7 types of social engineering attacks to avoid
Even the most comprehensive security system can fail if an attacker manages to fool the gatekeeper, and this happens far too often in the digital world. In fact, it’s usually easier to exploit a person’s inclination to trust than it is to guess their password or otherwise break into their system. This hacking technique is known as social engineering, and by targeting unsuspecting employees, it can compromise your company’s cyber security program before you know it.
Breaking down 7 social engineering techniques
There are plenty of reasons why a cybercriminal would want to dig into and devour your data, and just as many ways to do so. Social engineering is one favourite mechanism among hackers – the latest Verizon data show that phishing and pretexting represent 93% of data breaches.
As the saying goes, knowledge is power. Get familiar with these seven different types of social engineering techniques, so you know what to watch out for, and why.
1. Email from a “friend”
How it begins: Typically, a message from a hijacked or spoofed account will contain a link or a request to download a file to introduce malware. The message might spark your curiosity with a picture, video, or link, and since it seems to come from someone you know, you may be inclined to download or follow that link without a second thought.
What they’re looking for: If an attacker manages to drop malware onto your system and steal your password, your identity and your entire contact list are at risk. If they’re careful enough to compose a believable message and convince your contacts that you wrote it, everyone who receives that fraudulent, malware-infected message is more likely to open the file or link. Those accounts could then be compromised in turn.
Potential consequences: Once an attacker gains access to your account, they can send messages to all your friends, and possibly reach your friends’ friends, too. The more people who click on the link, the further their malware can travel, potentially compromising hundreds of systems and stealing the identities of hundreds of people.
2. Phishing
How it begins: A seemingly legitimate source sends a message asking for your sensitive personal data to complete a transaction, support a cause, claim a prize, or help a colleague or stranger in need. These phishing messages usually include a compelling scenario or story and can prey on your curiosity, fear, kindness, or greed.
What they’re looking for: In some cases, the attacker will imitate a reputable financial institution and request that you provide certain details or click on a link within the message. Often, that link will take you to a phony banking login screen where they can capture your password. In other cases, the message contains an urgent plea for help, request for a charitable donation, a time-sensitive inquiry from a colleague, or notification that you’ve won something. The more emotionally charged the message, the more likely you’ll click or comply before really considering all the details.
The most recent phishing attacks have attempted to take advantage of people who are worried about the COVID-19 pandemic. Scammers have posed as health professionals, claiming to represent well-known organizations like the Canadian Red Cross or the World Health Organization, in order to trick people into handing over sensitive information.
However, emails aren’t the only medium they’re using. Messages connected to COVID-19 can also come in the form of spam phone calls and text messages. Historically, hackers have also impersonated the Canada Revenue Agency, especially during tax season, or law enforcement officers, using emails or phone calls to extract personal information and money from their victim.
Potential consequences: The extent of damage will often depend on the nature of the target and how much information is shared. A spear-phishing attack that aims to fool a specific high-ranking target can be devastating if that person has access to crucial systems, corporate funds, or confidential information. But even if it’s a broader attack sent to several people, all it takes is one person to fall for it, and the attacker could gain access to your network.
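Two of the tell-tale signs described above (a reply address that doesn’t match the visible sender, and a link whose visible text shows the real bank while the href leads somewhere else) can be checked mechanically. The following is an added example for this article, not code from Northbridge or from any mail product; the sample message is constructed, and the domains in it are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristic anchor match; a production filter would use a real HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(value):
    """Lower-cased host of a URL or bare domain ('' if it has none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def _domain(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    """Return indicator strings for one RFC 5322 message; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_domain, reply_domain = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    # Replies silently routed to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, inner in _ANCHOR.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", inner).strip()
            # Visible text names one site (the real bank) while the href goes elsewhere.
            if "." in text and " " not in text and _host(text) != _host(href):
                found.append(f"link text {text!r} actually points to {_host(href)}")
    return found

# Constructed sample modelled on the phony-banking-login scenario (not a real message).
SAMPLE_MESSAGE = """\
From: "Account Security" <alerts@bank-example.test>
Reply-To: support@recovery-desk.example
Content-Type: text/html

<p>Your account is locked. Sign in now:</p>
<a href="http://bank-example.test.verify-now.example/login">https://www.bank-example.test/login</a>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_MESSAGE):
        print("INDICATOR:", indicator)
```

Neither check proves a message is malicious on its own; they are triage signals that tell a reader to stop and verify through the institution’s published contact details rather than the link in front of them.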
3. Pretexting
How it begins: Combining thorough research of a target with sophisticated impersonation, pretexting uses a false motive to elicit information. This is more than a simple claim – it’s an orchestrated effort to create a convincing identity to manipulate the target into sharing a wealth of information.
What they’re looking for: Unlike phishing emails that use urgency to their advantage, a successful pretexting attack may begin with a phone call and will rely on building trust to overshadow any doubt you may have about the request.
Pretexting isn’t a new technique: shady salespeople, fortune tellers, and phony medical and legal professionals have been operating for a long time. In the digital space, pretexting often takes the form of tech representatives, credit card providers, lenders, or insurance institutions that foster confidence so you’ll share sensitive info with them.
Potential consequences: In many cases, the attacker will try to get you to perform an action that allows them to exploit any structural weaknesses in your organization. But they can go offline, too: if the fraudster is able to convince your security staff to let them into the building, they can gain direct, hands-on access to your equipment and any other valuable assets.
4. Sowing distrust
How it begins: Like phishing, this sort of attack often begins by gaining access to an email account, social network, or forum. From there, the attacker can spread nasty rumours about the target or circulate doctored photos or video to create drama or tarnish their reputation.
What they’re looking for: This sort of attack is more often about anger or revenge than it is about financial gain or systems access. However, people do terrible things for many reasons; they could also try to extort money from the victim or from the recipient of the fake message.
Potential consequences: Reputational damage is a major threat, and in an era where social media can carry a message across the globe in the blink of an eye, it can even lead to a company’s downfall. Of course, extortion can be a serious issue for your personal and professional bottom line, too.
5. Baiting
How it begins: By offering a tempting deal, attackers can convince you to proceed with a transaction or offer financial details that give them access to your accounts. You’ll often find baiting schemes on peer-to-peer sites that allow you to download shared media, or on social networking and other community-oriented sites that involve exchanges between participants.
What they’re looking for: The attacker is probably looking for your financial information, or they may simply want access to your system to introduce malicious software. They may construct false accounts and sales history on a classified or auction site to coax you into a transaction with them.
Potential consequences: Not only will you lose the payment without receiving the expected product or service, you could open your entire bank account to the attacker if you share too much account info. In other cases, you could inadvertently grant access to your system.
6. Tailgating
How it begins: This type of attack takes place offline, in the real world. The criminal will hang out in commonly used areas near a building entrance – think smoking areas, main doorways, or delivery areas – and slip in the door when an unsuspecting employee pops in or out.
What they’re looking for: The tailgater could be looking for any number of things in the building – it all depends on their end game. The problem is, when the rest of the staff is too focused on their day-to-day tasks, a quiet interloper can go unnoticed for a long time.
Potential consequences: It’s difficult to determine the worst-case scenario when you’re not sure what the tailgater is after, but if you keep any valuable items, devices, and records in your workplace (and it’s safe to say that most businesses do), those can be at risk. From wallets taken out of purses to laptops removed from unattended offices, a sneaky thief could make off with many things.
7. Reverse social engineering
How it begins: Instead of extracting info from the target, a reverse social engineering attack involves convincing a target that they need the attacker’s services. It begins with the attacker posing as a professional (for instance, a technical support expert) and posting or offering their contact information so employees reach out when they have a technical problem. On occasion, the attacker might even create the problem by sabotaging equipment or deleting a critical file.
What they’re looking for: A gateway into your system to either extract information immediately, or to lay the groundwork for a future attack. There’s a lot of planning and a certain amount of luck involved, but if the attack is successful, the rewards can be significant.
Potential consequences: Since reverse social engineering is based on firm trust, the hacker can mine a lot of information. Once they’ve convinced you of their legitimacy, you’re more likely to trust them implicitly, and potentially for much longer before you suspect any nefarious behaviour.
Defend against social engineering attacks
A data breach protocol, a sound data backup plan, and consistently updated security measures are all part of a smart cyber strategy. But what about the people who carry out the operations? Unfortunately, over 50% of data breaches can be traced to negligent employees.
It’s safe to say that cyber-savvy employees help to maintain a safer business. Here are some tips to help strengthen that front line of defence:
- Limit social sharing. Anything you post on social media can be used as fodder, so it’s better to be safe than sorry. Ensure your company has a clear social media policy to guide staff in their online interactions, and privacy controls should be tightly secured. Remind everyone that even seemingly innocuous details could be used against them or the company, so think twice before posting.
- Be suspicious on the phone. If someone calls to ask for sensitive information over the phone, be wary: you never know who’s on the other end of the line. Phone scams are a common tactic – some criminals even play the same on-hold music your company uses. To be safe, instruct employees to end the call, look up the organization’s published number themselves, call it, and ask whether someone there was actually trying to reach them.
- Double check credentials. In larger offices, people can fairly easily pose as couriers or colleagues to convince employees to let them in, but smaller companies are at risk of tailgating, too. Although it can feel awkward, employees should get in the habit of asking any visitor or unfamiliar colleague to verify their identity before holding the door open for them. A good tactic is to escort the stranger to whomever they claim to be visiting. If that person is not available, escort them out to await their arrival.
- Follow up with institutions before you act. Requests to turn over personal, financial, or otherwise sensitive information can sound urgent and important, but hasty actions can have huge consequences. A legitimate institution rarely asks for information like this over email, so make sure employees don’t fall for the trap.
Some cyber criminals are clumsy and obvious; others do their homework. Social engineering attacks can be coordinated, well-researched efforts that take advantage of trusting instincts and helpful gestures. If a criminal manages to breach your system despite your company’s best efforts, you’ll count on your cyber insurance to help you through the fallout. Not sure if your policy would hold up in this situation? Consider adjusting your coverage with the help of a trusted broker who can work with Northbridge experts to develop a policy to suit your needs.