Social engineering is the practice of deceiving people into disclosing personal information that could be used in a cyberattack in the context of cybersecurity.
Attacks utilizing social engineering come in a wide variety. Convincing emails or text messages that contain links to nefarious websites are one type of social engineering. Others take more work, like a phone contact from a cybercriminal posing as tech help and asking for private information.
Cybercriminals frequently utilize social engineering attacks to gain access to networks without having to go through the onerous process of finding and exploiting security weaknesses. Instead, deceived staff essentially give threat actors the network’s control.
Social engineering attacks are becoming more common as a result of how much simpler they make cyberattacks. State of Cybersecurity Survey results show attacks using social engineering take place in one or more steps. A culprit first looks into the target in order to obtain background information, such as possible avenues of entry and lax security measures, needed to carry out the attack. The attacker then makes an effort to win the victim’s trust in order to offer motivation for later actions that violate security protocols, including disclosing private information or allowing access to vital resources (https://www.imperva.com/learn/application-security/social-engineering-attack/ https://www.upguard.com/blog/social-engineering).
13 Examples of Social Engineering Attack Techniques
Common social engineering attacks include:
A form of social engineering when an attacker hides a physical object (such as a USB) that is infected with malware where it is most likely to be found. A process for installing malware is started when a victim plugs the USB into their machine.
Diversion theft is when social engineers trick a delivery company into sending the package to a different location so that it can be intercepted.
A honey trap is when a con artist uses an attractive online identity with the aim of stealing personally identifiable information (PII) from the people they engage with, such as contact information for phone numbers and email accounts.
Phishing attacks pose as a reliable source in order to get private data such as login credentials, credit card numbers, and bank account information. The most typical phishing scam is a bogus email that appears to have been sent by a reliable source. Here is an illustration of a phishing email that purports to be a message from the World Health Organization.
An email spoofing attack known as spear phishing specifically targets a certain company or person. The goal of spear phishing emails is to fool the target into downloading malware or divulging private information.
Smashing or SMS phishing is phishing performed over SMS rather than the traditional medium of email.
Pretexting is the practice of lying to obtain access to private information or other restricted materials. A fraudster might, for instance, pretend to be a third-party vendor and request your full name and job description in order to confirm your identification.
Quid Pro Quo
An attempt at social engineering that takes advantage of people’s propensity to return favours is known as a quid pro quo. For example, an attacker may provide free technical support over a phone call to a victim and then request that they turn off their antivirus to support an upcoming system update.
Rogue Security Software
Fake security software that erroneously detects the presence of malware on a computer is known as rogue security software, often known as scareware. The end-user sees a pop-up after “detection” seeking payment for eradication. Until a payment is completed, pop-ups will appear more frequently.
Tailgating or piggybacking is when an attacker follows a person into a secure area. This type of attack relies on the person being followed assuming the intruder is authorized to access the targeted area.
Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. Vishing paired with voice deep fakes is a massive cybersecurity risk. According to The Wall Street Journal, a vishing attack resulted in the CEO of a UK-based energy firm sending $243,000 to an attacker’s bank account because he thought he was on the phone to his boss.
A watering hole attack is when an attacker targets a specific group of people by infecting a website they know and trust. The attack could involve exploiting an outdated SSL certificate, typosquatting, lack of DNSSEC, or domain hijacking.
A variation of spear phishing known as whaling targets prominent people such as public corporation executives, politicians, or celebrities. An example of a whaling attack is when the HR department receives a phony request from the CEO asking them to update their current payroll information to that provided by the phisher.
Social Engineering Prevention
Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about.
- Don’t open emails and attachments from suspicious sources– If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker.
- Use multifactor authentication– One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Imperva Login Protect is an easy-to-deploy 2FA solution that can increase account security for your applications.
- Be wary of tempting offers– If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
- Keep your antivirus/antimalware software updated– Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
Featured Image Source: