It’s Monday morning; you have a fresh cup of coffee in hand and are ready to check the emails from the weekend. A new email has arrived in just the last hour from the CFO requesting the immediate payment of an attached overdue invoice missed by the finance team. A massive restocking fee will be incurred if the invoice isn’t paid for the products pending shipment.
Being the person usually responsible for tracking invoices of this nature, you feel a sinking feeling in your stomach that you have made a massive mistake, and to top it off, it’s only Monday!
Wanting to resolve this matter as quickly as possible and not let the team down, you reply to the email from the CFO to clarify some details. They respond promptly with praise that you have picked this task up so quickly and are grateful the matter will be resolved.
With the confidence gained from confirming the details with the CFO, you quickly authorize the invoice payment and enter the remittance into the system. Taking a deep breath and a long sip of your coffee, you feel much better, avoiding what could have been a morning disaster.
This feeling was short-lived, as you received a call from the CFO questioning the payment of a rogue invoice. After inspection of the email with the IT team, it was discovered that you were the target of a Spear Phishing social engineering attack where the attacker used an email domain, so like that of the company, it was difficult for you to notice in the initial panic.
Although this is only a hypothetical story, this scenario is all too common in the modern workplace. One of the more prolific social engineering attacks was that of Ubiquiti (UBNT) back in 2015.
The attacker targeted the finance department by sending a company email from what looked like a C-level executive. Ubiquiti never revealed the exact specifics of the email, but it has been speculated that the domain name of the email address was made to look like the company domain.
The fraudsters convinced the internal team to share usernames and passwords to finance systems, allowing the attackers to extract approximately $46.7 million into overseas accounts.
These types of social engineering attacks have been on the rise, with more complex and sophisticated methods being deployed by attackers each year. We will cover some of the types of social engineering attacks and how these can be identified and prevented.
How Do Social Engineering Attacks Work?
Social Engineering is a form of hacking relating directly to the human component. The goal is to extract information, money, or steal an identity. The intent of the hacker is to use psychological manipulation to invoke a sense of urgency, fear, curiosity, or embarrassment to overload you with emotions.
These types of strong emotions can enact our fight or flight response and fire up the amygdala part of the brain, which uses instincts for decision-making, rather than the prefrontal cortex. By essentially exploiting the human loophole and bypassing the conscious decision-making of the prefrontal cortex, our better judgment is clouded, and we make illogical decisions.
In the modern workforce, most of us experience a perpetuity of small stressful situations that cause the amygdala to fire multiple times throughout the day. With just a tiny amount of additional or surprise stress, this can be enough for people to react entirely irrationally in ways that, in hindsight, they struggle to explain.
This highlights how effective social engineering can be on most organizations and the need to invest resources in employee mindfulness and awareness to deal with malicious intent from external sources.
With the increasing types of social engineering attacks, it can be a daunting task for organizations to stay on top of the countermeasures.
Social Engineering Attack Techniques
There are many social engineering types of attacks and techniques, all of which prey upon our human phycological loophole. It’s often said that no matter how much time, money, or resources you spend on IT security, the number one weakness is the human employee.
This is why it is essential to understand and keep updated on attack techniques and recent attacks. To help understand how these attacks may impact your organization, it is best to understand the methods used by the attackers.
Although this list is forever growing, the following outline the different types of social engineering attacks we see today.
Phishing
Probably the most prevalent method of social engineering, phishing scams are usually deployed via email or text message campaigns to create a sense of urgency, fear, curiosity, or embarrassment within the target.
A task or action will usually be requested to avoid fear or embarrassment by coercing the target to provide sensitive information, clicking on malicious links, or opening attachments with embedded malware.
Spear Phishing
Similar to the phishing attack, the spear phishing attack is the more targeted version. This is usually explicitly deployed to a designated target within an organization based on their role or job.
Spear phishing requires much more effort from the attacker as these messages are usually crafted based on information gathered over time to improve the chances of hooking the target. Usually, this can evolve to the point where the attacker might hop between marks to reach their final victim for higher gain.
These are usually more difficult to detect than other types of social engineering attacks and typically contain wording or mannerisms used by internal staff.
Whaling
Whaling is used when targeting the “big fish” within a company, usually executive level or high-profile government officials. The attacker’s goal in a Whaling scenario is to dupe the Whale into a large financial payout or the extraction of sensitive information. Whaling usually involves a combination of other types of social engineering attacks like Baiting to maximize success rates.
Smishing & Vishing
Smishing is the method of phishing via SMS text messages. Attackers will rotate phone numbers to send large smishing campaigns, usually containing links to malicious websites.
Vishing is the voice version of phishing done via the phone. These types of social engineering attacks usually target a company’s HR or IT department to extract information or gain unauthorized access to systems.
Baiting
Baiting usually involves the method of false reward to intrigue a target via greed or curiosity. The goal is to extract personal information or deploy malicious software onto the victim’s device.
The most common method of baiting is that of the humble car park or bathroom flash drive. The attacker will load malware onto flash drives and label them in a way that sparks the target’s curiosity to investigate the content—once inserted into a computer, the malware can be injected, and the mark can be owned.
Other forms of baiting are enticing advertisements or even QR codes on bathroom stalls and public places. All of which have the same outcome: infect the target device with malware.
Piggybacking & Tailgating
Another method of physical and social engineering is Piggybacking or Tailgating. As the name suggests, this usually involves the attacker following someone into a building behind an authorized employee. Attackers sometimes dress up as maintenance workers, delivery drivers, or service workers to reduce the chances of being detected.
Pretexting
Pretexting involves the creation of a fake persona or fabricated scenario to coerce the target into providing unauthorized access to systems or to provide sensitive information. This is sometimes used with Piggybacking/Tailgating to improve the feasibility of physical access requirements or the persona ruse.
Business Email Compromise (BEC) & Email Account Compromise (EAC)
Both Business Email Compromise and Email Account Compromise involve some methods of compromised or spoofed email accounts.
BEC usually is the latter; the attacker spoofs a legitimate vendor or outside contact to coerce the target into an action. EAC is where the attacker has already gained access to an external vendor or contact and can manipulate existing email threads to gain information or funds.
This type of attack is usually very sophisticated, with planning required to compromise the email accounts of vendors or contacts. All of which allows a more undetectable and legitimate method to deploy other social engineering techniques and extract content. Depending on the source of the data, BEC actually generates more money for the criminals worldwide than ransomware attacks.
Quid Pro Quo
Quid Pro Quo, from Latin, meaning “something for something,” is most used where the attacker promises the target a favor in exchange for information.
Some scenarios include the promise of gift cards for completing a survey, testing software, or even speeding up their internet by allowing a technician to test some things on their computer.
Honeytraps
The Honeytrap, more so synonymous with fake celebrity romantic relationships, involves exploiting the target’s romantic or physical interest to extract money, gifts, or compromising information/media for further exploitation.
Although this doesn’t usually have too much impact on corporations, the effect can bleed into the target’s professional life and, in some cases, involve extracting company money or sensitive information.
Scareware
Scareware is mostly seen as fake antivirus programs or advertisements. These ads will usually pop up with warnings about viruses detected on your system to coerce the victim to download the phony antivirus software onto their device.
In most circumstances, the downloaded software may also trick the victim into purchasing the antivirus to remove the detected viruses. This usually results in stolen credit card information and fraudulent charges being processed onto the account.
Watering Hole
The phrase “Poisoning the Water Hole” is the inspired version of this type of attack. The attacker will infect or even spoof a legitimate website frequently accessed by the target to capture credentials or infect the victim’s machine with malware.
How to Identify and Prevent Most Types of Social Engineering Attacks
As we have covered, attackers’ main loophole with social engineering is the exploitation of our amygdala, our survivalist irrational instincts. The best way to identify whether a social engineering attack has targeted you is if the content has the following characteristics:
- Check the sender’s email address by hovering over the sender’s name. Is the email domain incorrect, misspelled, or slightly off?
- Does the email’s subject line have urgency or emotionally charged wording?
- Are there spelling or grammar mistakes in the body of the email?
- Is there relevance to the message or content with your role or situation?
- Are there suspicious links or attachments?
- Have you seen/met/interacted with this person before?
- Does it sound too good to be true?
Although most of these are general and primarily targeted toward phishing, it is best to ask yourself these questions and try not to engage with the emotional payload the attacker has deployed. It pays to be suspicious of unknown contacts or unsolicited communication.
Request identification in physical scenarios and always contact colleagues face-to-face or via a call if something doesn’t add up. Slow down any actions and take a moment to observe the scenario so that your prefrontal cortex can do the heavy lifting.
It is this mentality that will reduce these types of social engineering cyber-attacks.
Here’s Why Hackers Don’t Need Your Passwords
A primary goal for most social engineering hackers is how they can move laterally through an organization. If they can own one target, they will usually look for the next target with higher system privileges or access rights. This is where social engineering attacks work in conjunction with attacks such as Pass the Hash (PtH).
If a hacker can access a system with local administration or someone with enough privileges to scrape their system for other user hashes. This can allow the attacker to use these hashes in a Pass the Hash (PtH) attack and reuse these hashed credentials to authenticate via NTLM to other resources.
The attacker doesn’t need to decrypt or even know the password, as this hashed password can be used as is to exploit authentication protocols.
This can continue throughout the environment allowing the attacker potentially to gain higher privileges until they might get lucky and find the hashed credentials of a domain administrator.
Although the scope of social engineering and the tools utilized by attackers is broad, you can implement certain strategies to reduce the attack surface. The list of types of social engineering attacks continues to grow; therefore it’s education of users and administrators that will reduce your vulnerability.
User awareness training and regular testing campaigns are the best methods to prevent social engineering attacks. To adequately protect your cyber environment, use Hornetsecurity Advanced Threat Protection, Security Awareness Service, and VM Backup to secure your critical data.
We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.
To keep up with the latest articles and practices, visit our Hornetsecurity blog now.
FAQ
What is social engineering?
Social engineering is the term used to hack the human component of an organization. These involve many different types of phycological exploitation and manipulation of the victim.
What are the types of social engineering attacks?
The different kinds of social engineering attacks include:
- Phishing
- Spear Phishing
- Whaling
- Smishing
- Vishing
- Baiting
- Piggybacking/Tailgating
- Pretexting
- Business Email Compromise (BEC)
- Email Account Compromise (EAC)
- Quid Pro Quo
- Honeytraps
- Scareware
- Watering Hole
What is the most common type of social engineering?
Phishing is the most common type of social engineering, with approximately 3.4 billion emails sent daily.
