Cyber-criminals have no shortage of tricks up their sleeves to part us with our valuables, with social engineering attacks topping that list of tricks time and time again.
Social engineering attacks come in many forms, and the statistics indicate that fooling people is a highly effective and lucrative business: 75% of companies worldwide fell victim to phishing in 2020, and the aftermath of a successful phishing attack included lost data for 60% of those companies, compromised credentials for 52%, and malware infections for 29%. Around 18% of phishing victims suffered a direct financial loss.
The psychological manipulation a cybercriminal uses to trick a target into disclosing sensitive information or granting access to restricted systems, corporate networks, or secure areas is what we call a “social engineering attack”, and successful attacks often result in significant, even devastating, losses.
Social engineering is a common problem in the online world, with cybercriminals using social engineering tactics in an estimated 98% of their scams. And when estimates put the total financial loss from cybercrime at $10.5 trillion by 2025, this is not a threat that organizations can afford to ignore.
What Is Social Engineering?
The term social engineering refers to a variety of tactics used by cybercriminals in an attempt to gain access to sensitive data or other valuables.
Social engineering doesn’t require attackers to exploit software vulnerabilities or hack systems with advanced malware. Instead, scams based on social engineering are built around the ways in which people think and act.
In fact, social engineering techniques often exploit human error—earning them the nickname “human hacking”—and work by manipulating users into unknowingly spreading malware, exposing data, or granting access to restricted systems.
Social engineering attacks aim to manipulate a user’s behavior—often by impersonating trusted sources and exploiting their victim’s trust in certain individuals or entities. As soon as the attacker understands their target’s motivations and who they expect to interact with, they can more effectively deceive and manipulate them.
As well as exploiting users’ trust, habits, and expectations, attackers will often exploit a user’s lack of knowledge. New cyber threats are constantly being developed, and the majority of users cannot be expected to keep up with them. Many users are also unaware of the value of their personal data or of the full extent to which that data can be used against them.
For instance, users understand why their banking information and personal address should not be shared, as that information gives others access to their money and proximity to them and their families. However, they may not feel the need to protect information like the names of their pets or details of their day-to-day work activities, even though this information can be used to guess their credentials or to target them with phishing attacks.
How Do Social Engineering Attacks Work?
Typically, social engineering attackers set out with one of two goals:
- Sabotage: To cause disruption to regular business processes or to corrupt data, causing harm or inconvenience.
- Theft: To obtain valuables such as sensitive information, money, or access.
Social engineering attacks hinge on the communication between attackers and their victims. Unlike brute-force methods, where an attacker relentlessly tries different combinations until they guess the victim’s password, social engineering attacks push users into situations where they compromise themselves.
In many cases, attackers will carry out extensive research on their targets to do so, especially if the target is a particularly valuable one.
A social engineering attack will generally follow these steps:
- Prepare for the attack by collecting information on the target—also known as profiling.
- Infiltrate the organization by establishing contact with a user and building trust.
- Exploit that trust and advance the attack by having the user grant access, hand over data, click a malicious link, or visit a dodgy website.
- Disengage once the user has taken the desired action.
These attacks can take place in a single email or can span several months, with back-and-forth communication and a slow building of trust. They can even include face-to-face interactions. Ultimately, these attacks lead to users performing a particular action, such as sharing data or exposing themselves to malware, that the attacker can take advantage of.
The Most Common Social Engineering Attacks
Here are some of the most common social engineering tactics used in cyberattacks today.
1) Phishing
Phishing attacks top the list of the most common social engineering attacks.
These involve a threat actor contacting a targeted company or individual, typically by email. Once a line of communication has been established, the malicious actor will attempt to instill a sense of urgency or fear in the recipient, typically by posing as a figure of authority and presenting a concocted narrative in which something terrible will happen if the requested action is not carried out quickly. The hope is that this pressure will get users to do things that, had they taken the time to think it over, they would have thought better of doing, like revealing personal data or financial information, clicking links to malicious websites, and opening malware-laden attachments.
When people think of phishing attacks, they often think of the more outlandish examples first, like attackers who claim to be a stranded Nigerian prince. But the truth is, most phishing attacks are more subtle than that, and are designed not to raise suspicion—with attackers posing as retailers, service providers, upper-level employees, or government agencies.
What’s more, phishing attacks only grow more prevalent as time goes on: 83% of respondents said their organizations experienced a successful email-based phishing attack in 2021, a significant increase from 57% in 2020.
Other Types Of Phishing Attacks
Alongside standard email-based phishing, there are several variants of these attacks that follow the same formula of manipulation with some differences in approach. These include:
Vishing – Essentially the same as phishing, except that these attacks are carried out over the phone. The calls or voice messages claim to be from trusted, reputable companies and induce individuals into revealing personal information like passwords and credit card numbers.
Smishing – Essentially the same thing as phishing and vishing, but attacks are carried out via text messages. These text messages claim to be from reputable companies and similarly exploit existing brand trust to gain access to valuable information.
Spear Phishing – Instead of casting a wide net, as with a standard phishing attack, a spear-phishing attack involves seeking out specific high-value victims and organizations. This method requires more time invested in research on behavioral habits, personal characteristics, and general contacts, but also has the potential to be high reward.
Whaling – Phishing attacks specifically and meticulously targeted at the top executives of an enterprise. Whaling also requires a lot of research, as attackers need to be familiar with who their intended victim communicates with and what their day-to-day entails; these targets know they are high value and will likely be on high alert.
2) Pretexting
Pretexting is a social engineering attack in which an attacker stages a scenario, or “pretext”, designed to lure the victim into disclosing valuable information they otherwise would not part with. This information may be credit card details, passwords and logins, personally identifiable information, confidential data, access to the company network, or anything else that attackers could use to their advantage. As the name indicates, this scam is characterized by the fabricated scenario or lie, i.e., the pretext.
During these attacks, fraudsters will often impersonate someone with authority, such as a bank, a tax official, an insurance investigator, law enforcement, or a more senior colleague of the victim, to quickly establish trust and intimidate victims into parting with valuable information.
Attackers will take on a specific character and act out a cultivated plot, or ploy, that plays on the victim’s existing trust in a presumed figure or authority and fosters further trust. The pretexting attack heavily relies on the attacker’s ability to build and maintain trust throughout all interactions and is considered a success when the victim fully falls for the ruse and takes action.
The most advanced forms of pretexting attacks attempt to manipulate victims into performing an action that enables the attacker to discover and exploit a point of failure within the organization.
3) Baiting
Baiting is a social engineering attack in which an attacker lures the victim into revealing personal information or installing malware on their system under false promises. These false promises may take the form of online promotions and enticing ads that offer free downloads of things like music and movies, or free phone upgrades.
It is the promise of an item or good that defines this form of social engineering attack. Baiters dangle “free goods” in front of their targets to encourage them to hand over login credentials. And, since password reuse is so rampant (a Google survey of 3,000 consumers found that 52% of respondents use the same password across multiple, sometimes all, accounts), attackers are banking on their victims re-using an existing password to claim the “offer”, potentially giving the attacker access to their other accounts or allowing them to sell those credentials on the dark web.
These attacks can also be carried out in person, often in the form of a malware-laden flash drive left out for the intended victim to find. Victims will often unthinkingly plug the drive in to find out what is on it and who it belongs to. Modern operating systems no longer auto-run programs from removable media, so the malware typically runs when the victim opens a planted document or shortcut; a device that only looks like a flash drive but presents itself as a keyboard can inject commands as soon as it is plugged in.
4) Quid Pro Quo
Quid pro quo attacks are a variant of baiting, but instead of baiting the victim with the promise of an enticing good, this social engineering attack promises a service or benefit in return for a certain action. The attacker trades the promised service for information or access, so the bait is a service rather than a physical item.
A common form of quid pro quo attack is a hacker impersonating an IT team member at a large organization. These attacks are more often carried out by low-level attackers who lack advanced tools or the means to conduct extensive research into their targets.
To carry out the attack, the bad actor will cast a wide net and reach out to random targets claiming to be a member of their IT team—which a lot of people will believe as many organizations have several IT team members and employees may not be familiar with all of them. Attackers then give instructions to victims, perhaps telling them to disable their anti-virus software for a short time to install a bogus upgrade or software update.
Employees believe they are following the advice of a knowledgeable IT team member, and attackers exploit that trust to access their machines and install malware. These attacks typically target larger enterprises, as staff at small and medium-sized businesses are more likely to know all of the IT team members by name.
5) Tailgating
Tailgating, also referred to as piggybacking, is an in-person social engineering attack in which an attacker attempts to gain access to a secure physical facility or restricted area. These attacks involve an unauthenticated individual following an authenticated employee into a restricted area and gaining access to valuables that should be kept secure.
To carry out these attacks, a threat actor will typically impersonate someone like a delivery driver and wait for an employee to head towards a restricted section. The actor will then follow behind or ask them to hold the door open, thereby bypassing whatever security measures are in place (like electronic access control) to protect confidential information and sensitive data.
These attacks rely on the inherent trust and benefit of the doubt people have for those they encounter, as well as the discomfort many people would feel asking a stranger for identification.
6) Diversion Theft
Diversion theft is a common social engineering tactic where an attacker aims to either steal goods and sensitive information or deliver fake or ineffective goods.
This type of attack originates offline, with attackers persuading couriers to pick up or drop off a package at the wrong location, deliver the wrong package, or take the package to the incorrect recipient. But, as with many money-making scams, this technique has been adapted for the online world.
Online diversion theft is more targeted and efficient, with scammers using social engineering to access information about items you have ordered online (information like what specific items you have bought, the date of delivery for those items, and the address they are being sent to). They then use that information to pose as the delivery person to supply fake items, then steal the real parcels.
Say you buy a laptop and fall victim to this type of scam: an attacker could end up with the new laptop and deliver a malware-infected one to you, allowing them to carry out further attacks.
Tips For Preventing A Social Engineering Attack
Hackers know that it is a lot easier to fool people than to forcibly break into a secured computer system, which is why more than 70% of all data breaches involve a social engineering attack.
But there are steps that you can take to foster a positive security culture and reduce your likelihood of becoming a part of this scary statistic. Some of these steps include:
- Keep your guard up. This means being wary of any emails, instant messages, and phone calls that come your way, whether they claim to be from a reliable contact or not. Social engineers will often impersonate institutions that command respect, like financial institutions, credit card companies, government agencies, or other similarly trustworthy entities. Look for the little clues that a communication might be unreliable, like spelling errors, suspicious web addresses, a wrong location, and a cultivated sense of urgency. Check the actual sender address rather than the display name, and hover over links to see where they really point before clicking.
- Verify, verify, verify. Nothing is 100% credible until you can back it up, so before you believe that the email urgently asking for gift cards really is from your boss, take a minute to confirm that the communication is genuine. Do this through a channel you already trust, such as calling a known phone number or walking over to their desk, rather than by replying to the message or calling a number it provides. Scammers are well versed in taking advantage of our existing relationships and established trust.
- Stay educated. Knowledge is power, and in the case of social engineering attacks, security awareness is one of your most powerful defenses. Familiarize yourself and your organization with the most current social engineering attacks, so that they will have less power to trick you. A good Security Awareness Training solution can help with this.
To find the right solution, take a look at our guide: The Top 10 Security Awareness Training Solutions.
- Invest in anti-virus software. Legitimate antivirus solutions that are kept regularly updated can be extremely helpful, warning users about dangerous files they receive or seemingly legitimate websites they are directed to. Bear in mind that antivirus does nothing against a phishing page that simply asks for a password, so it complements security awareness rather than replacing it.
Take a look at our guide: The Top 10 Antivirus Software For Small Businesses.
- Employ multi-factor authentication. Multi-factor authentication (MFA) is the practice of requiring users to verify their identity in two or more ways before they are granted access to a particular system. This is generally good cyber security advice, as a phished password alone is then not enough to log in. Note that one-time codes and push prompts can still be relayed or talked out of a victim in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where possible.
Take a look at our guide: The Top 11 Multi-Factor Authentication (MFA) Solutions For Business.
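The “little clues” above can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article: it parses one raw email with the Python standard library and flags a display name that claims a trusted brand while the address does not match, a Reply-To that diverts answers elsewhere, urgency language, lookalike domains (including the “trusted.com.attacker.net” subdomain trick), and links whose visible text shows one site while the href points to another. The trusted domain and both sample messages are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank-example.com"}  # assumption: the brand this user actually deals with
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _squash(s):
    """Lower-case and drop punctuation so 'Bank-Example' and 'bank example' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the sample domains used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_trusted(host, trusted=TRUSTED_DOMAINS):
    """True when an untrusted host resembles a trusted brand: catches both the
    digit-for-letter swap ('bank-examp1e.com') and the brand used as a subdomain
    ('bank-example.com.secure-login-example.net')."""
    if not host or registrable_domain(host) in trusted:
        return False
    normalized = _squash(host).replace("1", "l").replace("0", "o")
    return any(_squash(t.split(".")[0]) in normalized for t in trusted)


def triage(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for one raw RFC 5322 message; [] means no clues found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    warnings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_host = sender.split("@")[-1] if "@" in sender else ""
    sender_domain = registrable_domain(sender_host) if sender_host else ""
    if sender_domain and sender_domain not in trusted:
        warnings.append(f"sender domain {sender_domain!r} is not a known domain")
        if looks_like_trusted(sender_host, trusted):
            warnings.append(f"sender domain {sender_domain!r} imitates a trusted domain")
        if any(_squash(t.split(".")[0]) in _squash(display_name) for t in trusted):
            warnings.append(f"display name {display_name!r} claims a brand that {sender!r} does not match")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if "@" in reply_to and registrable_domain(reply_to.split("@")[-1]) != sender_domain:
        warnings.append(f"Reply-To {reply_to!r} diverts replies to a different domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hit = next((w for w in URGENCY_WORDS if w in text.lower()), None)
    if hit:
        warnings.append(f"urgency language: {hit!r}")

    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(text)
        for href, shown in extractor.links:
            host = urlparse(href).hostname or ""
            if looks_like_trusted(host, trusted):
                warnings.append(f"link to lookalike domain {host!r}")
            # Only compare when the visible link text itself looks like a URL or domain.
            m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
            if m and registrable_domain(m.group(1)) != registrable_domain(host):
                warnings.append(f"link text shows {m.group(1)!r} but points to {host!r}")
    return warnings


# Constructed sample messages (not real traffic).
LEGITIMATE = b"""From: Bank Example <alerts@bank-example.com>
To: user@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>Your monthly statement is ready. <a href="https://bank-example.com/statements">View statements</a></p>
"""

PHISH = b"""From: Bank Example Security <alerts@bank-examp1e.com>
Reply-To: support@mail-relay-example.net
To: user@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you
<a href="https://bank-example.com.secure-login-example.net/verify">https://bank-example.com/verify</a>
now.</p>
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("phish", PHISH)):
        print(label, "->", triage(raw) or ["no clues found"])
```

Run it and the legitimate statement produces no warnings, while the phish trips every check. The lookalike test is deliberately loose (a substring match after folding digits to letters), so in practice you would feed its output to a human or a mail-filter score rather than block on it outright; the point is that the same clues an alert user looks for can be checked consistently for every message.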
Social engineers prey on human error and users’ inherent trust in people, businesses, and institutions to gain access to their victim’s computer, redirect them to a malicious site, install malicious software, or gather confidential information.
Social engineering attacks are many and varied, and all but impossible to avoid entirely. This is why it is good practice to familiarize your organization with the most common social engineering attacks and to understand what you are up against. Then you can take the right steps to improve protection for yourself and your employees.