Social Engineering and Its Types

Social engineering is an infiltration technique that exploits human error to gain access to valuable or private information. As technological defenses become more rigorous than ever, cybercriminals are increasingly using social engineering tactics to exploit the weakest link in the security chain: humans. Social engineering, often referred to as human hacking, can be carried out over the phone, through digital channels such as email or SMS, or even in person. These ‘human hacking’ methods catch users off guard so that they grant access to restricted areas or systems, expose data, or spread malware infections. These attacks are often the precursor to larger attacks, including identity theft, data theft, and ransomware. The techniques capitalize on a user’s lack of understanding, or take advantage of someone’s mood, impatience, or trusting nature. Given the rate at which technology advances, consumers and employees often lack the knowledge to recognize these types of attacks and frequently do not realize that they have been scammed.

Different types of Social Engineering Attacks


Phishing

Phishing is where an attacker impersonates a trusted person or institution to persuade users to share their data and other valuable information. Attacks using phishing tactics are targeted in primarily two different ways:

  • Spear phishing - Uses personalized information to lure specific people. Within this technique, cybercriminals also use the whaling method to target high-value people such as top government officials, upper management, and celebrities.
  • Spam phishing - Also known as mass phishing, is a wider attack directed at many users at once. Such attacks are not tailored to anyone in particular and aim to catch any unsuspecting individual.

Phishing emails and websites can also contain malicious links and attachments that, when opened or executed, deploy payloads designed to infect the user’s device. These payloads can contain listeners or other malware that can be used for future attacks.

Tailgating

Another social engineering type is tailgating. It is a simple attack used to gain physical access to a location the attacker is not authorized to enter. Tailgating is carried out by following an authorized individual into the area without being noticed. For example, an attacker could impersonate a delivery driver and wait outside the building to follow someone who has access inside; once inside, they can carry out their attack.

In some situations, attackers will strike up a casual conversation with employees and offer a pretext for getting past the front desk, such as needing to use the bathroom, or otherwise appear to be there for a legitimate purpose. However, tailgating does not work in all situations and is largely prevented where proper security measures, such as an identification pass system, are implemented.

Baiting

Baiting is a social engineering attack that exploits a user’s curiosity. A simple baiting attack could take the form of an online promotion offering a free gift card to new users. This lures victims into creating an account, which potentially divulges credentials they also use on other sites or services. Baiting abuses a user’s natural curiosity with something exclusive or free. A social engineer could leave USB drives in high-traffic areas, such as a parking lot or on a table at a conference. The audience may assume they are just free goodies for attending the conference. However, the attacker could have loaded them with spyware or other malware that compromises a device as soon as the drive is plugged in.

Watering Hole Attacks

This kind of attack targets well-known or well-frequented web pages and infects them with malware to strike multiple victims simultaneously. Watering hole attacks require thorough planning by the attacker to find vulnerabilities in particular websites and exploit them. Attackers look for unpatched weaknesses in the site, including zero-day vulnerabilities for which no fix yet exists, to compromise it. Once the site has been compromised, the victims visiting it become infected as well.

Scareware Attacks

Scareware is a form of malicious software, delivered as a pop-up or a site redirect, that warns users that their security software needs to be updated or that malicious content has been detected on their system. This manufactured sense of urgency fools victims into clicking through to the malicious website, calling the listed support number, or buying useless products. These methods are used to gain access to and infect the user’s device.

How to avoid these Attacks

Here are some ways users can protect against social engineering attacks:

  • Do not open messages or emails from unknown senders.
  • Avoid any messages or emails that contain attachments or require you to click on links.
  • Check a website’s security before typing in sensitive information, even if it seems genuine.
  • Read website URLs from right to left to verify the address is authentic.
  • Enable and use multi-factor authentication.
  • Update your antivirus software regularly.
  • Implement antivirus browser extensions or add-ons for an additional safeguard.
  • Do not allow non-work-related devices to connect to your business Wi-Fi network.
  • Always log out from your accounts when using devices connected to free Wi-Fi.
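As an added illustration of the right-to-left URL check above (example code written for this article, not part of the original post), the helper below parses a URL's host, isolates the registrable domain, and flags hosts where a trusted brand name appears only in a subdomain or in the user-info part before an `@`. The brand allow-list and the public-suffix shortlist are constructed placeholder data.

```python
from urllib.parse import urlsplit

# Constructed shortlist of multi-label public suffixes. The real Public Suffix
# List (publicsuffix.org) is far longer and should be used in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allow-list: registrable domain -> brand name it belongs to.
# Placeholder values, not domains from the original article.
TRUSTED = {"examplebank.com": "examplebank", "examplebank.co.uk": "examplebank"}


def registrable_domain(host: str) -> str:
    """Read the host right to left: the public suffix comes first, the label
    in front of it is the registered domain, and everything further left is a
    subdomain that the registrant (possibly an attacker) chooses freely."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host.lower()
    return ".".join(labels[-(suffix_len + 1):])


def classify_url(url: str) -> dict:
    """Return the host, its registrable domain and a verdict:
    'trusted'   - registrable domain is on the allow-list
    'lookalike' - a trusted brand name appears in the host or user-info,
                  but the registrable domain is something else
    'unknown'   - no relation to a trusted brand
    Homograph (IDN) and typo-squatting variants are not detected here."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # user-info ("brand.com@evil.test") is a classic way to fake the domain
    haystack = (parts.username or "") + "@" + host.replace("-", "")
    if domain in TRUSTED:
        verdict = "trusted"
    elif any(brand in haystack for brand in TRUSTED.values()):
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "registrable_domain": domain, "verdict": verdict}
```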
