What Are Social Engineering Attacks?
Social engineering attacks are the manipulation of individuals to the point where they give out confidential information. The type of information these attackers may seek varies, but when individuals or employees are targeted, they are usually looking for passwords or banking information. They could also be trying to access your computer to install malware – malicious software – that gives them the passwords and banking information they seek.
The Most Impersonated Brands for Social Engineering and Phishing Attacks
As we move into a more digitized world after the pandemic, customers and businesses are demanding more digital experiences. With a massive amount of online transactions being made every day and the need for secured business accounts, this creates a vibrant ecosystem for cybercriminals to take advantage of. Here are some of the most impersonated brands for social engineering and phishing attacks:
- Wells Fargo
How Do Social Engineering Attacks Work?
Social engineering isn’t as complicated as it sounds. Essentially, a scammer investigates the victim’s digital footprint to find an angle, sends an enticing email with links or attachments, launches the attack, then steals what they came for and disappears. Below, we’ll go into further detail on a socially engineered scenario:
Scammers start out by researching their victim to find angles to leverage. For example, if you post online about raising money for a charity, a scammer learns that you are emotionally attached to a particular cause.
By now, the scammer will know most of your digital footprint, and will also likely be able to determine your email address. This allows scammers to send you personalized emails with a relevant theme, in this case, a charity fund.
Next, you receive an email with an emotionally driven subject line. You open it immediately and find a donation link. As soon as the link is clicked, malware infects your computer and the attack begins.
Unfortunately, these scammers can vanish into thin air without you knowing. The average data breach takes 287 days to detect, and that is with a professional cybersecurity team; a regular person will not have those resources. It is also important never to check personal email on a company network, because a compromise there can spread to the whole organization.
Now that you understand what social engineering is and how it works, let’s take a look at the various types of social engineering attacks.
13 Types of Social Engineering Attacks
Criminals like to use different types of social engineering tactics to gain trust, because exploiting trust is an easier way to gain access to your systems than discovering a zero-day remote exploit. Below, we’ll discuss the many forms of socially engineered attacks and the techniques that are most commonly used by cybercriminals.
1. Angler Phishing
Angler phishing is a newer kind of phishing attack that targets social media users via spoofed customer service accounts. The attackers reach out to disgruntled customers, and the fake account offers the user a chance to talk to a “live representative”, who obtains their personal information or account credentials in the process. They may also push a link that installs malware on the victim’s computer.
2. Spear phishing
Spear phishing is when cybercriminals target email or electronic communications to scam a specific individual, organization, enterprise, or business. While cybercriminals usually try to install malware onto a user’s computer to gather credentials, they often use spear phishing to gain trust and get users to send the credentials themselves.
3. Whaling
Another common social engineering attack, whaling, targets top-level enterprise executives and even the heads of government agencies. The aim is to steal money or sensitive information from senior employees who likely have broad access to information and authority over payments. As in other attacks, the criminals may try to gain access to the executive’s computer systems to steal this information. Also known as CEO fraud, whaling uses methods similar to phishing, such as email and website spoofing. Ransoms are common in whaling attacks, since the cybercriminals may hold embarrassing information they can threaten to leak to the public.
4. Diversion Theft
Diversion theft can occur online and offline but by definition, it’s the interception of transactions. In online diversion theft schemes, thieves trick victims into sending sensitive data to the wrong person. The thieves often accomplish this theft by spoofing an email address of someone within the victim’s company. They may also spoof an auditing firm or a financial institution in order to accomplish this.
5. Baiting
Baiting is a kind of social engineering attack where victims are lured into providing sensitive information or credentials. Attackers do this by falsely promising something of value for free. The trap may also take the form of a malicious attachment with an enticing name. This is a highly effective technique, since cybercriminals capitalize on your emotions so that you act irrationally.
6. Pretexting
Pretexting is a more sophisticated style of social engineering attack in which a scammer creates a fabricated scenario (also known as a pretext) in order to con a user into providing passwords, financial information, or Social Security details. They may pretend to be an IRS auditor, for example.
7. SMS Phishing
SMS phishing has become a larger and larger problem since more enterprises have embraced texting as a method of communication. In one SMS phishing method, scammers will send a text message which spoofs a multi-factor authentication request. This may then redirect victims to a malicious web page that collects their credentials or installs malware on their mobile devices.
8. Scareware
Scareware is when a scammer inserts malicious code onto a webpage, causing a pop-up window with flashing colors and alarming sounds. These pop-ups falsely alert you that a virus has been installed on your device. You are then told to purchase or download their “security software” or to call an alleged computer technician to help restore your system. At that point, the scammers either steal your credit card information or install actual malware on your system, or both.
9. Watering Hole Attack
In this kind of attack, the attacker infects a legitimate website that their targets actively visit. Then, once the victims log into the site, the attacker can capture their credentials and use them to breach the target’s own network. They may also install a backdoor trojan that gives them access to the network.
10. Vishing Attack
Vishing, which is short for voice phishing, occurs when a cybercriminal uses the telephone to trick victims into disclosing their information or even giving direct access to the victim’s computer. One popular vishing scam involves attackers calling victims and pretending they are from the IRS. The caller then threatens or attempts to scare the victim into giving up their personal data or making a payment. Vishing scams often target older individuals; however, anyone can fall for them if they are not well-trained.
11. Business Email Compromise
Business email compromise (BEC) is a type of cybercrime scheme where an attacker targets businesses to defraud the company. BEC is a growing problem that targets all kinds of organizations across all industries in the world. A subset of BEC is email account compromise (EAC) which is a BEC attack launched using an actual account within the organization rather than a spoofed address. The compromised account used in an EAC attack is often the result of a previous, successful phishing incident.
12. Honeytrap
Honeytraps are a type of scam where cybercriminals create fake social media accounts and dating profiles using photos they steal online. Once they find their prime victim, they start to build a relationship by sending messages or photos. Once the cybercriminal has built trust with the victim, they entice them to send gifts or money, or to cosign for large purchases, to “prove” that the victim’s love for them is real.
13. Piggybacking or Tailgating
Piggybacking, sometimes referred to as tailgating, is a type of physical breach that occurs when an unauthorized person gains entry by exploiting an authorized person. Scammers may hang around entrances that require PIN codes, disguised as delivery drivers or groundskeepers, so they can observe entry codes and passwords without you knowing. In another scenario, an authorized individual may grant access to an unauthorized individual such as a coworker, or let a child play on a company-issued device. If both individuals fall victim to a socially engineered attack, it can compromise an entire organization.
How to Prevent a Social Engineering Attack
Since social engineering attacks are an ever-growing problem, you will need to know some mitigation tactics in order to avoid these kinds of attacks. Below, we explain some of the more popular mitigation tactics that can be used by your organization to stop phishing attacks.
Have a Positive Security Culture
If you or any of your staff fall victim to social engineering attacks, your security team will have to act quickly in order to contain it. The corporate culture must therefore encourage these victims to report any incidents as soon as possible. You want to ensure no malware infection dwells on your system for months. While being able to quickly respond to incidents is important, predicting and preventing attacks is far better.
Test Training Effectiveness
Training your staff to look out for social engineering attacks should not just be a one-off event. You need to regularly test the effectiveness of training and redeploy as necessary. A good example of this is simulating a phishing attack, where your staff is targeted by a controlled phishing attempt. This will help you get an understanding of how susceptible they are and how much your organization is at risk. Using this information, you can retrain employees who need it most, which reduces your exposure.
Implement Layered Technical Controls
In addition to training and testing your staff, you should also implement layered email security measures. At a minimum, this should include an email “hygiene” filter like Microsoft Defender for Office 365, an endpoint security agent, real-time threat detection, and automated remediation of confirmed malicious emails. This approach helps limit the number of attacks that reach your staff – minimizing damage from successful phishing attacks. Of course, these layers are part of an overall enterprise security architecture that may include firewalls, patch management, penetration testing, and access governance.
Leverage Security Training to Engage Your Staff in Real-Time Defense
Users cannot reliably identify social engineering attacks on their own, but they can perform an initial analysis of messages classified as suspicious by machine learning models and other automated real-time detection techniques. For example, a natural language processing engine could notify a user that an email is suspicious based on indicators such as:
- Masquerading: A type of threat where an unauthorized entity gains access to a system and acts as a trusted entity, such as a familiar brand or person. For example, if a user leaves a terminal open and logged in, masquerading becomes easier, since the authentication requirements have already been satisfied and may not need to be entered again.
- Urgency: Confusing victims by creating a false sense of urgency. This can provoke users into a state of fear or excitement so they act quickly. For example, phishing emails may contain a catchy subject line stating the recipient needs to act quickly for a sale that is ending soon. An email like this will likely contain phishing links that can launch malicious attacks on a recipient’s computer.
- Taking advantage: Criminals may try to take advantage of people’s sense of indebtedness or even conditioned responses to authority. For example, cybercriminals may call potential victims and act as authoritative figures, such as managers or fake law enforcement, leveraging fear to gain sensitive information.
Equipped with this real-time information in the specific context of an individual threat, users can apply their training to:
- Stay alert: Treat any unsolicited communication with suspicion. This is why having protocols in place enhances email security: if a potential phishing email includes a strange link and the known protocol is not to click unfamiliar links, it is easier for an employee to spot the scam.
- Double-check email addresses: Check whether your emails genuinely came from their stated sender. A common technique is to use digits that resemble letters in the address, since recipients easily overlook them, when in reality the email is coming from a fake sender.
- Be cautious of attachments: Avoid opening any suspicious-looking email attachments. Always take note of the subscriptions you sign up for and if attachments aren’t typically included or you weren’t expecting them, avoid clicking or downloading.
- Think twice: Make sure to think twice before providing any sensitive information via email. Any type of sensitive information should be on a secured form from a legitimate website and never through a non-business or personal email account.
- Website security: Check any website’s security before you submit sensitive information, even if it seems legitimate. These days, SSL certificates are easy to obtain and there is an increase in malware being delivered through HTTPS, so you’ll want to remain extra cautious.
- Pay attention to URLs: Typosquatting, also referred to as URL hijacking, or sting sites, is when cybercriminals purposely buy misspelled domains and make sites look genuine, or have web addresses that are subtly different in arrangement from the actual site they are imitating.
- Check for spoofing: Determine whether emails have been spoofed by hovering over the sender’s name. This helps to make sure the sender’s name matches the email address. This is a common technique used to gain sensitive information because a cybercriminal will act as a representative of the company.
- Check grammar: Check for spelling errors and other common giveaways. This should be the first thing you look for, since it is the easiest to catch. Bad grammar and unusual formality should warn you to stay vigilant.
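The indicators above (display name versus address, digit-for-letter lookalike domains, urgency language, links to hosts you do not recognize) can be turned into a small triage helper that tells the user *why* a message was flagged, which is the kind of real-time context the section describes. The following is an added example written for this page; it is not Cyren’s product code or anything from the original article. The trusted-domain list, the confusable-character table, the urgency word list and the two sample messages are all constructed assumptions for illustration.

```python
"""Heuristic phishing-indicator scorer (added example, not the page's or any vendor's code)."""
import re
from email.utils import parseaddr

# Assumption: domains this hypothetical organization treats as trusted senders.
TRUSTED_DOMAINS = {"example.com", "wellsfargo.com"}

# Digit-for-letter swaps commonly used in lookalike domains (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed list of words that signal manufactured urgency.
URGENCY_WORDS = ("urgent", "immediately", "act now", "expires", "suspended", "final notice")


def normalize_domain(domain):
    """Fold digit-for-letter substitutions so 'we11sfarg0.com' becomes 'wellsfargo.com'."""
    return domain.lower().translate(CONFUSABLES)


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    folded = normalize_domain(d)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            return trusted
        # Brand label embedded in a longer name, e.g. 'wellsfargo-secure.com'.
        if trusted.split(".")[0] in d:
            return trusted
    return None


def analyze(message):
    """Score one message (dict with From, Subject, Body) and list the reasons it was flagged."""
    reasons = []
    display_name, address = parseaddr(message.get("From", ""))
    domain = address.rpartition("@")[2].lower()

    # 1. Display name claims a trusted brand, but the address domain is not that brand.
    compact_name = display_name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in compact_name and domain != trusted:
            reasons.append(f"display name '{display_name}' does not match sender domain '{domain}'")
            break

    # 2. Sender domain is a lookalike of a trusted domain.
    target = lookalike_of(domain)
    if target:
        reasons.append(f"sender domain '{domain}' resembles '{target}'")

    # 3. Urgency language in the subject line.
    subject = message.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        reasons.append("urgency language in subject: " + ", ".join(hits))

    # 4. Links whose host is not a trusted domain. HTTPS alone proves nothing, so the
    #    scheme is ignored and only the host is checked.
    for host in re.findall(r"https?://([^\s/]+)", message.get("Body", "")):
        host = host.lower()
        if host not in TRUSTED_DOMAINS:
            reasons.append(f"link to untrusted host '{host}'")

    return len(reasons), reasons


# Constructed sample messages: one lookalike phish and one ordinary internal email.
SAMPLES = [
    {
        "From": "Wells Fargo Security <alerts@we11sfarg0.com>",
        "Subject": "URGENT: your account will be suspended",
        "Body": "Verify now at https://we11sfarg0.com/login",
    },
    {
        "From": "Payroll <payroll@example.com>",
        "Subject": "March payslip",
        "Body": "Your payslip is attached.",
    },
]


def triage(messages):
    """Return (score, reasons) for each message, in input order."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{score} indicator(s) for {msg['From']!r}")
        for r in reasons:
            print("  -", r)
```

Run the file directly and the first sample is flagged on all four indicators while the payroll message is flagged on none. These are heuristics, so they will produce false positives on legitimate mail that mentions a brand or uses an urgent subject; the value is in surfacing the reasons to the user so their training is applied to the specific message, not in replacing the layered controls described earlier.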
These types of social engineering attacks are constantly on the rise, but staying vigilant can ensure that you and your employees do not fall victim to these tricks. Having protocols and guidelines in place can drastically reduce socially engineered attacks, but it cannot eliminate them entirely. This is where Cyren’s Inbox Security for Office 365 or Threat InDepth can help your business stop social engineering attacks in their tracks.