Common Types of Social Engineering Attacks
The majority of people are quite familiar with the type of hacker who uses their technological abilities and expertise to compromise secure data by infiltrating protected computer systems. This type of hacker is most likely to appear in the news and be part of high-profile security breaches, and they’re also the ‘hacker’ persona most often used in popular television shows and movies – think ‘computer nerd’ furiously typing as neon green code appears on a black background. Since we hear about this type of hacker all of the time, it’s no surprise that we’re more motivated to work towards preventing their attacks and countering their exploits through the use of antivirus software, firewalls and so on.
But, what about the other type of hacker that rarely gets discussed? These hackers, known as social engineers, use their tactics to compromise company and individual accounts by tricking people into willingly offering them access to sensitive information such as bank details or login credentials. Social engineers know that the one weakness that is found in each and every organisation is nothing other than human psychology, and exploit this in order to get what they want.
Social engineering is more common than most people think, and covers a broad range of malicious activity. Read on to discover more about the five most common tactics that social engineers use to target their victims, how to recognise this type of activity, and how to best prevent it from happening to you, your employees and your company.
Phishing
Phishing scams are perhaps the most commonly experienced type of social engineering attack. Phishing scams take many forms, but the main goal is always to obtain sensitive information from users, such as login credentials or financial data.
So, how do phishing scams work? For the most part, they are done via email or other popular web communications. The targeted user will receive an email which appears to be from a trusted entity, such as their bank or an auction site that they visit frequently. This email will often use official logos and include URLs that use link shortening to trick the user into believing that they are being redirected to a legitimate site. Once the user ‘takes the bait’ by clicking on this link, they will be asked to enter sensitive information, for example their banking login credentials or another username and password. In some cases, they may even be asked to enter sensitive financial information, such as credit card details, which is then passed on to the social engineer, who uses it to exploit the user by stealing their identity and using their accounts for their own financial gain.
In some cases, a phishing email will contain spelling or grammatical errors which will give it away. Others look completely legitimate – however, it’s important to note that most legitimate companies will never send an email which requests sensitive information from a user. If you receive an email which includes a link, it’s always important to ensure that the website it leads to is secure – check for ‘https’ rather than ‘http’ and look out for the padlock icon in the browser bar.
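As an added, defender-side example (not part of the original article), the checks this paragraph describes written as a small Python scanner over a constructed sample email body: it flags links that are not https, links that go through well-known shorteners, anchor text that shows one URL while the href points to another, and a trusted brand name embedded in a look-alike host. The shortener list and the trusted domain are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of the phishing
# messages described above (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p><a href="http://bit.ly/3xAmPle">https://www.examplebank.com/login</a></p>
<p><a href="https://examplebank.com.verify-account.example/reset">Reset password</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""

# Well-known URL shorteners (assumed list; extend it for your environment).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Domains the organisation genuinely sends mail for (assumed).
TRUSTED_DOMAINS = {"examplebank.com"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude last-two-labels approximation (no public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html):
    """Return one finding per <a> tag with a list of reasons to distrust it."""
    findings = []
    for href, text in LINK_RE.findall(html):
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if host in SHORTENERS:
            reasons.append("link shortener")
        # Anchor text that looks like a URL but points somewhere else.
        m = re.match(r"https?://([^/\s]+)", text.strip(), re.I)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append("display URL differs from target")
        # Trusted brand appearing inside an unrelated registrable domain.
        if registrable_domain(host) not in TRUSTED_DOMAINS and any(
            t in host for t in TRUSTED_DOMAINS
        ):
            reasons.append("trusted brand used in look-alike host")
        findings.append({"href": href, "host": host, "reasons": reasons})
    return findings
```

An https link only shows that the connection is encrypted, not that the site is the one it claims to be, so treat these as indicators that warrant a closer look rather than proof either way.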
Pretexting
Pretexting is another common form of social engineering which attackers use to try and steal their victim’s personal information by relying on a good pretext: a completely made up yet believable story. These attacks mostly come in the form of an attacker who claims to need certain additional bits of information from their victims in order to ‘confirm their identity’ or something along those lines.
More advanced pretexting attacks will often try to manipulate their targets into carrying out an action which subsequently allows the attacker to exploit certain weaknesses of a company or organisation. For example, an attacker could impersonate an external IT auditor, manipulating the company’s security staff into letting them into the building, where they have access to all sorts of sensitive information.
Unlike phishing emails which use a false sense of urgency to coerce information from a target, pretexting is done by building up a false sense of trust with the victim. In order for the attacker to be successful, they must build up a credible story which their target has no reason to question or disbelieve. Pretexting attacks are used in order to gain both sensitive and non-sensitive information.
Baiting
Baiting attacks are, in many ways, similar to phishing emails. However, what sets them apart as a social engineering attack in their own right is the promise of an item or service which attackers use to entice users into handing over sensitive information. An example of this would be a baiting attack which promises free music downloads to users who provide their credit card details, or who unwittingly provide the attackers with their login details.
Like phishing emails, baiting attacks usually give nothing away, leaving users with absolutely no reason to believe that they are not legitimate. Baiting attacks are not always restricted to online attacks, either; some attackers focus on exploiting human curiosity by using physical media. An example of such an attack was carried out in 2006 by Secure Network Technologies, Inc. To assess the security of a financial client, they dispersed USB drives infected with a Trojan around the parking lot of the company, where employees picked them up and inserted them into their PCs to discover what was on them. This activated a keylogger, giving away a number of employees’ login credentials.
Quid Pro Quo
Similar in fashion to baiting attacks, quid pro quo attacks will offer a reward in return for sensitive information. Unlike baiting where the reward frequently takes the form of a good, quid pro quo attacks use the promise of a service in order to entice information from its targets.
One of the most common types of quid pro quo attacks takes the form of fraudsters who impersonate IT professionals and spam call as many numbers belonging to a company that they can find. These attackers will then offer IT assistance to each victim, promising a quick fix and impressive solutions in exchange for the victim disabling their antivirus software and installing malware on their computers which is disguised as software updates.
However, it’s important to note that some successful quid pro quo attacks can be much less sophisticated. Some real-world examples have shown that manipulative attackers have actually managed to get company employees to give up their login details for much less, such as a free lunch or even a branded pen.
Tailgating or Piggybacking
Another common form of social engineering attack is known as ‘piggybacking’ or ‘tailgating’. These attacks are usually carried out offline; however, they can lead to online attacks in future. Tailgating or piggybacking attacks often involve an unauthorised person who follows an authorised employee into a restricted area, where they can then access sensitive information.
For example, a common type of piggybacking attack involves an attacker who impersonates a delivery driver, waiting outside a building until an employee gains security approval and opens a restricted door. The attacker will then ask the employee to let them through by holding the door, therefore gaining access to restricted areas from somebody who is authorised to enter.
Once inside the area, the attacker may be able to gain access to sensitive information about employees, protected information about the company, and even login credentials which have been left by employees – one of the most common reasons for security breaches is employees writing their login details down and leaving them at their desks.
It’s important to note that tailgating is a type of attack that doesn’t work against all organisations, with some being at less risk than others. For example, if you own or work in a large-scale organisation which requires employees to swipe a security card upon entry, attackers may not be able to gain access at all. However, mid- and small-size companies are often at a higher level of risk, with attackers able to build relationships with employees and use the familiarity gained to get past the front desk.
Avoiding Social Engineering Attacks
Hackers who use social engineering to gain access to sensitive data and exploit companies and individuals will prey on human curiosity and psychology in order to compromise their targets’ information. Since these attacks tend to have a very human-centric focus, it’s up to employers, employees and individuals to counter these types of attacks which can often easily get past the strongest of antivirus software and firewalls.
You can never be too vigilant when protecting yourself and your company against social engineering attacks. Never give strangers the benefit of the doubt, always lock devices such as laptops, tablets and smartphones, and never open any emails from untrusted sources. Remember that if something looks suspicious or ‘off’, it most likely will be. Not giving into your own curiosity and taking the time to examine emails, websites or random telephone calls could save you from a nasty social engineering attack.