12 April 2022
Social engineering attacks are having a damaging Impact on enterprise organisations worldwide.
But what is social engineering?
Social Engineering is an act of manipulating people to give out confidential or sensitive information. This can be done by telephone, email, or face-to-face contact. It is one of the oldest methods used for gathering information and is still commonly used today by cybercriminals, both internally and externally. Social engineering is often used with spam and phishing attacks as an entry point to getting into your organisation.
Social Engineering Attacks: Types
1. Phishing: Phishing is a method of obtaining passwords, account details, or credit card details by impersonating as a trustworthy entity, via email. The word 'phish' is a homophone of 'fish' and was chosen because the method involves tricking the victim into gathering information just as a fishing lure imitates the motion of swimming creatures.
Phishing emails often come in the form of carefully crafted, custom-made emails looking like they have come from either a legitimate company, often through your supply chain, and IT person, or from a high ranking official in your organisation, such as the CEO. This email can often inform your employees that their account has been compromised or needs to update their information, or that the ‘CEO’ is really happy with your current performance. Instead, however, many victims are taken to a fraudulent website and/or an attack site where their details are collected once they click on the link.
2. Vishing: Vishing is short for voice phishing, which is phone phishing using the VoIP system. The attack vector for this type of social engineering is the same as phishing, but here it's done over the phone. An attacker makes a spoofed VoIP call to the target and presents himself as an organisation the victim would trust.
3. Spear Phishing: Spear phishing is similar to phishing attacks, but with one notable difference. Attackers will often use spear-phishing to get around firewalls and other security measures since the email comes from someone in the company's domain.
4. Credential Dumping: Credential dumping is when attackers gather login information or database credentials from compromised systems, servers, or websites. The attackers can then use this information to access other, potentially more secure systems.
5. Baiting: When attackers leave USB thumb drives or CDs containing malicious software in an area where they know employees will be near the office printer. They hope that someone will take one of these devices home and plug it into their personal computer, which can be compromised.
6. Smishing: Smishing is a combination of phishing and SMS messaging, sending texts with links to users, tricking them into clicking on the links, and giving up their personal information because they think it comes from someone trustworthy — like a bank or service provider.
7. Spear Phishing via Social Networks: This type of phishing uses social networking services to spread malware, steal users' personal information and gain access to their accounts. Attackers will often try to get people from the same organization or network group to add them as friends, increasing their trustworthiness.
8. Water holing: In this type of attack, a malicious hacker will leave a place or device open, so other attackers can come along and take advantage of it. For example, a malicious hacker could leave a computer with security weaknesses open to the public, hoping that another hacker will exploit those vulnerabilities.
9. Social Engineering for Mobile Platforms: An attacker will access a user's smartphone by asking for sensitive information in this social engineering attack. A scammer might text you, requesting your login credentials or credit card information so that "they can update billing details." Once you do this, they will have access to potentially all of your personal information.
10. Scareware: Scareware is when an attacker tries to trick you into thinking your computer or mobile device has a virus installed. They do this by installing fake anti-virus software that pops up on the screen and falsely claims there are threats present, forcing the users to pay for the bogus program to remove them. The attackers can then use your credit card information to make unauthorized purchases.
11. Tailgating and Piggybacking: This is when an attacker uses someone else to gain entry into a restricted area, like following employees through the door because they know it's being held open for someone. It can also be used by attackers who hope to use your corporate credentials without you noticing or realizing their intentions.
12. Quid Pro Quo: This is when an attacker offers to do something for you in return for your cooperation or silence about their illicit actions. For example, attackers can use Quid Pro Quo by offering to upgrade your computer system if you allow the malicious hacker temporary access to it.
13. Whaling: Whaling is a specific type of phishing attack that targets high-ranking employees, such as C-level executives. Attackers will monitor social media and email for details on the organization's leadership and send targeted messages to those individuals with links or attachments which could compromise their security.
14. Brute Forcing: Also known as "password cracking," brute-forcing is when an attacker uses a program that rapidly guesses passwords to access a user's account or system.
15. Pharming: This type of attack involves hackers modifying DNS records for legitimate websites, like your bank and online shopping sites, so that users are sent to fake (and often malicious) versions of those pages when they try to access the real thing. This way, when you enter your username and password or credit card information into a fake website that looks exactly like the original, the hackers will have access to it instead of a company's IT administrator.
16. Tapping: A malicious hacker might tap into a telephone wire to listen to conversations or steal information from a computer network.
Tips To Prevent Social Engineering Attacks:
Avoid opening attachments from unknown sources. Even if the email comes from someone you trust or know, be cautious as hackers can now spoof these addresses.
If a website looks suspicious or does not feel legitimate, avoid entering your personal or financial information there and contact your IT administrator for further details on the site.
Do not give out any personal information over the phone unless you initiated contact with a reputable company. It is best to follow up with them through an official source like their website.
Use two-factor authentication when signing into websites or apps so that if your password is compromised, attackers cannot access your account without having physical access to your smartphone or another device that doubles as the "key" to your account.
Don’t become a victim:
Unfortunately, many users and organisations are often the targets of social engineering attacks, and most people do not know what they look like or how to defend against them.
For more information on how to protect your organisation from social engineering and cyber attacks, get in contact with us today to learn more.
Askaris are the cyber security specialists providing customers with the complete suite of cyber security solutions and services.
Almost 19% of phishing emails bypass Microsoft Defender
Top 5 Attack Vectors to Look Out For in 2022
Askaris and Custodian360 Unite in New Partnership
Cybersecurity for Small Businesses
Hackers are now hiding malware in Windows Event Logs
Enterprise Organisations Are Falling Victim to Social Engineering
Check Point 2022 Security Overview
What happens to your data once you have been breached?
What Is Data Loss Prevention?
Cyber Security and The Common Types of Cyber Threats
The Role of Cybersecurity In The Education Sector
Cyber security alone, is no longer enough: businesses need cyber resilience
Cyber security challenges in 2022
Remove spyware from your computer: Askaris helping users become safer online