Social engineering is a common technique that cybercriminals use to lure their victims into a false sense of security. Usually, social engineering involves impersonation, deception, and psychological manipulation that ultimately creates an environment where a victim feels either comfortable or pressured to share sensitive information or perform a specific action. As social engineering tactics become more advanced, it’s important to know how to identify them in the context of cybersecurity.
Social engineering in cybersecurity attacks
Social engineering can manifest itself across a wide range of cybersecurity attacks:
Phishing is a broad category of social engineering attacks that specifically target most businesses’ primary mode of communication: email. These types of attacks usually involve spoofed emails that attempt to impersonate a legitimate sender and convince the recipient to divulge confidential information or click a link or attachment that’s laced with malware.
The social engineering tactics involved with phishing aren’t very sophisticated, but they are effective. Most phishing attacks use only the name and sometimes the contact information of a trusted source. When combined with a feigned sense of urgency and fear, these details are often enough to convince the targeted victim to take the desired action.
Smishing attacks are similar to phishing except they target victims via SMS rather than email. Smished messages usually contain links that launch a malicious site or download when tapped. Because it’s difficult to preview links that are in a text message, the hyperlinked text may be disguised as an email address, phone number, or other unassuming content a user might tap without hesitation. Smishing attackers typically use social engineering to deceive their victims by impersonating a mobile service provider or other “official” source.
Vishing attacks are also similar to phishing and smishing, but these attacks target VoIP and telecommunications services rather than text-based mediums. Voice-based social engineering doesn’t usually attempt to impersonate someone the victim knows personally; instead, attackers try to convince their victims that they are calling from a larger, better known entity like the IRS or a debt collector. Then, the attacker asks the target to provide sensitive information, like their date of birth, Social Security number, or credit card information. In more aggressive cases, the attacker may try to convince the victim to send money via wire transfer.
Whaling attacks are among the most successful cybersecurity attacks because they target a narrow pool of C-level executives. Instead of casting a wide net, whaling attackers identify the top staffers at an organization and collect as much information as they can about them. This may include a victim’s professional history and current job information as well as details about their personal life. Then, the attackers try to convince their targets to reveal information about themselves or their business so they might be able to gain access to broader business systems.
Pharming attacks involve creating a redirect from a legitimate website to a malicious one. Usually this is accomplished either by deploying malware that changes the target computer’s host files, or by using a technique known as DNS cache poisoning. In the latter approach, attackers target the website hosting server and change the DNS table so that users are redirected to a fake website.
Pharming attackers use social engineering to make the fake website mimic the legitimate website as closely as possible so the visitor doesn’t realize they’re not in the right place. The longer a user is on the malicious website, the longer the attacker has to collect data or launch malicious software.
Baiting attacks use physical input and output devices to compromise the victim’s security measures. For example, a baiting attack might involve a USB storage device that’s left on the ground or sent in the mail under the pretense of a giveaway. When the target connects the device to a computer to discover what’s on it, the device automatically launches a computer virus or other type of malware. A baiting scheme might use social engineering to attract victims by advertising something that’s free, or they might simply appeal to a target’s instinctual curiosity.
Unlike other attacks on this list, pretexting attacks require the attacker to gain a victim’s trust with an elaborate backstory. Technology is usually a catalyst for these attacks; for example, attackers might use social media bots to establish a convincing internet presence that supports the story they’re trying to tell. Pretexting attacks are usually played out over a period of time and typically use intricate social engineering strategies to convince the victim to send money or information.
Scareware attacks use fear tactics to manipulate the target into believing their device or software is at risk. This is an emotion-based form of social engineering, as the attacker preys on the victim’s lack of confidence in their IT infrastructure. Scareware attacks may come in the form of a pop up that urges the victim to download a critical software “update” or an alert that their device may be compromised. Any action that the user takes in response usually results in a malware launch or a similar kind of attack.
Deepfake attacks represent a sophisticated emerging trend in social engineering. Deepfakes leverage artificial intelligence and deep learning to make photos, videos, and voice recordings of the attacker impersonating someone important look and sound more convincing. In fact, well executed deepfakes are nearly impossible to correctly identify. Deepfakes are often used in conjunction with other social engineering strategies to deceive victims more effectively. This might look like fraudulent advertising, video calling, or more advanced attack mediums.
See our picks for the Top Secure Email Gateway Solutions
How to prevent social engineering attacks
There are many technologies that can help protect you and your business from social engineering attacks. If an employee mistakenly clicks a malicious link or downloads something they shouldn’t have, you should have measures in place to prevent an attacker from reaching your business-critical systems. These security tools include the DMARC protocol, zero-trust products, and next-generation firewalls.
However, the most effective way to prevent these kinds of attacks is to train your employees to spot social engineering tactics. Share examples of an attacker’s attempt to manipulate a target’s reaction to fear, greed, or altruism and highlight the indicators that it’s something more nefarious. Teach them how to be proactive about detecting an attack by hovering over links to verify the domain or scrutinizing a sender’s information before engaging with an email. Then, test their reactions to simulated attacks so you can address any vulnerabilities before a real attack happens.
Read next: How to Prevent Different Types of Malware