10 Types of social engineering attacks
A social engineering attack is a cybersecurity attack that relies on the psychological manipulation of human behavior to disclose sensitive data, share credentials, grant access to a personal device or otherwise compromise their digital security.
Social engineering attacks pose a great threat to cybersecurity since many attacks begin on a personal level and rely on human error to advance the attack path. By invoking empathy, fear and urgency in the victim, adversaries are often able to gain access to personal information or the endpoint itself. If the device is connected to a corporate network or contains credentials for corporate accounts, this can also provide adversaries with a pathway to enterprise-level attacks.
With cyber criminals devising ever-more manipulative methods for tricking people and employees, organizations must stay ahead of the game. In this post, we will explore ten of the most common types of social engineering attacks:
- Phishing
- Whaling
- Baiting
- Diversion Theft
- Business Email Compromise (BEC)
- Smishing
- Quid Pro Quo
- Pretexting
- Honeytrap
- Tailgating/Piggybacking
1. Phishing
Phishing is a cyberattack that leverages email, phone, SMS, social media or other form of personal communication to entice users to click a malicious link, download infected files or reveal personal information, such as passwords or account numbers.
While the most well-known phishing attacks usually involve outlandish claims, such as a member of a royal family requesting an individual’s banking information, the modern phishing scam is far more sophisticated. In many cases, a cyber criminal may masquerade as retailers, service providers or government agencies to extract personal information that may seem benign such as email addresses, phone numbers, the user’s date of birth, or the names of family members.
Phishing is one of the most common types of cyberattacks and its prevalence continues to grow year over year. COVID-19 dramatically increased cyberattacks of all kinds, including phishing attacks. During the lockdown period, people generally spent more time online and also experienced heightened emotions — the virtual recipe for an effective phishing campaign. According to the FBI, phishing was the top form of cybercrime in 2020, with incidents nearly doubling compared to 2019.
2. Whaling
A whaling attack is a type of phishing attack that also leverages personal communication to gain access to a user’s device or personal information.
The difference between phishing and whaling has to do with the level of personalization. While phishing attacks are not personalized and can be replicated for millions of users, whaling attacks target one person, typically a high-level executive. This type of attack requires a significant amount of research on that individual, which is usually done by reviewing their social media activity and other public behavior. This in-depth research results in more sophisticated outreach and a higher likelihood of success.
Though whaling attacks require more planning and effort initially, they often have huge payoffs as the targets have access to high value data or the financial resources needed to advance a ransomware attack.
3. Baiting
Baiting is a type of social engineering attack wherein scammers make false promises to users in order to lure them into revealing personal information or installing malware on the system.
Baiting scams can be in the form of tempting ads or online promotions, such as free game or movie downloads, music streaming or phone upgrades. The attacker hopes that the password the target uses to claim the offer is one they have also used on other sites, which can allow the hacker to access the victim’s data or sell the information to other criminals on the dark web.
Baiting can also be in a physical form, most commonly via a malware-infected flash drive. The attacker would leave the infected flash drive in an area where the victim is most likely to see it. This would prompt the victim to insert the flash drive into the computer to find out who it belongs to. In the meantime, malware is installed automatically.
4. Diversion theft
Diversion theft is a cyberattack that originated offline. In this attack, a thief persuades a courier to pick up or drop off a package in the wrong location, deliver an incorrect package or deliver a package to the wrong recipient.
Diversion theft has since been adapted as an online scheme. The malicious actor steals confidential information by tricking the user into sending it to the wrong recipient.
This attack type often involves spoofing, which is a technique used by cybercriminals to disguise themselves as a known or trusted source. Spoofing can take many forms, such as spoofed emails, IP spoofing, DNS Spoofing, GPS spoofing, website spoofing, and spoofed calls.
5. Business email compromise (BEC)
Business Email Compromise (BEC) is a social engineering tactic where the attacker poses as a trustworthy executive who is authorized to deal with financial matters within the organization.
In this attack scenario, the scammer closely monitors the executive’s behavior and uses spoofing to create a fake email account. Through impersonation, the attacker sends an email requesting their subordinates make wire transfers, change banking details and carry out other money-related tasks.
BEC can result in huge financial losses for companies. Unlike other cyber scams, these attacks do not rely on malicious URLS or malware that can be caught by cybersecurity tools, like firewalls or endpoint detection and response (EDR) systems. Rather, BEC attacks are carried out strictly by personal behaviour, which is often harder to monitor and manage, especially in large organizations.
6. Smishing / SMS-phishing
SMS-phishing, or smishing, is a social engineering attack conducted specifically through SMS messages. In this attack, scammers attempt to lure the user into clicking on a link which directs them to a malicious site. Once on the site, the victim is then prompted to download malicious software and content.
Smishing attacks have increased in popularity amongst criminals as people spend more time on mobile devices. While users have become savvier at detecting email phishing, many people are far less aware of the risks associated with text messages.
A smishing attack requires little effort for threat actors and is often carried out by simply purchasing a spoofed number and setting up the malicious link.
7. Quid pro quo
A quid pro quo attack involves the attacker requesting sensitive information from the victim in exchange for a desirable service.
For example, the attacker may pose as an IT support technician and call a computer user to address a common IT issue, such as slow network speeds or system patching to acquire the user’s login credentials. Once the credentials are exchanged, this information is used to gain access to other sensitive data stored on the device and its applications, or it is sold on the dark web.
8. Pretexting
Pretexting is a form of social engineering that involves composing plausible scenarios, or pretext, that are likely to convince victims to share valuable and sensitive data.
Pretexters may impersonate someone in a position of authority, such as a member of law enforcement or a tax official, or a person of interest, such as a talent agency scout or sweepstakes organizer. After explaining the context, the attacker would then ask the victim questions to gain personal and sensitive information, which they could then use to advance other attack scenarios or access their personal accounts.
9. Honeytrap
A honeytrap attack is a social engineering technique that specifically targets individuals looking for love on online dating websites or social media. The criminal befriends the victim by creating a fictional persona and setting up a fake online profile. Over time, the criminal takes advantage of the relationship and tricks the victim into giving them money, extracting personal information, or installing malware.
10. Tailgating/Piggybacking
Tailgating, also known as piggybacking, is a physical breach whereby an attacker gains access to a physical facility by asking the person entering ahead of them to hold the door or grant them access. The attacker may impersonate a delivery driver or other plausible identity to increase their chances. Once inside the facility, the criminal can use their time to conduct reconnaissance, steal unattended devices or access confidential files.
Tailgating can also include allowing an unauthorized person to borrow an employee’s laptop or other device so that the user can install malware.
How to prevent social engineering attacks
While it is impossible to prevent social engineering attacks from taking place, people and organizations can protect themselves through responsible behavior, security awareness, education and vigilance.
Here are some helpful considerations to reference when receiving any form of communication from an unknown, unfamiliar or suspicious source:
Individual Users
Check the validity of the source. Pay close attention to the email header and check that it matches with previous emails from the same sender. Look out for spelling and grammar mistakes, as this is a common sign of a scam. | Click a link or download files from an unfamiliar or suspicious sender. Hover your curser over the link to check its validity (without clicking). |
Regularly update and patch your operating system and applications to reduce the risk of known vulnerabilities. | Share your personal information, including account numbers, passwords, or credit card details. |
Remain vigilant when contacted by third parties. Keep in mind that reputable organizations will never ask users to share passwords or log in credentials. Every conversation should begin with the agent asking you to verify your identity through a security question you selected in the past. | Respond to urgent requests. Scammers will often instill a sense of immediacy to prompt action. Always say you need more time to get the information and then verify the request via another contact method. |
Install a pop-up blocker and spam filter. This will detect many threats and even stop infected emails from reaching your device. | Insert an unknown USB or other device into your computer. If you find an unattended USB or other endpoint, hand it over to an IT professional or member of an information security team. |
Invest in cybersecurity software. This should be from a reputable security vendor and updated regularly. | Allow another user to access your personal device or accounts. Malware can be installed in a matter of seconds. Never share your devices with other users or allow friends or coworkers to use your device unsupervised. |
Only access URLs that begin with HTTPS. Using links that feature secure browsing minimizes the likelihood that you are accessing a malicious or spoofed webpage. | |
Enable multifactor authentication (MFA) to reduce account compromise. | |
Log in via your account or official website. Accessing sites this way, rather than through embedded links or pop-up ads, is one way to ensure legitimacy. | |
Use a password manager. This tool will automatically enter a saved password into a valid site, but will not recognize a spoofed site. |
Enterprise Users
- Train all employees on cybersecurity best practices. Employees should follow good hygiene practices on all their devices. This includes using strong password protection, connecting only to secure Wi-Fi and being on constant lookout for phishing.
- Keep the operating system and other software patched and up to date. This will minimize exposure to known vulnerabilities.
- Use software to detect and prevent unknown threats. The CrowdStrike Falcon® platform provides next-gen antivirus (NGAV) to protect against known and unknown malware using AI-powered machine learning. Falcon looks for indicators of attack (IOAs) to stop ransomware before it can execute and inflict damage.
- Continuously monitor the environment for malicious activity and IOAs. CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) continuously monitors endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods alone. Insight also provides visibility for proactive, advanced threat hunting capabilities.
- Integrate threat intelligence into the security strategy. Monitor systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. CROWDSTRIKE FALCON® INTELLIGENCE automates threat analysis and incident investigation to examine all threats and proactively deploy countermeasures within minutes.