The increase in cyberattacks has made us all aware of the type of attack where cybercriminals use their technical skills to penetrate a secured network or system. The recent IBM report suggests that over the last five years, the cost of a data breach has increased by 12%. Even the frequent news of data breaches is enough to remind us of the terror of cyber attackers. In contrast to technically sound perpetrators, there is another breed of cyber attackers: the ones who use social engineering techniques to get to your personal data. Social engineering methods involve psychologically manipulating people to fool them into revealing their confidential data. These cybercriminals use various channels to reach you: social media platforms, emails, and phone calls.
Social engineering is a broad term that includes several malicious activities that a cybercriminal uses to trick you. Here, you will learn about five types of social engineering attacks that are common and can catch you at any time.
Most Common Social Engineering Attacks
Usually, social engineering methods prey upon fear, urgency, or similar emotions: the ones in which a person is most likely to make mistakes. These mistakes include clicking on a malicious link, downloading an infected file, sharing OTPs, and many others. Take a look at the social engineering attacks listed below, which occur frequently.
1. Phishing
Phishing is the most common form of social engineering attack. Cybercriminals use emails and social media platforms to lure victims into sharing their personal information or clicking a malicious URL to compromise their systems. There are a few common characteristics of these attacks:
- Messages are personalized to make them look like they come from a genuine query-solver. Cyber attackers sometimes use information from the victim's recently visited websites to gain further knowledge, such as addresses, social security numbers, phone numbers, etc.
- Phishing messages are drafted to convey a sense of urgency. For example, an email may indicate that a service is about to be deactivated if the requested data is not provided to the perpetrator.
- URL shorteners and embedded links are used to redirect users to suspicious domains. These websites could also be a clone of the original website. These messages might seem to be from a legitimate bank, government department, or major corporation.
- These messages have enticing subject lines, while the deceptive source appears to be a trusted one. To give a genuine impression, perpetrators use logos and images from the legitimate source.
Recently, after the launch of Apple’s latest products, cybercriminals made several attempts to trick people into visiting a malicious URL imitating the original Apple website. 
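The phishing characteristics listed above (urgent wording, URL shorteners, embedded links whose visible text differs from the real target, and lookalike domains) can be checked mechanically before a message reaches a user. The following Python code is an added example, not part of the original article; the shortener list, the trusted domain `bank.example`, the urgency wording, and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lists (assumptions, not from the article); tune for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TRUSTED = {"bank.example"}  # hypothetical brand domain the recipient really uses
URGENCY = re.compile(r"urgent|immediately|within 24 hours|deactivat|suspend", re.I)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname without a leading "www."
    h = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def check_message(subject, html_body):  # returns sorted (indicator, detail) pairs
    findings = set()
    if URGENCY.search(subject + " " + re.sub(r"<[^>]+>", " ", html_body)):
        findings.add(("urgency", "pressure wording in subject or body"))
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = host(href)
        if target in SHORTENERS:
            findings.add(("shortener", target))
        shown = DOMAIN.search(text)  # does the visible text itself name a domain?
        if shown and host(shown.group(0)) != target:
            findings.add(("mismatch", f"text shows {shown.group(0)}, link goes to {target}"))
        if any(b in target and target != b and not target.endswith("." + b) for b in TRUSTED):
            findings.add(("lookalike", target))  # brand name embedded in a foreign host
    return sorted(findings)

# Constructed sample message, not taken from a real campaign.
SAMPLE_SUBJECT = "Urgent: your account will be deactivated"
SAMPLE_BODY = ('<a href="http://bank.example.account-verify.test/reset">https://www.bank.example/reset</a>'
               ' <a href="https://bit.ly/xxxx">View statement</a>')
```

Calling `check_message(SAMPLE_SUBJECT, SAMPLE_BODY)` returns one finding per indicator; a message that links to the trusted domain with matching link text returns an empty list.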
2. Pretexting
Under pretexting, cybercriminals impersonate a figure of authority, or someone familiar, such as your co-worker. These attackers are the most common form of scammers. They pretend to need information, claiming to confirm your identity for a legitimate activity. They generally intend to exploit the weaknesses of an organization by targeting its employees. For instance, an attacker may pretend to be a professional from the admin department of your workplace. Criminals who use pretexting rely on credible stories to build a false sense of trust with their victim so that it becomes easy to retrieve private data. This type of attack focuses on gaining both types of data: sensitive and non-sensitive.
3. Baiting
Baiting exploits the curiosity of the victim. It is similar to phishing, with the slight difference that baiters use enticing offers to lure the victim. For instance, attackers can offer free music or movie downloads in return for the victim's authorized login credentials to a website. These attacks are not limited to online activities, because cybercriminals also use physical channels as bait. Using physical media, baiters can leave an infected USB flash drive at an employee's desk, labeling it as "Executive Salary Summary." Once the victim runs the malicious file on a computer, the attacker gets access to the end user's system.
4. Quid Pro Quo
As the name suggests, this type of attack promises a benefit in exchange for confidential data. The benefit is usually a service, unlike baiting, which lures the victim with a good. One of the most common examples of quid pro quo attacks is when fraudsters offer IT assistance over calls. These attackers promise a quick fix as soon as the victim disables the installed AV program. Once the victim falls for the trap, the attacker uses the window to install malware in the form of software updates. In the past few years, it has been noticed that attackers use less sophisticated quid pro quo offers. A study has revealed that employees can reveal their credentials even in exchange for a bar of chocolate.
5. Tailgating
Tailgating, or piggybacking, is when someone without proper authentication follows an authorized employee to get into a restricted area. Commonly, the fraudster pretends to be a delivery person. They wait outside the office building until a legitimate employee walks in, ask them to hold the door, and gain access through that authorized employee. This type of attack does not work in large corporations, but it is possible in medium- to small-size organizations.
Colin Greenless, a security consultant at Siemens Enterprise Communications, used his social skills to gain free access to the data room of an FTSE-listed financial firm. He also managed to base himself in the same building where he worked for several days. 
Don’t Fall for Social Engineering Attacks
Social engineers try to take advantage of human psychology and curiosity. Follow these tips to avoid these types of attacks:
- Do not open emails sent from an untrusted source.
- Lock your laptop whenever you are away from your workplace.
- Do not share your credentials with anyone.
- Install a powerful AV program.
Social engineering attacks are an evident cyber threat. To learn trustworthy practices to avoid such cyberattacks, go through our Certified Secure Computer User (C|SCU). This program covers all the basic information on how to keep your data safe from everyday cyberattacks. Apart from covering social engineering attacks, C|SCU imparts knowledge on malware, antivirus, internet security, cloud security, and many other ways to protect your information assets. And, to pursue it professionally, check out our Certified Ethical Hacker (C|EH) program.
Sources:
- https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years
- https://securelist.com/spam-and-phishing-in-q1-2019/90795/
- https://www.sciencedaily.com/releases/2016/05/160512085123.htm
- https://www.cio.com/article/2428266/consultant-uses-social-skills-to-trick-corporate-security.html