Understanding Social Engineering Attack Methods 

Uploaded on 2024-08-30 in TECHNOLOGY--Resilience, FREE TO VIEW

Social engineering is a term used for a broad range of criminal activity and it is a dangerous weapon that is used by many cyber criminals to achieve their odious goals. It leverages psychological manipulation to deceive individuals into divulging confidential or personal information. 

As technological defences become more robust, cyber criminals are increasingly using social engineering techniques to exploit the weakest link in the security chain: people.

Social engineers use a variety of means, both online and offline, to deceive unsuspecting users into compromising their security, transferring money or giving away sensitive information and it is different from traditional hacking, which relies on exploiting software vulnerabilities, social engineering targets human vulnerabilities.

Here are the most common  types of social engineering attacks currently in use with real-world examples.

Phishing: Hook, Line & Sinker

Phishing is one of the most common social engineering attacks. It involves sending fraudulent communications, usually emails, that appear to come from a legitimate source. The goal is to trick recipients into providing sensitive information, such as login credentials or financial details.

In 2022, a sophisticated phishing attack aimed at stealing Office 365 credentials, where attackers impersonated the US Department of Labor (DoL). This scam demonstrates the increasing sophistication and convincing nature of modern phishing attempts.

Spear Phishing: Precision Social Engineering

Spear phishing is a more targeted version of phishing. While phishing attacks are often sent to many recipients with a “mud-against-the-wall” approach, spear phishing targets specific individuals or firms. The malicious actor customises the message based on information about the target, making it more convincing.

As world leaders deliberated on the best response to the escalating tensions between Russia and Ukraine, Microsoft issued a warning in February 2022 about a new spear phishing campaign by a Russian hacking group targeting Ukrainian public sector entities and NGOs. The group, known as Gamaredon and tracked by Microsoft as ACTINIUM, had reportedly targeted “organisations critical to emergency response and ensuring the security of Ukrainian territory” since 2021.

Pretexting

Pretexting is another form of social engineering involving creating a fabricated scenario to steal information. These scams use the same social engineering techniques that con artists have used for centuries to manipulate their victims, such as deception, validation, flattery, and intimidation. The attacker pretends to need the information to confirm the victim’s identity or to help with a supposed emergency.

At the organisational level, a pretexting actor may take extensive measures to impersonate trusted figures such as managers, coworkers, or customers. This could involve fabricating identities through fraudulent email addresses, websites, or social media profiles. In more elaborate scenarios, the attacker might arrange face-to-face meetings with targets. For instance, a hacker masquerading as a vendor representative might schedule a meeting to gain access to confidential customer data. The attacker aims to appear credible during these encounters and build rapport with the target.

By establishing trust, the attacker increases the likelihood that the target will comply with requests for sensitive information, believing them to be legitimate.

Deepfakes

Deepfakes, which use artificial intelligence (AI) to create realistic but fake audio, video, or images that impersonate real people, are increasingly used in various social engineering attacks to create compelling but fraudulent scenarios. They leverage manipulated audio and video to deceive targets into disclosing sensitive information or performing actions they otherwise would not.

In 2022 a deepfake purported to show President Zelensky declaring that Ukraine has “decided to return Donbas” to Russia. and instructing Ukrainian soldiers to lay down their arms. 

Quid Pro Quo

Another type of social engineering is quid pro quo attacks, which involve offering a service or benefit in exchange for information. Attackers may promise tech support, free software, or other services to persuade victims to reveal confidential information. 

One of the most prevalent quid pro quo attacks involves fraudsters posing as representatives of the US Social Security Administration (SSA). These fraudsters contact individuals randomly, requesting confirmation of their Social Security Numbers under false pretences, enabling identity theft. 

Attackers don’t even need to be very convincing, as previous incidents have demonstrated that office employees are willing to divulge their passwords in exchange for inexpensive items like pens or chocolate bars.

Honeytraps

Honeytraps involve creating fake online personas to establish romantic relationships with victims. The goal is to gain and exploit the victim’s trust for financial gain or access to sensitive information.According to police reports, a man from Vancouver Island lost $150,000 in a romance scam. Over several months, the scammer requested money for plane tickets, medical bills, and various other expenses.

In 2023 the FBI Seizes $112m From 'CryptoRom' Criminals. Their schemes involve fraudsters cultivating long-term relationships with victims online to coax them to make crypto-currency investments. The catch is that the transferred funds end up in the swindler’s pockets while the victim is abandoned

Piggybacking

Two other widespread threats are tailgating and piggybacking. Tailgating, in essence, is unauthorised access to secured spaces, which malefactors gain by exploiting the trust of real users. It involves gaining physical access to a restricted area by following someone with legitimate access and exploiting the courtesy of others to gain entry without proper authorisation. 

It can also involve badge cloning, using unattended devices, or impersonation. Piggybacking happens when someone attempts to piggyback onto a hacker's attempted extortion.

In 2018, an individual admitted guilt in England's Reading Crown Court for unauthorised computer access and blackmail, while he was working at Oxford Biomedica, a gene therapy company. There was an incident where the company faced a ransom demand of $370,000 in Bitcoin after an attack. One untrustworthy employee even altered ransom notes to redirect payments to his cryptocurrency wallet, effectively launching a separate attack against his employer.

Business Email Compromise

Business email compromise (BEC) is a sophisticated cyberattack where criminals meticulously gather information about an organisation's structure and key executives. Using this knowledge, they exploit the trust associated with high-ranking positions, like the CFO, to trick employees into transferring funds or divulging sensitive information.

By gaining access to an executive's email account, attackers impersonate them and request urgent financial transactions, such as paying fraudulent invoices. They exploit the time-sensitive nature of these transactions to minimise the chances of detection.

BEC is one of the most common attacks and one of the most costly types of cybercrime. Between 2013 and 2022, the FBI says BEC attacks caused roughly $50.8 billion in losses worldwide.

Awareness & Education

Social engineering attacks are a growing scourge in today's digital landscape. They exploit human psychology rather than technological weaknesses, making them particularly challenging to defend against. Awareness and education are crucial in combating these attacks and employees should know how to recognise and report potential incidents promptly.

Key points to emphasise in security awareness training:

  • If you receive a suspicious email, verify its legitimacy by contacting the sender directly via phone or in person.
  • Be sceptical of unsolicited offers. If something appears too good to be true, it likely is.
  • Always lock your laptop when stepping away from your workstation to prevent unauthorised access.
  • Invest in antivirus software. While no antivirus solution offers foolproof protection, it can significantly bolster defences against social engineering tactics.
  • Familiarise yourself with your company’s privacy policy to understand protocols regarding access permissions for external individuals.
  • Validate urgent requests from internal contacts before taking action, primarily involving financial transactions or sensitive information.
  • Foster a culture of risk awareness to keep employees vigilant.

Social engineering thrives on human error, so embedding security awareness into the organisational mindset is crucial.

By understanding the common types of social engineering attacks and recognising their real-world implications, individuals and organisations can better protect themselves from these pervasive threats.

Splunk   |   Imperva   |   Tripwire   |   Fortra   |     Vancouver Sun   |    BankInfoSecurity   |   ITGovernance 

Image:

You Might Also Read: 

Every Employee Should Be Considered A Target:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« For Many Businesses Experiencing MultiCloud Data Breach, Multi-Cloud Security Could Be The Answer
PDF Merging Guide: Simplify Document Management »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

Redjack

Redjack

Redjack is a cutting-edge network analytics company focused on enterprise and ISP security and intelligence solutions.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

Data443 Risk Mitigation

Data443 Risk Mitigation

Data443 Risk Mitigation provides next-generation cybersecurity products and services in the area of data security and compliance.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

Unit21

Unit21

Unit21 helps protect businesses against adversaries through a simple API and dashboard for detecting and managing money laundering, fraud, and other sophisticated risks across multiple industries.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

HiddenLayer

HiddenLayer

HiddenLayer is a provider of security solutions for machine learning algorithms, models and the data that power them.

Maintel

Maintel

Maintel provides cloud and managed communications services. We help our customers to deliver exceptional customer experiences, and to securely access their applications and their data.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.

ImagineX Consulting

ImagineX Consulting

ImagineX Consulting is a cybersecurity-focused boutique technology consultancy whose mission is to help our clients #BeBetter by reducing their corporate risk.

Custom Computer Specialist (CCS)

Custom Computer Specialist (CCS)

CCS offers an extensive range of services including cybersecurity solutions, consulting, implementation, and support to help our clients maximize the value derived from IT investments.

Barrier Networks

Barrier Networks

Barrier Networks are a Cyber Security Managed Service Provider that specialises in Network and Application security.

M7 Services

M7 Services

M7 Services are a comprehensive Managed Services Provider (MSP) with a focus on delivering cutting-edge information technology solutions and unparalleled customer service.

Black Duck Software

Black Duck Software

Black Duck (formerly the Synopsys Software Integrity Group) is the market leader in application security testing (AST).