Understanding Social Engineering and Its Various Attack Types

It is widely understood that some individuals possess advanced technical skills and use them to gain unauthorized access to secure computer systems, putting valuable data at risk. This type of malicious actor frequently makes headlines. Another group deserves just as much attention: "social engineers", who use phone calls, email and other media to manipulate human psychology and trick people into divulging an organization's sensitive information. Social engineering covers a wide range of malicious activities.

What is Social Engineering?

Social Engineering involves manipulating a person’s emotions and decision-making process in order to deceive them into taking certain actions.

As per Digital Guardian, social engineering attacks often rely on psychological manipulation to deceive unsuspecting users or employees into divulging confidential or sensitive information. Typically, social engineering tactics rely on emails or other forms of communication that exploit the victim’s emotions, such as urgency or fear. This manipulation prompts the victim to unknowingly disclose sensitive information, click on a harmful link, or open a malicious file.

Understanding Different Social Engineering Attacks

In this article, we narrow our focus to six of the most prevalent attack types that social engineers use against their victims: phishing, pretexting, baiting, quid pro quo, tailgating, and CEO fraud.

1. Phishing

Phishing is a type of attack in which scammers, usually posing as a trusted sender, try to trick people into revealing sensitive information such as passwords or credit card numbers.

Phishing is the most prevalent form of social engineering attack. Phishing scams generally share three traits:

  • They collect personal information such as names, addresses, and Social Security Numbers;
  • They use shortened or deceptive links that direct users to questionable websites hosting phishing landing pages; and
  • They exploit fear and a sense of urgency to pressure the user into responding promptly.

No two phishing emails are alike, and there are numerous sub-categories of phishing, each with its own characteristics. Phishers also invest very different amounts of effort in crafting their messages, which is why many phishing emails are riddled with spelling and grammar mistakes while others are polished enough to pass a casual read.
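The deceptive-link and urgency traits listed above can be checked mechanically. The following Python script is an added example written for this page (it is not code from the original article or from any vendor mentioned here); it uses only the standard library, and the sample message, the brand list and the shortener list are constructed for illustration. It takes the crude "last two labels" approximation of a registrable domain, so a real deployment would swap in a Public Suffix List library.

```python
"""Flag the phishing-link tells described above in an HTML e-mail body.

Added example, not from the original article. Standard library only.
The brand list, shortener list and sample message are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists: brands the organisation cares about, and common shorteners.
PROTECTED_BRANDS = {"linkedin", "paypal", "microsoft"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|account (?:will be )?suspended|urgent)\b", re.I)
# A visible link text that itself looks like a URL or bare domain.
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: no Public Suffix List, so 'example.co.uk' is mishandled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_html(body: str) -> list[str]:
    """Return human-readable findings for the phishing tells found in `body`."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        # 1. Visible text names one domain, but the href goes to another.
        m = DOMAIN_IN_TEXT.match(text)
        shown = m.group(1).lower() if m else ""
        if shown and registrable_domain(shown) != reg:
            findings.append(f"text/href mismatch: shows {shown}, goes to {host}")
        # 2. A URL shortener hides the real destination.
        if reg in SHORTENERS:
            findings.append(f"shortened link: {href}")
        # 3. Brand name in the host, but the registrable domain is not the brand's.
        for brand in PROTECTED_BRANDS:
            if brand in host and not reg.startswith(brand + "."):
                findings.append(f"brand '{brand}' in look-alike host {host}")
    # 4. Pressure language anywhere in the visible text.
    plain = re.sub(r"<[^>]+>", " ", body)
    for m in URGENCY.finditer(plain):
        findings.append(f"urgency cue: '{m.group(0)}'")
    return findings


# Constructed sample modelled on the LinkedIn-themed lure described in the article.
SAMPLE_HTML = """
<p>Your LinkedIn profile was viewed by American Express. Respond within 24 hours
or your account will be suspended.</p>
<a href="https://linkedin.com.secure-login.example/view">https://www.linkedin.com/in/you</a>
<a href="https://bit.ly/3abc">View profile</a>
"""

if __name__ == "__main__":
    for finding in analyse_html(SAMPLE_HTML):
        print(finding)
```

On the constructed sample the script reports five findings: the text/href mismatch and the look-alike host for the first link, the shortener for the second, and two urgency cues from the paragraph text. A legitimate link whose visible text and href both resolve to linkedin.com produces no findings.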

Phishing Attack Example: A phishing campaign was recently discovered that employed LinkedIn branding to deceive job seekers. According to ThreatPost, the attackers made it appear as though people from reputable businesses like American Express and CVS Carepoint had sent them messages or looked at their profiles on the social network. When recipients clicked on the email links, they were redirected to pages that were specifically created to steal their LinkedIn credentials.

2. Pretexting

Pretexting deceives individuals by constructing a false scenario or identity in order to obtain sensitive information.

In a pretexting attack, the attacker fabricates a scenario and uses it to extract personal information from the victim. Typically the scammer pretends to be someone trustworthy and asks the victim for specific details, ostensibly to confirm the victim's identity. Once the victim complies, the attacker commits identity theft or puts the data to other harmful use. More advanced pretexting aims to talk individuals into bypassing an organization's security controls.

Pretexting attack example: An attacker poses as an external IT services auditor and talks the physical security team into letting them onto the organization's premises. Where phishing leverages fear and urgency, pretexting relies on building a false sense of trust with the target. The attacker has to construct a narrative convincing enough to leave minimal doubt in the target's mind, and choose a disguise to match. Pretexting can take many forms, which gives the attacker flexibility in how it is executed.

Threat actors commonly use pretexting by posing as HR or finance staff to target C-level executives. KrebsOnSecurity has reported scammers impersonating banks: they send text messages about a supposedly suspicious transfer, then phone anyone who responds and deceive them further.

3. Baiting

Baiting and phishing share many similarities.

Baiting differs in that it relies on the allure of an item or good to lure victims. For example, baiting attacks can use the temptation of free music or movie downloads to trick users into surrendering their login credentials. Baiting can also exploit human curiosity through physical media.

Baiting attack example: In July 2018, KrebsOnSecurity reported an attack targeting state and local government agencies in the United States. The operation mailed envelopes bearing Chinese postmarks, each containing a confusingly worded letter and a CD. The intention was to spark recipients' curiosity so that they would load the CD and expose their computers to malware.

As computers move away from CD drives, attackers are adapting by using USB keys. A study by the Universities of Michigan and Illinois and Google found that a sizable share of people, between 45% and 98%, give in to curiosity and plug in USB drives they come across.

4. Quid Pro Quo

Similar to baiting, quid pro quo attacks involve offering something in return for information. Typically, this benefit is provided as a service, while baiting is usually in the form of a product.

Quid pro quo attack example: A common instance is fraudsters impersonating the U.S. Social Security Administration (SSA). They contact people claiming to be SSA staff and ask them to confirm their Social Security numbers, which the attackers then use to steal the victims' identities. In some cases identified by the Federal Trade Commission (FTC), the fraudsters set up fake SSA websites to harvest personal information. Far less sophisticated offers also work: past surveys have found office workers willing to hand over their passwords in exchange for cheap items such as pens or even chocolate bars.

5. Tailgating

Tailgating is an attack in which someone who lacks the necessary authentication gains access to a restricted area by following an authenticated employee through the door.

Tailgating attack examples: An attacker might pose as a delivery driver and wait outside a building. When an employee gains security's approval and opens the door, the attacker asks them to hold it, and the employee unwittingly lets the attacker in. Tailgating does not work against controls such as a keycard system that requires each person to badge in; in organizations without such controls, attackers can strike up conversations with employees and use that sense of familiarity to get past the front desk. Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to gain access to several floors and the data room of a FTSE-listed financial firm. He was even able to set himself up in a third-floor meeting room and work from there for an extended period.

6. Understanding CEO Fraud

And now we come to CEO (or CxO) fraud, which is among the most costly of these attacks. Here, cybercriminals invest time in gathering information about the organizational structure and the key members of the executive team. Much as in pretexting, the attacker exploits the authority of the person they claim to be, such as the CFO, to persuade an employee to carry out financial transactions or disclose sensitive and valuable information.

CEO fraud, also referred to as executive phishing or business email compromise (BEC), falls under the category of spear-phishing attacks.

CEO fraud attack examples: To pull off CEO fraud, an attacker first studies the organizational structure and business objectives of the target. Once the key individuals are identified, the attacker takes over an executive's email account, or spoofs it so that messages appear to come from that account.

For example, the attacker contacts a member of the accounting or purchasing team, posing as the CFO, and requests payment of an invoice that the employee does not realize is fraudulent. The request almost always carries a sense of urgency: attackers know that the longer the request sits unfulfilled, the greater the chance the employee becomes suspicious. The FBI reports that organizations lost more than $43 billion to BEC attacks between 2016 and 2021.
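The tells in the CEO-fraud scenario above (an executive's name on an address that is not theirs, a look-alike sender domain, a Reply-To that redirects answers elsewhere, and a payment request paired with urgency) can be scored on inbound mail. The following Python script is an added example written for this page, not code from the original article or any product it mentions; it uses only the standard library, and the company domain, executive directory, keyword lists and both sample messages are constructed for illustration.

```python
"""Score an inbound message for the CEO-fraud (BEC) pattern described above.

Added example, not from the original article. Standard library only.
COMPANY_DOMAIN, EXECUTIVES, the keyword lists and the samples are constructed.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed: display name -> real address
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|right away|today|before (?:noon|close of business))\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    """Return the CEO-fraud indicators present in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name is a known executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"executive display name '{name}' on non-directory address {addr}")

    # 2. Sender domain is a near-miss of the company domain.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steers replies to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Body pairs a payment request with pressure to act now.
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    if PAYMENT.search(text) and URGENCY.search(text):
        findings.append("payment request combined with urgency language")
    return findings


# Constructed sample: CFO-style invoice request from a look-alike domain.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.example.net
To: payables@example.com
Subject: Urgent invoice

Hi, I need you to process the attached invoice by wire transfer today.
I'm in a meeting, so just reply here to confirm. Thanks, Jane
"""

# Constructed sample: the same executive, genuine address, no payment ask.
LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Q3 numbers

Attached are the quarter figures for the board pack. No action needed.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_EMAIL):
        print(finding)
```

The fraudulent sample trips all four indicators; the legitimate one trips none. In practice the fourth check is the noisy one (finance staff legitimately write about invoices with deadlines), so it is best weighted as a supporting signal behind the first three rather than used alone, and any message that hits the first three should be verified with the named executive out of band before money moves.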

Tips for Protecting Yourself from Social Engineering Attacks

The attacks above show how social engineering exploits human psychology and curiosity to compromise victims' information. Because these attacks target people rather than systems, organizations need to help their employees defend against them. Here are some tips that can be built into security awareness training programs.

  • Treat emails from sources you do not trust with caution. If you receive a suspicious message that appears to come from a friend or family member, contact them in person or by phone to confirm they sent it.
  • Be wary of offers from unfamiliar individuals. If something appears too good to be true, it probably is.
  • Always lock your laptop when you step away from your workstation.
  • Consider anti-virus or endpoint protection software. No AV product can guarantee a perfect detection rate, but it adds a layer against the malicious attachments and links that social engineering campaigns deliver. It does nothing against a phone call or a fraudulent payment request, so it complements rather than replaces the other checks here.
  • Familiarize yourself with your company's security and visitor policies so that you know when, and how, someone may be admitted to the building.
  • Always verify urgent requests that appear to come from a contact within your organization before transferring money or sharing sensitive information. Use a channel you already trust, such as a phone number you have on file, rather than the contact details in the request itself.
  • Build a culture of risk awareness to keep employees vigilant. Social engineering attacks succeed because of people's lack of awareness and their mistakes. Prioritizing security across the organization empowers employees to prevent attacks proactively and ensures they know the proper channels for reporting incidents when they do happen.
