Effective cyberdefense requires active participation from every stakeholder in a company. You need to install and maintain controls commensurate with your threat environment, and you also need to account for the ways attackers can victimize your staff through social engineering. Wondering what a social engineering attack is and exactly how dangerous it can be?
Read on to learn about the most common types of social engineering attacks and how to prevent and deal with them.
Different Types of Social Engineering Attacks To Know
Social engineering is a complex set of processes by which malicious actors manipulate your employees, customers, and strategic partners into giving up valuable information. It includes all kinds of techniques, from leveraging advanced technology to simple physical positioning.
In this article, we’ll break down three of the most common categories of attacks, including:
- The many forms of “phishing” via email, phone call, and SMS messages
- Attacks leveraging individuals’ trust in a person or in a shared “watering hole” website
- Social engineering that occurs in physical space or with physical objects
By the end of this blog, you’ll know the warning signs of social engineering. We’ll also share some resources to help prevent them.
First, let’s define the basic terminology.
What is Social Engineering in Cyber Security?
As noted above, social engineering is a broad category made up of many different processes. All social engineering techniques share some base similarities, however. Namely, social engineering always involves manipulation of a person — this distinguishes these attacks from hacks, outright theft, and other forms of cybercrime that only leverage non-human systems and controls.
Like any confidence trick (“con”) or scam, social engineering almost always involves a violation of trust. However, that violation is rarely the ultimate goal of the trick. The attackers attempt to get a person to unwittingly give them access to protected systems via login credentials or access to funds via financial information.
Let’s take a look at some of the most common attack types and the methodologies behind them.
Phishing, Vishing, and Smishing Attacks
The most common and well-known form of social engineering is “phishing,” analogous to the fishing techniques of casting out a line and waiting for a bite. A team of attackers sends out a mass email disguised as legitimate communication from a bank or other service. The goal is to trick several unwitting recipients into clicking a malicious link or directly submitting data.
Traditional phishing is through email, but attackers have branched out to other vectors, as well:
- “Vishing” or voice-phishing attacks occur over spoofed or spam telephone calls.
- “Smishing” scams happen via SMS (text messages) sent to cellular devices.
Phishing emails are often easy to spot. In most cases, they’re not disguised well, with obvious typos or mistakes that give the disguise away. This is because attackers are banking on a tiny percentage of “bites” to make simple, fast, mass-emailed campaigns worthwhile.
So, why do these phishing emails work if they’re not disguised well? As a simple scenario, imagine a tired employee checking their email after a long workweek. They see a message that appears to come from someone at the company (though the sender address is forged) with a link attached. Without thinking, they click the link and enter their credentials into the form it presents. Unwittingly, they’ve just fallen victim to a phishing campaign.
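The indicators described above (a forged sender, a link that does not go where it claims, pressure to act immediately) can be checked mechanically before a tired employee ever has to judge the message. The following script is an added example and not code from the original post or from RSI Security; the trusted-domain list, the keyword list and both sample messages are constructed for illustration.

```python
"""Score a raw email for common phishing indicators (added example, not the post's code)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's legitimate domains (constructed value).
TRUSTED_DOMAINS = {"example.com"}
# Pressure/credential phrases typical of phishing lures (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "password", "suspended")
# Anchor text that itself looks like a URL or hostname.
URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if from_dom and not is_trusted(from_dom):
        findings.append(f"sender domain {from_dom} is not a trusted domain")
    # Display-name spoofing: the visible name is itself an address at a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append("display name imitates an address at another domain")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain")
    text = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        text += body
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            for href, anchor in collector.links:
                target = host_of(href)
                if target and not is_trusted(target):
                    findings.append(f"link points to untrusted host {target}")
                shown = host_of(anchor) if URLISH.match(anchor) else ""
                if shown and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency/credential language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one lure and one ordinary internal email.
SAMPLE = """\
From: "it-helpdesk@example.com" <helpdesk@examp1e-support.net>
Reply-To: recover@mail-recovery.example.org
To: employee@example.com
Subject: URGENT: password reset required immediately
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Please <a href="http://examp1e-support.net/login">https://portal.example.com/login</a> to verify your account.</p>
"""
BENIGN = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Team lunch on Friday
Content-Type: text/html; charset=utf-8

<p>See the menu on <a href="https://intranet.example.com/lunch">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Each finding maps to one of the warning signs a trained employee is asked to look for; a mail gateway or a user-reported-phish workflow can attach the list to the message so the reviewer sees why it was flagged rather than only that it was.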
Spotlight: Spear Phishing and Whaling Scams
Besides the mass-targeted phishing campaigns designed to reach as many people as possible, there are two tailored types of phishing that are far more dangerous. The technique of “spear phishing” involves customizing a phishing campaign to a smaller audience, adding details that only they would know to make the disguise more believable. These emails are more likely to bypass your firewalls, and they’re also more likely to trick users whose inboxes they hit.
The other advanced phishing technique is known as “whaling.” These are the most detailed and targeted scams, designed to victimize specific individual targets such as CEOs and other people with privileged access to sensitive information.
Abuses of Context, Pretext, and Trust
Closely related to the most targeted forms of phishing is a practice known as “pretexting.” This scam can occur on any communication platform or in physical space. It involves creating a false scenario or pretext that makes it more likely for the victim to believe the attacker. Ultimately, it is an elaborate lie that often involves research and connections.
Examples of pretexting situations that hackers may use to victimize your personnel include:
- Hackers impersonate a manager or supervisor (quoting work ID numbers) to coax a subordinate into providing information informally and inappropriately, outside of protocol.
- Hackers impersonate a client (quoting social security or other identifying information) to ask for further information that the supposed client has “lost,” which the hacker is in fact stealing.
One approach to preventing these forms of attack is implementing a “Zero Trust” framework across the institution, requiring strict adherence to protocols and logins regardless of a person’s status or seniority.
How Waterholing Can Harm Your Company
Another way cybercriminals can abuse the trust of your personnel is through the practice of “waterholing.” Even the most vigilant individuals fall into rhythms and let their guard down when visiting websites and portals that they know (or believe) to be safe. Hackers understand this and may create a fake website impersonating the trusted “watering hole.” When an employee unknowingly logs in to the fake site, they hand over their user credentials, and with them access to the company.
To combat these kinds of scams, robust identity and access management is essential. Requiring multi-factor authentication as an additional step can stop a stolen password alone from being enough for the attack to succeed.
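Beyond multi-factor authentication, a defender can watch for the fake “watering hole” itself: a host that is not one of the company’s portals but is spelled to look like one. The following script is an added example, not code from the original post or from RSI Security; it classifies hostnames from constructed web-proxy log lines against an assumed list of trusted portals, catching digit-for-letter and “rn”-for-“m” substitutions, a trusted name embedded inside a longer attacker domain, near misspellings, and the brand label reused in an unrelated domain.

```python
"""Flag lookalike hosts in proxy logs against trusted portals (added example, not the post's code)."""
import re

# Assumption: portals the company actually operates (constructed values).
TRUSTED_PORTALS = {"portal.example.com", "hr.example.com", "example.com"}
# Common visual substitutions used to build lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
# Constructed proxy lines: timestamp user host method path.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$")


def normalize(host):
    """Undo the usual homoglyph substitutions so 'exarnp1e' compares as 'example'."""
    h = host.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        h = h.replace(fake, real)
    return h


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return None for a trusted host, otherwise a reason why it looks like an impersonation."""
    h = host.lower().rstrip(".")
    if h in TRUSTED_PORTALS or any(h.endswith("." + t) for t in TRUSTED_PORTALS):
        return None  # the real portal or one of its own subdomains
    norm = normalize(h)
    for t in sorted(TRUSTED_PORTALS, key=len, reverse=True):
        if norm == t:
            return f"homoglyph of {t}"
        if h.startswith(t + ".") or ("." + t + ".") in h:
            return f"embeds {t} inside another domain"
        dist = levenshtein(norm, t)
        if 0 < dist <= 2:
            return f"within {dist} edits of {t}"
        brand = t.split(".")[-2]
        if any(brand in label for label in h.split(".")):
            return f"label contains brand name '{brand}'"
    return None


def scan_proxy_log(lines):
    """Return (user, host, reason) for every request to a suspicious host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_host(m["host"])
        if reason:
            alerts.append((m["user"], m["host"], reason))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z jdoe portal.example.com GET /login
2024-05-01T09:14:41Z jdoe portal.exarnple.com GET /login
2024-05-01T09:20:05Z asmith portal.example.com.login-secure.net POST /auth
2024-05-01T09:25:17Z asmith docs.python.org GET /3/
2024-05-01T09:31:59Z bwong hr.exampel.com GET /benefits
"""

if __name__ == "__main__":
    for user, host, reason in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{user} visited {host}: {reason}")
```

Running this as a scheduled job over proxy or DNS logs turns a successful credential theft into a detectable event, and the “embeds” and “brand name” rules also give a starting point for a blocklist or for a takedown request against the lookalike registration.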
Social Engineering Within Physical Space
The last category of social engineering scams involves attacks that happen in real time, in physical spaces. The simplest form of physical social engineering is an attacker gaining illegitimate access to a protected environment by convincing security or other personnel that he or she belongs there. Alternatively, they might enter the space by following an authorized person through the door (“tailgating”).
Controlling physical access to devices and spaces is a high priority for companies in every sector. Controls that account for these risks appear across various compliance frameworks, often under headings like “Physical Security.” While these attacks are less likely in the context of the COVID-19 pandemic and social distancing measures, they still pose a significant cybersecurity threat.
Baiting: Not Just for Virtual Phishing
Physical social engineering doesn’t need to involve communication or sleuthing. It can also be as simple as a well-placed piece of “bait” that a user unwittingly plugs into their computer. The trick can make use of various physical media, including but not limited to the following:
- A USB stick or other portable storage device, given directly or left unattended
- Media seemingly unrelated to work, such as a mix CD left in a mailbox slot
Employees need to understand that they may only connect physical media to their devices if it has been vetted and authorized by the IT team and their supervisors. Any piece of equipment of unknown provenance, no matter how harmless it seems, can cause irreparable damage.
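The “vetted and authorized” rule is only enforceable if IT can tell which storage devices have actually been plugged in. The following script is an added example, not code from the original post or from RSI Security: it reassembles device records from kernel log lines (constructed here, modelled on the messages Linux prints when a USB device is attached) and reports every mass-storage device whose vendor ID, product ID and serial number are not on an assumed IT allowlist; keyboards and other non-storage devices are left out of this particular check.

```python
"""Audit USB mass-storage insertions against an IT allowlist (added example, not the post's code)."""
import re

# Assumption: devices IT has vetted, keyed by (idVendor, idProduct, serial). Constructed values.
ALLOWLIST = {("1234", "5678", "1A2B3C4D5E6F")}

# Constructed sample lines modelled on the Linux kernel's USB attach messages.
SAMPLE_DMESG = """\
[  120.101000] usb 1-2: new high-speed USB device number 3 using xhci_hcd
[  120.250000] usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
[  120.250100] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.250200] usb 1-2: Product: Vetted Corporate Drive
[  120.250300] usb 1-2: SerialNumber: 1A2B3C4D5E6F
[  120.300000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  305.411000] usb 1-3: new high-speed USB device number 4 using xhci_hcd
[  305.560000] usb 1-3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[  305.560200] usb 1-3: Product: Free Promo Stick
[  305.560300] usb 1-3: SerialNumber: FFFF0000AAAA
[  305.600000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  410.220000] usb 1-4: new low-speed USB device number 5 using xhci_hcd
[  410.370000] usb 1-4: New USB device found, idVendor=5555, idProduct=0010, bcdDevice= 2.00
[  410.370200] usb 1-4: Product: Office Keyboard
"""

# A device's lines share a bus address such as "1-2"; the storage driver reports "1-2:1.0".
DEV_RE = re.compile(r"\] usb (?P<addr>[\d.-]+): (?P<rest>.*)$")
STORAGE_RE = re.compile(r"\] usb-storage (?P<addr>[\d.-]+):[\d.]+: USB Mass Storage device detected")
IDS_RE = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")


def parse_kernel_log(lines):
    """Group the per-device kernel lines by bus address into one record per device."""
    devices = {}
    for line in lines:
        m = STORAGE_RE.search(line)
        if m:
            devices.setdefault(m["addr"], {})["storage"] = True
            continue
        m = DEV_RE.search(line)
        if not m:
            continue
        rec = devices.setdefault(m["addr"], {})
        rest = m["rest"]
        ids = IDS_RE.search(rest)
        if ids:
            rec["vid"], rec["pid"] = ids.group(1), ids.group(2)
        elif rest.startswith("Product: "):          # "Product: " with a colon, not "Product=2"
            rec["product"] = rest[len("Product: "):]
        elif rest.startswith("SerialNumber: "):
            rec["serial"] = rest[len("SerialNumber: "):]
    return devices


def audit_removable_media(devices, allowlist):
    """Return one alert per mass-storage device that is not on the allowlist."""
    alerts = []
    for addr, rec in devices.items():
        if not rec.get("storage"):
            continue  # keyboards, mice and similar are outside this check
        key = (rec.get("vid"), rec.get("pid"), rec.get("serial"))
        if key not in allowlist:
            alerts.append({"addr": addr, "product": rec.get("product", "?"), "key": key})
    return alerts


if __name__ == "__main__":
    for alert in audit_removable_media(parse_kernel_log(SAMPLE_DMESG.splitlines()), ALLOWLIST):
        print(f"unvetted storage device {alert['key']} ({alert['product']}) on {alert['addr']}")
```

The same record can feed a blocking control (most endpoint platforms can deny mounting of unlisted removable storage outright); the audit view is what tells the security team that a “free promo stick” reached a workstation at all, which is the event the awareness training is meant to prevent.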
Prevent Social Engineering, Professionally
To sum up, social engineering falls into three broad categories: phishing and related scams, abuses of context and trust, and manipulation of physical spaces. To protect your company and all its stakeholders from these threats, you’ll need to implement a robust cybersecurity architecture, including firewalls and web filtering, along with detailed vulnerability management.
Enter RSI Security. Our talented team of experts has helped companies of all sizes and industries stave off social engineering for over a decade. We’ll help you install all the patches you may need and reinforce their efficacy with awareness and training. Contact RSI Security today to prevent all types of social engineering attacks.