Different Types of Social Engineering Attacks & How to Protect Yourself

What Are Social Engineering Attacks

Social engineering attacks are a common method used by cybercriminals to manipulate people into divulging sensitive or confidential information about themselves or taking actions that may cause harm to themselves or their organization. Social engineering attacks can be carried out through phone calls, emails, text messages, or in-person interactions. These attacks are often the preferred method to exploit users and organizations as it is far easier to trick a human rather than exploiting a vulnerability in technology. Understanding the different forms of social engineering can help individuals and organizations protect themselves from these tactics.

Most Common Forms of Social Engineering

• Phishing – the most common form of social engineering, in which malicious actors send fraudulent emails or other messages purporting to be from reputable sources to induce individuals to reveal personal information or conduct a specific action.
• Spear Phishing – a more targeted form of phishing in which malicious actors focus on specific individuals or organizations to steal sensitive information or infect their systems with malware. This tactic requires more prior research effort and planning for a higher success rate and is typically targeting a much smaller group when compared to standard phishing campaigns.
• Vishing – a social engineering tactic in which malicious actors use phone calls or voicemail messages to impersonate a trusted caller and trick individuals into divulging sensitive information or conducting a specific action.
• Smishing – a form of social engineering in which malicious actors use SMS text messages to impersonate a trusted sender and trick individuals into providing sensitive information or visiting a harmful website.
• Baiting – a social engineering exploit in which malicious actors use bait disguised as something inconspicuous to lure individuals into divulging sensitive information or infecting their systems with malware. This form of social engineering is commonly executed via USB drop attacks. In these attacks, a USB flash drive is loaded with some sort of malware or harmful files and strategically placed in the proximity of a victim so that the target can find it and plug it into a computer out of curiosity.
• Scareware – a social engineering tactic utilizing malware which plays on the emotions of shock, anxiety, or the perception of a threat to manipulate users into buying or downloading unwanted and potentially dangerous software. This is often carried out via pop up ads on unsecure websites alerting the user that they have a virus and must download or buy malicious antivirus software to resolve the fake problem.
• Watering Hole Attacks – a form of social engineering in which malicious actors compromise a trusted website frequented by a targeted group of individuals and lure them to a malicious site or trick them into downloading malware.
• Pretexting – this is the basis of nearly all social engineering attacks and involves malicious actors creating a fictional scenario to gain access to sensitive information or trick users into conducting specific actions, typically via a sense of urgency, sympathy, or a deal that is too good to be true. This may involve pretending to be a trustworthy authority figure or a vendor requesting sensitive information.

How Can You Protect Yourself

• Be suspicious of unsolicited emails, calls, or messages: Many social engineering attacks occur via these methods of communication.
  • Be wary of emails that ask for your personal information or request that you click on a link.
  • Check the sender's email address and make sure it is legitimate.
  • If you are unsure about an email, do not click on any links or download any attachments.
  • Check for grammatical errors, as phishing and smishing attacks often contain misspelled words and typos.
  • If you receive a message or call that is urgent or threatening, be skeptical and verify the information before taking any action.
  • Use spam filters to block suspicious messages and use caller ID to screen incoming calls. If a call is from an unknown number, let it go to voicemail and listen to the message before returning the call.
  • If you receive a notice claiming to be from your bank but they are addressing you as sir or madam, this should be an early indicator of fraudulent communication. Your bank would have your first and last name already and would not need to address you with general terms such as these.
  • Legitimate companies will almost never ask for sensitive information via text message.
• Do not share sensitive information without verifying the identity of the requestor: Always be cautious about sharing any personal information.
  • If you receive a call or message asking you to disclose sensitive information such as your social security number, bank account details, or credit card information, do not rush to immediately comply. Instead, check the website of the company who the requesting party claims to represent and reach out to them via their contact information listed on their website.
• Use strong passwords: Creating strong passwords can help reduce the odds of all your accounts falling victim if one of your passwords is compromised.
  • Passwords that use combinations of uppercase and lowercase letters, numbers, and symbols are harder to guess.
  • A good rule of thumb when creating passwords is to make them at least 12 to 15 characters in length.
  • Use different passwords for each account to prevent the attacker from accessing your other accounts as well.
  • Using very simple passwords will provide an extremely easy target for attackers to crack.
  • Passwords using information such as your birthdate, hometown, and child’s name can be an easy target for attackers to crack with some research across social media platforms.
  • Changing passwords regularly (biannually or annually) limits how long stolen credentials are useful to a stealthy attacker.
  • Treat your password like you would your social security number and share it with nobody.
  • Password managers are a wonderful place to securely store your passwords.
• Keep your software up to date: This can help prevent attackers from exploiting known vulnerabilities in your software or downloading malware, even if you accidentally click on a malicious link or file.
  • Make sure your software, including your operating system, web browser, applications, antivirus software, and mobile device software is up to date.
• Use two-factor authentication: Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of security to your accounts by requiring a second form of identification, such as a code sent to your phone, in addition to your password.
  • If you were to fall victim to a social engineering attack and accidentally share your password, 2FA would serve as an extra line of defense preventing the attacker from accessing your account without the authentication code or prompt approval, which will hopefully function as a red flag telling you something went wrong.
• Avoid over-sharing online: Social media sites are a social engineer’s goldmine, providing them with a treasure trove of personal details about your life that can be used to impersonate you.
  • Adjust your social media settings to provide little to no visibility of your account details and posts to users who you are not friends with.
  • Closely scrutinize all friend requests you receive.
• Stay informed on the latest social engineering threats: Social engineering tactics are constantly evolving to keep up with targets that continue to grow more aware of these various exploits.
  • Subscribing to cybersecurity publications (like this blog) can help you proactively learn about the latest threats so you can be prepared to properly respond to an attack attempt when the time comes.

Social engineering attacks come in various forms and can target both individuals and organizations. Being aware of the various types of social engineering attacks is essential in protecting oneself and safeguarding sensitive information. At Compass IT Compliance, we have spent the past decade offering robust security awareness training courses and social engineering assessments to put staff to the test in real-world scenarios. Contact us today to discuss your organization’s security culture and areas you wish to see improvement!