What is Social Engineering? 4 Types of Attacks

  • 13 August 2020

You may have heard of social engineering, but do you know what it is?

  • What is social engineering?

    Social engineering is the act of tricking someone into handing over information (bank details, PII, etc.) or carrying out a desired action by taking advantage of the victim’s natural emotional responses and reactions. While these attacks occur most frequently over email, they can be delivered by text message (smishing) and phone call (vishing).

Social engineering basics

The key difference between social engineering attacks and brute force attacks is the techniques that hackers employ. Instead of trying to exploit weaknesses in security software, a social engineer will use coercive language, a sense of urgency, and even details about the person’s personal or work life to influence the target to hand over information or access to other accounts or systems. 

How does social engineering work?

There is no set (or foolproof) ‘method’ that cybercriminals use to carry out social engineering attacks. But, the goal is generally the same: they want to take advantage of people in order to obtain personal information or get access to other systems or accounts. Why? Personal data and intellectual property are incredibly valuable. 

While you can read more about the “types” of data that are compromised in this blog: Phishing Statistics 2020, you can learn more about the different types of social engineering attacks below. 

Types of social engineering attacks

When we say “social engineering”, we’re talking about the exploitation of human psychology. But, hackers can trick people in a few different ways and are always working hard to evade security solutions. 

Phishing and spear phishing scams

Phishing is one of the most common types of social engineering attacks and is generally delivered via email.  But, more and more often, we’re seeing attacks delivered via SMS, phone, and even social media. 

Here are three hallmarks of phishing attacks:

  • An attempt to obtain personal information such as names, dates of birth, addresses, passwords, etc. 
  • Wording that evokes fear, a sense of urgency, or makes threats in an attempt to persuade the recipient to respond quickly.
  • The use of shortened or misleading domains, links, buttons, or attachments.

Spear phishing attacks are similar, but are much more targeted. Whereas phishing attacks are sent in bulk, spear phishing attacks are sent to a single person or small group of people and require a lot more forethought. For example, hackers will research targets on LinkedIn to find out who they work with and who they report to. This way, they can craft a more believable email.

Want to learn more? We’ve covered phishing and spear phishing in more detail in these blogs:

How to Identify and Prevent Phishing Attacks

How to Catch a Phish: A Closer Look at Email Impersonation

Phishing vs. Spear Phishing: Differences and Defense Strategies 

COVID-19: Real-Life Examples of Opportunistic Phishing Emails

Pretexting 

While pretexting and phishing are categorized separately, they actually go hand-in-hand. In fact, pretexting is a tactic used in many phishing, spear phishing, vishing, and smishing attacks

Here’s how it works: hackers create a strong, fabricated rapport with the victim. After establishing legitimacy and building trust, the hacker will either blatantly ask for or trick the victim into handing over personal information.  

While there is an infinite number of examples we could give, ranging from BEC scams to CEO Fraud, we’ll use a consumer-focused example.

Imagine you receive a call from someone who says they work at your bank. The person on the other end of the phone (the scammer) tells you they’ve seen unusual transactions on your account and that, in order to review the transactions and pause activity, you need to confirm your full name, address, and credit or debit card number. If you do share the information, the scammer will have everything they need to access your bank account and even carry out secondary attacks with the information they’ve learned.

Together with phishing, pretexting represents 98% of social engineering incidents and 93% of breaches according to Verizon’s 2018 Data Breach Incident Report

Physical and virtual baiting

Like all other types of social engineering, baiting takes advantage of human nature. In particular: curiosity. Scammers will lure the target in (examples below) before stealing their personal data, usually by infecting their computer with some type of malware.

The most common type of baiting attack involves the use of physical media – like a USB drive – to disperse malware. These malware-infected USB drives are left in conspicuous areas (like a bathroom, for example) where they are likely to be seen by potential victims. To really drive interest, hackers will sometimes even label the device with curious notes like “confidential” or logos from the target’s organization to make it seem more legitimate. 

In an effort to identify who the owner of the USB (or simply because they can’t help themselves) employees often plug the USB be into their computer. Harmless, right? Unfortunately not. Once inserted, the USB deploys malware. 

Baiting doesn’t necessarily have to take place in the physical world, though. After the outbreak of COVID-19, several new bait sites were set up. These sites feature fraudulent offers for special COVID-19 discounts, lure people into signing up for free testing, or claim to sell face masks and hand sanitizer. 

Whaling attack

‘Whaling’ is a more sophisticated evolution of the phishing attack. In these attacks, hackers use very refined social engineering techniques to steal confidential information, trade secrets, personal data, and access credentials to restricted services, resources, or anything with economic or commercial value. 

While this sounds similar to phishing and spear phishing, it’s different. How? Whaling tends to target business managers and executives (the ‘bigger fish’) who are likely to have access to higher-level data. 

But, it’s not just their access to data. 

Whaling is also seen as an effective attack vector because senior leaders themselves are perceived to be “easy targets”. Leaders tend to be extremely busy, too, and are therefore more likely to make mistakes and fall for scams. 

Perhaps that’s why senior executives are 12x more likely to be the target of social engineering attacks compared to other employees.

How to defend against social engineering attacks

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing and other types of social engineering attacks. And, when you consider the cost of the average breach ($3.92 million) it’s absolutely essential that IT and security teams do everything they can to protect their employees. Here’s how:

1. Put strict policies in place

The best place to start is by ensuring that you’ve got strong policies in place that govern the use of company IT systems, including work phones, email accounts, and cloud storage. 

For example, you could ban the use of IT systems for personal reasons like accessing personal email accounts, social media, and non-work-related websites. You can learn more about why accessing personal email accounts and social media on work devices is dangerous on this blog: Remote Worker’s Guide to: Preventing Data Loss

2. Educate your workforce

Awareness training is key to help employees understand social engineering risks, learn how to spot these types of attacks, and what to do if and when they are targeted. 

In addition to quarterly training sessions either online or in-person, organizations can also invest in phishing simulations. This way, employees get some “real-world” experience, without the risk of compromising data.

But, it’s important to note that training alone isn’t enough. We explore this in detail in this blog: Pros and Cons of Phishing Awareness Training

3. Filter inbound emails

90% of all data breaches begin with email. It’s one of the most common attack vectors used by hackers for social engineering purposes, and more. 

But, with the right threat management tools, IT and security teams can mitigate the risk associated with social engineering attacks by monitoring and filtering inbound emails. 

It’s important that solutions don’t impede employee productivity, though. For example, if a solution issues false positives, employees may become desensitized to warnings and end up ignoring them instead of heeding the advice. 

Tessian protects employees from inbound email threats without getting in the way.

How does Tessian detect and prevent social engineering?

Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks.

Best of all, it does all of this silently in the background in real-time and, in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time.

To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.