A social engineering attack is any attack in which deception, manipulation or coercion is used to elicit information or access from a person for the attacker's own purposes. Social engineering covers any technique used by a threat actor that targets people and process rather than technology. The most common form is the phishing email, which tricks victims into giving up personal information such as passwords and credit card details. Phishing often masquerades as an official corporate email from an organisation's CEO or another trusted person within the company.
To prevent these kinds of attacks, companies must implement strict policies on what employees can and cannot do when sharing information with external parties.
Most Common Types of Social Engineering Attacks
1. Phishing
Phishing is a form of social engineering attack in which the attacker sends an email crafted to make the victim believe it comes from a legitimate source. There are many variants, such as spear phishing, a targeted form in which the attacker sends a specific victim an email containing a link to a malicious site designed to steal user credentials.
Vishing is the voice equivalent: the attacker telephones the target while pretending to be someone else to trick them into giving up personal data or money. In smishing, the attacker instead sends an SMS message containing a link to a malicious website designed to steal personal information.
2. Business Email Compromise
Business email compromise (BEC) is a form of social engineering attack in which emails are sent to a company's employees and executives, usually with the intention of obtaining confidential information.
The first step in BEC is for the attacker to find out which email accounts the company uses. For example, they might use Google search queries or LinkedIn searches to find out who works at the company and from where.
Once they have identified their target, they send an email to one or more employees with an attachment that appears harmless but contains malicious software. The attachment could be anything from a virus in an Excel spreadsheet to malware hidden in an image file.
The malware then gives the attacker access to the user's computer and collects information such as passwords.
3. Baiting
Baiting takes advantage of the human factor: the attacker offers something that seems valuable and appealing to the victim and then waits for them to take action.
The main goal of a baiting attack is to gain access to a system or network without being detected by security measures.
4. Quid Pro Quo
Quid pro quo is a social engineering attack that involves a person who is in a position of power or trust asking for something in return for their help. The attacker may ask for money, information, or other valuable resources.
This attack is typically carried out by targeting individuals in the workplace and using the power of persuasion to get them to give up their credentials.
5. Tailgating
This is one of many forms of physical social engineering. Physical social engineering often has the objective of introducing something malicious into a building, such as malware, or removing something valuable, such as sensitive paperwork. Tailgating is the act of waiting for an authorised person to access a restricted area and following them through closely before the restriction – e.g. a door – re-engages.
What can be done to protect against social engineering attacks?
Social engineering attacks have been around for a long time and are used in many different scenarios, and they are likely to become more sophisticated with advances in AI. This will make it harder for organisations to identify and defend against them. As such, organisations need to take precautionary measures now to prevent these attacks from occurring. LRQA's social engineering penetration testing can help businesses protect themselves from all of the methods discussed. Contact us today for more information.