Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker uses a form of pretexting such as impersonation to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
Types of Social Engineering Attacks
Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are common forms of digital social engineering attacks.
Phishing: The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone. Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message. The message will prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware
Baiting: A type of social engineering attack where a scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or inflict the system with malware. The trap could be in the form of a malicious attachment with an enticing name.
The most common form of baiting uses physical media to disperse malware. For example, attackers leave the bait of a malware-infected flash drives in conspicuous areas where potential victims are certain to see them. When the victim inserts the flash drive into a work or home computer, the malware is automatically installed on the system. Baiting scams are also online in the form of tempting ads that lead to malicious sites or encourage users to download a malware-infected application.
Tailgating: Also known as "piggybacking". A physical breach where an unauthorized person manipulates their way into a restricted or employee only authorized area through the use of social engineering tactics. The attacker might impersonate a delivery driver, or custodian worker. Once the employee opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.
Scareware: Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that grants remote access for the criminal or to pay the criminal in a form of bitcoin in order to preserve sensitive video that the criminal claims to have.
Dumpster Diving: A scammer will search for sensitive information e.g., bank statements, pre-approved credit cards, student loans, other account information, in the garbage when it hasn’t been properly sanitized or destroyed.
Quid Pro Quo: Quid pro quo involves a criminal requesting the exchange of some type of sensitive information such as critical data, login credentials, or monetary value in exchange for a service. For example, a computer user might receive a phone call from the criminal who, posed as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. If an offer sounds too good to be true, it most likely a scam and not legitimate.
Social Engineering Prevention
- Don't open email attachments from suspicious sources. Even if you do know the sender and the message seems suspicious, it's best to contact that person directly to confirm the authenticity of the message.
- Use Multi-Factor Authentication (MFA). One of the most valuable pieces of information attackers seeks are user credentials. Using MFA helps to ensure your account's protection in the event of an account compromise. Follow Computing Services instructions for downloading DUO two-factor authentication to add another layer of protection for your Andrew account.
- Be wary of tempting offers. If an offer seems to good to be true, it's probably because it is. Use a search engine to look up the topic can help you quickly determine whether you're dealing with a legitimate offer or a trap.
- Clean up your social media. Social engineers scour the Internet searching for any kind of information they can find on a person. The more information you have posted about yourself, the more likely it is that a criminal can send you a targeted spear phishing attack.
- Install and update antivirus and other software. Make sure automatic updates are turned on. Periodically check to make sure that the updates have been applied and scan your system daily for possible infections. Visit Secure Your Computer on the Computing Services website for more instructions on using and updating antivirus software.
- Back up your data regularly. If you were to fall victim to a social engineering attack in which your entire hard drive was corrupted, it is essential that you have a backup on an external hard drive or saved in the cloud.
- Avoid plugging an unknown USB into your computer. When a USB drive is found unattended, please give it to a cluster consultant, the Computer Services Help Center, a residence assistant (RA), or to Carnegie Mellon campus police.
- You should also Disable Autorun on your machine. Autorun is a feature that allows Windows to automatically run the startup program when a CD, DVD, or USB device is inserted into a drive.
- Destroy sensitive documents regularly. All sensitive documents such as bank statements, student loan information, and other account information should be physically destroyed in a cross-shredder or placed in one of the blue or gray locked receptacles which are incinerated.
Originally published by New Context.
One of the biggest weaknesses in any organization’s cybersecurity strategy is human error. Social engineering attacks take advantage of this vulnerability by conning unsuspecting people into compromising security and giving out sensitive information. Social engineers use various psychological hacks to trick you into trusting them or create a false sense of urgency and anxiety to lower your natural defenses. Attackers can then breach your physical or technological security to steal money or confidential information.
The only way to prevent being targeted by social engineering is to study the methods, psychological triggers, and technological tools these attackers use. Scammers use many different types of social engineering attacks, but some common giveaways can help you spot and avoid them.
10 Types of Social Engineering Attacks
To prevent a social engineering attack, you need to understand what they look like and how you might be targeted. These are the 10 most common types of social engineering attacks to be aware of.
1. Phishing
Phishing is the most common type of social engineering attack, typically using spoofed email addresses and links to trick people into providing login credentials, credit card numbers, or other personal information. Variations of phishing attacks include:
- Angler phishing – using spoofed customer service accounts on social media
- Spear phishing – phishing attacks that target specific organizations or individuals
2. Whaling
Whaling is another common variation of phishing that specifically targets top-level business executives and the heads of government agencies. Whaling attacks usually spoof the email addresses of other high-ranking people in the company or agency and contain urgent messaging about a fake emergency or time-sensitive opportunity. Successful whaling attacks can expose a lot of confidential, sensitive information due to the high-level network access these executives and directors have.
3. Diversion Theft
In an old-school diversion theft scheme, the thief persuades a delivery driver or courier to travel to the wrong location or hand off a parcel to someone other than the intended recipient. In an online diversion theft scheme, a thief steals sensitive data by tricking the victim into sending it to or sharing it with the wrong person. The thief often accomplishes this by spoofing the email address of someone in the victim’s company—an auditing firm or a financial institution, for example.
4. Baiting
Baiting is a type of social engineering attack that lures victims into providing sensitive information or credentials by promising something of value for free. For example, the victim receives an email that promises a free gift card if they click a link to take a survey. The link might redirect them to a spoofed Office 365 login page that captures their email address and password and sends them to a malicious actor.
5. Honey Trap
In a honey trap attack, the perpetrator pretends to be romantically or sexually interested in the victim and lures them into an online relationship. The attacker then persuades the victim to reveal confidential information or pay them large sums of money.
6. Pretexting
Pretexting is a fairly sophisticated type of social engineering attack in which a scammer creates a pretext or fabricated scenario—pretending to be an IRS auditor, for example—to con someone into providing sensitive personal or financial information, such as their social security number. In this type of attack, someone can also physically acquire access to your data by pretending to be a vendor, delivery driver, or contractor to gain your staff’s trust.
7. SMS Phishing
SMS phishing is becoming a much larger problem as more organizations embrace texting as a primary method of communication. In one method of SMS phishing, scammers send text messages that spoof multi-factor authentication requests and redirect victims to malicious web pages that collect their credentials or install malware on their phones.
8. Scareware
Scareware is a form of social engineering in which a scammer inserts malicious code into a webpage that causes pop-up windows with flashing colors and alarming sounds to appear. These pop-up windows will falsely alert you to a virus that’s been installed on your system. You’ll be told to purchase and download their security software, and the scammers will either steal your credit card information, install real viruses on your system, or (most likely) both.
9. Tailgating/Piggybacking
Tailgating, also known as piggybacking, is a social engineering tactic in which an attacker physically follows someone into a secure or restricted area. Sometimes the scammer will pretend they forgot their access card, or they’ll engage someone in an animated conversation on their way into the area so their lack of authorized identification goes unnoticed.
10. Watering Hole
In a watering hole attack, a hacker infects a legitimate website that their targets are known to visit. Then, when their chosen victims log into the site, the hacker either captures their credentials and uses them to breach the target’s network, or they install a backdoor trojan to access the network.
How to Prevent a Social Engineering Attack
Social engineering represents a critical threat to your organization’s security, so you must prioritize the prevention and mitigation of these attacks as a core part of your cybersecurity strategy. Preventing a social engineering attack requires a holistic approach to security that combines technological security tools with comprehensive training for staff and executives.
Your first line of defense against a social engineering attack is training. Everyone in your organization should know how to spot the most common social engineering tactics, and they should understand the psychological triggers that scammers use to take advantage of people. A comprehensive social engineering and security awareness training course should teach staff to:
- Determine whether an email has been spoofed by hovering over the sender’s name to make sure it matches the email address and checking the email address for spelling errors and other common giveaways.
- Be suspicious of any unsolicited communication, especially from someone they don’t know.
- Avoid downloading suspicious email attachments.
- Hover over links in emails to make sure the website URL is valid.
- Verify someone’s identity through an alternate contact method (e.g. in person or by calling them directly) before providing any sensitive information.
You also need to follow up your security awareness training with periodic tests to ensure your staff hasn’t become complacent. Many training programs allow for the administration of simulated phishing tests in which fake phishing emails are sent to staff members to gauge how many people fall for the social engineering tactics. Those staff members can then be retrained as needed.
Creating a positive security culture within your organization is critical for containing a social engineering attack that’s already happened. Your staff needs to feel comfortable self-reporting if they believe they’ve fallen victim to a social engineering attack, which they won’t do if they’re concerned about facing punishment or public humiliation. If these issues are reported as soon as they occur, the threat can be mitigated quickly before too much damage has occurred.
Finally, you need to implement technological security tools to prevent attacks on your organization and minimize the damage from any successful breaches. These tools should include firewalls, email spam filters, antivirus and anti-malware software, network monitoring tools, and patch management.