Key Takeaways
Social engineering is the psychological manipulation of people for the purpose of divulging confidential information.
Social engineering takes many forms today, from enticing free USB sticks to deepfake phone calls.
You can avoid social engineering attacks by verifying the source of a message, slowing down, and securing your accounts and devices.
What is social engineering?
Social engineering is the art of exploiting human psychology, rather than technical weaknesses, to gain access to a system. Even if your company has all the latest security products and a top-notch security team, one mistake by an unknowing employee can allow a crafty social engineer to slip right into your network. It is also by far the most popular and successful technique used by attackers: according to a 2021 report from PurpleSec, 98% of cyber attacks rely on social engineering.
This blog will cover the different social engineering techniques, including ones that have grown in popularity since the start of the pandemic, and how best to defend yourself from them.
Types of social engineering attacks
There are various methods of social engineering attacks. You’ll notice a pattern in all of these methods which, once understood, will make spotting social engineering attacks much easier.
Baiting
Baiting puts something enticing or curious in front of the victim to lure them into the social engineering trap. A typical example: an employee at a conference finds a USB drive in the bathroom labeled “[Competitor]’s Salaries”. The curious employee plugs it into their computer and is infected with malware.
Phishing
Phishing is when an attacker sends fraudulent emails, claiming to be from a reputable and trusted source. For example, a social engineer might send an email that appears to come from a customer success manager at your bank. They could claim to have important information about your account but require you to reply with your full name, birth date, social security number and account number first so that they can verify your identity. Phishing, in general, casts a wide net and tries to target as many individuals as possible.
Spear phishing
Spear phishing is a type of targeted email phishing. In a spear phishing attack, the social engineer will have done their research and set their sights on a particular user. Usually the malicious email purports to come from a higher-level executive in the company asking for confidential information.
A prestigious New England university suffered a rather ridiculous spear phishing attack a few years ago. Several newly hired professors received an email from the dean of the school saying that they were in an important meeting and asking them to go to Target, buy gift cards, scratch off the back to reveal the gift code, and send pictures of those codes as soon as possible. MULTIPLE professors fell for this. It sounds silly, but if you’re new and your boss asks you to do something, usually you don’t ask too many questions.
Whaling
Whaling is another targeted phishing scam. However, rather than going after an average user, whaling focuses on higher-value targets like CEOs and CFOs. Whaling gets its name from the targeting of the so-called "big fish" within a company. Last year, toy giant Mattel fell victim to a whaling attack after a top finance executive received an email requesting a money transfer from a fraudster impersonating the new CEO. The company almost lost $3 million as a result.
Pretexting
This attack uses a pretext to gain attention and hook the victim into providing information. For instance, an internet survey might start out looking quite innocent but then ask for bank account details. Or someone with a clipboard might show up, looking very official, and steal your information.
Vishing, Smishing, and Deepfakes
Vishing (short for voice phishing) occurs when a fraudster attempts to trick a victim into disclosing sensitive information or giving them access to the victim's computer over the telephone. In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier”, a bank account that actually belonged to a scammer. This attack can also be classified as a deepfake: a fraudulent piece of content that has been manipulated or created using AI.
Smishing (short for SMS phishing) is similar to and incorporates the same techniques as email phishing and vishing, but it is done through SMS/text messaging.
Contact Spamming
This type of attack involves hacking into an individual's email or social media accounts to gain access to their contacts. The contacts are then scammed by messages sent from their friend’s account. They may be told the individual has been mugged and lost all their credit cards, and then be asked to wire money to a money transfer account. Or the 'friend' may forward a 'must see video' that links to malware.
Tips for avoiding social engineering attacks
Verify the source
Checking the source is a quick way to avoid lots of attacks. For instance, with an email, look at the email header and compare it against known-good emails from the same sender. Look at where the links go - spoofed hyperlinks are easy to spot by simply hovering your cursor over them, since the address shown in the link text may not match where it actually points. If you are still in doubt, go to the official website and get in contact with an official representative, as they will be able to confirm if the email/message is official or fake.
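The two checks described above (does the sender header match the organisation it claims to be from, and does a link's visible text match where it actually goes) can be automated. The following is an added example written for this page, not code from the original post; the email it analyses is constructed for illustration and the expected sender domain (examplebank.com) is an assumed value that in practice you would take from known-good mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). It shows both warning
# signs the text describes: a From/Reply-To that do not match the claimed bank,
# and a link whose visible text names a different site than its href.
SAMPLE_EMAIL = """\
From: "Example Bank Customer Success" <support@examplebank-alerts.example.net>
Reply-To: verify@mail-relay.example.org
To: customer@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your details at
<a href="http://login.examplebank.example.net/verify">https://www.examplebank.com/secure</a></p>
<p>Or read our <a href="https://www.examplebank.com/help">help page</a>.</p>
</body></html>
"""

# Assumed domain the real sender uses (compare against known-good mail).
EXPECTED_DOMAIN = "examplebank.com"


def _registrable(host):
    """Crude 'last two labels' domain: login.examplebank.com -> examplebank.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_headers(msg, expected_domain):
    """Flag a From address outside the expected domain, or a Reply-To elsewhere."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if _registrable(from_domain) != expected_domain:
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rpartition("@")[2] != from_domain:
            findings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    return findings


def check_links(html):
    """Flag links whose visible text shows a URL on a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and _registrable(shown.group(1)) != _registrable(href_host):
            findings.append(f"link text shows {shown.group(1)!r} but points to {href_host!r}")
    return findings


def analyse(raw, expected_domain=EXPECTED_DOMAIN):
    """Return all header and link mismatches found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_headers(msg, expected_domain) + check_links(body)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("suspicious:", finding)
```

Run against the constructed message, `analyse` reports three mismatches: the From domain is not the bank's, the Reply-To points somewhere else again, and the first link displays the bank's address while its href goes to another host. The `_registrable` helper is deliberately simple (it takes the last two labels) and is not a substitute for a public suffix list; the point is the comparison, which is exactly what hovering over a link lets a human do by eye.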
Slow down
Social engineering often depends on a sense of urgency. Attackers hope their targets will not think too hard about what's going on, so just taking a moment to think can deter these attacks. If you're feeling pressured, slow the whole thing down: say you need time to get the information, that you need to ask your manager, or that you don't have the right details with you right now.
Secure your devices
By securing your devices, even a successful social engineering attack will be limited in what it can achieve. The basic principles are the same, whether it's a smartphone, a basic home network or a PC.
Keep your anti-malware and anti-virus software up to date. This can help prevent malware that comes through phishing emails from installing itself.
Keep software and firmware regularly updated, particularly security patches.
Don't use the same password for different accounts. If a social engineering attack gets the password for your social media account, you don't want them to be able to unlock all of your other accounts too.
For critical accounts, use two-factor authentication so that just having your password isn't enough to access the account.
If you just gave away your password to an account and think you may have been 'hacked', change the password straight away.
For the 18th year, October is cybersecurity awareness month. The initiative uses the slogan, “Do your part. #BeCyberSmart” and hopes to help all Americans stay safe online. By verifying the source, slowing down, and securing your devices, you can be cyber smart and avoid social engineering attacks.