Nothing grinds the proverbial gears quite like being duped. Having someone take advantage of your kindness, desires, obedience, curiosity, or fears leaves a sting that lingers. That sting, along with your passwords and credit card numbers, is exactly what hackers and data thieves are after when they launch social engineering attacks.
What is a social engineering attack?
Social engineering is essentially the con man's trade applied to security: the dark art of using social interaction to trick someone into making a security mistake. A social engineering attack aims to get past a security hurdle (a password, a process, a locked door, etc.) by manipulating the soon-to-be victim into revealing private information (a username, password, or credit card number), granting access to a locked facility, or installing malicious software on a network or device. A well-executed social engineering attack ends without the victim even knowing what has truly occurred.
Below are definitions and examples of 7 of the most prevalent types of social engineering attacks.
Phishing
One of the most common forms of social engineering, phishing uses a fraudulent email or website designed to trick people into revealing private information (usernames, passwords, credit card details, etc.) or downloading malicious software. Successful phishing emails rely on fear, such as an urgent message from your bank or other financial institution; on "too good to be true" deals, such as offers for cheap or hard-to-find products; or on your sense of duty to your employer, where the data thief impersonates your boss or another senior figure at your company. The goal is to get the victim to enter a username and password on a bogus landing page that looks nearly identical to the real one, or to download malware onto their device. Because the bogus page can be a pixel-perfect copy, the address in the browser's address bar, not the look of the page, is the thing to check.
With nearly 1.5 million phishing sites created each month, phishing continues to plague businesses. A single successful phishing attempt can lead to a major data leak and cost your business millions in legal fees and other remediation efforts.
Spear phishing
Spear phishing is a more targeted form of phishing that aims to obtain specific credentials from a specific user or business. More heavily researched than a generic phishing campaign, a spear phishing attack will generally impersonate one particular person with the goal of conning another. A common example is a criminal posing as the CEO and emailing someone in the finance department to request that funds be transferred immediately to a certain bank account. Not wanting to offend the boss, the finance person may skirt normal approval processes to get it done quickly.
The cyber criminal in this case will use an email address that looks very similar to the CEO's: a domain with one letter changed or swapped for a look-alike digit, the right name under a different top-level domain, or the CEO's real address placed in the display name in front of an unrelated address. This is why it is important to educate employees on common phishing techniques, so they know what to look for, and to require that any request to move money or change banking details be confirmed through a second channel, such as a phone call to a number already on file rather than one supplied in the email.
Vishing
Voice phishing, or vishing, is the telephone version of phishing: an attempt to scam someone over the phone. One common version in Canada is a pre-recorded call claiming to be from the Canada Revenue Agency. This type of attack relies on fear, with the message claiming that the person faces heavy fines or even jail time if they do not immediately return the call. The fraudster aims to obtain the victim's social insurance number or to collect payment for phony unpaid back taxes. Keep in mind that the number shown on caller ID can be spoofed, so it proves nothing about who is actually calling.
Pretexting
Pretexting, a form of social engineering often used for identity theft, is when an attacker creates a "pretext," or fake scenario, to obtain sensitive information. Commonly, the attacker pretends to be gathering information in order to confirm the target's identity, while imitating a bank, an employer, a government agency, the police, or another formal entity. The attacker uses this fake position of authority to gain trust: the victim believes they are giving the information to someone who already has it.
To avoid pretexting, don't be afraid to question the person asking for the information. If you receive a call, ask to call them back, and look up the number yourself on the organisation's official website rather than using one the caller gives you. Attackers often give themselves away by being unprofessional or overly authoritative.
Baiting
Another classic con man's trick, baiting is the promise of an item (a song, a movie, or some other enticing download) that, when the victim goes to obtain it, instead infects their device with malware. One common example is a USB drop, where an infected USB key is left in a public place. Curious people will often plug the device into their computer and end up infecting the entire network. Baiting is often used in tandem with a phishing email. Unknown media found lying around should go to the IT team, not into a workstation.
Tailgating
Tailgating is a social engineering attack aimed primarily at gaining access to a locked area. Tailgaters may pose as a delivery person, contractor, or maintenance worker and follow an actual employee into a building without showing proper credentials. Often the attacker simply strikes up a friendly conversation with someone entering the building and walks in behind them. This is a fairly common attack, because many employees are used to seeing visitors in their building.
It is important to train employees on basic physical security practices, such as making sure doors close behind them and not holding a door for anyone who has not badged in, because a single lapse can lead to significant problems. Once an attacker is inside and past the first line of defense, they can steal documents and photograph employees' screens and the locations of security cameras, causing major issues down the road.
Quid pro quo
Similar to baiting, a quid pro quo attack offers the victim a benefit in exchange for information or access. The most common form is an attacker posing as IT support. The attacker calls numbers at a company until they reach someone who happens to be experiencing an IT problem, then gets the victim to disable their antivirus or install malware under the guise of providing assistance. A real helpdesk does not cold-call and ask you to turn off security software; if you did not open a ticket, end the call and contact IT through the usual channel.
Tips for Avoiding Social Engineering Attacks
In general, it's always best to be cautious with your personal information. Take a moment to look at the full address of any website you visit, especially the domain just before the first slash, to make sure it is the one you expect, and remember these few tips:
- If it sounds too good to be true, it probably is.
- Be wary of threatening, urgent, or demanding messages.
- Don’t be afraid to speak up. If something seems out of place or strange, ask your IT team.
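The look-alike sender addresses described under spear phishing and the advice above to check a site's address both come down to one question: is this host really one of ours? The Python below is an added example, not code from the original article, showing how that check can be automated for an incoming From header or a link. It assumes a small constructed allowlist of company domains (example.com and examplebank.ca are placeholders) and uses a crude "last two labels" rule to find the registrable domain; a production version would consult the Public Suffix List instead.

```python
"""Flag email senders and links whose host merely looks like a trusted domain.

Added example for this article, not the article's own code. TRUSTED_DOMAINS is a
constructed placeholder for the domains an organisation really uses.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the domains this hypothetical organisation legitimately uses.
TRUSTED_DOMAINS = {"example.com", "examplebank.ca"}

# Digits attackers swap in for look-alike letters (examp1e.com -> example.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Crude on purpose: a real deployment would use
    the Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Non-ASCII or punycode labels may hide homoglyphs (Cyrillic 'а' for 'a').
    # Our trusted domains are plain ASCII, so anything else is sent for review.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "lookalike"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"                # mail.example.com, www.examplebank.ca
    sld = reg.split(".")[0]
    normalized = reg.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        trusted_sld = trusted.split(".")[0]
        if _levenshtein(normalized, trusted) <= 1:
            return "lookalike"          # examp1e.com, exanple.com, example.co
        if sld == trusted_sld:
            return "lookalike"          # example.net: right name, wrong TLD
        if (trusted_sld in sld) or ("." + trusted + "." in "." + host + "."):
            return "lookalike"          # example-secure.com, example.com.login-check.net
    return "unrelated"


def check_sender(from_header: str) -> str:
    """Classify the address in an RFC 5322 From header such as 'CEO <ceo@examp1e.com>'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    verdict = classify_host(addr.rsplit("@", 1)[1])
    # Display-name spoofing: a trusted address shown as the name, a different real address.
    if verdict != "trusted" and any(t in display.lower() for t in TRUSTED_DOMAINS):
        return "lookalike"
    return verdict


def check_url(url: str) -> str:
    """Classify the host of a link as it appears in an email body."""
    host = urlparse(url).hostname
    if not host:
        return "malformed"
    return classify_host(host)


if __name__ == "__main__":
    # Constructed samples: one genuine sender, then the tricks described in the article.
    for sample in ("Alice <alice@mail.example.com>",
                   "CEO <ceo@examp1e.com>",
                   '"ceo@example.com" <payments@evil-invoices.net>'):
        print(f"{check_sender(sample):10} {sample}")
    for link in ("https://www.example.com/login",
                 "https://example.com.login-check.net/reset",
                 "https://example.net/"):
        print(f"{check_url(link):10} {link}")
```

A "lookalike" verdict is a prompt to verify through a second channel, not proof of fraud: the brand-embedding rule in particular (trusted name contained in the host) will also flag harmless domains, which is the right trade-off for a payment request but too noisy for a general spam filter.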
Being cautious when it comes to your private information is not only beneficial for you, but for your entire company, so don’t let social engineering attacks rain on your parade.