August 11, 2020
5 Types of Social Engineering Attacks
Social engineering scams have been going on for years, and yet we continue to fall for them every single day. This is largely due to the lack of cybersecurity training available to the employees of organisations big and small. In an effort to spread awareness of this tactic and fight back, here is a quick overview of common social engineering scams.
Managed service providers (MSPs) have an opportunity to educate their small and medium business clients to learn to identify these attacks, making avoiding threats like ransomware much easier.
Social Engineering Definition
Social engineering is a type of crime that manipulates people into giving up their confidential information to bad actors. Masters of social engineering work to acquire sensitive information through means of trust, as opposed to hacking someone’s account. The theory behind social engineering is that humans have a natural tendency to trust others, which makes it easier to trick someone into divulging personal information than it is to hack an account.
How are social engineering attacks designed?
To build trust, and then exploit it, social engineers follow a lifecycle to victimise their targets:
- Investigating: The attacker identifies victims and determines the best method of attack.
- Hooking: The attacker starts to engage with the victim and begins to build trust through messaging.
- Attacking: The attacker deploys the chosen method of attack and begins to collect the targeted data.
- Exiting: Once the attacker has what they want, they remove traces of malware and cover their tracks so they can move on to the next victim.
Because a social engineer’s strategy is built on trust, victims often don’t recognise they’ve been attacked until it’s too late.
Common types of social engineering attacks
Phishing
Phishing is a leading form of social engineering attack that is typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real system, person, or organisation. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data. A phishing message might appear to come from a bank, the government or a major corporation.
The calls to action vary. Some ask the end user to “verify” the login information of an account and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account to which the winnings can be delivered. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy. A successful attack often culminates in access to systems and lost data. Organisations of all sizes should consider backing up business-critical data with a business continuity and disaster recovery solution to recover from such situations.
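The phishing traits described above (urgency or fear, a request to “verify” login details, and a message that impersonates a real organisation) can be turned into simple mail-filter indicators. The following is an added example, not code from the original post: it scores a constructed sample message against those traits, assuming a hypothetical brand-to-domain allow-list that an organisation would maintain itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the demonstration (not from the page).
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
To: employee@example.org
Subject: Urgent: verify your account within 24 hours

Your account has been suspended. Please verify your login information immediately:
<a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a>
"""

# Hypothetical allow-list: brand name as it appears in a display name -> real domain.
TRUSTED = {"example bank": "example-bank.com"}

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(verify|confirm|update)\b.{0,40}\b(login|password|account)\b", re.I | re.S)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def host_of(url):
    """Lower-cased host part of a URL, or '' if the text is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(raw_message, trusted=TRUSTED):
    """Return the list of indicator names found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    hits = []
    if URGENCY.search(subject + " " + body):          # fear / time pressure
        hits.append("urgency_language")
    if CREDENTIAL_ASK.search(body):                   # "verify your login ..."
        hits.append("credential_request")
    for brand, domain in trusted.items():             # brand name, wrong domain
        if brand in display_name.lower() and not sender_domain.endswith(domain):
            hits.append("impersonated_sender")
    for href, text in LINK.findall(body):             # visible URL != real target
        if host_of(text) and host_of(text) != host_of(href):
            hits.append("link_text_mismatch")
    return hits
```

A mail gateway would treat two or more hits as grounds to quarantine the message or flag it to the user rather than deliver it silently.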
Baiting
Baiting, similar to phishing, involves offering something enticing to an end user in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labelled “Executive Salary Summary Q3” that is left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user’s system and the hacker is able to get to work.
Quid Pro Quo
Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker, posing as a researcher, who asks for access to the company’s network as part of an experiment in exchange for $100. If an offer sounds too good to be true, it is probably quid pro quo.
Piggybacking
Piggybacking, also called tailgating, is when an unauthorised person physically follows an authorised person into a restricted corporate area or system. One tried-and-true method of piggybacking is for the hacker to call out to an employee to hold a door open because they have “forgotten” their ID card. Another method involves asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software.
Pretexting
Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to the end user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT support, or a chat message from an investigator who claims to be performing a corporate audit. Pretexting is highly effective because it lowers the user’s guard against phishing by creating the expectation that the request is legitimate and safe to interact with. Pretexting emails are particularly successful in gaining access to passwords and business data because impersonators can seem legitimate, so it is important to have a third-party backup provider.
Best practices to protect yourself from a social engineering attack
Social engineering attacks are both sneaky and prevalent. That makes it critical for everyone to stay aware of the threat.
A few best practices you can follow to ensure you’re protecting yourself from social engineering attacks include:
- Never respond to a request for financial information or passwords. Legitimate organisations will never send a message asking for personal information.
- Adjust your spam filters. Every email program has spam filters; make sure yours are set high enough to block out potential threats.
- Secure your computing devices and accessories. This means protecting your digital space with anti-virus software, firewalls, and email filters. It also means securing flash drives, external hard drives, and other pieces of equipment that could be compromised.
Awareness among all employees of the various forms of social engineering is essential to corporate cybersecurity. If users know the main characteristics of these attacks, they are much more likely to avoid falling for them.
Aside from education and awareness, there are other ways to reduce the risk of being hacked. Employees should be instructed not to open emails or click links from unknown sources. Computers should never be shared with anyone, even for a moment.
By default, all company desktops, laptops, and mobile devices should automatically lock after at most five minutes of idle time.
Ensure you have a reliable backup and recovery solution
Lastly, ensure your business is prepared to quickly recover from this kind of attack in case an employee does fall victim to one of these schemes. Humans are humans after all. By leveraging a solid backup and recovery solution, everyone can rest easy.
Datto SIRIS is a reliable, all-in-one business continuity and disaster recovery (BCDR) solution built for MSPs to prevent data loss and minimise downtime for clients.