Social engineering is a type of cyber attack that targets people to gain access to buildings, systems, or data. Social engineering attacks exploit human vulnerabilities to get inside a company’s IT system, for instance, and access its valuable information.
Social engineering is one of the most common — and successful — forms of cyber attack. Social engineering attacks are constantly evolving, but they generally follow five main approaches. Here are the most common forms of social engineering attack and how to train your team to spot and manage these threats.
Phishing, vishing, and smishing
Phishing is easily the most common form of social engineering, with attacks up over 200% over the last year. Phishing takes place when a hacker tricks an individual into handing over information or exposing sensitive data, typically through a deceptive email or a link that leads to hidden malware. Phishing has many variations, including:
- Vishing: a hacker uses voice communication combined with other forms of social engineering to convince a victim to call a certain number and reveal sensitive information.
- Smishing: a hacker uses SMS or text messages that contain links to webpages, email addresses, or phone numbers. Victims are tricked into revealing sensitive information through those links.
- Angler phishing: hackers create fake customer service accounts on social media and use them to entice victims to reveal sensitive information.
- Whaling: hackers target their phishing attacks at “high-value” targets, such as CEOs or CFOs.
- Spear phishing: hackers carry out a precise, personal form of attack — emails with links containing malware are highly targeted and sent to well-researched victims.
Phishing attacks and their variants are recognizable through a set of common characteristics. Phishing attacks will start with a deceptive subject line or message to attract the attention of a target. There will be a link or download of some sort for the individual to click on. Most phishing messages impart a sense of urgency — creating the impression that if the individual doesn’t resolve the issue immediately, something worse will happen.
How to mitigate phishing: Spam filters and education are the best defenses against a phishing attack. Provide training to employees and team members on how to recognize a phishing attempt. Poor spelling and grammar, as well as a sender address that doesn't match the name or organization the message claims to come from, are telling signs of a phishing message. If an offer seems too good to be true, it is a good sign you're being scammed.
On the technical side, spam filters can stop phishing messages from ever reaching their intended target, and multifactor authentication limits what an attacker can do with a password that was phished anyway. Implement filters with DNS filtering and sandboxing to help keep malicious emails from entering your network.
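The traits listed above (a sender address that does not match the claimed organization, a link to click, manufactured urgency) can be turned into a simple triage rule. The following is an added example, not code from the original post or from Nightfall: the two sample messages, the trusted-domain set, the urgency phrases and the weights are constructed for illustration, and a lookalike domain under the reserved `.invalid` TLD stands in for an attacker-controlled one.

```python
"""Heuristic phishing triage over the message traits described above.

Added example, not code from the original post. The two sample messages,
the trusted-domain set, the urgency phrases and the weights are all
constructed for illustration; a production filter would use far richer
signals (authentication results, sender reputation, attachment analysis).
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical: domains this organisation legitimately sends mail from.
TRUSTED_SENDER_DOMAINS = {"example.com"}
# Phrases that manufacture the "act now or else" pressure phishing relies on.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "act now")
SUSPICIOUS_THRESHOLD = 5

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url: str) -> str:
    """Return the lowercase host of an absolute URL, or '' if there is none."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Flatten a parsed message (multipart or not) into one text blob."""
    if msg.is_multipart():
        return "\n".join(
            str(part.get_payload()) for part in msg.walk() if not part.is_multipart()
        )
    return str(msg.get_payload())


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score is more phishing-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    # Trait 1: the display name claims a trusted brand, but the address is elsewhere.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain and sender_domain not in TRUSTED_SENDER_DOMAINS:
        for trusted in TRUSTED_SENDER_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in display_name.lower():
                score += 3
                reasons.append(f"display name '{display_name}' but sender domain '{sender_domain}'")

    # Trait 2: urgency in the subject line or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = sorted(p for p in URGENCY_PHRASES if p in text)
    if hits:
        score += 2
        reasons.append("urgency phrases: " + ", ".join(hits))

    # Trait 3: a link whose visible text names one host while the href goes to another.
    for href, label in ANCHOR_RE.findall(body_text(msg)):
        shown = host_of(TAG_RE.sub("", label))
        actual = host_of(href)
        if shown and actual and shown != actual:
            score += 3
            reasons.append(f"link shows {shown} but goes to {actual}")

    return score, reasons


def is_suspicious(raw: str) -> bool:
    return score_message(raw)[0] >= SUSPICIOUS_THRESHOLD


# Constructed samples. '.invalid' is a reserved TLD, so the lookalike domain
# can never resolve.
PHISH = """\
From: Example IT Support <helpdesk@example-support.invalid>
To: alice@example.com
Subject: Your account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Verify your password immediately or access
will be suspended within 24 hours.</p>
<a href="http://login.example-support.invalid/verify">https://mail.example.com/login</a>
"""

LEGIT = """\
From: Example IT Support <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html

<p>Mail servers will be patched Saturday 02:00-04:00. No action is required.</p>
<a href="https://status.example.com/">https://status.example.com/</a>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        total, why = score_message(sample)
        print(f"{name}: score={total} suspicious={is_suspicious(sample)}")
        for reason in why:
            print("  -", reason)
```

Each reason string is meant to be shown to the user in training or in a mail-client banner, since the point of the exercise is to teach people which traits to look for, not only to quarantine the message.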
Pretexting
Pretexting attacks start with a "pretext," a made-up scenario that hackers create to steal personal information. For instance, a scammer will call a target and pretend to need certain personally identifying information, like a Social Security number, to verify their identity. The scammer is just using the pretext as a way to steal someone's identity or get deeper into the organization's network.
"The success of the pretexting attack heavily depends on the attacker's ability to build trust," notes the Infosec Institute. "Most advanced forms of pretexting attacks try to manipulate the victims into performing an action that enables an attacker to discover and exploit a point of failure inside an organization."
How to mitigate pretexting: Again, user training is one of the best ways to mitigate pretexting. In the U.S., GLBA-regulated institutions are required to offer training that covers pretexting so employees can recognize and avoid succumbing to this type of social engineering.
Likewise, most organizations should build a system of checks before completing any large money transfers, with multiple executives reviewing and signing off on any transactions over a certain value.
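The sign-off control above can be enforced in code rather than left to habit. The following is an added example, not code from the original post or from Nightfall; the threshold, the role names and the separation-of-duties rules (a requester cannot approve their own transfer, and one person cannot count twice) are assumptions chosen to illustrate the multi-executive review.

```python
"""Dual-control release of large payments.

Added example, not code from the original post. The threshold, the approver
roles and the separation-of-duties rules (a requester cannot approve their
own transfer; each approver counts once) are assumptions chosen to
illustrate the multi-executive sign-off described above.
"""
from __future__ import annotations

from dataclasses import dataclass, field

APPROVAL_THRESHOLD = 10_000   # constructed policy value, in whole currency units
REQUIRED_APPROVALS = 2        # constructed: two distinct executives above the threshold
APPROVER_ROLES = {"ceo", "cfo", "controller"}  # hypothetical role names


class ApprovalError(ValueError):
    """Raised when an approval or release would violate the dual-control policy."""


@dataclass
class Transfer:
    amount: int
    payee: str
    requested_by: str
    approvals: dict[str, str] = field(default_factory=dict)  # approver -> role

    def needs_dual_control(self) -> bool:
        return self.amount >= APPROVAL_THRESHOLD


def approve(t: Transfer, approver: str, role: str) -> None:
    """Record one executive's sign-off, enforcing separation of duties."""
    if role not in APPROVER_ROLES:
        raise ApprovalError(f"{approver} ({role}) is not an authorised approver")
    if approver == t.requested_by:
        raise ApprovalError("the requester may not approve their own transfer")
    if approver in t.approvals:
        raise ApprovalError(f"{approver} has already signed off; a second, distinct approver is required")
    t.approvals[approver] = role


def can_release(t: Transfer) -> bool:
    """True when the transfer may be sent to the bank."""
    if not t.needs_dual_control():
        return True  # below the threshold: normal single-step processing
    return len(t.approvals) >= REQUIRED_APPROVALS


def release(t: Transfer) -> str:
    """Release the payment or refuse with an explanation of what is missing."""
    if not can_release(t):
        missing = REQUIRED_APPROVALS - len(t.approvals)
        raise ApprovalError(f"blocked: {missing} more approval(s) needed for {t.amount} to {t.payee}")
    approvers = ", ".join(sorted(t.approvals)) or "n/a"
    return f"released {t.amount} to {t.payee} (approved by {approvers})"


if __name__ == "__main__":
    # Constructed scenario: someone claiming to be an executive asks finance for an urgent wire.
    wire = Transfer(amount=48_000, payee="Supplier Ltd (constructed)", requested_by="alice")
    print("release immediately?", can_release(wire))   # False: above the threshold
    approve(wire, "bob", "cfo")
    try:
        approve(wire, "bob", "cfo")                     # the same person cannot count twice
    except ApprovalError as err:
        print("rejected:", err)
    approve(wire, "carol", "controller")
    print(release(wire))
```

The value of the control against pretexting is that the urgency a caller manufactures cannot shortcut it: however convincing the story, the money does not move until a second, independent person has looked at the request.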
Watering hole attacks
A watering hole attack takes place when a hacker adds malicious code to a public webpage, compromising sites in a specific sector that are typically visited by specific individuals. Once a victim visits the compromised webpage, a backdoor Trojan or piece of malware is installed on his or her computer.
“With internet tracking tools, hackers find out which websites companies and individual users visit the most. They then attempt to find vulnerabilities in those websites and embed them with malicious software,” said TechAdvisory.org.
Most experts associate this type of attack with state-sponsored hackers. These attacks tend to be more time-intensive for hackers, who must study a victim's habits and prepare exploit code before even launching the attack. A recent example is the 2017 NotPetya infection, a politically motivated attack against Ukraine that infected the Ukrainian government website and spread to the country's infrastructure.
How to mitigate a watering hole attack: The best way to avoid a watering hole attack is to keep your software up to date. Because these attacks exploit unpatched vulnerabilities, make sure that you're installing regular updates to your browser and your software. Likewise, encourage employees to browse the internet in incognito mode or with a VPN to make it harder for hackers to track their online activity.
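Patching protects the visitor; the operator of a site that could become a watering hole also needs to notice when someone has embedded code in their pages. The following is an added example, not code from the original post or from Nightfall, and it goes beyond the post's patching advice: it snapshots the script hosts and inline-script hashes of a known-good page, then audits later copies against that baseline so an unexpected script is flagged. The sample HTML and all hostnames are constructed.

```python
"""Baseline-and-diff audit of the scripts a web page loads.

Added example, not code from the original post. A site operator snapshots
the script hosts and inline-script hashes of a known-good page, then audits
later fetches against that baseline so an injected script (the watering-hole
mechanism described above) is flagged. Sample HTML and hosts are constructed.
"""
from __future__ import annotations

import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)  # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            body = "".join(self._buf)
            if self._in_script and body.strip():
                self.inline.append(body)
            self._in_script = False
            self._buf = []


def _norm_hash(script: str) -> str:
    """Whitespace-insensitive SHA-256 so reformatting alone does not alert."""
    return hashlib.sha256(re.sub(r"\s+", " ", script).strip().encode()).hexdigest()


def _script_host(src: str, page_host: str) -> str:
    return (urlparse(src).hostname or page_host).lower()  # relative URL = same origin


def snapshot(html: str, page_host: str) -> dict:
    """Baseline: the set of script hosts and the hashes of inline scripts."""
    c = ScriptCollector()
    c.feed(html)
    return {
        "hosts": {_script_host(src, page_host) for src in c.external},
        "inline": {_norm_hash(s) for s in c.inline},
    }


def audit(html: str, page_host: str, baseline: dict) -> list[str]:
    """Return findings for anything not in the baseline (empty list = clean)."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.external:
        if _script_host(src, page_host) not in baseline["hosts"]:
            findings.append(f"script from host outside baseline: {src}")
    for body in c.inline:
        if _norm_hash(body) not in baseline["inline"]:
            findings.append(f"inline script changed or added: {body.strip()[:60]!r}")
    return findings


# Constructed known-good page for a fictional sector news site.
CLEAN_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.siteConfig = {theme: "light"};</script>
</head><body><h1>Sector news</h1></body></html>"""

# Constructed tampered copy: the inline script is altered and one external
# script from an unknown host ('.invalid' is a reserved TLD) is added.
TAMPERED_HTML = CLEAN_HTML.replace(
    '<script>window.siteConfig = {theme: "light"};</script>',
    '<script>window.siteConfig = {theme: "light"};'
    'window.siteConfig.loader = "https://collect.invalid/l.js";</script>\n'
    '<script src="https://collect.invalid/l.js"></script>',
)

if __name__ == "__main__":
    base = snapshot(CLEAN_HTML, "www.example.com")
    print("clean page:", audit(CLEAN_HTML, "www.example.com", base))
    for finding in audit(TAMPERED_HTML, "www.example.com", base):
        print("ALERT:", finding)
```

Run it from a scheduled job that fetches your own pages, and refresh the baseline only through the same change process that deploys site updates; a baseline that anyone can overwrite is no baseline.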
Baiting
Baiting is quite similar to other types of social engineering, but its key premise is the promise of something the victim wants.
“A classic example is an attack scenario in which attackers use a malicious file disguised as a software update or as generic software,” wrote Infosec Institute. “An attacker can also power a baiting attack in the physical world, for example disseminating infected USB tokens in the parking lot of a target organization and wait for internal personnel to insert them into corporate PCs.”
Another common iteration of baiting is when a hacker leaves a malware-infected flash drive in an inconspicuous area. An unsuspecting victim will insert the flash drive into a computer, and the malware is automatically installed on the system.
How to mitigate baiting: Institute and enforce an IT policy that prohibits users from downloading unvetted files, updates, or new pieces of software without approval from information security. Likewise, make sure that all flash drives are stored in a location where only those who need access have it.
Tailgating
Finally, tailgating is a physical security breach in which an unauthorized person enters a restricted area to carry out the attack. A hacker may pose as a delivery driver or electrician; once inside the building, they can reach secure areas and, through them, your network.
How to mitigate tailgating: Tighten your security protocols on-site, requiring multiple forms of ID to get into your secure server room and other parts of the office. Encourage employees to be proactive about closing down areas and requiring each member of the organization (and visitors) to sign in with a security team.
It's also best practice to have a backup plan in case social engineers manage to overcome multi-factor authentication, spam filters, and security training. Nightfall uses machine learning to scan data with over 150 detectors, alerting team members when they share sensitive data in potentially unsafe ways across cloud applications, like Slack, GitHub, and Google Drive. IT administrators can set custom actions to prevent employees from inadvertently sharing data and to delete messages containing sensitive data like usernames and passwords, credit card numbers, or protected health information (PHI).
Learn more about how Nightfall can keep your information secure by scheduling a demo at the link below.