We’re constantly telling our employees to look out for social engineering attacks, but while we can share definitions all day long, humans often learn best by example.
By seeing real phishing emails, hearing stories of clever pretexts and watching live hacking demonstrations, we can bring our teams one step closer to truly understanding the big buzzword “social engineering.”
Here are a few specific examples of what popular social engineering schemes really look like:
1. Spear Phishing Emails, Calls or Texts
Phishing is a term used to describe cyber criminals who “fish” for information from unsuspecting users. Some hackers send out mass messages, casting a wide net and hoping to trick a large pool of recipients. These generic messages, however, are often easy to spot for the scams they are.
To weave a more convincing story, more seasoned cyber criminals research their target and build up deep knowledge about them, one "phish" at a time. Just as a spear fisherman stabs at a single fish, spear phishers often bait only one particular person per attack.
There are numerous types of spear phishing, all with their own slight variations in naming, but three of the most common are emails, phone calls and SMS messages.
FUN FACT: Phishing is likely an evolution from the word “phreaking,” which is commonly used in the hacking community to describe people who study telecommunication systems, such as phones, and weave clever social engineering pretexts over them. It uses the “ph” from “phreaking” to play off the word “fishing.”
Email Phishing
These are emails sent with malicious intent, containing links or attachments that download malware onto your device. We've all received scam emails, but some aren't as easy to spot! Social engineers can spoof email addresses so that a message appears to come from a boss or another trusted source.
In the phishing email examples above from KnowBe4, you can see how these social engineers asked for specific order numbers or payment transfers, digging for important information to use against you.
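As an added, defender-side example that is not part of the original post, the header checks below flag three of the spoofing patterns described above: a lookalike sender domain, a known colleague's display name sitting on an outside address, and a Reply-To that quietly redirects replies elsewhere. The organisation domain example.com, the KNOWN_SENDERS directory and the sample headers are all constructed assumptions.

```python
"""Flag common sender-spoofing patterns in raw email headers.

Added example, not code from the original post. Assumes the organisation's own
mail domain is example.com and that colleagues are listed in KNOWN_SENDERS.
"""
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                              # assumption: our domain
KNOWN_SENDERS = {"pat boss": "pat.boss@example.com"}    # assumption: directory entry


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw: str) -> list[str]:
    """Return a list of findings for one message's headers (empty = nothing odd)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Lookalike domain: close to ours, but not ours.
    if from_domain != OWN_DOMAIN and levenshtein(from_domain, OWN_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain!r}")
    # 2. Display-name impersonation: a known colleague's name on another address.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name {name!r} but address {addr!r}")
    # 3. Reply-To sends answers somewhere other than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply!r} differs from From domain")
    return findings


# Constructed sample headers (not real messages).
SPOOFED = ("From: Pat Boss <pat.boss@examp1e.com>\n"
           "Reply-To: urgent-payments@mailbox.test\n"
           "Subject: Order 4471 payment transfer\n\nbody")
CLEAN = ("From: Pat Boss <pat.boss@example.com>\n"
         "Subject: Lunch?\n\nbody")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, analyze_headers(raw) or ["no findings"])
```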
Voice Phishing (Vhishing)
Vhishing is a combination of "voice" and "phishing." It is the telephone version of email phishing: a bad actor calls instead of emailing to steal confidential information. These calls often rely on fear and urgency to provoke quick, impulsive callbacks.
These social engineers often imitate figureheads you’ve never actually talked to or met, so as to be sure you wouldn’t recognize their voice!
You get a voicemail message saying your car insurance is about to expire! You have to call back right away to renew your coverage before you lose it and get penalized. In reality, this is not your real car insurance provider; it is a scammer trying to get your credit card information during a fake renewal call.
SMS Phishing (Smishing)
Bad actors don’t just leave deceptive voicemails; they are now also texting-savvy! Whether it’s a work phone or your personal device, they’re sending pointed SMS messages to phish.
These tricky phishing texts come in many forms. One is a spoofed number imitating Google verifying your device (image from KnowBe4). Another is your "phone provider" telling you that you're late on a payment and linking to a payment portal where you can avoid a late fee; the hacker then captures the login information or banking details you enter. There are several ways cybercriminals target your cell phone.
Watch out for COVID-19 related phishing emails, calls and SMS messages right now. Bad actors are shamelessly capitalizing on fear around the virus to send infected links, masquerading as vaccine sign-ups, stimulus check deposits and more!
2. Baiting
In order to catch a fish, a fisherman strings some bait on a hook before casting the line. That's exactly what bad actors do in their messages! They dangle some juicy bait in front of you, often in the form of a coupon, money, a special prize, etc.
Look out for those “Congrats, you won a gift card!” scams, like the screenshot we shared from KnowBe4. These could also be emails that look like bonus payouts at the end of the year coming from a boss’ spoofed address or even a message saying you received tracking for a package at work (when you weren’t expecting a delivery that day!).
DID YOU KNOW? When a bad actor weaves a false story or situation using real facts to build trust and credibility this is called “pretexting.” They are creating a fake narrative or pretext to get you to perform an action.
3. Quid Pro Quo
Whereas during a baiting attack the social engineer often offers an enticing deal or product, quid pro quo often involves a service offered in exchange for something. After all, it’s named quid pro quo because the phrase is literally Latin for “something for something.”
Oftentimes a social engineer will pose as someone from the IT department, calling a user about a fake problem (e.g. "we had a social engineering scam going around and are asking users to reset their passwords"). The bad actor offers a temporary solution: reset your credentials and set a temporary password like "1234" for now, then go in and change it to what you want later. With the person's username and new temporary password, the engineer logs into the account and resets it to something only they know, and has full access to the account seconds after the call.
4. Tailgating or Piggybacking
When you’re on the road and another car is riding close behind you, you call it tailgating. Social engineers use this same principle. They follow closely behind employees entering a building to gain access— oftentimes, specifically to a restricted, fob/code-accessible area.
A bad actor may dress up as a delivery person juggling many packages, or wear a fake badge and a fancy suit to look important. In the embedded video, you'll see that there are other social engineering techniques they can use too, like hiding a device that clones your key fob's access code to get into a corporate office or building.
See what bad actors are actually up to by reading about some of the biggest social engineering attacks: 5 of the Most Famous SE Attacks of the Last Decade and The Biggest Social Engineering Attacks in History.
Beyond Social Engineering Attacks
Social engineering is one of the top two techniques used to compromise corporations, but these attacks aren’t the only cyber threats out there.
Here are 5-½ truly impactful ways you can increase your digital security to get you started.