Phishing attacks are one of the most common forms of social engineering attacks. The following image shows you an example of a phishing email.
Phishing attacks sometimes utilize a technique called pretexting in which the criminal sending the phishing email fabricates a situation that both gains trust from targets as well as underscores the supposed need for the intended victims to act quickly.
In the phishing email shown, note that the sender, impersonating Wells Fargo bank, included a link to the real Wells Fargo within the email, but failed to properly disguise the sending address.
Common forms of social engineering attacks include spear phishing emails, smishing, spear smishing, vishing, spear vishing, and CEO fraud.
Phishing
Phishing refers to an attempt to convince a person to take some action by impersonating a trustworthy party that could plausibly and legitimately ask that person to take such an action.
For example, a criminal may send an email that appears to come from a major bank and asks the recipient to click a link to reset their password because of a possible data breach. When the recipient clicks the link, they land on a website that looks like the bank’s but is actually a replica run by the criminal.
The criminal then uses the fraudulent website to collect usernames and passwords for the real banking site.
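The Wells Fargo message described earlier (real bank link in the body, sending address not disguised) and the replica-site lure described here share a few indicators that can be checked mechanically. The following is an added example, not code from the original article: it parses two constructed sample messages with the Python standard library and flags a display name that claims a brand whose domain does not match the actual sender address, a Reply-To that diverts replies elsewhere, and link text that names one domain while the href points at another. The brand-to-domain table is an assumed allow-list that an organisation would maintain itself.

```python
"""Heuristic checks for the phishing indicators described in the text, run
over a raw email message. Added example, not code from the original article:
the sample messages are constructed and BRAND_DOMAINS is an assumed allow-list."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish: display name claims the bank, the address does not,
# replies are diverted elsewhere, one link's visible text disagrees with its
# real target, and one link genuinely points at the bank (as in the text).
SAMPLE_EMAIL = """\
From: "Wells Fargo Online" <alerts@wf-secure-login.example>
Reply-To: verify@mail-relay.example
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>We detected unusual activity. Verify your identity within 24 hours.</p>
<p><a href="https://wf-secure-login.example/verify">https://www.wellsfargo.com/verify</a></p>
<p>Questions? Visit <a href="https://www.wellsfargo.com/">wellsfargo.com</a>.</p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGIT_EMAIL = """\
From: "Wells Fargo" <alerts@wellsfargo.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Sign in at <a href="https://www.wellsfargo.com/">wellsfargo.com</a>.</p></body></html>
"""

# Brands to watch, mapped to the domains that legitimately send mail for them
# (assumed for this example; a real list comes from the organisation).
BRAND_DOMAINS = {"wells fargo": {"wellsfargo.com"}}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com, wrong for e.g. co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_address(addr: str) -> str:
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def phishing_indicators(raw: str) -> list:
    msg = message_from_string(raw)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of_address(addr)

    # 1. Display name claims a brand, but the sending domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Reply-To silently diverts replies to a different domain.
    reply_domain = domain_of_address(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. Visible link text names one domain while the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != href_domain:
            findings.append(f"link text shows {registrable_domain(shown.group(1))} but href points to {href_domain}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("phish indicator:", line)
    print("legit message findings:", phishing_indicators(LEGIT_EMAIL))
```

These are heuristics, not proof: a criminal who registers a look-alike domain and keeps link text and href consistent trips none of them, and the domain helper deliberately ignores public-suffix rules. In a mail gateway the same checks would sit alongside SPF, DKIM and DMARC results on the sending domain rather than replace them.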
Spear phishing
Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials for a specific company’s email system, for example, they may send emails crafted specifically for particular targeted individuals within the organization.
Criminals who spear phish often research their targets online and leverage information overshared on social media in order to craft especially legitimate-sounding emails.
For example, the following type of email is typically a lot more convincing than “Please login to the mail server and reset your password.”:
“Hi, I am going to be getting on my flight in ten minutes. Can you please login to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but, if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off.”
CEO fraud
CEO fraud is a social engineering attack similar to spear phishing in that it involves a criminal impersonating the CEO or another senior executive of a particular business. The difference is that the instructions from “the CEO” are typically to take an action directly rather than to log in to a system, and the goal is usually not to capture usernames and passwords or the like.
The crook, for example, may send an email to the firm’s CFO instructing them to issue a wire payment to a particular new vendor, or to send all of the organization’s W-2 forms for the year to a particular email address that supposedly belongs to the firm’s accountant.
CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs.
Smishing
Smishing refers to phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.
Vishing
Vishing, or voice-based phishing, is phishing via POTS, which stands for “plain old telephone service.” Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are placed over voice over IP systems, but, in the end, the scammers are calling people on regular telephones much the same way that scammers have been doing for decades.
Whaling
Whaling refers to spear phishing that targets high-profile business executives or government officials.
Tampering
Sometimes attackers don’t want to disrupt an organization’s normal activities but instead seek to exploit those activities for financial gain. Often, crooks achieve this by manipulating data in transit or at rest on their targets’ systems, a process known as tampering.
In a basic case of tampering with data in transit, for example, imagine that a user of online banking has instructed their bank to wire money to a particular account, but a criminal intercepted the request and changed the routing and account numbers to their own.
A criminal may also hack into a system and manipulate stored information for similar purposes. Using the previous example, imagine that a criminal changed the bank account details associated with a particular payee, so that when the Accounts Payable department makes its next online payment, the funds are sent to the wrong destination (wrong, at least, in the eyes of the payer).
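One way to make both forms of tampering above detectable is to bind the payment instruction to a keyed message authentication code that the verifier checks before executing it, and to treat any change to a payee’s bank details as an event that needs out-of-band confirmation. The following is an added example, not code from the original article; the field names, the demo key and the sample instruction are assumptions made for this illustration.

```python
"""Making the tampering described in the text detectable: a keyed MAC over the
payment instruction, checked before the payment is executed. Added example, not
code from the original article; field names, key and sample data are assumed."""
import hashlib
import hmac
import json

# Shared secret between the instructing party and the verifier. In practice it
# is provisioned out of band and must not live on a host the attacker controls.
DEMO_KEY = b"example-only-demo-key-do-not-reuse"

FIELDS = ("payee", "routing_number", "account_number", "amount", "currency", "reference")

# Constructed sample instruction; the bank numbers are placeholders, not real.
ORIGINAL = {
    "payee": "Acme Supplies Ltd",
    "routing_number": "123456780",
    "account_number": "0011223344",
    "amount": "48250.00",
    "currency": "USD",
    "reference": "INV-2024-0117",
}


def canonical(instruction: dict) -> bytes:
    """Deterministic encoding so sender and verifier MAC identical bytes."""
    return json.dumps({f: instruction[f] for f in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_instruction(instruction: dict, key: bytes = DEMO_KEY) -> dict:
    tag = hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()
    return {**instruction, "mac": tag}


def verify_instruction(signed: dict, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison; any altered covered field invalidates the tag."""
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


def intercept_and_redirect(signed: dict, routing: str, account: str) -> dict:
    """What the criminal in the text does: swap the destination, keep the rest."""
    return {**signed, "routing_number": routing, "account_number": account}


def changed_bank_details(stored: dict, incoming: dict) -> list:
    """For the at-rest case: fields whose change should force out-of-band
    confirmation with the payee before the payee record is updated."""
    return [f for f in ("routing_number", "account_number")
            if stored.get(f) != incoming.get(f)]


def demo() -> dict:
    signed = sign_instruction(ORIGINAL)
    tampered = intercept_and_redirect(signed, "999999990", "9988776655")
    return {
        "original_verifies": verify_instruction(signed),
        "tampered_verifies": verify_instruction(tampered),
        "changed_fields": changed_bank_details(ORIGINAL, tampered),
        # Without the key the attacker cannot produce a valid replacement tag.
        "resigned_by_attacker_verifies": verify_instruction(
            sign_instruction(tampered, key=b"attacker-guess")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC proves only that whoever holds the key produced the instruction, so it helps with the in-transit case (where TLS should already apply) and with a payee record edited on a system that does not hold the key; an attacker who compromises the signing host itself can simply sign the altered instruction. That is why the second check, a mandatory call-back to the payee on any bank-detail change, is the control Accounts Payable teams actually rely on.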
Other social engineering attacks
Additional types of social engineering attacks are popular as well:
- Baiting: An attacker sends an email or chat message, or even makes a social media post, that promises someone a reward in exchange for taking some action; for example, telling a target that if they complete a survey, they will receive a free item. Sometimes such promises are real, but often they’re not and are simply ways of incentivizing someone to take a specific action that they would not take otherwise.
Sometimes such scammers seek payment of a small shipping fee for the prize, sometimes they distribute malware, and sometimes they collect sensitive information. Some malware also uses baiting as its lure.
Don’t confuse baiting with scambaiting. The latter refers to a form of vigilantism in which people pretend to be gullible, would-be victims, and waste scammers’ time and resources through repeated interactions, as well as (sometimes) collect intelligence about the scammer that can be turned over to law enforcement or published on the Internet to warn others of the scammer.
- Quid pro quo: The attacker states that they need the person to take an action in order to render a service for the intended victim. For example, an attacker may pretend to be an IT support manager offering to help an employee install a new security software update. If the employee cooperates, the criminal walks them through the process of installing malware.
- Social media impersonation: Some attackers impersonate people on social media in order to establish social media connections with their victims. The parties being impersonated may be real people or nonexistent entities. The scammers behind the impersonation shown here, and many other such accounts, frequently contact the people who follow the accounts, pretending to be the author, and request that the followers make various “investments.”
An example of an Instagram account impersonating an author, using his name, bio, and primarily photos lifted from his real Instagram account.
- Tantalizing emails: These emails attempt to trick people into running malware or clicking on poisoned links by exploiting their curiosity, sexual desires, and other characteristics.
- Tailgating: Tailgating is a physical form of social engineering attack in which the attacker accompanies authorized personnel as they approach a doorway that they, but not the attacker, are authorized to pass, and tricks them into letting the attacker through with them. The attacker may pretend to be searching through a purse for an access card, claim to have forgotten the card, or may simply act sociable and follow the authorized party in.
- False alarms: Raising a false alarm can also socially engineer people into letting unauthorized people do things that they should not be allowed to do. Consider the case in which an attacker pulls the fire alarm inside a building and enters normally secured areas through an emergency door that someone else used to exit quickly because of the so-called emergency.
- Water holing: Water holing combines hacking and social engineering by exploiting the fact that people trust certain parties, so, for example, they may click on links when viewing that party’s website even if they’d never click on links in an email or text message. Criminals may launch a watering hole attack by breaching the relevant site and inserting the poisoned links on it (or even depositing malware directly onto it).
- Virus hoaxes: Criminals exploit the fact that people are concerned about cybersecurity, and likely pay undeserved attention to messages that they receive warning about a cyberdanger. Virus hoax emails may contain poisoned links, direct a user to download software, or instruct a user to contact IT support via some email address or web page. These attacks come in many flavors — some attacks distribute them as mass emails, while others send them in a highly targeted fashion. Some people consider scareware that scares users into believing that they need to purchase some particular security software to be a form of virus hoax. Others do not because scareware’s “scaring” is done by malware that is already installed, not by a hoax message that pretends that malware is already installed.
- Technical failures: Criminals can easily exploit humans’ annoyance with technology problems to undermine various security technologies, for example by presenting a bogus error message that asks the user to re-enter a password or to switch off a security control so that things “work” again.
6 principles social engineers exploit
Social psychologist Robert Beno Cialdini, in his 1984 work Influence: The Psychology of Persuasion, published by HarperCollins, explains six important, basic concepts that people seeking to influence others often leverage. Social engineers seeking to trick people often exploit these same six principles, so here’s a quick overview of them in the context of information security.
The following list helps you understand and internalize the methods social engineers are likely to use to try to gain your trust:
- Social proof: People tend to do things that they see other people doing.
- Reciprocity: People, in general, often believe that if someone did something nice for them, they owe it to that person to do something nice back.
- Authority: People tend to obey authority figures, even when they disagree with the authority figures and even when they think what they’re being asked to do is objectionable.
- Likeability: People are, generally speaking, more easily persuaded by people who they like than by others.
- Consistency and commitment: If people make a commitment to accomplish some goal and internalize that commitment, it becomes part of their self-image, and they’re likely to attempt.
- Scarcity: If people think that a particular resource is scarce, regardless of whether it actually is scarce, they will want it, even if they don’t need it.