Every business network shares one weakness: its people. Over the years, cybercriminals have developed many social engineering techniques to exploit it. Knowing the most common types of social engineering attack is the first step to avoiding them.
What Are Social Engineering Attacks?
Social engineering attacks are used by cybercriminals to get their victims to do something against their own interest, like sharing a password. These methods rely on human interaction and on psychological manipulation (urgency, authority, curiosity, trust) rather than on a technical exploit to change behaviour.
Generally, social engineering attacks happen in four distinct phases:
- Information gathering: Attackers start by researching potential victims, using public sources such as company websites, social media profiles, and data from earlier breaches. They tend to go for individuals with privileged access to sensitive data and protected systems.
- Planning: Once locked on to a target, attackers plan their approach, which depends on the chosen social engineering technique and on what they have learned about the target.
- Exploitation: Next comes the execution of the attack. It can take attackers weeks or even months of building rapport to reach this step.
- Retreat: Finally, attackers disappear, ideally for them without leaving traces. It may take the victim a long time to realize that they have been attacked.
9 Social Engineering Attacks to Watch Out For
Now that we’ve explained what social engineering attacks are and how they work, let’s take a look at the 9 types most likely to cause cybersecurity incidents in 2023.
Phishing
Phishing involves fraudulent messages, most often emails, designed to trick the recipient into clicking a link to a malicious website, opening an infected attachment, or revealing sensitive information such as credentials.
One reason why phishing attacks are still so effective is that cybercriminals keep evolving their tactics and coming up with new phishing sub-types. These include:
- Smishing: Phishing carried out over SMS or another text messaging service. It is used to distribute links to mobile malware or to credential-harvesting websites.
- Vishing: It’s easy to pause and reread an email or text message before deciding whether it’s legitimate. That is much harder during a live phone call, where the caller controls the pace and can apply pressure, which is why bolder cybercriminals run phone-based phishing attacks.
- Angler phishing: Phishers pose as customer support agents on social media to extract passwords and other account details from unsuspecting users. They often wait for users to complain publicly about access issues, then reply from a fake customer support account offering assistance, and the target readily hands over their personal information.
- Consent phishing: The cloud is where most data resides these days. To reach it, attackers trick users into granting OAuth permissions to a malicious application. The consent prompt is served by the legitimate identity provider, so the link looks trustworthy; the danger lies in the permissions the app requests, such as persistent access to the user’s mailbox and files.
- Whaling: Carefully planned phishing attacks on high-profile individuals have been dubbed whaling. They are often preceded by attacks on lower-ranking employees, whose compromised accounts are then used to send phishing emails that are extremely difficult to spot.
- Deepfake-enhanced phishing: In recent years, AI has become very good at generating convincing images, video, and audio from existing content. Phishers now use readily available AI tools to impersonate voices and faces and make their attacks more convincing.
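Consent phishing is worth seeing concretely, because the link itself points at the real identity provider and so passes most URL-reputation checks. The added example below (not code from the original page) inspects an OAuth authorization link the way a mail-gateway rule or a help-desk triage script might: it parses the query string, normalises the requested scopes, and flags unknown applications that ask for persistent or broad permissions. The risky-scope set, the allowlisted client ID, and the sample links are constructed assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

# Hosts that serve the Microsoft identity platform's authorization endpoint.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Permissions that let an app keep acting as the user after the session ends
# or read data in bulk. Illustrative assumption, not a vendor-published list.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "User.Read.All", "Directory.Read.All",
}

# Constructed allowlist of application (client) IDs the organisation has
# already reviewed; a real one would come from the tenant's app registry.
APPROVED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}


def analyze_consent_link(url: str) -> dict:
    """Report consent-phishing indicators for a link a user was asked to click."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # Scopes may be bare names or full URIs (https://graph.microsoft.com/Mail.Read);
    # keep only the last path segment so both forms compare equal.
    scopes = {s.rsplit("/", 1)[-1] for s in params.get("scope", "").split()}
    client_id = params.get("client_id", "")
    report = {
        "is_authorize_endpoint": parsed.hostname in AUTHORIZE_HOSTS
        and parsed.path.endswith("/authorize"),
        "client_id": client_id,
        "approved_app": client_id in APPROVED_CLIENT_IDS,
        "risky_scopes": sorted(scopes & HIGH_RISK_SCOPES),
        "forces_consent": params.get("prompt") == "consent",
        "redirect_host": urlparse(params.get("redirect_uri", "")).hostname or "",
    }
    if not report["is_authorize_endpoint"]:
        report["verdict"] = "allow"    # not an OAuth consent flow at all
    elif not report["approved_app"] and report["risky_scopes"]:
        report["verdict"] = "block"    # unknown app asking for persistent, broad access
    elif not report["approved_app"] or report["risky_scopes"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "allow"
    return report


# Constructed sample links; the client IDs and redirect host are made up.
PHISHING_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-4000-8000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-sync-helper.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
    "&prompt=consent"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example-corp.com%2Fauth"
    "&scope=openid%20profile%20User.Read"
)

if __name__ == "__main__":
    for link in (PHISHING_LINK, BENIGN_LINK):
        r = analyze_consent_link(link)
        print(r["verdict"], r["risky_scopes"], r["redirect_host"])
```

The phishing link is blocked not because of its host, which is legitimate, but because an unreviewed client ID asks for offline_access together with mailbox and file permissions and forces the consent screen; the benign link from an approved app requesting only basic profile scopes is allowed. In a tenant the same decision is better enforced centrally by restricting user consent to verified publishers and low-risk permissions, which removes the user from the decision entirely.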
Brand Impersonation
Social engineering attacks in which attackers impersonate well-known brands are called brand impersonation. Delivered by email, text, or voice message, they take advantage of the fact that most people receive messages from major brands regularly, so one extra message about a delivery, an invoice, or a login alert doesn’t seem suspicious.
The most commonly impersonated brands, according to the Q2 2022 Brand Phishing Report released by Check Point Research, are:
- LinkedIn (45%)
- Microsoft (13%)
- DHL (12%)
- Amazon (9%)
- Apple (3%)
- Adidas (2%)
- Google (1%)
- Netflix (1%)
- Adobe (1%)
- HSBC (1%)
Business Email Compromise (BEC)
Most social engineering attacks are not individually very damaging in financial terms (although the cost adds up). One type stands out, however: according to a public service announcement published by the FBI, it cost businesses around the globe more than $43 billion between June 2016 and December 2021.
We’re talking about Business Email Compromise, or BEC for short. This attack involves the impersonation of a trusted business contact, such as an executive, a supplier, or a law firm, to convince the target to disclose sensitive company information, pay a fake invoice, or transfer funds. Attackers typically get there by spoofing the sender, registering a lookalike domain, or using a mailbox they have already compromised at a vendor or inside the target organisation. BEC scams usually target executives, finance employees, and HR managers, but they may also target new employees, whose lack of experience makes it harder for them to verify the sender’s legitimacy.
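The header tricks that make BEC work are mechanical enough to check for. The added example below (not code from the original page) scores a raw email for four common indicators: an executive’s name in the display name with an outside sender domain, a sender domain within a couple of edits of the real one, a Reply-To that diverts answers elsewhere, and the urgency and payment wording that typically accompanies a fraudulent transfer request. The organisation domain, executive names, and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisational context for the example: the domain, names and
# sample messages below are assumptions, not data from any real company.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = ["Jane Doe", "Sam Lee"]
PRESSURE_TERMS = ("urgent", "wire", "gift card", "invoice", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 'examp1e-corp.com' is 1 from 'example-corp.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_bec_indicators(raw_message: str) -> dict:
    """Score an RFC 5322 message for the header and wording tricks typical of BEC."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. An executive's name in the display name, but the address is not ours.
    name_tokens = re.sub(r"[^a-z ]", " ", from_name.lower()).split()
    for exec_name in EXECUTIVES:
        if from_domain != ORG_DOMAIN and all(t in name_tokens for t in exec_name.lower().split()):
            findings.append(("display-name-impersonation",
                             f"'{from_name}' resembles {exec_name} but sender domain is {from_domain}"))

    # 2. Sender domain is a near miss of the real one (typosquat or homoglyph).
    if from_domain and from_domain != ORG_DOMAIN:
        dist = levenshtein(from_domain, ORG_DOMAIN)
        if dist <= 2:
            findings.append(("lookalike-domain", f"{from_domain} is {dist} edit(s) from {ORG_DOMAIN}"))

    # 3. Replies are quietly redirected to a mailbox the attacker controls.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    # 4. Secrecy, urgency and payment wording in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        findings.append(("pressure-language", ", ".join(hits)))

    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"risk": risk, "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_BEC_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts-payable@example-corp.com
Subject: Urgent wire transfer before 5pm

I'm in a meeting and can't talk. Please process the attached invoice by wire
today and keep this confidential until I'm back. Jane
"""

SAMPLE_LEGIT_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts-payable@example-corp.com
Subject: Team lunch on Thursday

Is everyone free at noon?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC_EMAIL, SAMPLE_LEGIT_EMAIL):
        print(analyze_bec_indicators(sample))
```

Heuristics like these catch the lookalike-domain and free-mail variants; they do nothing against a BEC sent from a genuinely compromised mailbox, where every header is legitimate. That case is why the payment process itself, not the mail filter, has to require out-of-band confirmation of any change to bank details or any unusual transfer.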
Tailgating
Have you ever seen a car leave a garage by tailgating the vehicle in front of it through the gate? Tailgating social engineering attacks (also called piggybacking) work the same way, but on the way in. An unauthorized person follows someone who is authorized to enter a restricted area, slipping past security undetected when the authorized employee badges in, often while carrying boxes or a coffee so that holding the door feels like simple courtesy.
Once inside the restricted area, tailgaters can steal storage devices, documents, and laptops. They can also:
- access unlocked computers and infect them with malware,
- install keyloggers to monitor and record each keystroke an employee makes, and
- leave behind malicious USB flash drives for employees to pick up and connect to their machines.
Baiting
Baiting attacks involve USB drives or other storage devices being mailed to employees or left where they will be found, typically labelled with something enticing (salary data, a vendor proposal) to nudge employees into connecting them to their machines to see what’s stored on them.
Once an employee takes the bait and opens the fake content, which is designed to look completely legitimate, their machine becomes infected with malware.
Pretexting
Some social engineering attacks seem to come from unknown senders, while others arrive with a known name attached. The latter is called pretexting: the attacker builds a believable story, posing as a colleague, a supplier, or IT support, and abuses the trust between the victim and someone the victim knows.
Pretexting attacks have a much higher chance of success than attacks from unknown senders or callers. They are also harder for anti-spam filters to catch, especially when the attacker uses a stolen phone number or a hijacked account, because the message really does come from the trusted source.
Shoulder Surfing
The explosion of hybrid work since early 2020 has made shoulder-surfing attacks more relevant and dangerous. An attacker using this technique waits in a public place, ready to position themselves behind someone working remotely on a laptop or another device.
The goal is to catch a password being typed or sensitive information being displayed on the screen. Shoulder surfing is also used to steal the PINs of ATM users.
Quid Pro Quo
In a quid pro quo attack, the attacker offers something, such as fake IT support, a “free” upgrade, or a gift card, in exchange for credentials or access. The offer can also be a plain bribe: not all employees are completely loyal to their employers, and sometimes the promise of even a small financial reward is enough to convince one to switch sides.
The scary thing about quid pro quo attacks is that they can target both current and former employees. That’s because many organizations don’t immediately disable or delete former employees’ accounts when their employment ends, so those accounts remain a valid way in.
Watering Hole Attacks
Just as animals gather at watering holes to satisfy a basic need, employees regularly visit certain websites to perform essential work-related tasks. A watering hole attack happens when an attacker compromises such a website, one the target group is known to use, to distribute malware or steal sensitive information from its visitors.
How to Defend Against Social Engineering Attacks?
If social engineering attacks target the weakest link in the cybersecurity chain, the human factor, then your goal should be to strengthen it. Here are a few ways to do that:
- Social engineering awareness training: Employees should be made aware of the social engineering threats they may encounter and taught how to recognize and report them.
- Social engineering simulations: To test the effectiveness of awareness training, it’s critical to run periodic simulations (phishing, vishing, and physical tailgating tests). Employees who fall for them should receive additional training until their detection rates improve, and reporting a simulated attack should be rewarded, never punished.
- Security-first culture: Organizations should strive to create a security-first culture in which everyone understands their role in preventing social engineering attacks from turning into costly breaches. Employees should always feel that cybersecurity is a top priority, and they must never be pressured to skip verification steps when working to tight deadlines or chasing ambitious performance targets.
Implemented alongside technical controls such as multi-factor authentication, Privileged Access Management (PAM), and endpoint security, the three methods above will stop most social engineering attacks and limit the damage of the ones that get through.
Defeat Social Engineering Attacks With MTS IT
MTS IT can help you defeat social engineering attacks by providing security awareness training, randomized simulated phishing tests, advanced email filtering, and other cybersecurity services.
Our services are tailored to meet the needs of the SME/SMB. Schedule a free consultation with us to address today’s and tomorrow’s social engineering threats.