Examples of social engineering range from phishing attacks where victims are tricked into providing confidential information, vishing attacks where an urgent and official sounding voice mail convinces victims to act quickly or suffer severe consequences, or physical tailgating attacks that rely on trust to gain physical access to a building.
The nine most common examples of social engineering are:
- Phishing: tactics include deceptive emails, websites, and text messages to steal information.
- Spear Phishing: email is used to carry out targeted attacks against individuals or businesses.
- Baiting: an online and physical social engineering attack that promises the victim a reward.
- Malware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
- Pretexting: uses false identity to trick victims into giving up information.
- Quid Pro Quo: relies on an exchange of information or service to convince the victim to act.
- Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
- Vishing: urgent voice mails convince victims they need to act quickly to protect themselves from arrest or other risk.
- Water-Holing: an advanced social engineering attack that infects both a website and its visitors with malware.
The one common thread linking these social engineering techniques is the human element. Cybercriminals know that taking advantage of human emotions is the best way to steal.
Traditionally, companies have focused on the technical aspects of cybersecurity – but now it’s time to take a people-centric approach to cyber security awareness.
How Does Social Engineering Happen?
Social engineering happens because of the human instinct of trust. Cybercriminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network.
Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
- Thanks to careful spear phishing research, the cybercriminal knows the company CEO is traveling.
- An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address – but the spelling of the CEO’s name is correct.
- In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company.
- The email stresses that the CEO would do this transfer herself but since she is travelling, she can’t make the fund transfer in time to secure the foreign investment partnership.
- Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and his colleagues by complying with the email request.
- A few days later, the victimized employee, CEO, and company colleagues realize they have been a victim of a social engineering attack and have lost $500,000.
Examples of Social Engineering Attacks
Savvy cybercriminals know that social engineering works best when focussing on human emotion and risk. Taking advantage of human emotion is much easier than hacking a network or looking for security vulnerabilities.
These examples of social engineering emphasize how emotion is used to commit cyber attacks:
You receive a voicemail that says you’re under investigation for tax fraud and that you must call immediately to prevent arrest and criminal investigation. This social engineering attack happens during tax season when people are already stressed about their taxes. Cybercriminals prey on the stress and anxiety that comes with filing taxes and use these fear emotions to trick people into complying with the voicemail.
Imagine if you could simply transfer $10 to an investor and see this grow into $10,000 without any effort on your behalf? Cybercriminals use the basic human emotions of trust and greed to convince victims that they really can get something for nothing. A carefully worded baiting email tells victims to provide their bank account information and the funds will be transferred the same day.
Cybercriminals pay attention to events capturing a lot of news coverage and then take advantage of human curiosity to trick social engineering victims into acting. For example, after the second Boeing MAX8 plane crash, cybercriminals sent emails with attachments that claimed to include leaked data about the crash. In reality, the attachment installed a version of the Hworm RAT on the victim’s computer.
Humans want to trust and help one another. After doing research into a company, cybercriminals target two or three employees in the company with an email that looks like it comes from the targeted individuals’ manager. The email asks them to send the manager the password for the accounting database – stressing that the manager needs it to make sure everyone gets paid on time. The email tone is urgent, tricking the victims into believing that they are helping out their manager by acting quickly.
You receive an email from customer support at an online shopping website that you frequently buy from telling you that they need to confirm your credit card information to protect your account. The email language urges you to respond quickly to ensure that your credit card information isn’t stolen by criminals. Without thinking twice and because you trust the online store, you send not only your credit card information but also your mailing address and phone number. A few days later, you receive a call from your credit card company telling you that your credit card has been stolen and used for thousands of dollars of fraudulent purchases.
Download the Definitive Guide to People-Centric Security Awareness to learn how focus on human emotion and risk can instill a security culture in your organization that protects against social engineering attacks.
How to Protect Against Social Engineering
“People affect security outcomes more than technology, policies or processes. The market for security awareness computer-based training (CBT) is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organization’s overall security and risk posture. This role is defined by inherent strengths and weaknesses: people’s ability to learn and their vulnerability to error, exploitation and manipulation. End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management (SRM) leaders to help influence the behaviors that affect the security of employees, citizens and consumers.”
(Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019)
To protect against social engineering attacks requires a focus on changing behavior. When company employees understand how easy it is to be tricked or scammed by a social engineering attack, they are more likely to be vigilant and suspicious of emails, voicemails, texts, or other cyber attack approaches.
Changing human behavior is not easy and does not happen overnight. We know from first-hand experience that the best way to instill a cyber security aware culture and to create internal cyber heroes is with a people-centric approach to security awareness training.
To effectively protect your company against social engineering requires a focus on five people-centric elements as the foundation for security awareness training:
- High Quality Content: engages users and provides a training program that resonates and changes behavior.
- Personalized Campaigns: provide content that employees can relate to and apply to their day-to-day.
- Collaborative Partner: work with a partner who uses a consultative approach to understand your unique needs to deliver a custom security awareness program designed specifically for your organization.
- Security Awareness 5-Step Framework: a training and awareness program built on a proven methodological approach to learning and changing behavior.
- Security Awareness As A Service: provides flexibility and support to effectively deploy, measure, and report results of phishing simulations, awareness training, and campaign visibility.
How to Stay Protected Against Social Engineering
To stay protected against social engineering attacks, it’s important to recognize the power of ego. Each of us wants to believe that we would never be tricked or scammed by a phishing email or other social engineering attack. However, as we know, cybercriminals rely on all aspects of human emotion and nature to subtly deceive and trick people into acting.
It’s only with first-hand experience of being phished or violated by another social engineering approach that people really appreciate how social engineering works. By using a people-centric approach to security awareness training that uses phishing simulations, engaging and relevant content, and an understanding of human nature – you can stay protected against social engineering.
Download the Definitive Guide to People-Centric Security Awareness and in just 30 minutes, you’ll have a deeper understanding of how you can protect your company and employees from all cyber threats including social engineering attacks.