Social engineering is an attack that uses human interaction to collect information about an organization or its computer systems. It takes advantage of our natural desire to help others and our tendency to act quickly when there is a sense of urgency. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. By asking questions, however, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker cannot gather enough information from one source, he or she may contact another source within the same organization and use the information from the first source to add credibility. Little by little, the cybercriminal collects more information, leading each employee to think the caller is “in the know” and can be trusted with more.
1. Baiting
Baiting is a type of social engineering that relies on the victim taking the bait and unknowingly helping to carry out the cyberattack. For example, a hacker could leave a USB drive containing malware in the parking lot of the organization they want information from, in the hope that someone heading into work will pick it up. If you find a USB drive in a parking lot, you will typically want to find its rightful owner, so you may walk into work and plug it into your computer to see what is on it and whether you can figure out who lost it. Sometimes someone really did lose their USB drive; other times you will not be so lucky, and you will have let malware into the organization. The cybercriminal takes advantage of ordinary human helpfulness to carry out the attack.
2. Phishing
Phishing is perhaps the best-known and most common form of social engineering. It is a way to collect information from an unwitting victim. The victim may receive an email that appears to come from a familiar source. It might look legitimate, but it is not: it could contain malicious links that take you to a fake website or install a virus.
I need you to purchase gift cards for me: See a real-life example of a phishing attempt that one of our customers sent to the ITS helpdesk.
Your iCloud has been used for a purchase: See a real-life example from a scammer with instructions to open a PDF.
Spear phishing is the more targeted version of phishing. The attacker chooses specific individuals or enterprises, and the messages are tailored to the victim’s characteristics, job position, and contacts to make the attack less conspicuous. Spear phishing requires much more effort from the perpetrator and may take weeks or months to pull off. These attacks are much harder to detect and, if done skillfully, have a better success rate (for the criminal).
Vishing is phishing by voice, and it usually takes place over the phone. In this method, the cybercriminal takes advantage of the human desire to help in order to “phish” information out of the victim. The criminal may invent a story that explains why they need the information.
SMiShing, or SMS phishing, is a form of social engineering that exploits SMS, or text messages. Text messages can contain links to web pages, email addresses, or phone numbers that, when tapped, may automatically open a browser window or email message or dial a number.
3. Email hacking and contact spamming
You may not think twice about clicking a link sent by a friend. Fraudsters can compromise an email account in order to impersonate its owner and use that trust to gain information from the owner’s contacts.
4. Pretexting
A ploy captures someone’s attention, and the fraudster then uses this hook to trick the potential victim into thinking they will receive something of value. For example, the fraudster may obtain banking information by telling the victim they are the beneficiary of a will.
5. Quid Pro Quo
“I give you this, you give me that.” In an attack of this sort, the fraudster may impersonate someone who should be trusted. The victim may give away sensitive information without realizing they did anything wrong.
Tips to avoid a social engineering attack:
- Consider the Source. If you find a USB on the ground, it could be loaded with malware. Similarly, an email could also contain malicious links. Consider where it came from before taking action.
- Slow Down. Fraudsters count on their victims moving quickly, so that there is no time to consider the possibility of a scammer being behind the email. There is almost always a sense of urgency instilled in an email from a fraudster.
- If it sounds too good to be true, it probably is. Don’t fall victim to the temptation!
- Install antivirus software or a security suite. Keep security software up to date. Also make sure your computer and devices are running the latest version of their operating systems.
- Generic greetings and signatures. Emails from legitimate sources are usually personally addressed, and contain contact information from the sender at the end of the email. If the email doesn’t contain either of these, take caution.
- Spoofed hyperlinks. Before you click a link in an email, hover over it to make sure it goes to the same address as the text shown in the email. If they do not match, the link may be spoofed. A malicious website can look surprisingly similar to the legitimate website it copies, but the URL will use a different spelling or variation.
- Look for poor spelling and layout. If you receive an email that contains many spelling and grammar errors, this could be a sign that it is phishing. Reputable companies have personnel dedicated to the task of producing, verifying, and proofreading customer correspondence.
- Be wary of attachments that come through emails from people you don’t know or aren’t expecting anything from. A common delivery method for malware is through email attachments.
- Never reveal sensitive financial information in an email, and never enter it on a site reached through a link sent in an email. Cybercriminals often imitate an email from a financial institution and include a threat that makes you want to act quickly. If you receive an email like this, confirm that the threat is legitimate by calling the number you have on file for the financial institution, not the one included in the email.
- Don’t send sensitive information over the internet until you have checked that the site is encrypted. You can check to make sure the site is encrypted by looking for a lock icon in the bottom right corner of the window.
ITS can help you administer phishing assessments that will aid in locating weak areas in your team’s cybersecurity. Following these assessments, you can offer training in the specific areas that were weak. Visit our Phishing Assessments page to learn more about this service.