10 Types of Social Engineering Attacks to Watch Out For
Michelle Wilson - February 23, 2022

Arguably the biggest weakness in any organization’s cybersecurity strategy is human error. You can have an entire system in place to protect your infrastructure and organization, but one minor mistake could send you scrambling. Social engineering attacks do precisely that: they take advantage of human mistakes and con unsuspecting people into compromising their security or divulging sensitive information.
Social engineers use psychological manipulation to trick the victim into trusting the sender, or to create a sense of unneeded urgency and anxiety that lowers the victim’s natural defenses. The attacker then breaches physical and technological security to gain confidential or financial information. Protecting yourself against a social engineering attack starts with education: understand the psychological triggers and how attackers use technological tools to gain access.
To help get you started, here are ten types of social engineering attacks to watch out for:
Phishing attacks
Phishing attacks are the most common social engineering attacks, often using spoofed email addresses and fabricated websites to trick people into providing their personal information. These attempts have victims entering credit card numbers, account details, login credentials, and other personal information. Once you’ve entered the details, the criminal uses your data for malicious purposes or sells it on the dark web.
Spear Phishing: These attacks target a specific organization or individual to gain immediate access.
Angler Phishing: These attacks use spoofed customer service accounts on social media to gain access to personal information.
Whaling
This tactic is another variation of phishing, specifically targeting top-level executives or professionals. Attackers will often send spoofed emails to other high-ranking people within the agency or company, presenting an urgent or time-sensitive opportunity. A successful whaling attack can expose a lot of confidential and sensitive information.
Baiting Attacks
Baiting is precisely what you’d expect, with malicious actors sending out promises of prizes or high-value items in exchange for a simple task. These tasks might include a small survey, a shared post on social media, or something similar. The victim receives an email with the details of the prize and a link that sends them to a fake Office 365 login or social media sign-in page. When the victim enters their account details into the page, those details are sent to the malicious actor.
Honey Trap
In this attack, the criminal works through the power of romance, luring the victim into an online relationship. As the relationship progresses, the attacker convinces the victim to disclose confidential information or perform compromising acts (sharing private secrets or undressing on a webcam). After receiving the sensitive material, the attacker demands a large sum of money as ransom. These attacks often occur on dating websites but have recently moved to social media accounts as well.
SMS Phishing
This social engineering attack is becoming an increasingly common and significant issue for organizations and businesses. In one version of SMS phishing, scammers send text messages posing as multi-factor authentication requests. When a victim clicks on the link, the redirect takes them to a malicious webpage that collects credentials or installs malware on the device.
Scareware
This attack takes a fear-based approach, convincing users that their device is under attack. When a victim visits a website, a pop-up window appears with loud noises or flashing colors. The window claims that the computer or device is infected with a virus, which is false. The attackers instruct users to purchase and download specific security software, and the purchase form captures the victim’s financial details. From there, the malicious actor can use or sell the information and install real viruses or malware on the system.
Tailgating or Piggybacking
This social engineering tactic exploits the kindness of others, especially in a business or corporate setting. An attacker will visit a company or corporation and follow someone into a secure or restricted area. Occasionally, the malicious actor will pretend they’ve forgotten their key pass, act as a delivery person, or engage other victims in enthusiastic conversation so that their access goes unnoticed.
Watering Hole
A watering hole attack targets a legitimate website frequented by the intended victims. The attacker compromises the website and infects the platform, then waits for the targeted victims to arrive. When the victims log into the legitimate website, the attacker captures the credentials and uses them to breach the target’s network. Alternatively, the malicious actor installs a backdoor trojan to access the network.
Diversion Theft
In an old-school diversion theft, a thief convinces a courier or delivery driver to travel to the wrong location or hand the package to someone other than the intended recipient. This diversion has been used for decades but has recently moved online. In the online version, a thief steals personal or sensitive data by tricking the victim into sending or sharing it, often using spoofed email addresses that appear to come from the victim’s own company or from a trusted organization such as a financial institution or auditing firm.
Pretexting
This social engineering attempt is quite sophisticated: the scammer creates or fabricates a specific scenario, the pretext. For example, a thief may pretend to be an IRS auditor, police officer, or border services agent. The attacker uses this story to convince victims to share personal or financial information, such as Social Security numbers, credit card details, or contact details like addresses and phone numbers.
Preventing a Social Engineering Attack
Unfortunately, social engineering attacks represent a significant threat to your company’s security, so preventing and mitigating them must be a vital component of your cybersecurity strategy. Prevention requires a holistic approach to security, combining security tools with comprehensive training efforts.
Implement Comprehensive Training
The first line of defense should always be training staff on the potential risks of social engineering. Ensure everyone within the organization can spot the most common tactics and understand the fundamental psychological triggers that scammers use.
A comprehensive training course should include:
- Decoding a spoofed email address and recognizing common giveaways.
- Remaining suspicious of unsolicited communication.
- Avoiding unsolicited downloads and email attachments.
- Confirming website URL validity.
- Verifying someone’s identity before providing sensitive information.
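The first and fourth training items above, spotting a spoofed sender and confirming a link’s URL, can also be turned into automated checks for a mail gateway or a phishing-report triage tool. The following is an added example, not code from the original article; the trusted-domain allow-list, the sample message and the heuristics (Reply-To and Return-Path domains that disagree with From, one-character lookalike domains, punycode hosts, and a trusted name used as a subdomain of an unrelated domain) are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}  # constructed allow-list
# Constructed sample: trusted From, but Reply-To/Return-Path and the link host disagree.
SAMPLE_EMAIL = """\
From: "CEO Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe@examp1e-corp.com
Return-Path: <bounce@mailer-example.net>

Approve here: https://example-corp.com.login-verify.xyz/auth
"""

def domain_of(addr):  # lower-cased domain from 'Name <user@domain>' or 'user@domain'
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def edit_distance(a, b):  # Levenshtein distance, to catch one-character lookalikes
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):  # e.g. examp1e-corp.com
    return domain not in trusted and any(edit_distance(domain, t) <= 1 for t in trusted)

def url_giveaways(url, trusted=TRUSTED_DOMAINS):  # punycode, subdomain trick, lookalike
    host = (urlparse(url).hostname or "").lower()
    checks = [(host.startswith("xn--") or ".xn--" in host, "punycode host"),
              (any(host != t and host.startswith(t + ".") for t in trusted),
               "trusted domain embedded as subdomain"),
              (is_lookalike(host, trusted), "lookalike host")]
    return [label for hit, label in checks if hit]

def email_giveaways(raw, trusted=TRUSTED_DOMAINS):  # header mismatch, lookalike, links
    msg = message_from_string(raw, policy=policy.default)
    from_d, reply_d = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    return_d, flags = domain_of(msg["Return-Path"]), []
    if reply_d and reply_d != from_d:
        flags.append("Reply-To domain differs from From")
    if return_d and return_d != from_d:
        flags.append("Return-Path domain differs from From")
    flags += [f"lookalike domain: {d}" for d in (from_d, reply_d) if is_lookalike(d, trusted)]
    for url in re.findall(r"https?://\S+", msg.get_content()):
        flags += [f"{f} in {url}" for f in url_giveaways(url, trusted)]
    return flags
```

Running email_giveaways(SAMPLE_EMAIL) raises four flags on the constructed message; each one is a giveaway a trained reader could also spot by hand in the headers or the link.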
Follow Up Education with Testing
Periodically test security awareness to ensure staff haven’t become complacent. Many programs offer simulated phishing tests, in which a fake phishing email is sent to staff to determine how many fall for the social engineering tactics. Those who do can complete retraining or further education to help close the gap.
Having a positive security culture is critical for containing social engineering attacks once they have happened. Ensure all staff feel comfortable reporting any incident without the threat of reprimand or humiliation. Fast reporting can mitigate further damage.
Conclusion
No one wants to believe that their company or organization will fall victim to social engineering attacks, but it’s the brutal reality for millions of people. Hackers use standard psychology to convince the victim to act, often pushing strict deadlines or dire consequences as the motivation. By educating all staff and remaining vigilant with training, you’ll lower the risk of becoming a victim of these attacks.