The weakest link in the security chain is not our processes or our technology: it is us.
Social engineering finds hackers exploiting our emotional vulnerabilities through time-sensitive opportunities and urgent requests, leveraging human psychology to gain access to secure systems. As technologies evolve, so too do the methods used by cybercriminals to steal money, damage data and harm reputations.
The Current Social Engineering Threat Landscape
The most dominant form of social engineering attacks are phishing attacks. Phishing is a form of fraud where an attacker pretends to be a person or company known to the target, and sends them a message asking for access to a secure system in the hope of exploiting that access for financial gain.
The most famous example of this type of attack is the “419” scam, also known as the “Nigerian Prince” scam, which purports to be a message from a — you guessed it — Nigerian prince, requesting your help to get a large sum of money out of their country. It’s one of the oldest scams around, dating back to the 1800s, when it was known as “The Spanish Prisoner.”
While the modern version — the “419” scam — first hit email accounts in the 1990s, the world of phishing has expanded over the decades to include the following methods:
1. Spam Phishing
Also known as mass phishing, spear phishing is a generalized attack aimed at multiple users. This “spray-and-pray" type of attack leans on quantity over quality, as it only needs to trick a fraction of users who receive the message.
2. Spear Phishing
Spear phishing messages are targeted, personalized attacks aimed at a specific individual. These attacks are typically designed to appear to come from someone the user already trusts, with the goal of tricking the target into clicking a malicious link in the message.
Once that happens, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences. Learn more about spear phishing.
Whaling is a form of spear phishing aimed at high-profile, high-value targets like celebrities, public or private companies’ executives and board members, and government officials.
4. Vishing (Voice Phishing)
Also known as Voice Phishing, vishing employs the telephone or VoIP (voice over internet protocol) technology. This type of attack is most commonly used against the elderly. Attackers may, for instance, claim to be a family member who needs an immediate money transfer to get themselves out of trouble. They might also pose as a charity, especially after a natural disaster, to solicit money.
5. SMShing (SMS Phishing)
Also known as SMS Phishing, SMShing is a type of text message fraud attempting to lure victims into revealing account information or installing malware.
6. Angler Phishing
Angler Phishing is actually instigated by the target. The attack begins with a customer complaining on social media about the services of a company or financial institution. Cyber criminals troll accounts of major companies, seeking these type of messages. Once they find one, they send that customer a phishing message using bogus corporate social media accounts.
7. URL phishing
URL phishing involves cybercriminals creating counterfeit websites to trick users into revealing sensitive information. Often these fake websites look strikingly similar to the real ones. Checking for telltale signs like incorrect domain names or unnecessary redirects or subdomains can help protect against attack.
8. In-Session Phishing
This social engineering attack exploits a valid session of a trusted site by launching a pop-up window mid-session, asking the user to re-enter sensitive information. This pop-up window, which the user now believes to be part of the valid session on the trusted site, is then used to steal user data.
9. Quid Pro Quo Phishing
These attacks leverage the “give something, get something in return” idea behind many online contests and giveaways. Attackers exploit the natural psychological excitement that comes from potentially getting something of value. However, once you’ve entered the information required to win, the attacker simply takes your data without offering you a reward.
10. Zelle Phishing
Zelle phishing leverages the instant, person-to-person payment system used by many major banks and millions of their customers to simplify money transfers. These kind of transfer app scams can cost you thousands of dollars and attackers only need your phone number to attempt the phishing. If you ever receive an SMS text, reporting to be from your bank, asking if you initiated a Zelle transfer, do not respond to the message. Delete it.
Ad-based Social Engineering Attack Types
Baiting is a type of social engineering attack that uses a false promise (an online ad for a free game, deeply discounted software, etc.) to trick the victim into revealing sensitive personal and financial information, or infect their system with malware or ransomware. Recently, the FBI issued a warning against using thumb drives you receive in the mail from trusted organizations like Amazon and the US Department of Health and Human Services.
Scareware attacks use pop-up ads to frighten a user into thinking their system is infected with a computer virus, and that they need to purchase the offered anti-virus software to protect themselves. Instead, the software itself is malicious, infecting the user’s system with the very viruses they were trying to prevent.
Physical Social Engineering Attack Types
Tailgating is an attempt to gain unauthorized physical access to secure spaces on company premises through coercion or deception. Organizations should be particularly sensitive to the possibility of recently terminated employees returning to the office using a key card that is still active, for example.
14. Shoulder Surfing
Shoulder surging and eavesdropping involves the surveillance of sensitive data in public spaces like airports or coffee shops, or even an unlocked, unattended laptop in the office.
DNS (Domain Name Server) Social Engineering Attack Types
15. DNS Spoofing
DNS spoofing raises the level of social engineering attack sophistication. Attackers learn the sites you are visiting and, using that information, inject fake DNS entries into the DNS system—the cache of IP addresses and domain names of worldwide websites—allowing them to redirect you from the sites you visit often onto spoofed versions of those sites, where you reveal sensitive information, believing the site to be trustworthy. How do they do this? Through DNS cache poisoning.
16. DNS Cache Poisoning
DNS cache poisoning is how hackers achieve DNS Spoofing, by replacing DNS data with a redirect to an unsafe website. DNS cache poisoning attacks are sneaky and difficult to catch for the average user.