We all know about the attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This type of malicious actor ends up in the news all the time. But they’re not the only ones making headlines. So too are “social engineers,” individuals who use phone calls and other media to exploit human psychology and trick people into handing over access to the organization’s sensitive information.
Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let’s focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, and tailgating.
1. Phishing
Phishing is the most common type of social engineering attack. At a high level, most phishing messages share three traits:
- They seek personal information such as names, addresses, and Social Security Numbers;
- They use shortened or misleading links that redirect users to suspicious websites hosting phishing landing pages; and
- They leverage fear and a sense of urgency to pressure the user into responding quickly.
No two phishing emails are the same. There are at least six different sub-categories of phishing attacks, and phishers invest varying amounts of effort in crafting them, which is why so many phishing messages still contain spelling and grammar errors.
A recent phishing campaign used LinkedIn branding to trick job hunters into thinking that people at well-known companies like American Express and CVS Carepoint had sent them a message or looked them up using the social network, wrote ThreatPost. If they clicked on the email links, recipients found themselves redirected to pages designed to steal their LinkedIn credentials.
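The three traits above can be checked mechanically. The following is an added example, not code from the original article: it parses an HTML email body, pulls every link, and flags shortened links, punycode hosts, brand names buried in an unrelated domain, and anchors whose displayed URL differs from the real target, then scans the text for urgency phrases. The sample email, the shortener list, the urgency phrases and the brand domain are all constructed for illustration; the sample is modelled on the LinkedIn-themed lure described above.

```python
"""Score an HTML email for the three phishing traits discussed above.

Added example; not code from the original article. The email body, the
shortener list, the urgency phrases and the brand domain are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # constructed list
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "verify now", "urgent action")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus the email's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text):
    """Hostname from a URL, or from bare text such as 'www.example.com/x'."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def analyse_link(href, visible_text, brand_domain):
    """Return the list of findings for one anchor (empty list means nothing suspicious)."""
    findings = []
    host = host_of(href)
    domain = registrable_domain(host)
    brand_name = brand_domain.split(".")[0]

    if domain in SHORTENERS:
        findings.append("shortened link")
    if "xn--" in host:
        findings.append("punycode host")
    if brand_name in host and domain != brand_domain:
        # e.g. linkedin.com.profile-check.net: brand as a subdomain of an attacker's domain
        findings.append("brand name in non-brand domain")
    looks_like_url = "://" in visible_text or visible_text.startswith("www.")
    if looks_like_url and host_of(visible_text) != host:
        findings.append("displayed URL differs from target")
    return findings


def score_email(html, brand_domain="linkedin.com"):
    """Analyse every link and collect urgency cues from the message text."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {href: analyse_link(href, text, brand_domain) for href, text in parser.links}
    body = " ".join(" ".join(parser.text).split()).lower()  # collapse whitespace
    urgency = [p for p in URGENCY_PHRASES if p in body]
    return {"links": report, "urgency": urgency}


# Constructed sample modelled on the LinkedIn-themed lure described above.
SAMPLE_EMAIL = """
<p>Someone at a well-known company viewed your profile. Your account will be
suspended unless you verify now.</p>
<a href="http://bit.ly/3xyzabc">https://www.linkedin.com/messaging/</a><br>
<a href="https://linkedin.com.profile-check.net/login">View who looked you up</a><br>
<a href="https://www.linkedin.com/help/">Help Center</a>
"""

if __name__ == "__main__":
    result = score_email(SAMPLE_EMAIL)
    for href, findings in result["links"].items():
        print(href, "->", findings or "ok")
    print("urgency cues:", result["urgency"])
```

The registrable-domain helper only takes the last two labels, which is wrong for suffixes such as `co.uk`; a real mail filter should use a public-suffix library. The point of the example is the combination of checks: the third link is legitimate and produces no findings, while the first trips two rules at once.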
2. Pretexting
Pretexting is another form of social engineering in which attackers create a pretext, or fabricated scenario, that they can use to steal someone's personal information. In these attacks, the scammer usually impersonates a trusted entity or individual and claims to need certain details from the user to confirm their identity. If the victim complies, the attackers commit identity theft or use the data to conduct other malicious activities.
More advanced pretexting involves tricking victims into doing something that circumvents an organization's security policies. For example, an attacker might claim to be an external IT services auditor so that the organization's physical security team will let them into the building.
Whereas phishing uses fear and urgency to its advantage, pretexting relies on building a false sense of trust with the victim. This requires a credible story that leaves little room for doubt in the target's mind, and it also involves choosing a suitable disguise.
As such, pretexting can and does take on various forms. Many threat actors who engage in pretexting masquerade as HR personnel or finance employees so that they can target C-level executives. As reported by KrebsOnSecurity, others spoof banks and send SMS messages about suspicious transfers, then call up and scam anyone who responds.
3. Baiting
Baiting is in many ways like phishing. The difference is that baiting uses the promise of an item or good to entice victims. Baiting attacks may use the offer of free music or movie downloads to trick users into handing over their login credentials, for example. Alternatively, they can try to exploit human curiosity through physical media.
Back in July 2018, for instance, KrebsOnSecurity reported on an attack targeting state and local government agencies in the United States. The operation sent out Chinese postmarked envelopes that included a confusing letter along with a CD. The point was to pique recipients’ curiosity so that they would load the CD and inadvertently infect their computers with malware.
4. Quid Pro Quo
Like baiting, quid pro quo attacks promise something in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.
One of the most common types of quid pro quo attacks is when fraudsters impersonate the U.S. Social Security Administration (SSA). These fake SSA personnel contact random people and ask them to confirm their Social Security Number, allowing the attackers to steal their victims' identities. In other cases detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites designed to steal people's personal information instead.
It is important to note that attackers can use quid pro quo offers that are even less sophisticated, however. Earlier attacks have shown that office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.
5. Tailgating
Our final social engineering attack type is known as "tailgating." In these attacks, someone without proper authorization follows an authorized employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security's approval and opens the door, the attacker asks the employee to hold it, thereby gaining access to the building.
Tailgating is much harder where physical controls are designed for it, such as anti-passback turnstiles, mantraps, or a staffed reception desk; a keycard reader alone does not stop it, because the attacker never badges and simply follows an employee through the held-open door. In organizations that lack such features, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk.
In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to gain access to multiple floors and the data room at an FTSE-listed financial firm. He was even able to set up shop in a third floor meeting room and work there for several days.
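A badge reader does not stop a tailgater, but it does leave a record that the tailgater is missing from. The following is an added example, not code from the original article or from any vendor: it correlates badge-system events with workstation logons and flags users who authenticate from an on-site machine on a day with no granted badge-in, or who log on before their first badge-in. Both log formats, the site name `HQ`, the user and host names, and the two-minute clock-skew grace period are constructed assumptions for illustration.

```python
"""Spot possible tailgating by correlating badge-in events with on-site logons.

Added example; not from the original article. Both log formats and all
sample lines are constructed. A user who logs on at an office workstation
with no badge-in that day either tailgated, used someone else's badge, or
the badge system missed the read; each case deserves a look.
"""
from datetime import datetime, timedelta

# Constructed badge-system export: timestamp,door=...,badge=...,user=...,result=...
BADGE_LOG = [
    "2024-03-04T08:02:11,door=LOBBY-1,badge=1041,user=jdoe,result=GRANTED",
    "2024-03-04T08:05:40,door=LOBBY-1,badge=1077,user=asmith,result=DENIED",
    "2024-03-04T08:31:09,door=LOBBY-1,badge=1102,user=mlee,result=GRANTED",
]

# Constructed workstation logon export: timestamp,host=...,user=...,site=...
LOGON_LOG = [
    "2024-03-04T08:10:45,host=WS-3F-017,user=jdoe,site=HQ",
    "2024-03-04T08:12:02,host=WS-3F-021,user=asmith,site=HQ",
    "2024-03-04T08:20:33,host=WS-3F-005,user=mlee,site=HQ",
    "2024-03-04T09:00:00,host=VPN-GW,user=rkim,site=REMOTE",
]

ON_SITE = "HQ"  # assumed site label for machines behind the badge-controlled doors


def parse_kv(line):
    """Turn 'ts,k=v,k=v' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split(",")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def first_badge_in(badge_lines):
    """Earliest GRANTED badge event per (user, day). Denied reads do not count."""
    first = {}
    for rec in map(parse_kv, badge_lines):
        if rec["result"] != "GRANTED":
            continue
        key = (rec["user"], rec["ts"].date())
        if key not in first or rec["ts"] < first[key]:
            first[key] = rec["ts"]
    return first


def find_tailgating(badge_lines, logon_lines, grace=timedelta(minutes=2)):
    """Return (user, host, reason) for on-site logons the badge log cannot explain.

    `grace` absorbs clock skew between the badge controller and the domain
    controller; a logon within `grace` before the badge-in is not flagged.
    """
    badge_in = first_badge_in(badge_lines)
    findings = []
    for rec in map(parse_kv, logon_lines):
        if rec["site"] != ON_SITE:
            continue  # remote logons need no badge
        key = (rec["user"], rec["ts"].date())
        entered = badge_in.get(key)
        if entered is None:
            findings.append((rec["user"], rec["host"], "on-site logon with no badge-in"))
        elif rec["ts"] + grace < entered:
            minutes = int((entered - rec["ts"]).total_seconds() // 60)
            findings.append((rec["user"], rec["host"],
                             f"logon {minutes} min before first badge-in"))
    return findings


if __name__ == "__main__":
    for user, host, reason in find_tailgating(BADGE_LOG, LOGON_LOG):
        print(f"{user:8} {host:12} {reason}")
```

In the sample data `jdoe` badged in and then logged on, so nothing is raised; `asmith` was denied at the door yet logged on ten minutes later, and `mlee` logged on before ever badging in. The VPN logon is skipped because it is not on-site. In production the same join would also consume door-held-open and forced-door alarms, and the grace window should be tuned to the real skew between the two systems.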
Social Engineering Recommendations
As the attacks discussed above illustrate, social engineering involves preying off human psychology and curiosity to compromise victims’ information. With this human-centric focus in mind, organizations must help their employees counter these types of attacks. They can do so by incorporating the following tips into their security awareness training programs.
- Do not open attachments or follow links in emails from untrusted or unexpected sources. If you receive a suspicious message from a friend or family member, confirm it with them in person or by phone rather than by replying to the message.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
- Lock your laptop whenever you are away from your workstation.
- Deploy anti-virus or endpoint protection software. No AV solution has a 100% detection rate, but it can help to defend against the malware that social engineering campaigns deliver.