5 Types of Social Engineering Attacks and how to combat them

“Social Engineering” is when attackers use techniques like phone calls, email and more to exploit human psychology and trick people into handing over sensitive information. The term encompasses a broad spectrum of malicious activities. Here are five of the most common attacks to be aware of.

Phishing

Phishing is the most common type of social engineering attack. Most phishing attacks aim to accomplish the following:

  • Obtain personal information such as names, addresses and social security numbers

  • Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages

  • Leverage fear and a sense of urgency to trick victims into responding fast

There are many different types of phishing attacks, and cybercriminals spend varying amounts of time crafting them. This is why phishing emails often contain spelling or grammatical errors, a tell that the email is not legitimate.

Pretexting

Pretexting is a form of social engineering in which a cybercriminal creates a fabricated scenario that they can use to steal someone’s information. In this type of attack, criminals usually try to impersonate a trusted entity/individual and ask for certain details from a victim to “confirm their identity.” If the victim complies, the attackers commit identity theft or use their data to conduct other malicious activity.

A more advanced example of pretexting involves tricking victims into doing something that circumvents an organization’s security policy. For example, an attacker might say they’re an external IT service auditor so that the organization’s physical security team will let them into the building.

Whereas phishing uses fear and urgency to take advantage of its victims, pretexting relies more on a false sense of trust, which requires a credible story that leaves little doubt.

Baiting

Baiting is very similar to phishing. The difference is that baiting uses the promise of an item or good to entice victims. A baiting attempt might offer free music or movie downloads to trick victims into giving up their user credentials. Another technique is to exploit human curiosity via the use of physical media.

Quid Pro Quo

Similar to baiting, Quid Pro Quo attacks promise something in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.

One of the most common types of quid pro quo attacks is when attackers impersonate the U.S. Social Security Administration (SSA). In this attack, fake SSA personnel contact victims and ask them to confirm their Social Security Number, allowing the attackers to steal the victims’ identities.

It is important to note that these attacks have become less and less sophisticated. Documented Quid Pro Quo attacks have shown that information was given up by victims for something as small as a candy bar.

Tailgating

In a tailgating attack, someone without proper authentication follows an authenticated employee into a restricted area. The attacker might be impersonating a delivery driver or something similar.

Tailgating does not work in situations where physical security systems are in place, such as a key card system. However, in organizations where these measures are not in place, an imposter who casually strikes up a conversation with an employee might be able to use this to their advantage to gain access to a building they would normally not have access to.

Ways to Combat Social Engineering

As you can see, social engineering involves preying on human psychology and curiosity to compromise victims’ information. It is important for organizations to prepare their employees to spot these types of attacks and be prepared to fight against them. They can do so by following this advice:

  • Do not open emails from untrusted sources

  • Do not give offers from strangers the benefit of the doubt

  • Lock your laptop when you are not using it

  • Purchase anti-virus software

  • Read your company’s privacy policy

 

Story via Tripwire  
