The Most Common Social Engineering Attacks
What Are Social Engineering Attacks?
Social engineering is the practice of manipulating people into giving up confidential data. Social engineering attacks may happen face to face, like a burglar who dresses up as a delivery man to get buzzed into a house. The term social engineering covers a wide variety of malicious activities carried out through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away confidential information.
Social engineering attacks are common. An attacker first investigates the intended target to gather the background information needed to proceed, such as possible points of entry and weak security procedures. The attacker then works to gain the victim's trust and provides a pretext for subsequent actions that break security practices, such as disclosing confidential data or granting access to critical resources.
What makes social engineering so risky is that it depends on human error rather than on vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, which makes them harder to detect and stop than a malware-based intrusion.
Most Common Social Engineering Attacks
Some form of social engineering is used in almost every kind of cybersecurity attack. The classic email and virus scams, for instance, are laden with social overtones. Beyond desktop devices, social engineering can reach you digitally through mobile attacks, and you can just as easily face an in-person threat. These attacks often overlap and layer on each other to build a scam.
Here are some common methods used by attackers of social engineering:
Social engineering is a broad concept that covers a wide variety of malicious behaviors. For this article, we concentrate on the five most common attack styles social engineers use against their victims: phishing, pretexting, baiting, quid pro quo and tailgating.
Phishing
Phishing is the most popular form of social engineering attack occurring today. But what is it? At a high level, most phishing scams aim to achieve three things:
- Obtain personal data such as names, addresses and social security numbers
- Use shortened or misleading links to guide users to suspicious websites that host phishing landing pages
- Use threats, fear and a sense of urgency to pressure the user into reacting quickly
No two phishing emails are the same. At least six separate sub-categories of phishing attack currently exist. Some messages are carefully crafted, while others, as we all know, are badly written and riddled with spelling and grammar mistakes. Such emails, however, usually share the same purpose: using fake websites or forms to steal user login credentials and other personal information.
One recent phishing campaign used a compromised email address to send out its attack emails. These messages asked recipients to review a proposed document by clicking on an embedded URL. That malicious URL redirected recipients to a compromised SharePoint account, which delivered a second malicious URL embedded in a OneNote document, wrapped with Symantec's Click-time URL Protection. That URL in turn redirected users to a phishing page posing as a login portal for Microsoft Office 365.
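As an added, defender-side example (not from the original article), the following Python check looks for the misleading and shortened links the phishing section describes: it extracts every link from an HTML mail body and flags those whose visible text claims one domain while the href points to another, or whose destination is hidden behind a URL shortener. The shortener list, the sample mail body and the example-evil.test domain are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed list of URL shorteners; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Accept a full URL or a bare domain as shown in link text; '' if no host.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registrable(host):
    # Crude registrable domain (last two labels), enough to compare brands here.
    return ".".join(host.split(".")[-2:])

def suspicious_links(html):
    """Flag links hidden by a shortener or whose text claims a different domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        if dest in SHORTENERS:
            findings.append((href, "shortened link hides the destination"))
        elif LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(dest):
            findings.append((href, f"text shows {host_of(text)} but goes to {dest}"))
    return findings

# Constructed sample mail: a shortened link, a lookalike login link, an honest link.
SAMPLE_MAIL = """<p>Please review the proposed document.</p>
<a href="https://bit.ly/3abc">Open document</a><br>
<a href="https://login.example-evil.test/o365">https://login.microsoftonline.com</a><br>
<a href="https://www.example.com/news">https://www.example.com/news</a>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags the first two links and leaves the honest one alone; the check is a triage aid for mail filtering or user-reported phish, not a substitute for URL reputation data.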
Pretexting
Pretexting is another type of social engineering in which attackers concentrate on creating a plausible excuse, or pretext, that they use to try to steal personal information from their victims. In these attacks the scammer typically claims they need a few pieces of information from the target in order to confirm the target's identity. They then use the stolen information to commit identity fraud or to stage secondary attacks.
More sophisticated attacks often try to trick their targets into doing something that exploits an organization's digital and/or physical weaknesses. For example, an intruder might impersonate an external IT services auditor so that they can talk the target company's physical security team into letting them into the building.
While phishing attacks primarily exploit fear and urgency, pretexting attacks rely on building a false sense of trust with the victim. The attacker uses that trust to construct a convincing narrative that leaves little room for doubt.
Baiting
Baiting is similar to phishing in several respects. What sets it apart from other kinds of social engineering is the promise of an item or good that malicious actors use to lure victims. Baiters may use the promise of free music or movie downloads to trick users into handing over their login credentials. Baiting attacks are not limited to online channels either: attackers may also exploit human curiosity through physical media.
For example, back in July 2018, KrebsOnSecurity reported on an attack campaign in the United States targeting state and local government agencies. The operation sent out envelopes postmarked from China containing a confusing letter along with a compact disc (CD). The goal was to pique recipients' curiosity so that they would load the CD and unintentionally infect their computers with malware.
Quid Pro Quo
Like baiting, quid pro quo attacks offer a benefit in exchange for information. The benefit usually takes the form of a service, whereas in baiting it usually takes the form of a good.
One of the most common forms of quid pro quo attack in recent years involves fraudsters impersonating the U.S. Social Security Administration (SSA). Fake SSA workers call random people, convince them that there has been a computer problem on the agency's end and ask them to confirm their Social Security number, all for the purpose of committing identity theft. In other cases reported by the Federal Trade Commission (FTC), malicious actors have set up fake SSA websites that claim to help users apply for new Social Security cards but actually steal their personal details.
Tailgating
The final type of social engineering attack covered here is known as tailgating or "piggybacking." In these attacks, someone without proper authorization follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside the building. When an employee gets security's approval and opens the door, the intruder asks the employee to hold it and thereby gains entry to the building.