7 Common Types of Social Engineering and How to Combat Them
With social engineering, hackers deceive your employees into giving up their credentials or other sensitive information, often through fake login pages. Experts say that social engineering accounts for an estimated 98% of cyberattacks today.
But what exactly do these attacks look like?
Let’s take a look at the most common types of social engineering and how to prevent them from wreaking havoc at your organization.
1) Spam Email
Yes, spam email is a form of social engineering – particularly if the emails use deception to convince the recipient to take action, whether it’s visiting a website, downloading a file or making a purchase. These messages are sent with the goal of deceiving employees at the organization.
- Spam emails often contain links to sites that will harm a user’s computer, and yet those links look perfectly harmless.
- Furthermore, spam email messages sometimes contain malware in the form of attachments. These attachments often look like legitimate documents, such as a receipt or invoice. In reality, the attachment is used to deliver malware to the user’s device or network.
2) Phishing
Phishing is a more precise category of social engineering that uses deception to gain login information. Phishing can rely on deceptive websites, email and other media – or a combination of all of them. Phishing tools are designed to convince the user that he or she must provide login credentials, including passwords. In reality, this information is entered onto a fake website, presenting hackers with the opportunity to capture the login credentials and use that individual’s login information to access valuable company data, cause harm to the organization or lay the groundwork for a more extensive cyberattack in the future.
- Phishing emails are often disguised as messages from a user’s bank or other familiar services, such as Google or Microsoft.
- Targeted phishing attacks are more likely to be disguised as specific systems used by an organization.
3) Vishing
A form of phishing, vishing relies on phone calls and voice messages to fool victims. This method attempts to convince the target that he or she should provide sensitive data over the phone, or directs the target to a website created with the sole purpose of deceiving them.
- In some scenarios, hackers have fooled victims at large companies by pretending to be IT personnel.
- Vishing was the type of social engineering attack that recently compromised the Twitter accounts of 45 high-profile figures.
4) Spear Phishing
Spear phishing is similar to conventional phishing with the difference that it is more targeted – like a fisherman who zeroes in on his target with a spear, rather than using bait on a line to catch whatever fish happens to swim by.
- Hackers zero in on specific targets by scraping information from the business’s website, directory, LinkedIn account or other social networks.
- This targeted approach empowers the hacker to personalize the deceptive action, greatly enhancing the chances of success.
5) Piggybacking
This form of social engineering, also referred to as tailgating, occurs in person. The culprit follows the targeted employee into a secure space, or deceives him or her into allowing entry into the secure space, where a device is used.
- While piggybacking is not the most common example of social engineering, it is particularly dangerous for companies that handle valuable/sensitive data that can cause considerable and costly problems when it ends up in the wrong hands.
- A successful piggybacking attack can be as simple as an employee politely holding open the office door for an unauthorized guest.
6) Quid Pro Quo
Similar to spear phishing, this social engineering method dangles the benefits of a no-cost service, such as a security audit of a company network. However, the freebie is only provided after something of value, such as login credentials, is served up to the malicious party. This seemingly mutually beneficial arrangement is actually a scam, in that it serves up the company’s valuable login credentials or other important information for the hacker to use for nefarious purposes.
7) Baiting
Baiting is another form of social engineering that tempts the targeted individual with a free item or service. Baiting provides something free, either in the form of a digital download or a physical item, after the target completes an action. Something as seemingly innocent and harmless as filling out a form can be an example of baiting.
- Even logging into a service can be a concealed form of baiting. For example, a user may be tempted by a free gift by logging into their email through a third-party service.
- Unfortunately, the freebie is often loaded with malware and/or the user’s login credentials are captured, setting the stage for data theft or additional cyberattacks.
Consider the Damage from a Successful Social Engineering Attack
Phishing scams and other social engineering attacks can cause considerable harm to businesses of all types and sizes.
As an example, consider a social engineering attack that successfully obtains an employee’s system login credentials. The unauthorized use of the employee’s login and password can spur a considerable security breach. When hackers are within the company system, they will be empowered to do anything the employee can do. For example, a hacker with network access could delete files, alter files, copy files to sell to others on the black market, export data and wreak additional havoc.
It is also possible the hacker will be able to access the company’s bank accounts and transfer money to their own accounts. In the case of ransomware, the hacker holds the network, computers or data hostage, requiring the target to pay a considerable ransom for control to be returned. This ransom is typically paid in Bitcoin, which often cannot be traced by government authorities or security professionals. The computers, network and/or information will remain locked until the ransom is paid in full (though even paying the ransom doesn’t guarantee you’ll get your files back).
What You Can Do to Prevent Social Engineering Attacks
Being proactive about the risk of social engineering can greatly reduce the chances of a successful attack.
Provide your employees with ongoing training to ensure they can pinpoint social engineering threats and sidestep the deception. More precisely, educate your teams on safe practices for web and email, so they know how to avoid being deceived altogether.
Retrain Employees and Provide Ongoing Reminders Regarding Social Engineering Attacks
Keep in mind, as with all forms of training, employee awareness of social engineering methods will diminish as time progresses – and these methods will continue to evolve in the future. It is up to employers and IT personnel to remind users of the dangers of these attacks and the common signs to look for.
- As an example, emails sent pertaining to supposed refunds, unclaimed funds and free money are red flags for social engineering attempts.
- Odd-looking bills, statements and invoices are also cause for concern.
Any request to confirm an employee’s personal information should be viewed as a covert social engineering attempt. Make sure your team reports all alerts and signs of suspicious account log-in attempts or other red flags.
Employees should get into the habit of closely analyzing emails, especially when sent from unknown parties. Email evaluations should center on whether they are transmitted from a trusted party. If the message is from an external account that the company or user does not ordinarily communicate with, it should be flagged for IT to review. Furthermore, email messages lacking personal information, such as the employee’s name and/or title, should be viewed with suspicion.
Above all, employees should be trained to view each email with a discerning eye. They should feel empowered to flag messages that seem suspicious without hesitation. If the language, tone, look or other subtleties of the message in question are even slightly off, it could be a clue the sender is not who they say they are.
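The evaluation habits described above (is the sender a party we ordinarily deal with, does the message lack the employee’s name, does it mention refunds or unclaimed funds, does it push a login link) can be turned into a simple triage script that a help desk or mail gateway could run before a human looks at a reported message. The following Python is an added illustration and is not code from this article, from Invenio IT or from Datto; the organisation domain, the known-correspondent list, the employee name, the keyword patterns, the weights and both sample emails are constructed for the example.

```python
"""Rule-based email triage mirroring the red flags listed on this page.

Added example, not part of the original article. All settings below are
constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed organisation settings (assumptions).
INTERNAL_DOMAIN = "example.com"
KNOWN_EXTERNAL_DOMAINS = {"trusted-vendor.example"}   # parties we ordinarily correspond with
EMPLOYEE_FIRST_NAME = "Alice"

# Phrases the page calls out: refunds, unclaimed funds, free money,
# odd-looking bills/invoices, and requests to confirm personal information.
RED_FLAG_PATTERNS = {
    "refund": r"\brefund\b",
    "unclaimed_funds": r"\bunclaimed (?:funds|money)\b",
    "free_money": r"\bfree (?:money|gift|prize)\b",
    "odd_invoice": r"\b(?:invoice|statement|bill)\b[^.\n]*\b(?:overdue|urgent|immediately)\b",
    "confirm_personal_info": r"\bconfirm your (?:account|personal|login|billing) (?:details|information)\b",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed weights; anything scoring 3 or more is handed to IT for review.
WEIGHTS = {
    "external_unknown_sender": 2,
    "missing_personalization": 1,
    "red_flag_phrase": 2,
    "external_link": 1,
    "login_link": 2,
}
REVIEW_THRESHOLD = 3


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_trusted_host(host: str) -> bool:
    host = host.lower()
    return (host == INTERNAL_DOMAIN
            or host.endswith("." + INTERNAL_DOMAIN)
            or host in KNOWN_EXTERNAL_DOMAINS)


def _body_text(msg) -> str:
    # walk() yields the message itself for single-part mail, so this covers both shapes.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def triage_email(raw: str) -> dict:
    """Classify one raw RFC 5322 message: sender domain, triggered flags, score, action."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []

    # 1. Is this an external account we do not ordinarily communicate with?
    if sender_domain != INTERNAL_DOMAIN and sender_domain not in KNOWN_EXTERNAL_DOMAINS:
        flags.append("external_unknown_sender")

    # 2. Message lacks the employee's name (generic "Dear user" style).
    if EMPLOYEE_FIRST_NAME.lower() not in body.lower():
        flags.append("missing_personalization")

    # 3. Refund / unclaimed funds / free money / odd invoice / confirm-your-details wording.
    for name, pattern in RED_FLAG_PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            flags.append(f"red_flag_phrase:{name}")

    # 4. Links to hosts outside the organisation, especially ones that look like login pages.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not _is_trusted_host(host):
            flags.append("external_link")
            if re.search(r"log-?in|sign-?in|verify", url, re.IGNORECASE):
                flags.append("login_link")

    flags = list(dict.fromkeys(flags))            # de-duplicate, keep order
    score = sum(WEIGHTS.get(f.split(":")[0], 0) for f in flags)
    action = "flag_for_it_review" if score >= REVIEW_THRESHOLD else "ok"
    return {"sender_domain": sender_domain, "flags": flags, "score": score, "action": action}


# Constructed sample messages for the example.
PHISH = """From: "Accounts Team" <billing@accounts-secure.example.net>
To: alice.smith@example.com
Subject: Your refund is ready - confirm your account details

Dear user,

A refund of $312.00 is waiting. Please confirm your account details within 24 hours at
http://accounts-secure.example.net/login to release the funds.
"""

LEGIT = """From: Bob Jones <bob.jones@example.com>
To: alice.smith@example.com
Subject: Notes from today's meeting

Hi Alice,

Notes are on the wiki: https://wiki.example.com/notes/2024-q3
Bob
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage_email(raw))
```

The point of the weighting is that no single signal decides: a genuine vendor may write from an unfamiliar domain, and a genuine colleague may forget your name, but an unknown sender who omits your name, mentions a refund and links to an outside login page accumulates enough signals to justify the IT review the article recommends. Real gateways add sender authentication results (SPF, DKIM, DMARC) and URL reputation on top of this kind of content check.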
Invest in Cybersecurity and Protect Your Business from the Common Types of Social Engineering
Cybersecurity solutions can proactively block a large number of email and web-based threats, so that they never reach users in the first place. This is the essential first line of defense your organization needs to thwart threats from moving into your network and causing potentially costly problems.
However, even the strongest email filters and firewalls will still let some social engineering methods slip through from time to time. This is precisely why employee training is so vital.
Back up Your Data
Data backup is the most important failsafe against cyberattacks and social engineering. Proactively implement robust data backups, and you will rest easy knowing that any destroyed or compromised data can be rapidly restored. The bottom line is that employee mistakes will still occur, regardless of how much you spend for digital security training and cybersecurity solutions. If a social engineering attack results in a massive ransomware infection or other disaster, you will need a reliable data backup system to function as a failsafe.
Datto’s advanced BC/DR solutions help to ensure your company maintains continuity with ongoing data backups, performed as often as every 5 minutes. Instant recovery options, hybrid cloud backups, virtualization and built-in ransomware protection all help to ensure that your business can quickly recover from an attack.
Get a Free Demo
Reach out to Invenio IT today to learn more about Datto’s robust disaster recovery solutions. Request a free demo or contact our IT specialists by dialing (646) 395-1170 or by emailing success@invenioIT.com.