Recognising Social Engineering Attacks

March 31, 2022

“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” –Abraham Lincoln

Social engineering is a form of manipulation where attackers imitate a trusted source in order to convince people to perform certain tasks, such as grant access to a computer or account, or disclose confidential information, such as passwords.

Unlike traditional cyberattacks that rely on security vulnerabilities to gain access to unauthorized devices or networks, social engineering techniques target human vulnerabilities. For this reason, it’s also considered human hacking.

Social Engineering

The most common form of social engineering is phishing. Attackers launch phishing scams that use cleverly crafted emails to capture personal information using malicious URLs or attachments and by creating a sense of urgency for victims to respond.

In January 2022, a new phishing campaign impersonates the US Department of Labor (DoL) and asks recipients to submit job bids in an attempt to steal Office 365 credentials.

The scam is a noteworthy example of how convincing phishing attempts are becoming because the campaign has been around since 2021 . It uses over 10 phishing sites to trick victims into providing personal information.

Phishing

Always remember that legit companies know how to spell. Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated believing them to be less observant and thus, easier targets.

Vishing is another type of phishing attack in which stealing is done using voice communication to steal important information from users.

Vishing

Smishing is a form of phishing in which an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone.

Smishing

Most smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link or asks for a reply that contains the targeted user’s private data.

Many attackers use automation to send several users their text messages using an email address to avoid detection. The phone number listed in caller ID is usually a number that points to an online VoIP service such as Google Voice, where you can’t look up the number’s location.

Another cybersecurity attack to watch out for is the watering hole attack – a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. This watering hole definition takes its name from animal predators that lurk by watering holes waiting for an opportunity to attack prey when their guard is down.

Watering Hole

Pretexting is a form of social engineering used to manipulate victims into divulging sensitive information. Hackers often research their victims in advance of their first conversation. This gives the hacker a sense of the victim’s personal and professional life and assists with establishing the right pretext with which to approach the victim.

Pretexting

Whaling attacks is a form of spear-phishing attack directed at high-level executives where attackers masquerade as legitimate, known and trusted entities and encourage a victim to share highly sensitive information or to send a wire transfer to a fraudulent account.

Lastly, we have tailgating attacks which involve a malicious party gaining physical access to a restricted area by taking advantage of an authorised person’s access. Tailgating attacks rely on social engineering because they use an understanding of psychology to manipulate people into taking specific actions. Typically, attackers exploit kindness or complacency to follow authorised users into restricted areas.

Tailgating

Recognizing a social engineering scam:

Sings of Social Engineering

Asking for an urgent request

Cybercriminals will use language that instills a sense of urgency in their victims to try to pressure the victim to rush into action without thinking about it. If someone asks you to make an urgent wire transfer, it’s a major red flag that someone is trying to trick you.

Your friend sends you a strange request

Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it.

Your emotions are heightened

They use fear as a motivator. They send threatening or intimidating emails, phone calls and texts that appear to come from an authority figure such as a police officer, the tax department or a bank are other techniques social engineers will use to scare you into acting on their demands for personal information or money.

The offer feels too good to be true

If an online contact offers you free access to an app, game or program in exchange for login credentials, beware – you should never shared your login credentials with anyone. If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
Other common scams include offering to split a lottery win or information about a lucrative job opportunity.

You are receiving help you never asked for

Social engineers will pose as s customer service agent from a company you do business with and send you a message “responding” to a request for help. Though you never sent a request for help, you might decide that since you already have a rep contacting you, this would be an opportune time to receive support for an issue you’ve been experiencing.
Inevitably the attacker will request specific information from you to “authenticate your identity.” In reality, they’re just stealing your information.

Sender cant prove identity

If you raise any suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.

Did you know that human error is the cause of the majority of successful social engineering attacks?

The reason social engineering is such a universal component of cyberattacks is that, when done successfully, it provides direct access to a core network or user account. Human error is a fact of life and you still need an underlying layer of cybersecurity to stay safe. That’s why, in addition to having the right tools for prevention, detection, and response, the best way to prevent social engineering is to try and avoid falling victim in the first place by being aware of possible scams and attacks and always double-checking.

Everyone in our organization should understand these specific social engineering examples and all of the telltale signs of a scam attempt. Make your organisation a hard target, download and share our Social Engineering Infographic today!


Share article

Sign up to our newsletter