Before diving into the types of social engineering attacks that victims fall prey to on a daily basis, along with upcoming attacks that have taken the internet by a storm, let’s first briefly get into what social engineering is all about.
To explain it in layman’s terms, social engineering refers to a cyberattack deployment tactic where threat actors use psychological manipulation to exploit their victims and defraud them.
Social Engineering: Definition and Examples
What is a social engineering attack?
As opposed to cybercriminals hacking into your computer or email system, social engineering attacks are orchestrated by trying to influence a victim’s opinions into manoeuvering them to expose sensitive information. Security analysts have confirmed that more than 70% of cyberattacks that take place on the internet on an annual basis are social engineering attacks.
Social Engineering Examples
Take a look at the example shown below:
Here we can observe an online advertisement luring the victim in with a promise to earn $1000 per hour. This ad contains a malicious link that can initiate a malware installation on their system.
This type of attack is commonly known as Online Baiting or simply Baiting, and is a form of social engineering attack.
Given below is another example:
As shown above, social engineering attacks can also be perpetrated using email as a potent medium. A common example of this is a Phishing attack. We would be getting into these attacks in more detail, in the next section.
Types of Social Engineering Attacks
1. Vishing & Smishing
Suppose today you get an SMS from your bank (supposedly) asking you to verify your identity by clicking on a link, or else your account will be deactivated. This is a very common message that is often circulated by cybercriminals to fool unsuspecting people. Once you click on the link you are redirected to a spoofing page that demands your banking information. Rest assured that if you end up providing your bank details to attackers they will drain your account.
Similarly, Vishing or Voice phishing is initiated through phone calls instead of SMS.
2. Online Baiting / Baiting
We come across a range of online advertisements every single day while browsing websites. While most of them are harmless and authentic, there might be a few bad apples hiding in the lot. This can be identified easily by spotting advertisements that seem too good to be true. They usually have ridiculous claims and lures such as hitting the jackpot or offering a huge discount.
Remember that this may be a trap (aka a bait). If something appears too good to be true, it probably is. Hence it is better to steer clear of suspicious ads on the internet, and resist clicking on them.
Social engineering attacks are more often than not carried out via emails, and are termed Phishing. Phishing attacks have been wreaking havoc on a global scale for almost as long as email itself has existed. Since 2020, due to a spike in email communications, the rate of phishing has also shot up, defrauding organizations, large and small, and making headlines every day.
Phishing attacks can be categorized into Spear phishing, whaling, and CEO fraud, referring to the act of impersonating specific employees within an organization, decision-makers of the company, and the CEO, respectively.
4. Romance scams
The Federal Bureau of Investigation (FBI) defines internet romance scams as “ scams that occur when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.”
Romance scams fall under the types of social engineering attacks since attackers use manipulative tactics to form a close romantic relationship with their victims before acting on their main agenda: i.e. scamming them. In 2021, Romance scams took the #1 position as the most financially damaging cyberattack of the year, closely followed by ransomware.
Domain spoofing is a highly evolved form of social engineering attack. This is when an attacker forges a legitimate company domain to send emails to customers on behalf of the sending organization. The attacker manipulates victims into believing that the said email comes from an authentic source, i.e. a company whose services they rely on.
Spoofing attacks are hard to track since emails are sent from a company’s own domain. However, there are ways to troubleshoot it. One of the popular methods used and recommended by industry experts is to minimize spoofing with the help of a DMARC setup.
Pretexting can be referred to as a predecessor of a social engineering attack. It is when an attacker weaves a hypothetical story to back his claim of sensitive company information. In most cases pretexting is carried out via phone calls, wherein an attacker impersonates a customer or employee, demanding sensitive information from the company.
What is a common method used in social engineering?
The most common method used in social engineering is Phishing. Let’s take a look at some statistics to better understand how Phishing is a rising global threat:
- The 2021 Cybersecurity Threat Trends report by CISCO highlighted that a whopping 90% of data breaches take place as a result of phishing
- IBM in their Cost of a Data Breach Report of 2021 delegated the title of most financially costing attack vector to phishing
- With each year, the rate of phishing attacks has been found to increase by 400%, as reported by the FBI
How to protect yourself from Social Engineering attacks?
Protocols and tools you can configure:
- Deploy email authentication protocols at your organization like SPF, DKIM, and DMARC. Start by creating a free DMARC record today with our DMARC record generator.
- Enforce your DMARC policy to p=reject to minimize direct domain spoofing and email phishing attacks
- Make sure your computer system is protected with the help of an antivirus software
Personal measures you can take:
- Raise awareness in your organization against common types of social engineering attacks, attack vectors, and warning signs
- Educate yourself regarding attack vectors and types. Visit our knowledge base, enter “phishing” in the search bar, hit enter, and start learning today!
- Never submit confidential information on external websites
- Enable caller ID identification applications on your mobile device
- Always remember that your bank will never ask you to submit your account information and password via email, SMS, or call
- Always recheck the mail From address and Return-path address of your emails to ensure that they are a match
- Never click on suspicious email attachments or links before being 100% sure about the authenticity of their source
- Think twice before trusting people you interact with online and do not know in real life
- Do not browse websites that are not secured over an HTTPS connection (e.g. http://domain.com)