Most cyberattacks are initiated by real humans who exploit people's natural tendency to trust easily, especially when distracted or under pressure. This manipulation to gain information is known as social engineering, which has evolved from traditional con artistry to more sophisticated modern threats. It's important to note that not all individuals are equally susceptible, and awareness and training can mitigate this vulnerability.
While every social engineering attack may appear different in terms of techniques and goals, they typically follow a cycle consisting of four parts: information gathering, establishing a relationship, exploitation, and execution.
Here are several types of social engineering attacks to watch out for:
Phishing: The most common type of social engineering attack. Attackers exploit human error to obtain credentials or spread malware, often through infected email attachments or links to malicious websites. Some of the many variants include:
Whaling: Phishing attacks targeting top executives.
Vishing: Voice phishing.
Smishing: SMS phishing.
Angler Phishing: Utilizing social media.
Baiting: This tactic promises prizes or money in exchange for small payments, like shipping costs. It often presents a “too good to be true” scenario.
Pretexting: The social engineer assumes a false identity to gain access to sensitive information. For example, a threat actor might pose as a bank teller calling to alert a victim about suspicious activity and ask them to confirm their account number over the phone.
Diversion Theft: A thief tricks a victim into sharing sensitive data with the wrong person, often by spoofing the email address of someone within the victim’s company, such as an auditing firm or financial institution.
Honey Trap: An attacker poses as an attractive individual to lure victims into false relationships to gather personally identifiable information (PII), such as email account details.
Scareware: A form of social engineering where a scammer inserts malicious code into a webpage, causing alarming pop-up windows to appear. These windows falsely alert users to nonexistent viruses on their systems and create panic leading to hasty decisions.
Watering Hole Attack: A hacker infects a legitimate website frequented by their targets. When victims log in, the hacker captures their credentials or installs a backdoor Trojan to access the network. These attacks exploit known websites frequented by the target group rather than individual targets.
Business Email Compromise (BEC): A BEC attack occurs when a user’s email account is compromised and used to gain financial information or request payments from other users. The attacker often sends fake emails requesting the transfer of funds.
Quid Pro Quo: Attackers offer a service or benefit in exchange for information, such as promising tech support or free software to persuade victims to disclose confidential data.
Shoulder Surfing: This involves observing sensitive information in public spaces, such as airports or coffee shops, or monitoring an unattended laptop in an office.
DNS Spoofing: In this attack, a threat actor learns which sites a user visits and injects fake DNS entries into the DNS system. This allows them to redirect users to spoofed versions of legitimate sites, where sensitive information can be collected.
Tailgating: This occurs when an unauthorized person follows an authorized individual into a restricted area, often by taking advantage of their trust or courtesy. For example, they might ask someone to hold the door open while they enter.
Deepfakes: Utilizing artificial intelligence, deepfakes create realistic but fake audio, video, or images that impersonate real people. These can be used in social engineering attacks to deceive targets into revealing sensitive information or taking unintended actions.
By being aware of these social engineering tactics, you can better protect yourself and your organization from potential threats.
Comments