We all know about the attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This type of malicious actor ends up in the news all the time. But they’re not the only ones making headlines. So too are “social engineers,” individuals who use phone calls and other media to exploit human psychology and trick people into handing over access to the organization’s sensitive information. Social engineering is a term that encompasses a broad spectrum of malicious activity.
Social Engineering is the malicious act of tricking a person into doing something by messing up his emotions and decision-making process.
According to Digital Guardian, “Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file.”
For the purposes of this article, let’s focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, and tailgating.
Phishing is the most common type of social engineering attack. At a high level, most phishing scams aim to accomplish three things:
No two phishing emails are the same. There are at least six different sub-categories of phishing attacks. Beyond that, we all know that phishers invest varying amounts of time into crafting their attacks. Hence why there are so many phishing messages with spelling and grammar errors.
A recent phishing campaign used LinkedIn branding to trick job hunters into thinking that people at well-known companies like American Express and CVS Carepoint had sent them a message or looked them up using the social network, wrote ThreatPost. If they clicked on the email links, recipients found themselves redirected to pages designed to steal their LinkedIn credentials.
Pretexting is another form of social engineering where attackers focus on creating a pretext, or a fabricated scenario, that they can use to steal someone’s personal information. In these types of attacks, the scammer usually impersonates a trusted entity/individual and says they need certain details from a user to confirm their identity. If the victim complies, the attackers commit identity theft or use the data to conduct other malicious activities. More advanced pretexting involves tricking victims into doing something that circumvents organization’s security policies.
An attacker might say they’re an external IT services auditor so that the organization’s physical security team will let them into the building. Whereas phishing uses fear and urgency to their advantage, pretexting relies on building a false sense of trust with the victim. This requires building a credible story that leaves little room for doubt in the mind of their target. It also involves choosing a suitable disguise. As such, pretexting can and does take on various forms.
Many threat actors who engage in pretexting masquerade as HR personnel or finance employees so that they can try to target C-Level executives. As reported by KrebsOnSecurity, others spoof banks and use SMS-based text messages about suspicious transfers to call up and scam anyone who responds.
Baiting is in many ways like phishing.
The difference is that baiting uses the promise of an item or good to entice victims. Baiting attacks may leverage the offer of free music or movie downloads to trick users into handing their login credentials, for example. Alternatively, they can try to exploit human curiosity via the use of physical media.
Back in July 2018, for instance, KrebsOnSecurity reported on an attack targeting state and local government agencies in the United States. The operation sent out Chinese postmarked envelopes that included a confusing letter along with a CD. The point was to pique recipients’ curiosity so that they would load the CD and inadvertently infect their computers with malware.
Like baiting, quid pro quo attacks promise something in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.
One of the most common types of quid pro quo attacks is when fraudsters impersonate the U.S. Social Security Administration (SSA). These fake SSA personnel contact random people and ask them to confirm their Social Security Number, allowing them to steal their victims’ identities. In other cases detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites designed to steal those people’s personal information instead It is important to note that attackers can use quid pro quo offers that are even less sophisticated, however. Earlier attacks have shown that office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.
Our final social engineering attack type is known as “tailgating.” In these types of attacks, someone without the proper authentication follows an authenticated employee into a restricted area.
The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building. Tailgating does not work in the presence of certain security measures such as a keycard system. However, in organizations that lack these features, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk. In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to gain access to multiple floors and the data room at an FTSE-listed financial firm. He was even able to set up shop in a third floor meeting room and work there for several days.
As the attacks discussed above illustrate, social engineering involves preying off human psychology and curiosity to compromise victims’ information. With this human-centric focus in mind, organizations must help their employees counter these types of attacks. They can do so by incorporating the following tips into their security awareness training programs.
GET THE REPORT
Analysis of hundreds of thousands of phishing, social media, email, and dark web threats show that social engineering tactics continue to prove effective for criminals. Download the report to learn more.
DOWNLOAD NOW
