Understanding Social Engineering and Its Various Attack Types

It is widely believed that the main threat comes from individuals with advanced technical skills who use them to gain unauthorized access to secure computer systems, putting valuable data at risk. This type of malicious actor often makes headlines. Other individuals and groups deserve just as much attention, however: the so-called "social engineers", who use phone calls and other forms of communication to manipulate human psychology and trick people into revealing sensitive organizational information. Social engineering covers a wide range of malicious activities.

What is social engineering?

Social engineering involves manipulating a person's emotions and decision-making processes to trick them into taking certain actions.

As per Digital Guardian, social engineering attacks often rely on psychological manipulation to trick unsuspecting users or employees into revealing confidential or sensitive information. Typically, social engineering tactics rely on emails or other forms of communication that exploit the victim's emotions, such as urgency or fear. This manipulation prompts the victim to unwittingly divulge sensitive information, click on a malicious link, or open a malicious file.

Understanding different social engineering attacks

In this article, we narrow our focus to six of the most prevalent attack types that social engineers use against their victims: phishing, pretexting, baiting, quid pro quo, tailgating, and CEO fraud.

1. Phishing

Phishing is a type of cyber attack where scammers try to trick people into revealing sensitive information such as passwords or credit card numbers. It is important to be careful and vigilant to protect yourself from falling victim to phishing attempts.

Phishing stands out as the most prevalent form of social engineering attack. Generally, a phishing scheme has three main objectives:

  • collect personal information such as names, addresses, and Social Security numbers;
  • use shortened or misleading links that direct users to questionable websites hosting phishing landing pages;
  • exploit a sense of fear and urgency to manipulate the user into responding quickly.

No two phishing emails are exactly alike, and there are several subcategories of phishing, each with its own characteristics. Not every phisher invests the same amount of time and care in crafting an attack, which is why many phishing messages still contain spelling and grammar errors.

Example of a phishing attack: A phishing campaign was recently discovered that used LinkedIn branding to trick job seekers. According to Threatpost, the attackers pretended that people from well-known businesses such as American Express and CVS Carepoint had sent the recipients messages or viewed their profiles on the social network. When recipients clicked the links in the email, they were directed to pages specifically designed to steal their LinkedIn credentials.

2. Pretexting

Pretexting is a technique that deceives people by presenting a false identity or scenario in order to obtain sensitive information. It is important to be aware of this form of manipulation and to take precautions against falling prey to it.

Pretexting is a type of social engineering in which the attacker invents a fabricated scenario and uses it to trick individuals into handing over personal information. During these attacks, fraudsters pose as someone trustworthy and ask the target for specific pieces of information, ostensibly to verify the target's identity. When the victim complies, the attacker commits identity theft or uses the data for other malicious purposes. More advanced pretexting attacks aim to trick individuals into bypassing an organization's security measures.

Example of a pretexting attack: An individual poses as an external IT services auditor and convinces the physical security team to let them into the organization's premises. Whereas phishing capitalizes on fear and urgency, pretexting relies on building a false sense of trust with the target. The attacker must craft a convincing narrative that leaves as little room for doubt as possible in the target's mind, and must choose a suitable disguise. Pretexts can take many different forms, which gives the attacker considerable flexibility.

Pretexting is commonly used by threat actors who pose as HR personnel or finance employees to target C-level executives. According to a report from KrebsOnSecurity, scammers have been known to impersonate banks and send text messages about suspicious transfers, then phone anyone who responds and defraud them.

3. Baiting

Baiting and phishing have many similarities.

What distinguishes baiting is that it relies on the attractiveness of an object or offer to lure unsuspecting individuals. For example, a baiting attack can exploit the lure of free music or movie downloads to trick users into handing over their login credentials. Attackers can also exploit human curiosity through the use of physical media.

Example of a baiting attack: In July 2018, KrebsOnSecurity published a report on an attack specifically targeting state and local government agencies in the United States. The operation distributed envelopes with Chinese postmarks, each containing a confusingly worded letter and a CD. The aim was to pique the recipients' curiosity so that they would load the CD and unwittingly expose their computers to malware.

As computers move away from CD drives, attackers are adapting their methods by using USB sticks instead. A study by the University of Michigan, the University of Illinois, and Google produced a surprising result: a large proportion of people, between 45% and 98%, give in to curiosity and plug in USB drives they find.

4. Quid Pro Quo

Like baiting, quid pro quo attacks offer something in exchange for information. Typically the benefit is offered as a service, whereas in baiting it is usually a product.

Example of a quid pro quo attack: One common variant involves fraudsters impersonating the US Social Security Administration (SSA). Posing as SSA officials, they contact unsuspecting individuals and ask them to "verify" their Social Security numbers, which can lead to identity theft. In some instances identified by the Federal Trade Commission (FTC), fraudsters set up fake SSA websites in order to illegally harvest personal information. Attackers can also use far less sophisticated quid pro quo offers. Previous incidents have shown that office workers are readily inclined to reveal their passwords in exchange for cheap items such as pens or even a chocolate bar.

5. Tailgating

One type of social engineering attack we'll discuss is called “tailgating.” In these attacks, an individual who lacks the necessary authentication gains access to a restricted area by following an authenticated employee.

Example of a tailgating attack: An attacker can begin by posing as a delivery driver and waiting outside a building. When an employee obtains security's approval and opens the door, the attacker asks the employee to hold it, thereby gaining access. Tailgating is ineffective against security measures such as a keycard system that every person entering must use. In organizations without such controls, however, attackers can exploit a sense of familiarity to strike up conversations with employees and slip past the front desk. Colin Greenless, a security consultant at Siemens Enterprise Communications, used a variety of such strategies to gain access to multiple floors and the data room of an FTSE-listed financial firm. He was even able to set up a workspace in a third-floor meeting room and use it for an extended period.

6. Understanding CEO Fraud

And now, we come to the topic of CEO (or CxO) fraud, which is of great importance. During this attack, cybercriminals spend time gathering information about the organizational structure and key members of the executive team. Like pretexting, attackers exploit the reputation of a requesting individual, such as a CFO, to persuade an employee to make a financial transaction or divulge sensitive and valuable information.

CEO fraud, also known as executive phishing or business email compromise (BEC), falls under the category of phishing attacks.

Example of a CEO fraud attack: To ensure the fraud succeeds, the attacker invests time in understanding the targeted organization's structure and overall objectives. Once the key people and targets within the company have been identified, the attacker compromises an executive's email account.

The attacker then approaches a member of the accounting or purchasing team, posing as the CFO, and requests payment of an invoice. The employee does not realize that the invoice is fraudulent. This request is usually accompanied by a sense of urgency: attackers know that time is of the essence, because the longer it takes to fulfil the request, the greater the risk that the employee becomes suspicious. The FBI reported that organizations lost more than $43 billion to BEC attacks between 2016 and 2021.
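The indicators described in the phishing section (shortened or misleading links, urgency language) and in the CEO fraud example above (a payment request that appears to come from the CFO, sent from a mailbox that only looks like the company's) can be turned into a simple screening check on inbound mail. The following is an added example written for this article, not code from the original page or from any vendor mentioned in it. The trusted domain example-corp.com, the shortener list, the urgency word list and both sample messages are constructed for illustration; a real deployment would load them from configuration.

```python
"""Heuristic screening of an inbound email for phishing / BEC indicators.

Added illustration, not part of the original article. It scores a raw
RFC 822 message for: a display name that carries a trusted-domain address
while the real sender is elsewhere, a look-alike sender domain, a Reply-To
routed to a different mailbox, shortened links, and pressure language.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for the illustration; load from config in a real deployment.
TRUSTED_DOMAIN = "example-corp.com"
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
URGENCY_WORDS = {"urgent", "urgently", "immediately", "asap", "today",
                 "overdue", "wire", "confidential"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains (a '0' for an 'o')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return a list of (indicator, detail) tuples for every heuristic that fires."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name shows an address on our domain, but the real sender is elsewhere.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() == TRUSTED_DOMAIN and from_dom != TRUSTED_DOMAIN:
        findings.append(("display-name-spoof", addr))

    # 2. Sender domain is only a couple of edits away from ours (example-c0rp.com).
    if from_dom and from_dom != TRUSTED_DOMAIN and edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        findings.append(("lookalike-domain", from_dom))

    # 3. Replies silently routed to a mailbox other than the apparent sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply-to-mismatch", reply_to))

    # 4. Shortened links hide the real landing page.
    text = message_text(msg)
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(("shortened-link", url))

    # 5. Pressure language: the "urgency and fear" lever the article describes.
    words = set(re.findall(r"[a-z]+", (msg.get("Subject", "") + " " + text).lower()))
    hits = sorted(words & URGENCY_WORDS)
    if len(hits) >= 2:
        findings.append(("urgency", ", ".join(hits)))

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: "Jane Doe CFO jane.doe@example-corp.com" <jane.doe@example-c0rp.com>
Reply-To: jane.doe.cfo@webmail.example
To: accounts-payable@example-corp.com
Subject: URGENT: overdue invoice, please pay today
Content-Type: text/plain; charset=utf-8

Hi, I need this wire sent immediately, the invoice is overdue.
Remittance details: https://bit.ly/inv-7731
Keep this confidential until the deal closes. Thanks, Jane
"""

SAMPLE_OK = """\
From: "Bob Smith" <bob.smith@example-corp.com>
To: accounts-payable@example-corp.com
Subject: Q3 expense report
Content-Type: text/plain; charset=utf-8

Attached is the Q3 expense summary for review at Thursday's meeting.
https://intranet.example-corp.com/finance/q3
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(label, score_message(sample))
```

The checks are deliberately cheap and independent so that each one can be tuned or disabled on its own; in practice they would sit behind SPF/DKIM/DMARC evaluation rather than replace it, and a "urgency" hit alone should only raise the score, not block the message.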

Tips to Protect Yourself from Social Engineering Attacks

The aforementioned attacks show how social engineering exploits human psychology and curiosity to compromise victims' information. It is critical for organizations to help their employees defend against these attacks, keeping in mind their human-centered approach. Here are some suggestions that can be incorporated into security awareness training programs.

  • Be careful when dealing with emails from sources you don't trust. If you receive a suspicious email message from a friend or family member, it is advisable to contact them in person or by phone to clarify the situation.
  • Care must be taken when considering offers from strangers. Caution is important when something seems too good to be true.
  • Always remember to lock your laptop when you are away from your workstation.
  • Consider purchasing antivirus software. No AV solution can detect every threat, but it can help protect against some of the campaigns that use social engineering tactics.
  • It is important to familiarize yourself with your company's privacy policy to have a clear understanding of the protocol for granting access to the building under different circumstances.
  • It is important to validate any urgent requests coming from a contact within your organization to ensure they are valid, especially before transferring money or sharing sensitive information.
  • Establishing a culture of risk awareness is critical to keeping employees vigilant. Social engineering attacks often succeed because of people's lack of awareness and their mistakes. Make security a priority within your organization so that employees are empowered to prevent attacks proactively and know the appropriate channels for reporting incidents when they occur.
