The Social Engineering Threat
A popular conception of cyberattacks is that they involve a hacker identifying and exploiting a vulnerability in an organization’s systems. This enables them to access sensitive data, plant malware, or take other malicious actions. While these types of attacks are frequent, a more common threat is social engineering. In general, it is easier to trick a person into taking a particular action — such as entering their login credentials into a phishing page — than it is to achieve the same objective through other means.
11 Types of Social Engineering Attacks
Cyber threat actors can use social engineering techniques in various ways to achieve their goals. Some examples of common social engineering attacks include the following:
- Phishing: Phishing involves sending messages designed to trick or coerce the target into performing some action. For example, phishing emails often include a link to a phishing webpage or an attachment that infects the user’s computer with malware. Spear phishing attacks are a type of phishing that targets an individual or small group.
- Business Email Compromise (BEC): In a BEC attack, the attacker masquerades as an executive within the organization. The attacker then instructs an employee to perform a wire transfer sending money to the attacker.
- Invoice Fraud: In some cases, cybercriminals may impersonate a vendor or supplier to steal money from the organization. The attacker sends over a fake invoice that, when paid, sends money to the attacker.
- Brand Impersonation: Brand impersonation is a common technique in social engineering attacks. For example, phishers may pretend to be from a major brand (DHL, LinkedIn, etc.) and trick the target into logging into their account on a phishing page, providing the attacker with the user’s credentials.
- Whaling: Whaling attacks are spear phishing attacks that target high-level employees within an organization. Executives and upper-level management have the power to authorize actions that benefit an attacker.
- Baiting: Baiting attacks use a free or desirable pretext to attract the interest of the target, prompting them to hand over login credentials or take other actions. For example, an attacker may tempt targets with free music or discounts on premium software.
- Vishing: Vishing, or “voice phishing,” is a form of social engineering that is performed over the phone. It uses tricks and techniques similar to phishing, but over a different medium.
- Smishing: Smishing is phishing performed over SMS text messages. With the growing use of smartphones and link-shortening services, smishing is becoming a more common threat.
- Pretexting: Pretexting involves the attacker creating a fake scenario in which it would be logical for the target to send money or hand over sensitive information to the attacker. For example, the attacker may claim to be a trusted party who needs information to verify the victim’s identity.
- Quid Pro Quo: In a quid pro quo attack, the attacker gives the target something – such as money or a service – in exchange for valuable information.
- Tailgating/Piggybacking: Tailgating and piggybacking are social engineering techniques used to gain access to secure areas. The social engineer follows someone through a door with or without their knowledge. For example, an employee may hold a door for someone struggling with a heavy package.
How to Prevent Social Engineering Attacks
Social engineering targets an organization’s employees rather than weaknesses in its systems. Some of the ways that an organization can protect against social engineering attacks include:
- Employee Education: Social engineering attacks are designed to trick the intended target. Training employees to identify and properly respond to common social engineering techniques helps to reduce the risk that they will fall for them.
- Least Privilege: Social engineering attacks usually target user credentials, which can be used in follow-on attacks. Restricting the access that users have limits the damage that can be done with these credentials.
- Separation of Duties: Responsibility for critical processes, such as wire transfers, should be divided between multiple parties. This ensures that no single employee can be tricked or coerced into performing these actions by an attacker.
- Anti-Phishing Solutions: Phishing is the most common form of social engineering. Anti-phishing solutions such as email scanning can help to identify and block malicious emails from reaching users’ inboxes.
- Multi-Factor Authentication (MFA): MFA makes it more difficult for an attacker to use credentials compromised by social engineering. In addition to a password, the attacker would also require access to the other MFA factor.
- Endpoint Security: Social engineering is commonly used to deliver malware to target systems. Endpoint security solutions can limit the negative impacts of a successful phishing attack by identifying and remediating malware infections.
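The BEC and brand impersonation attacks described above, and the email-scanning mitigation, can be illustrated with a small header check. This is an added example, not code from the original page or any product it mentions; the internal domain, executive list, brand-domain table and sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed policy data for this example (assumed; not from the original page).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}          # display name -> real mailbox
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "linkedin": {"linkedin.com"}}  # brand -> domains it really sends from

def _domain(addr: str) -> str:
    """Lowercased domain part of an address, or '' if the address is malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _owned_by(domain: str, owned: set) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one (e.g. mail.dhl.com)."""
    return any(domain == d or domain.endswith("." + d) for d in owned)

def classify_message(headers: dict) -> list:
    """Return the impersonation indicators found in one message's From/Reply-To headers."""
    name, addr = parseaddr(headers.get("From", ""))
    name_l = re.sub(r"\s+", " ", name).strip().lower()
    from_dom = _domain(addr)
    findings = []

    # BEC tell: display name of a known executive, but the mail does not originate from our domain.
    if name_l in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        findings.append("exec_display_name_external_sender")

    # Reply-To pointing at a domain other than From routes the victim's answer to the attacker.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append("reply_to_domain_mismatch")

    # Brand impersonation: brand named in the display name, sender domain not owned by that brand.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name_l) and not _owned_by(from_dom, domains):
            findings.append(f"brand_impersonation:{brand}")

    return findings

# Constructed sample messages (only the headers the check needs).
SAMPLE_MESSAGES = [
    {"id": "legit-exec", "From": "Jane Doe <jane.doe@example.com>"},
    {"id": "bec", "From": "Jane Doe <jane.doe.ceo@example.net>", "Reply-To": "urgent-wire@example.org"},
    {"id": "brand", "From": "DHL Express <tracking@dhl-parcel-update.example>"},
    {"id": "legit-brand", "From": "DHL Express <noreply@mail.dhl.com>"},
]

def scan(messages: list) -> dict:
    """Map each message id to its list of findings; an empty list means nothing suspicious."""
    return {m["id"]: classify_message(m) for m in messages}
```

Findings like these are signals for quarantine or a visible "external sender" banner rather than proof of fraud, which is why the check is paired with separation of duties for the wire transfer itself.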