Social engineering attacks account for a massive portion of all cyber attacks, and studies show that these attacks are on the rise. According to KnowBe4, more than 90% of successful hacks and data breaches start with a common type of social engineering attack called phishing.
Social engineers are clever and use manipulative tactics to trick their victims into disclosing private or sensitive information. Once a social engineer has tricked their victim into providing this information, they can use it to further their attacks.
One of the best ways to keep yourself safe from a social engineering attack is to be able to identify them. Let's explore the six common types of social engineering attacks:
Phishing is a social engineering technique in which an attacker sends fraudulent emails, claiming to be from a reputable and trusted source. For example, a social engineer might send an email that appears to come from a customer success manager at your bank. They could claim to have important information about your account but require you to reply with your full name, birth date, social security number and account number first so that they can verify your identity. Ultimately, the person emailing is not a bank employee; it's a person trying to steal private data.
Phishing, in general, casts a wide net and tries to target as many individuals as possible. However, there are a few types of phishing that hone in on particular targets.
Spear phishing is a type of targeted email phishing. In a spear phishing attack, the social engineer will have done their research and set their sites on a particular user. By scouring through the target's public social media profiles and using Google to find information about them, the attacker can create a compelling, targeted attack. Imagine that an individual regularly posts on social media that she is a member of a particular gym. In that case, the attacker could create a spear phishing email that appears to come from her local gym. The victim is more likely to fall for the scam since she recognized her gym as the supposed sender.
Whaling is another targeted phishing scam. However, in whaling, rather than targeting an average user, social engineers focus on targeting higher-value targets like CEOs and CFOs. Whaling gets its name due to the targeting of the so-called "big fish" within a company.
2. Vishing and Smishing
While phishing is used to describe fraudulent email practices, similar manipulative techniques are practiced using other communication methods such as phone calls and text messages.
Vishing (short for voice phishing) occurs when a fraudster attempts to trick a victim into disclosing sensitive information or giving them access to the victim's computer over the telephone. One popular vishing scheme involves the attacker calling victims and pretending to be from the IRS. The caller often threatens or tries to scare the victim into giving them personal information or compensation. Vishing scams like the one often target older-individuals, but anyone can fall for a vishing scam if they are not adequately trained.
Smishing (short for SMS phishing) is similar to and incorporates the same techniques as email phishing and vishing, but it is done through SMS/text messaging.
See some real life examples of phishing scams by reading our blog Social Engineering Attack Examples.
Pretexting is a type of social engineering technique where the attacker creates a scenario where the victim feels compelled to comply under false pretenses. Typically, the attacker will impersonate someone in a powerful position to persuade the victim to follow their orders.
During this type of social engineering attack, a bad actor may impersonate police officers, higher-ups within the company, auditors, investigators or any other persona they believe will help them get the information they seek.
Baiting puts something enticing or curious in front of the victim to lure them into the social engineering trap. A baiting scheme could offer a free music download or gift card in an attempt to trick the user into providing credentials.
A social engineer may hand out free USB drives to users at a conference. The user may believe they are just getting a free storage device, but the attacker could have loaded it with remote access malware which infects the computer when plugged in.
5. Tailgating and Piggybacking
Tailgating is a simplistic social engineering attack used to gain physical access to access to an unauthorized location. Tailgating is achieved by closely following an authorized user into the area without being noticed by the authorized user. An attacker may tailgate another individual by quickly sticking their foot or another object into the door right before the door is completely shut and locked.
Piggybacking is exceptionally similar to tailgating. The main difference between the two is that, in a piggybacking scenario, the authorized user is aware and allows the other individual to "piggyback" off their credentials. An authorized user may feel compelled by kindness to hold a secure door open for a woman holding what appears to be heavy boxes or for a person claiming to be a new employee who has forgotten his access badge.
See how social engineers fooled big companies like Target, Twitter and more by reading The Top 5 Most Famous Social Engineering Attacks of the Last Decade.
6. Quid Pro Quo
Quid pro quo (Latin for 'something for something') is a type of social engineering tactic in which the attacker attempts a trade of service for information. A quid pro quo scenario could involve an attacker calling the main lines of companies pretending to be from the IT department, attempting to reach someone who was having a technical issue.
Once the attacker finds a user who requires technical assistance, they would say something along the lines of, "I can fix that for you. I'll just need your login credentials to continue." This is a simple and unsophisticated way of obtaining a user's credentials.
Cyber Threats Beyond Social Engineering
While social engineering is no doubt one of the biggest ways bad actors trick employees and managers alike into exposing private information, it's not the only way cyber criminals are exploiting companies small and large.
Know what threats you and your team are up against by downloading our 5-½ Steps to Avoid Cyber Threats ebook.