Social engineering attacks account for a massive portion of all cyber attacks. Since COVID-19, these attacks are on the rise. More than 90% of successful hacks and data breaches start with social engineering.
Since knowledge is crucial to developing a strong cybersecurity plan, we’ll discuss social engineering in general, and explain the six types of social engineering attacks out there so you can protect your organization.
What Is a Social Engineering Attack?
Social engineers are clever threat actors who use manipulative tactics to trick their victims into performing a desired action or disclosing private information. The social engineer then uses that vulnerability to carry out the rest of their plans. Many threat actors targeting organizations will use social engineering tactics on the employees to gain a foothold in the internal networks and systems.
Social Engineering Attack Types
1. Phishing
Phishing is a social engineering technique in which an attacker sends fraudulent emails, claiming to be from a reputable and trusted source. For example, a social engineer might send an email that appears to come from a customer success manager at your bank. They could claim to have important information about your account but require you to reply with your full name, birth date, social security number, and account number first so that they can verify your identity. Ultimately, the person emailing is not a bank employee; it's a person trying to steal private data.
Phishing, in general, casts a wide net and tries to target as many individuals as possible. However, there are a few types of phishing that hone in on particular targets.
Spear phishing is a type of targeted email phishing. In a spear phishing attack, the social engineer will have done their research and set their sites on a particular user. By scouring through the target's public social media profiles and using Google to find information about them, the attacker can create a compelling, targeted attack.
Imagine that an individual regularly posts on social media and she is a member of a particular gym. In that case, the attacker could create a spear phishing email that appears to come from her local gym. The victim is more likely to fall for the scam since she recognized her gym as the supposed sender.
What Type of Social Engineering Targets Senior Officials?
Whaling is another targeted phishing scam, similar to spear phishing. However, in whaling, rather than targeting an average user, social engineers focus on targeting higher-value targets like CEOs and CFOs. Whaling gets its name due to the targeting of the so-called "big fish" within a company.
2. Vishing and Smishing
While phishing is used to describe fraudulent email practices, similar manipulative techniques are practiced using other communication methods such as phone calls and text messages.
Vishing (short for voice phishing) occurs when a fraudster attempts to trick a victim into disclosing sensitive information or giving them access to the victim's computer over the telephone. The caller often threatens or tries to scare the victim into giving them personal information or compensation.
Smishing (short for SMS phishing) is similar to and incorporates the same social engineering techniques as email phishing and vishing, but it is done through SMS/text messaging.
3. Pretexting
Pretexting is a type of social engineering technique where the attacker creates a scenario where the victim feels compelled to comply under false pretenses. ScienceDirect states that, “Pretexting is often used against corporations that retain client data, such as banks, credit card companies, utilities, and the transportation industry.” During pretexting, the threat actor will often impersonate a client or a high-level employee of the targeted organization.
4. Baiting
Baiting puts something enticing or curious in front of the victim to lure them into the social engineering trap. A baiting scheme could offer a free music download or gift card in an attempt to trick the user into providing credentials.
A social engineer may hand out free USB drives to users at a conference. The user may believe they are just getting a free storage device, but the attacker could have loaded it with remote access malware which infects the computer when plugged in.
5. Tailgating and Piggybacking
Tailgating is a simplistic social engineering attack used to gain physical access to access to an unauthorized location. Tailgating is achieved by closely following an authorized user into the area without being noticed by the authorized user. An attacker may tailgate another individual by quickly sticking their foot or another object into the door right before the door is completely shut and locked.
Piggybacking is similar to tailgating; but in a piggybacking scenario, the authorized user is aware and allows the other individual to "piggyback" off their credentials. An authorized user may feel compelled by kindness to hold a secure door open for a woman holding what appears to be heavy boxes or for a person claiming to be a new employee who has forgotten his access badge.
6. Quid Pro Quo
Quid pro quo (Latin for 'something for something') is a type of social engineering tactic in which the attacker attempts a trade of service for information. A quid pro quo scenario could involve an attacker calling the main lines of companies pretending to be from the IT department, attempting to reach someone who was having a technical issue.
Once the attacker finds a user who requires technical assistance, they would say something along the lines of, "I can fix that for you. I'll just need your login credentials to continue." This is a simple and unsophisticated way of obtaining a user's credentials.
How To Mitigate Risks With Penetration Testing
A penetration test performed by cyber security experts can help you see where your company stands against threat actors. Pentesting simulates a cyber attack against your organization to identify vulnerabilities.
Social engineering testing is a form of penetration testing that uses social engineering tactics to test your employees’ readiness without risk or harm to your organization. This type of pentest can be used to understand what additional cybersecurity awareness training may be required to transform vulnerable employees into proactive security assets.
Defend Against All Types of Social Engineering Attacks
Social engineering is one of the most effective ways threat actors trick employees and managers alike into exposing private information. Preparing your organization starts with understanding your current state of cybersecurity.
The Global Ghost Team — led by Kevin Mitnick — performs full-scale simulated attacks to show you where and how real threat actors can infiltrate, extort, or compromise your organization. To prepare for all types of social engineering attacks, request more information about penetration testing.
