Social engineering attacks are a type of cybercrime based on deception.
In social engineering attacks, the attacker will pretend to be someone you trust, so users will be more likely to engage with the attack. Regardless of who the attacker is impersonating in social engineering attacks, the goal is to extract money or account information from your company, such as a tax file number, log-in details for an email account or social networking site access.
What makes a social engineering attack so dangerous is the fact it relies on human error as opposed to software vulnerability which can be easier to track.
Phishing attacks are the most common type of social engineering attack, and they can be done over email, social media sites or SMS.
The purpose of a phishing attack is to trick victims into parting with sensitive data, personal information or even money.
In these attacks, information is stolen through malware which is sent over as a URL link. When victims click a phishing link, their operating systems may be compromised.
Phishing can be disguised to look like correspondence from any platform you may trust, such as a credit card company or a government organization.
2. Watering hole
Watering hole attacks target a group of individuals, usually from the same IP address, with malicious codes which cause malware to be downloaded onto a victim's device.
This malware allows hackers to see private information that is usually protected by information security, such as login credentials.
For this scam to work, malicious code is injected into public websites that the target frequently uses, making the attack harder to detect.
This social engineering attack is similar to phishing, but the target is key individuals within an organisation such as the CEO or finance manager.
This technique uses the same social engineering tactics as a spear phishing email, where an email or message is specifically targeted to a specific individual, with the goal to solicit a click or download attachments in order to install malware.
A pretexting attack is based on gaining trust with users so they can be manipulated into providing sensitive information or revealing a vulnerability that can be used to the hacker’s advantage.
During this kind of attack, threat actors may contact a business acting as a software company with whom the business frequently works. By pretending to be someone trusted during pretexting attacks, it is easier for the hacker to ask for sensitive information without seeming suspicious.
By posing as a legitimate and ‘trusted’ business, users are more likely to disclose sensitive information because they believe it is going into safe hands.
5. Quid pro quo
Quid Pro Quo is a Latin term which means 'something for something', and in this kind of attack, a criminal will offer an exchange of services or information as a way to get what they want from their target.
Quid pro quo attacks can happen through websites, email addresses or even through a phone call. In these attacks, the criminal will offer some kind of service or benefit in exchange for information from the target.
A vishing attack, which is not to be confused with phishing attacks, is a form of social engineering that relies on vocal communication. Phone numbers are easily accessible, and with technology such as A.I. it is easy for hackers to pretend to be someone else over a call to obtain sensitive information.
This is a similar tactic to quid pro quo. However, instead of the attack offering a service or benefit in return for data, hackers instead offer a reward to bait their victims. The promise of a prize is an easy way to play on a human's sense of curiosity.
If you're working in an organisation that uses email as the primary means of communication and requests - it can be easy to ignore some of the red flags that come through - especially if it's difficult to get to 'inbox zero'! Being aware of the techniques and taking a pause before acting on any requests in an email can save you and your organisation from financial and reputational stress. For more information about how to spot social engineering scams - contact us for a demo of our award winning training platform today!