Social engineering attacks represent one of today's biggest cybersecurity risks, currently ranking as the second most common source of data breaches after compromised credentials, according to the latest IBM data. Attackers have developed many types of social engineering attacks exploiting different methods and media. Any effective business cybersecurity strategy must prioritize preventing social engineering.
In this blog, we'll describe the most common types of social engineering and offer some tips for countering them. We'll cover:
- What social engineering is
- 20 types of social engineering attacks
- 9 best practices for protecting businesses against social engineering
What Is Social Engineering?
Social engineering is a type of crime that relies on psychological manipulation to trick targets into revealing sensitive information or performing compromising actions. The best-known type of social engineering, phishing, frequently uses email to trick recipients into clicking malicious links and providing sensitive information.
Criminals may use social engineering in both digital and non-digital environments. In a cybersecurity context, social engineering differs from other attack methods in that it targets human vulnerabilities rather than technological vulnerabilities.
Social engineering targets both consumers and businesses. When targeting businesses, attackers may focus on stealing employee credentials or taking over executive accounts.
Social engineering attacks employ a variety of methods and media. Attacks may seek to gain target trust, lure targets to compromised software applications, or trick targets into using insecure hardware. Attackers may use email, voicemail, SMS texts, websites, in-app popups, search engines, mobile devices, and external storage devices. Some attacks may unfold in stages, employing social engineering as part of a broader campaign to access employee credentials and escalate privileges in order to steal data or spread malware.
Types of Social Engineering Attacks
Attackers have developed many tactical variants of fundamental social engineering strategies.
Oftentimes, prior to a social engineering attempt, attackers will conduct reconnaissance research on their target. This could include sifting through publicly available data from previous data breaches, public profiles like LinkedIn, or other recon methods. This can be mitigated by understanding your digital risk profile and maintaining a healthy skepticism so that you do not fall victim to a phishing attack.
Here are some of today's most common tactics:
- Pretexting (blagging)
- Phishing
- Email phishing
- Clone phishing
- Spear phishing
- Whaling
- Business email compromise (BEC)
- Voice phishing (vishing)
- SMS phishing (smishing)
- Angler phishing
- HTTPS phishing
- Popup phishing
- Pharming
- Page hijacking
- Browser hijacking
- Water holing
- Evil twin phishing
- Search engine optimization (SEO) poisoning
- Baiting
- Tailgating (piggybacking)
Note that some of these categories are more commonly associated with network attacks. They’re included here in the list of social engineering attacks because they often require the user to take action for an attack to be successful.
1. Pretexting (Blagging)
Pretexting (also known as blagging) tricks the target into divulging sensitive information by employing a phony story to cloak the attacker's true purpose in the guise of a plausible scenario for requesting the information.
For example, a bad actor who has compromised a smartphone customer's account might call their provider claiming their phone has been lost in order to get their number switched to a different device owned by the attacker. Pretexting predates computers and may be used in both digital and non-digital environments. Most social engineering attacks are variants of pretexting or employ pretexting in some way.
Read more about pretexting and how to keep your digital identity safe.
2. Phishing
Phishing is a digital form of pretexting that uses a false story as a lure to trick the target into divulging credentials, opening a file containing malware, or visiting a malicious site where their credentials can be stolen or malware can be installed.
Phishing is today's most common form of social engineering. It can be deployed through various media, including email, voicemail, SMS texts, websites, and popups. Several of the social engineering attack methods covered below are variants of phishing.
3. Email phishing
Email phishing is the most common form of phishing. It typically deploys emails purporting to be from a trusted, legitimate source, such as a software or financial provider. The email may include a pretext requesting the customer to provide sensitive information.
For instance, an email customer may be told they will lose access to their account unless they click a link and update their password. Phishing messages often contain phony links impersonating legitimate sites but with the name spelled slightly differently to fool the casual eye. Phishing emails also may include attachments such as PDF files containing malware that will be installed on the recipient's device if they open the file.
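The lookalike-domain trick described above (a name spelled slightly differently from the real one, or a real name buried inside a longer hostname) can be caught mechanically before a user ever sees the link. The following is an added example, not code from the original post or from Cobalt: it classifies each link in a message against a trusted-domain list using edit distance, a buried-trusted-name check, and a flag for internationalised (punycode) labels. The trusted list and the sample links are constructed for the demonstration, and the registrable-domain logic is a deliberate two-label approximation rather than a public-suffix-list lookup.

```python
from urllib.parse import urlparse

# Constructed allow-list for this demonstration; a real deployment would use
# the organisation's own domains and a proper public-suffix list.
TRUSTED_DOMAINS = ["example.com", "examplebank.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, all at cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's hostname."""
    host = urlparse(url).hostname        # already lower-cased by urlparse
    if not host:
        return "unknown"                 # mailto:, tel:, bare paths, ...
    host = host.rstrip(".")
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"                 # example.com, login.example.com
    # A trusted name used as a subdomain of some other registrable domain,
    # e.g. example.com.login-portal.net, reads as trusted to a casual eye.
    if any((t + ".") in host for t in trusted):
        return "lookalike"
    # Punycode labels (xn--...) can carry homoglyphs; flag them for review.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Small edit distance from a trusted domain: examp1e.com, exarnple.com
    if min(levenshtein(domain, t) for t in trusted) <= max_distance:
        return "lookalike"
    return "unknown"


def scan_links(urls):
    """Map each URL to its classification, for use in a mail-filter hook."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links, as might be extracted from a suspect email.
SAMPLE_LINKS = [
    "https://login.example.com/reset",
    "https://examp1e.com/reset",
    "https://example.com.login-portal.net/",
    "https://xn--exmple-cua.com/",
    "https://totally-different.org/",
    "mailto:helpdesk@example.com",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:9s} {url}")
```

Only "trusted" links should be rendered as clickable without warning; "lookalike" verdicts are the ones a filter should quarantine or annotate, and "unknown" simply means the host bears no resemblance to anything on the allow-list.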
4. Clone Phishing
Clone phishing is a variant of email phishing that copies the format of a legitimate email previously sent by a trusted source. This gives the email an authentic appearance. The cloned email contains an altered element with malicious intent, such as a link directing the recipient to a phony website.
5. Spear Phishing
Spear phishing is a variant of phishing that targets specific individuals or groups of individuals. For instance, a bad actor may target a support team representative in order to gain access to customer account data.
6. Whaling
Whaling is a variant of phishing that seeks to compromise high-value targets. For example, a whaling attack may seek to gain access to a CEO's financial data. Whaling attacks often follow upon the takeover of executive accounts, which the bad actor then uses to impersonate the executive and gain trust.
7. Business Email Compromise (BEC)
Business email compromise is a form of phishing that uses an employee email account that has been taken over by a bad actor. The attacker uses the account to imitate the employee, send phishing messages, or launch other attacks.
8. Voice Phishing (Vishing)
Voice phishing attacks use phone calls or voice mails to impersonate legitimate sources. The impersonation may be performed by a live caller, a text-to-speech synthesizer, or an AI-powered audio deepfake.
9. SMS Phishing (Smishing)
SMS phishing attacks use text messaging to trick recipients into clicking links, calling numbers, or replying to email addresses. Text messages often carry shortened links, which makes it harder to tell where a link actually leads.
10. Angler Phishing
Angler attacks use fake social media posts to trick users into disclosing sensitive information or clicking malicious links. For instance, a bad actor may pose as a company's customer service representative in order to initiate conversations with complaining customers and get them to disclose account information.
11. HTTPS Phishing
In HTTPS phishing, the attacker makes malicious websites look trustworthy by installing a TLS (SSL) certificate, causing a "lock" icon to appear next to the site's URL. The lock only indicates that the connection is encrypted, not that the site is legitimate, so the HTTPS prefix and lock icon instill a false sense of confidence in visitors.
12. Popup Phishing
Popup phishing attacks use website or browser notifications to display deceptive messages to Internet users. For instance, the popup may display a message claiming the user's device has been compromised by malware and directing them to a link to install antivirus software, but the link actually will install malware if clicked.
13. Pharming
Pharming steers visitors from a legitimate site to a malicious site by manipulating how the site's domain name is resolved. Websites simplify URLs for human users by relying on the Domain Name System (DNS), which maps a site's plaintext name to the Internet Protocol (IP) address of the device or network hosting it. In pharming attacks, bad actors use malware on the victim's device or vulnerabilities in DNS server software to route visitors from an apparently legitimate URL to a malicious IP address.
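On the victim's own device, the simplest place for malware to override name resolution is the local hosts file, which the operating system consults before asking DNS. The following is an added example, not code from the original post or from Cobalt: an endpoint check that parses hosts-file content and reports any entry that maps a watched domain (or one of its subdomains) to a non-loopback address. The watch-list and the sample hosts content are constructed for the demonstration; a real check would read the platform's actual hosts file and use the organisation's own domains.

```python
import ipaddress

# Constructed watch-list: domains whose resolution should never be overridden
# locally. In practice this would be the organisation's own and its banks'.
WATCHED_DOMAINS = {"examplebank.com", "login.examplebank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname, reason) for entries that pin a watched domain
    to a real address. Loopback and unspecified (0.0.0.0) targets are
    ignored: they are how localhost entries and ad-sinkholes normally look."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == w or name.endswith("." + w) for w in watched):
            findings.append((ip, name, "watched domain overridden"))
    return findings


# Constructed sample hosts file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net                        # ad sinkhole, benign
203.0.113.7 examplebank.com www.examplebank.com    # pins the bank elsewhere
"""

if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```

A finding here is worth treating as an incident rather than a configuration quirk: a legitimate workstation has no reason to pin a banking or corporate login domain to a fixed address, and an entry like the one in the sample is exactly the artefact a device-side pharming infection leaves behind.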
14. Page Hijacking
In page hijacking, a bad actor creates a duplicate of a legitimate page to lure visitors. The malicious page then requests the visitor's credentials or installs malware on their device. Page hijacking may be used in conjunction with other attack methods such as phishing, browser hijacking, or SEO poisoning.
15. Browser Hijacking
Browser hijacking alters a user's browser settings in order to redirect them to a malicious site. Attackers may use browser hijacking to artificially boost ad clicks, promote hijacked pages, or install malware.
16. Search Engine Optimization (SEO) Poisoning
Search engine optimization poisoning misuses SEO techniques to boost the search rankings of malicious sites. This serves to increase traffic to these sites and increase their appearance of legitimacy.
17. Water Holing
Water holing compromises legitimate pages frequently visited by targets, such as employees of target organizations. Bad actors use water holing attacks to distribute malware or compromise target credentials.
18. Evil Twin Phishing
Evil twin phishing lures targets onto a compromised wireless network by setting up a fake Wi-Fi access point resembling a legitimate one. Once victims connect, the bad actors running the network can intercept and inspect the traffic they send, including sensitive credentials. Evil twin phishing is a social engineering form of man-in-the-middle (MitM) attack.
19. Baiting
Baiting tricks targets into using compromised sites or hardware, such as laptops or flash drives. For instance, attackers may leave compromised hardware in locations where targets would be likely to find it, such as employee workspaces, cafeterias, or restrooms. Another version of baiting uses phony online ads, giveaways, or prizes to lure victims into clicking malicious links or disclosing credentials.
20. Tailgating (Piggybacking)
Tailgating exploits trust to gain physical access to a sensitive location or device. For example, a bad actor may impersonate a delivery driver to get an employee to let them in, or they may pretend to be a tech support representative in order to install malware.
How to Protect Your Business Against Social Engineering Attacks
Most business social engineering attacks can be prevented by following basic cybersecurity strategies. Critical best practices include:
- Keep mobile and desktop device software updated.
- Follow password best practices, including rotating passwords frequently and avoiding the reuse of passwords for multiple accounts.
- Use multi-factor authentication.
- Know common email phishing scams, and avoid opening suspicious emails or attachments or clicking on links to suspicious sites.
- Avoid visiting suspicious websites.
- Only download applications from legitimate sources.
- Avoid friending questionable contacts on social media or disclosing sensitive information through social chat.
- Train employees to follow best practices for preventing social engineering attacks.
- Run simulated social engineering tests to verify security safeguards and raise employee awareness.
To implement these best practices, businesses should incorporate them into standard operating procedures and employee onboarding and training.
Stop Social Engineering Attacks with Cobalt
While social engineering attacks take many forms, they all involve similar methods that can be spotted through training and experience. Training your security team and employees to recognize and respond to social engineering attacks will significantly reduce your company's exposure to this threat vector. It’s important that end users remain skeptical when interacting online to avoid falling victim to a social engineering attack. When in doubt, don’t trust: confirm the accuracy of a request before taking action online.
Cobalt helps companies mitigate threats by providing social engineering services designed to test and raise employee awareness of common attacks. Drawing from our industry-leading offensive security expertise, we help you develop realistic simulations of attacks on your organization so you can test employee vulnerability. Based on the results, we help you develop effective mitigation strategies and build a security-aware employee culture.
Talk to our team to discuss how we can help you secure your company against social engineering risks.