7 Common Social Engineering Attacks – What you should know
- Posted by: Hiperdistuae.com
- Category: Security
What is social engineering?
The COVID-19 pandemic in 2020 brought a sharp increase in cyber threats, with social engineering among the top causes of data breaches that year. So what exactly is social engineering?
Social engineering can be defined as the use of deception to manipulate individuals into providing confidential or personal information that can be used for fraudulent purposes. There are many different types of attacks:
1. Phishing –
Phishing is a type of cybercrime in which the attacker impersonates a legitimate organization to obtain credentials, financial information and personal data via email, phone call or text message.
It is one of the most common types of cyber-attack. Typically, the attacker clones a well-known website, sends targets a link to the clone, and harvests whatever they type into the fake login or payment form. The link text or a lookalike domain name is used to make the link appear to point at the genuine site. Phishing can be subdivided into the following types:
- Spear Phishing – These phishing attacks are tailored to a specific individual. Scammers leverage information gathered from public sources (social media profiles, company websites, etc.) to craft a message that looks as if it came from someone the target knows or expects to hear from.
- Whaling – Whaling is a phishing attack directed at high-level executives, to gain access to their privileged accounts. If the attackers succeed, a whaling attack can severely compromise the targeted organization, since such accounts can approve payments or access sensitive data.
- Vishing – While phishing attackers usually prefer email, some attacks are delivered by phone, often over VoIP (Voice over IP), which makes the caller ID easy to spoof. This subset of phishing is ‘vishing’. Typically, the attackers recreate a company’s IVR (phone menu), attach it to a toll-free number, and ask callers to enter their account details.
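As an added example (not code from the original post), the following Python checks whether a link in an email really goes where its visible text or its domain name claims, and flags the tricks described above: a typosquatted lookalike domain, a trusted brand buried in a subdomain of an attacker-controlled domain, the `user@host` trick, and punycode hosts. The trusted-domain list, the sample links and the deliberately naive two-label domain split in `registrable_domain()` are assumptions made for illustration.

```python
"""Flag e-mail links whose destination does not match the brand they claim.

Added example for this article, not code from the original post. The
trusted-domain list and the sample links below are constructed for
illustration; registrable_domain() is a deliberately naive two-label
split (it would mis-handle public suffixes such as co.uk).
"""
from urllib.parse import urlsplit

# Constructed allowlist: brands the organisation actually deals with.
TRUSTED_DOMAINS = ("example-bank.com", "paypal.com", "microsoft.com")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. login.paypal.com -> paypal.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch typosquats like paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(display_text: str, href: str) -> list[str]:
    """Return findings for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["href has no host"]
    # http://paypal.com@198.51.100.7/ : everything before '@' is userinfo,
    # the browser actually connects to 198.51.100.7.
    if "@" in parts.netloc:
        findings.append(f"userinfo trick: real host is {host}")
    # Punycode labels (xn--) can render as homoglyphs of a trusted brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"IDN/punycode host {host}")
    reg = registrable_domain(host)
    # If the visible link text itself names a domain, it must match the real one.
    if "://" in display_text or ("." in display_text and " " not in display_text):
        claimed = urlsplit(display_text if "://" in display_text else "//" + display_text).hostname
        if claimed and registrable_domain(claimed) != reg:
            findings.append(f"text claims {claimed} but href goes to {host}")
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # paypa1.com (one edit away from the brand), or
            # paypal.com.verify-login.net (brand buried in an untrusted domain)
            if 0 < edit_distance(reg.split(".")[0], brand) <= 2 or brand in host:
                findings.append(f"{host} imitates trusted domain {trusted}")
                break
    if parts.scheme == "http":
        findings.append("unencrypted http link")
    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing e-mail.
    SAMPLES = [
        ("https://paypal.com/login", "https://www.paypal.com/login"),
        ("https://paypal.com/login", "https://paypa1.com/login"),
        ("Verify your account", "https://paypal.com.verify-login.net/"),
        ("Click here", "http://paypal.com@198.51.100.7/"),
    ]
    for text, href in SAMPLES:
        print(f"{text!r} -> {href}: {analyse_link(text, href) or 'OK'}")
```

The checks are heuristics: a mail gateway or browser extension would add a real public-suffix list and a larger brand list, but the structure (resolve the real host first, then compare it with what the user is shown) is the same.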
2. Tailgating –
Tailgating is a physical social engineering attack in which the intruder enters a building or other restricted area without authorization by following an authorized person through an access-controlled door, often while that person politely holds it open.
In this scenario the attacker ‘piggybacks’ on the authorized employee’s badge access, bypassing the physical access controls of the location without ever presenting credentials of their own.
3. Dumpster Diving –
Dumpster diving is the act of searching through an organization’s or individual’s discarded material (trash, recycling, surplus equipment) to recover sensitive documents, storage media or any other information that can be used to the attacker’s advantage, for instance to make a later pretexting call more convincing.
4. Pretexting –
Pretexting is a form of social engineering in which the attacker invents a plausible scenario (the pretext) to extract personal information. For example, the attacker may impersonate a bank official and ask you for account details that they claim are needed to confirm your identity.
The data is then used to commit identity fraud. Where phishing typically relies on fear and urgency, pretexting builds trust with the victim over the course of a conversation. In many cases the individual never realizes that a security breach has occurred.
5. Baiting –
In this scenario, attackers entice people with the promise of something free. Baiting may offer free music or movie downloads, for example, to trick people into entering their credentials on a fake site. Attackers may also leave malware-infected USB drives in public places or car parks, counting on curious people to pick them up and plug them into a work computer.
6. Shoulder Surfing –
Shoulder surfing is a passive social engineering attack in which the attacker watches over someone’s shoulder to read what is on their screen or keypad. It is most common in crowded public places such as airports and ATM queues. Credit card numbers, ATM PINs and passwords can all be captured this way, resulting in security breaches.
7. Lunchtime Attack –
In a lunchtime attack, the perpetrator uses someone’s device while it has been left unattended and unlocked, for instance over lunch. It is usually carried out by an insider, since they already have physical access to the office.
How to Defend Against Social Engineering Attacks:
The best way to safeguard against such attacks is to educate your employees. Regular, comprehensive security awareness training and workshops teach users to recognize these approaches and not to share sensitive personal or corporate information. Some further measures that help:
- Protect accounts and devices: Add multiple layers of protection to your accounts and devices. In addition to antivirus software, firewalls and encryption, use multi-factor authentication (MFA) or two-factor authentication, so that a password obtained by phishing is not enough on its own to log in.
- Zero standing privileges: Standing privileged access carries heavy risk: if an attacker compromises the account, they inherit its privileges. Gartner recommends adopting ‘zero standing privileges’ in your organization. Under this model a user is granted elevated access to a system, file or document only for the duration of a specific task, and the rights are removed as soon as the work is finished, leaving cybercriminals far less to take over when they do get into an account.
- Keep software up to date: Attackers often gain their foothold through old, unpatched software. Keeping your business current with the latest security patches reduces that risk.
- Create an escalation policy: What should your employees do if they are targeted by a phishing attempt? Define a reporting procedure (whom to contact, what not to click or reply to) and reiterate it often, so that employees know what to do during a security incident.
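The zero-standing-privileges item above describes a mechanism rather than a policy, so here is an added example of it in code (not the page’s or any vendor’s implementation): a small broker that grants elevated access only against a ticket, for a bounded time, and revokes it either when the task is released or when the time runs out. The user and resource names, ticket references, the one-hour cap and the fixed clock are assumptions for illustration; a real deployment would drive a PAM or IAM product’s API instead of an in-memory list.

```python
"""Task-scoped, time-boxed elevation: a toy zero-standing-privileges broker.

Added example for this article, not the page's or any vendor's code. The
users, resources, ticket numbers, the one-hour cap and the fixed clock T0
are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=1)  # assumed policy: no elevation lasts longer than this
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Grant:
    user: str
    resource: str
    ticket: str            # change/incident reference justifying the access
    expires_at: datetime
    revoked: bool = False


class PrivilegeBroker:
    """No account holds rights at rest; access exists only as live grants."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[str] = []

    def request(self, user: str, resource: str, ticket: str,
                ttl: timedelta, now: datetime) -> Grant:
        """Grant access for ttl (capped at MAX_TTL); every grant needs a ticket."""
        if not ticket:
            raise ValueError("elevation requires a ticket reference")
        ttl = min(ttl, MAX_TTL)
        grant = Grant(user, resource, ticket, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {resource} "
                          f"{ticket} until {grant.expires_at.isoformat()}")
        return grant

    def release(self, grant: Grant, now: datetime) -> None:
        """Called when the task is done: the rights go away immediately."""
        grant.revoked = True
        self.audit.append(f"{now.isoformat()} RELEASE {grant.user} {grant.resource}")

    def is_allowed(self, user: str, resource: str, now: datetime) -> bool:
        """Only a live, unexpired grant authorises access; nothing is standing."""
        return any(g.user == user and g.resource == resource
                   and not g.revoked and now < g.expires_at
                   for g in self.grants)

    def sweep(self, now: datetime) -> int:
        """Revoke grants whose time ran out; returns how many were cleaned up."""
        stale = [g for g in self.grants if not g.revoked and now >= g.expires_at]
        for g in stale:
            g.revoked = True
            self.audit.append(f"{now.isoformat()} EXPIRE {g.user} {g.resource}")
        return len(stale)


def run_scenario() -> dict:
    """Walk two tasks through the broker and return the access decisions made."""
    broker = PrivilegeBroker()
    grant = broker.request("alice", "prod-db", "INC-4021", timedelta(minutes=30), T0)
    results = {
        "allowed_during_task": broker.is_allowed("alice", "prod-db", T0 + timedelta(minutes=10)),
        "other_user_allowed": broker.is_allowed("mallory", "prod-db", T0 + timedelta(minutes=10)),
    }
    broker.release(grant, T0 + timedelta(minutes=20))
    results["allowed_after_release"] = broker.is_allowed("alice", "prod-db", T0 + timedelta(minutes=21))
    # A second task whose owner forgets to release it: the expiry still ends it.
    broker.request("alice", "prod-db", "INC-4022", timedelta(minutes=30), T0 + timedelta(minutes=25))
    results["expired_count"] = broker.sweep(T0 + timedelta(hours=2))
    results["allowed_after_expiry"] = broker.is_allowed("alice", "prod-db", T0 + timedelta(hours=2))
    results["audit"] = list(broker.audit)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two properties worth carrying into a real system are that `is_allowed()` consults nothing but live grants, so a stolen password alone yields no privilege, and that expiry is enforced at check time, so a forgotten `release()` cannot leave access standing.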