June 22, 2022
Let’s answer the first question first: What is social engineering in cyber security?
Social engineering is a form of cyber attack that uses human manipulation and trickery for:
- Finding points of entry and weak security protocols
- Gaining a person’s trust
- Getting a person to give away their personal information or make security mistakes (usually without the person realizing it)
- Executing a cyber attack based on said information or mistakes (again, often without realizing an attack has occurred)
Social engineering attacks in cyber security are accomplished through the following methods:
- Business Email Compromise (BEC)
- Piggybacking or Tailgating
- Quid Pro Quo
- Smishing and Vishing
- Spear Phishing
- Watering Hole Attacks
Using social engineering, cybercriminals stole $6.9 billion in 2021, a 7% rise in one year. Knowing this, don’t you also want to know how social engineering works and how to prevent social engineering attacks from happening to you and your organization?
Castra is here to explain what you need to know:
How Social Engineering in Cyber Security Works
Social engineering in cyber security works surprisingly well because it plays on people’s innate trust that others have their best interests at heart. When people are stressed and/or ill-informed, they are all the more vulnerable, and criminals love to take advantage of these tendencies.
There is a well-founded and practiced attack plan that garners cyber criminals great results. Here are the steps they follow:
- Investigation. A cyber criminal prepares the attack by identifying a victim, gathering any possible background information, and selecting which attack method to employ (more on their methods later).
- Hook. The criminal begins to deceive the victim by engaging them, creating a believable story, and asserting control over the interaction.
- Play. Over time, a cyber criminal obtains information and siphons data they need without the victim knowing they’re being attacked.
- Exit. After extracting all they can, the criminal eventually brings the story and interaction to a natural conclusion—and often covers their tracks without causing any suspicion.
The 12 Different Types of Social Engineering Attacks
Can you believe it—there are 12 types of social engineering attacks to be on the lookout for, and more are being contrived and perfected every day.
Here’s a quick overview of the most common types of social engineering attacks that threaten you and your organization:
Baiting
Baiting uses a false promise to pique your curiosity and interest by offering something valuable in return.
Example: You click on a too-good-to-be-true ad that leads to a malicious site.
Business Email Compromise (BEC)
BEC involves spoofed emails that impersonate trusted employees, clients, and vendors. Once the impersonation is believed, the sender asks you to perform a seemingly harmless task that ultimately exposes you to exploitation.
Example: Your CEO emails you personally and asks you to buy gift cards for her.
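The two technical signals behind that gift-card scenario are a display name that matches a real executive while the address comes from an outside domain, and a Reply-To that quietly diverts the conversation elsewhere. The following script is an added example (not Castra’s code) that checks raw inbound messages for those two signals, plus lookalike sender domains one or two characters off the company’s own and the urgency/payment wording these emails rely on. It goes slightly beyond BEC by also covering the lookalike-domain trick used in ordinary phishing. The company domain, the executive names, and the three sample messages are all constructed for the demonstration.

```python
"""Flag inbound mail showing common BEC / lookalike-domain patterns.

Added example, not part of the original article. COMPANY_DOMAIN, EXECUTIVES and
the SAMPLE_* messages are constructed values; replace them with your own data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"        # assumed internal mail domain
EXECUTIVES = {"jane doe", "john roe"}      # assumed names an impersonator would use

# Wording typical of the "buy gift cards / wire money now" request.
URGENCY = re.compile(r"\b(gift cards?|wire transfer|urgent|asap|confidential)\b", re.I)


def _normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' style variants still match."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches example-corp.co or exarnple-corp.com style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list[str]:
    """Return the list of reasons a raw RFC 822 message looks like BEC (empty = clean)."""
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name matches an executive but the address is not on our domain.
    if _normalize_name(from_name) in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("display name impersonates an executive from an external domain")

    # 2. Sender domain is a near-miss of ours (one or two edits away).
    if from_domain and from_domain != COMPANY_DOMAIN \
            and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    # 3. Reply-To sends answers somewhere other than the visible sender's domain.
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 4. Urgency or payment language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        reasons.append("urgency or payment language in subject/body")
    return reasons


# Constructed sample messages (all domains under the reserved .example TLD).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@freemail.example>
Reply-To: Jane Doe <jdoe.ceo@webmail.example>
To: staff@example-corp.com
Subject: Quick favor - urgent

I'm in meetings all day. Can you buy some gift cards for a client and send me the codes?
"""

SAMPLE_LOOKALIKE = """\
From: Accounts Payable <ap@example-corp.co>
To: finance@example-corp.com
Subject: Invoice 1234

Please see the attached invoice.
"""

SAMPLE_LEGIT = """\
From: John Roe <john.roe@example-corp.com>
To: staff@example-corp.com
Subject: Lunch on Friday?

Team lunch Friday at noon.
"""

if __name__ == "__main__":
    for label, sample in [("BEC", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, "->", check_message(sample) or "no flags")
```

In a real mail gateway these checks would feed a score rather than a hard block, since partners and newly acquired subsidiaries legitimately produce near-miss domains; the point is that each of the cues the article describes in prose (trusted name, outside domain, diverted replies, manufactured urgency) is mechanically checkable before the message reaches the person being manipulated.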
Honeytraps
A criminal creates fake social media and online dating profiles, sends flirty messages to you, and asks you to “prove” you like or love them by sending them something.
Example: You’re asked by an online boyfriend to invest in his startup.
Phishing
Phishing creates a sense of urgency, curiosity, or fear that induces you to reveal sensitive information, click on malicious links, or open malware attachments.
The most impersonated brands in phishing scams are:
- Google (13%)
- Amazon (13%)
- WhatsApp (9%)
- Facebook (9%)
- Microsoft (7%)
Example: You receive a slightly odd notification email from “Outlook” instructing you to download an attached system patch.
Piggybacking or Tailgating
You allow someone to briefly enter a restricted building, device, or system area without authorized access. The criminal then spies on people, workstations, and programs.
Example: You temporarily provide someone with your account login credentials because they’re volunteering to help you with a task.
Pretexting
A criminal obtains sensitive information through a series of lies, often regarding needing to perform a “critical” task.
Example: The “IRS” emails you, asking that you confirm your bank account number. The email claims you must reenter it into their system before receiving your tax refund.
Quid Pro Quo
Someone pretends to be from an IT department or other tech service provider and requests your login credentials, perhaps under the guise of verification or security.
Example: An email arrives in your inbox asking you to call your company’s tech support number (a false phone number is given) for help with completing a software upgrade.
Scareware
You are bombarded with (false) alarms or (fake) threats, leading you to believe your device is infected. As a result, you install (illicit) software to fix it.
Example: You get a popup notification about a computer virus that encourages you to log into a particular system to remain protected.
Smishing and Vishing
These are phishing attacks performed via SMS, text messages, or phone calls. A sense of urgency or fear is created, prodding you to reveal sensitive information.
Example: A scammer posing as an HR executive calls your receptionist and asks them to verify your personal information.
Spear Phishing or Angler Phishing
The spear phishing method targets you specifically through email or fake social media customer service accounts, and tailors messages based on your characteristics (job position, contacts, etc.).
Example: As an employee at a certain bank, you receive an email from your “customer service department” with an attachment you’re asked to open “for your information.”
Watering Hole
A cyber criminal infects a site you regularly visit and has you download malware, or designs a fake version of the site where you sign in with your credentials.
Example: You are diverted away from the legitimate login page of a retailer you frequent to a fake login page, where your credentials are sent straight to a scammer.
Whaling
Whaling targets you if you’re a “big fish” like an executive, government official, or celebrity, with the goal of obtaining valuable data or a large ransom after finding compromising information.
Example: As a C-level employee, you receive a confidential email from a “known” contact within your organization. They claim to have compromising information about another executive in the company. They share this information in an infected PDF, and want you to take a look and tell them your thoughts.
How to Prevent Social Engineering Attacks
To prevent these types of social engineering attacks—including BEC, spear phishing, whaling, and others—here are a few dos and don’ts:
- DO be wary of enticing offers.
- DON’T open suspicious emails or attachments.
- DO verify the identity of anyone requesting action on your part.
- DON’T let your emotions dictate your online or in-person actions.
- DO use multifactor authentication.
- DON’T share your login credentials, or allow unauthorized people into restricted areas.
- DO file a complaint with the FBI.
- DON’T acquiesce to a cyber criminal’s demands.
Here’s one other “DO”: Use cyber threat intelligence tools to prevent data breaches and protect sensitive information, so your organization doesn’t become a victim of fraud.
In addition, while social engineering attacks conducted by outsiders can be devastating, it is equally important to prevent similar attacks from malicious insiders.
For a glass box approach that keeps your IT department in the know of everything that’s happening behind the scenes, schedule a meeting with Castra.