatting" sites look genuine but use web addresses that differ subtly from the site they imitate (a swapped letter, an added word, a different top-level domain).
- Check for Spoofing: Hover over the sender's name to reveal the actual email address and make sure the two agree. The address itself can also be forged, so treat this as a first check rather than proof.
- Check Grammar: Look for spelling errors and other common giveaways.
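The indicator list above (masquerading, urgency, taking advantage) and the manual checks that follow it (sender address versus display name, Reply-To, link text versus real destination, typosquatted domains) can be expressed as simple triage heuristics that run over a raw message. The following is an added example; it is not Cyren's code and not from any product mentioned on this page. The trusted-brand list, the phrase lists, the edit-distance threshold and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: brands this hypothetical organisation treats as trusted.
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "dropbox.com")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "act now", "final notice", "verify your account")
# Appeals to authority or obligation ("taking advantage" in the list above).
LEVERAGE_PHRASES = ("as requested by the ceo", "per our agreement",
                    "you owe", "the irs", "failure to comply")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def edit_distance(a, b):
    """Levenshtein distance; a small value between a domain token and a brand
    name indicates a typosquat such as paypa1 vs paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name (no public-suffix list in this example,
    so co.uk-style domains are handled crudely)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for token in re.split(r"[-.]", domain):
            # Brand embedded in a longer label, or one or two edits away from it.
            if brand in token or (len(token) >= 4 and edit_distance(token, brand) <= 2):
                return trusted
    return None


def domain_of(address):
    return registrable_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def triage(raw):
    """Return (indicator, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # Masquerading: display name invokes a brand the address does not belong to,
    # the sending domain is a lookalike, or Reply-To diverts answers elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and from_domain != trusted:
            findings.append(("masquerading", f"display name says {brand} but address is {addr}"))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("masquerading", f"sender domain {from_domain} resembles {imitated}"))
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("masquerading", f"Reply-To domain {reply_domain} differs from {from_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + " " + text).lower()
    findings += [("urgency", p) for p in URGENCY_PHRASES if p in lowered]
    findings += [("taking advantage", p) for p in LEVERAGE_PHRASES if p in lowered]

    # URL checks: visible link text naming one host while the href points to another,
    # or a link host that typosquats a trusted brand.
    for href, anchor in LINK_RE.findall(text):
        href_host = registrable_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(anchor.lower())
        if shown and registrable_domain(shown.group(0)) != href_host:
            findings.append(("url mismatch", f"text shows {shown.group(0)}, link goes to {href_host}"))
        elif lookalike_of(href_host):
            findings.append(("url mismatch", f"link host {href_host} resembles {lookalike_of(href_host)}"))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: collections@mailbox-hosting.net
To: finance@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. Verify your account immediately at
<a href="https://paypa1-secure.com/login">https://www.paypal.com/signin</a>
or your account will be suspended.</p>
"""

BENIGN = """\
From: "Alice Jones" <alice@example.org>
To: finance@example.org
Subject: Lunch tomorrow?

The usual place at noon. Let me know if that works.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name)
        for kind, detail in triage(raw):
            print(f"  [{kind}] {detail}")
```

On the constructed phishing sample the function reports three masquerading findings (brand in the display name, a typosquatted sender domain, a diverted Reply-To), five urgency phrases and one link whose visible text names paypal.com while its target is the lookalike domain; the benign sample produces nothing. Heuristics like these are a first pass for the user to review, not proof: the From address can be forged outright, so a production filter also relies on the mail system's own authentication results rather than header text alone.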
Social engineering attacks are constantly on the rise, but vigilance backed by the controls above makes it far less likely that you or your employees will fall for them.
Learn more about Cyren Inbox Security for 365, and how it can help your business stop social engineering attacks in their tracks.