Information security is usually perceived as a technical and administrative problem rather than a people problem. However, almost all cyberattacks begin with a social engineering scam in which human weakness is the target, rather than vulnerabilities in technology. While hackers tend to get the lion’s share of attention, much more common are attackers who might not even have any specialized technical knowledge, instead relying on methods of manipulation.
Although social engineering attacks may be carried out over any channel, such as email, social media, or telephone, they all have something in common: they’re meant to dupe unsuspecting victims into taking a desired action. This might be to surrender confidential information such as login credentials or payment card information, download a malicious attachment, or click on a malicious link.
Here are five ways you can fall victim to a social engineering attack:
#1. Phishing
Phishing scams have been around for over 30 years, and they continue to evolve, becoming more sophisticated as attackers take advantage of a wider range of communications channels. Regular phishing attacks are usually carried out en masse by cybercriminals masquerading as representatives of legitimate businesses. Due to the lack of personalization of such attacks, most are fairly easy to identify and usually get picked up by spam filters. However, social media is rapidly catching up as a favorite tool for criminals.
#2. Spear phishing
Today, most successful cyberattacks start with a spear phishing attack. Unlike regular phishing scams, these are directed at specific individuals or companies. To increase their chances of success, scammers will often gather and use personal information about the target to instill trust. Some even go so far as to masquerade as a friend or colleague of the victim and may do this using a spoofed email address or even stolen account credentials. Spear phishing attacks are some of the most dangerous, since they’re highly effective and carried out by experienced criminals, masters of subterfuge who know exactly what they’re doing.
#3. Whaling
CEOs and other high-profile individuals are perfect targets as far as experienced scammers are concerned, since they usually have access to a wealth of high-value information. Whaling attacks are highly personalized social engineering scams that target individuals based on their authority within a company. Since they’re so highly targeted, they’re much harder to detect in most cases. The content of these scams often focuses on executive management issues like subpoenas or high-profile customer complaints. To boost their chances of success, scammers may use a wide range of channels and demonstrate extensive knowledge about the target.
#4. Baiting
As the name suggests, baiting relies on false promises to pique a victim’s curiosity or greed. Attackers reel in unsuspecting victims with things like sensationalist headlines in much the same way that less scrupulous advertisers rely on clickbait. However, baiting attacks take things a step further by luring victims into a trap designed to exfiltrate sensitive information or infect the computer with malware. Unlike most other social engineering scams, baiting usually takes the form of a malicious website, often one that masquerades as an official website belonging to a legitimate company.
#5. Watering hole
One of the more obscure forms of social engineering is the watering hole attack, an exploit in which an attacker targets a group of end users by infecting websites and platforms they frequently visit. The name is derived from the phenomenon in which predators lurk around watering holes in search of prey. Attacks often focus on popular and legitimate websites and online communities, such as forums or private social networking groups. While these attacks aren’t particularly common, they’re still highly dangerous because they’re notoriously difficult to detect.
Tech Squared provides cybersecurity tools and expertise that protect your network from threats both inside and outside your organization. Call us today to schedule a consultation.