Cybercriminals use several common social engineering techniques to manipulate an individual into divulging confidential information or granting system access. Although some of these techniques appear simple and easy to identify, others are more complex and sophisticated.
The challenge for businesses is that it only takes one moment’s lack of concentration by a single user to accidentally click on a malicious link and start the ball rolling for a full-scale ransomware attack.
At Securus Communications, we firmly believe that a layered Secure Access Service Edge (SASE) service, combined with endpoint protection (EPP) and endpoint detection and response (EDR), coupled with user education about the most common social engineering techniques, is an effective way to keep your business safe from cyber-attack.
11 Common Social Engineering Techniques
Cybercriminals use several social engineering techniques to gather sensitive data or steal system access credentials. This information will often allow them to deploy well-targeted ransomware attacks or commit data theft. Here is an overview of 11 common social engineering techniques used by cybercriminals.
1. Phishing
The attacker may use a simple email, instant message, social media post, or even an SMS to extract sensitive information from the unsuspecting victim during a phishing attack. Such an attack is used to lure the victim into clicking a malicious website link.
The message contained in the phishing campaign captures the victim’s attention and calls them to action by piquing their curiosity, pulling an emotional trigger, or asking for help. The message often contains logos, text styles, or images that mirror a legitimate organisation, making it seem like a legitimate message from a colleague or company.
Phishing messages typically carry a sense of urgency that leads the victim to believe they must respond to avoid negative consequences. Attackers can automate the process and send thousands of generic emails at a time.
When the phishing message directs victims to a counterfeit domain, that website looks legitimate. There will be minor, easily overlooked details that identify it as fake, such as lookalike lettering in the URL. A common example is swapping the letter “m” for the pair “rn”, which renders almost identically in many fonts.
The email often contains multiple legitimate links mixed in with the malicious one. Such techniques enable the malicious links and code to get past email security filters.
One of the most common phishing tricks is exploiting the “password reset” function available on most websites. The target will receive an email urgently requesting them to click the link to reset their password as their account may have been compromised.
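As an added example (not part of the original article), the following Python check is the kind of logic an email gateway or awareness tool could use to flag the “rn”-for-“m” swap and similar lookalike domains against an allow-list of trusted domains. It generalises the article’s single example: the additional confusable pairs, the sample domain names and the edit-distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Character sequences that look almost identical in many fonts.
# "rn" -> "m" is the swap described in the article; the other pairs are
# further well-known confusables added here (assumption) to generalise the check.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL (scheme optional), without port or leading 'www.'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalise(host: str) -> str:
    """Collapse confusable sequences so 'exarnple.com' reads as 'example.com'."""
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted: list[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the host in a link."""
    host = hostname_of(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"  # the domain itself or a genuine subdomain of it
    for t in trusted:
        # trusted name used as a leading label of another domain, e.g. example.com.evil.test
        if host.startswith(t + "."):
            return "lookalike"
        # identical after confusable collapsing, or one character away from the real name
        if edit_distance(normalise(host), normalise(t)) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":  # constructed sample links, as found in a password-reset lure
    for link in ["https://login.example.com/reset", "http://exarnple.com/reset"]:
        print(link, "->", classify_url(link, ["example.com"]))
```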
2. Spear Phishing
Spear phishing is a more sophisticated form of social engineering where messages are more targeted, well-written, and sent to a specific person or group. Criminals tailor and personalise emails to intended targets. The subject lines are distinct and will contain topics of interest to the recipients.
It’s no surprise that 91% of successful cyberattacks begin with a spear-phishing email. The messages are so well-tailored that email security filters and the recipients can miss them. The message appears legitimate and non-threatening.
The creator of the spear-phishing email has taken the time to gather specific details about the victim. Such information is easy enough to obtain from business directories or websites like LinkedIn. From there, any social media site can yield additional personal information that the criminal can exploit to fine-tune a spear-phishing email.
3. Whaling
Whaling is another form of social engineering that targets specific individuals with elevated access to secure systems or sensitive company information, most often senior executives and network administrators.
Because the target is highly specific, the attacker conducts meticulous research to craft a message that will prompt specific targets to respond and complete the desired action. Whaling emails are often presented as an internal critical business email sent by an employee, investor, colleague, or manager. The request requires urgent action or intervention from the victim.
4. Vishing
While email remains the preferred delivery method for phishing attacks, there are others. Vishing, or voice phishing, is one such alternative: the attack is delivered as a phone call.
In a vishing attack, the victim receives a phone call that appears to be coming from their bank, merchant account, or some other standard service. The phone call begins as an automated call that proceeds to route the individuals to the criminals, who pose as customer service agents. The criminals use mobile apps or other technology to spoof or hide their phone numbers.
Vishing is simply another form of social engineering that fools the target into providing personal, financial, or business information. The attacker may even claim to be an executive at your own company who works off-site. Whatever the fake reason for the call is, they will need to “verify your information” first, which is the information they intend to exploit.
5. Smishing
Smishing is short for SMS phishing, and it is delivered to targeted victims via mobile phone as a text message. These malicious text messages trick the user into clicking a malicious link and handing over sensitive information. The message is often disguised as something familiar like a missed delivery or some other urgent need to contact “customer support.”
Sometimes, smishing attacks prompt the recipient to download a malicious app unknowingly. The recipient clicks a link, which sets off an automatic download for an app that deploys ransomware or other functionality that enables the hacker to control the phone remotely. Other times, the link takes the victim to a cloud-based, malicious form. The victim enters personal data, which the hacker then steals.
6. Pretexting
In a pretexting attack, the attacker creates a detailed, fake identity, which they use to manipulate the victim into providing private information. In this more elaborate form of phishing or smishing, the attacker invests more time in building the fake persona, making it all the more believable.
For instance, the attacker may pretend to be a technician from an external IT service provider who needs the user’s account details and login credentials to solve a network issue. An attacker may also pretend to be a representative from the victim’s bank, stating a specific problem with the victim’s account. They will then ask for the login credentials for the victim’s online banking account or confirmation of the bank account number.
7. Baiting
Baiting is yet another social engineering technique where an attacker offers a false promise to lure a victim into a trap. The trap, of course, results in financial or personal information theft. Alternately, the goal may be to deliver malware to the user’s system. The trap often arrives as a malicious attachment that has an enticing name.
Most often, baiting tactics employ physical media to distribute malware. For instance, an attacker leaves the bait, which is a malware-infected flash drive, in a conspicuous area where a potential victim will see it. Out of curiosity, the victim inserts the flash drive into a work or BYOD computer, and malware automatically and discreetly installs on the system. An individual may receive an infected flash drive as a gift or as a reward for completing a survey, etc.
Baiting also exists online in the form of attractive ads that lead users to malicious websites or encourage them to download malware. The ad may offer free movie or music downloads, provided they log on to a particular website.
8. Quid Pro Quo
A quid pro quo attack is similar to a baiting attack; instead of promising the victim something valuable, the attacker promises to perform an action that will benefit the victim. Before that happens, of course, the attacker requires a specific action from the victim first.
In one typical scenario, the attacker calls a company’s extensions at random and pretends to be following up on a technical support inquiry. Eventually, they reach a person who has actually submitted a support ticket. The attacker then pretends to help and instructs the victim to perform actions that will compromise their computer.
9. Water Holing
A watering hole attack is difficult to detect because the malicious code is planted on a legitimate website that the victim already frequents. The target visits the familiar site and inadvertently runs or downloads the malicious code. If the individuals targeted work in the technology industry, for example, they will frequent websites for IT professionals, so the attacker compromises one of those sites and installs a backdoor trojan which, once downloaded, provides remote access to the victim’s machine.
Watering hole attacks take a higher level of skill from criminals who have learned of a zero-day exploit. They often wait for months before deploying an actual attack to preserve the exploit’s value. Sometimes, attackers launch watering hole attacks directly against vulnerable software their targets use rather than via frequented websites.
10. Impersonation
Impersonation is another social engineering tactic that cybercriminals use to trick their way into a network by assuming someone else’s identity. The difference with impersonation is that it occurs in person or over the phone rather than by email or text message.
The cybercriminal impersonates someone the victim is likely to trust and, more specifically, obey. They are convincing enough to fool the victim into permitting access to their office, personal information, or information systems.
This social engineering tactic plays on the human tendency to believe that a person is who they say they are. Thus, they follow instructions when a perceived authority figure asks. It also involves constant manipulation to get the victim to release information without realising that they are participating in a security breach.
As you can imagine, impersonation requires a great deal of preparation, so these attacks occur less often but are far more effective. Social engineers prefer to remain anonymous and stick to phone or email more frequently than appearing in person. To the victim, the imposter is just another in a stream of professionals they encounter daily.
11. Tailgating
For physical access, an attacker will employ tailgating to gain entry to a restricted area. For the attack to be successful, that access point must be unattended or controlled by electronic access. This way, the attacker can walk in behind someone who has legitimate access. If your organisation has more than one access door or a secondary exit, say, to the parking lot, tailgating is a constant threat.
It’s common for an impersonator to be dressed like a delivery driver waiting outside the building. When an employee opens the door, the attacker either slips in behind them or asks them to hold the door. Most people naturally oblige, thereby enabling the attacker to gain access to the facility.
Tailgating won’t work in corporate settings where security is more restricted. Anyone entering the building is required to swipe a card. However, the attacker will often strike up a casual conversation with employees in mid-sized and smaller companies to establish familiarity. Eventually, they will tailgate their way into the building.
All of these social engineering techniques exploit fundamental human decision-making and cognitive biases. We are all human and will make mistakes in judgment now and again. Considering how many decisions we need to make daily, it’s only a matter of time before our guard slips.
Cybercriminals who engage in social engineering campaigns understand psychological weak points and waste no time exploiting them. Unfortunately, such attacks can significantly impact your organisation, especially if the result is significant data theft or a ransomware attack.
Recognising these common social engineering techniques is a first step in fortifying your security systems and preventing data breaches. Be sure to train your employees on how to handle potential threats to ensure you are employing the best defence possible. This is where Securus Communications can help, so please get in touch if you require our knowledge and assistance in every aspect of your security requirement.