Social engineering attacks: Types and protection tips

The nature of cyber threats has evolved significantly over the past few years. Cybercriminals continue to find innovative ways of making money by tricking email recipients into believing them. Cybercriminals usually achieve this by finding vulnerabilities in a system or software to find an entry point and carry out the attack. Even though loopholes in devices and software pave lucrative ways for hackers to spew attacks, one of the most common forms through which hackers attain their goals is by psychological manipulation.

Humans are the weakest link in a cybersecurity system, and hackers make use of this weakness for their attacks. In fact, humans are responsible for 82% of breaches against businesses. Hackers rely on the human element because it's one of the easiest ways to formulate an attack. Fraudsters create emails or other forms of attacks that can easily deceive the target, making them fall prey to their attacks. 

Social engineering is one technique that commonly uses psychological manipulation to trick people into revealing information or performing a specific action. In social engineering, hackers impersonate other trusted entities and bait the users into performing actions that give them monetary benefits or furthers their attack in some form. In this article, we'll take a look at what social engineering is, the types of social engineering attacks, and the ways in which you can protect your organization from these attacks. 

What are social engineering attacks?

Social engineering is a technique used in cybercrimes where the threat actors use deception and manipulation to gain the trust of their victims and use this trust to extract sensitive information from them. The threat actors will use this information later to propagate the attack or demand a monetary ransom. These attacks are always designed with the probability for human error in mind because the hackers aim to use humans as the entry point. 

By manipulating people, hackers aim to extract sensitive information such as bank account numbers, credit card numbers, account credentials, and other personally identifiable information (PII). Hackers rely on social engineering attacks for 98% of data breaches, making them one of the most dangerous techniques used to propagate threats. This is because hackers can get access to sensitive information without having to work around network or device security controls; they can easily create a believable brand or identity. 

How does social engineering work?

Social engineering attacks can be successful only if the hacker has done sufficient research about their target, making this the first step in the attack. After doing their research, hackers create a believable attack, perform the attack, and finally disappear without leaving a trace. Let's take a look at these four stages in detail. 

Research: In the first stage, hackers perform extensive research to identify which people to target, their communication patterns, and the people they interact with regularly. Gathering information about their target gives them an idea of what might be anomalous or normal to the target. 

Ideation: Equipped with sufficient knowledge about their targets, hackers design an attack that doesn't arouse any suspicion. This attack could be in the form of an email, a text message, or even a call. In this stage, hackers either create a brand that seems trustworthy or impersonate an existing brand that the target interacts with regularly.

Attack propagation: Having created an attack that they're confident will escape detection by their targets, the hackers start propagating their attack. Because cyber criminals create their attacks with care, they escape detection so their targets fall prey to them. They carry out the intended action, which is usually sharing sensitive information or performing a financial transaction.  

Retreat: Once the hacker gets their intended result, they use the information they've gathered as part of a larger attack, wipe out any traces that might lead back to them, and disappear with the money or intel. This is an important stage for the hackers, because it's critical that none of the means used in the attack lead back to them.

Common targets of social engineering attacks

There are certain targets that provide the most benefit for hackers. These are the types of people who are most likely to believe the attack, or they could be the people who commonly transact with large amounts of money. Some common targets include:

Large businesses: Businesses that transact large amounts of money are less likely to find a monetary request suspicious. Hackers will target members who have the authority to approve transactions, such as people belonging to the finance team, and request payments by impersonating legitimate entities. On an average, companies have lost $130,000 due to social engineering attacks.

High-profile employees: High-profile employees often make payment requests for their vendors, contractors, or business partners. Hackers will assume the identity of members such as CEOs, CFOs, or other C-suite executives and request that their finance team process a pending payment. Because this seems like a harmless request, people perform the action that's requested.

Elderly people: Elderly people who aren't aware of possible indicators of cybercrimes are a common target for hackers. Hackers make use of methods such as scaremongering to make them perform a certain action. For example, they'll pretend to be a bank official to scare people into updating their bank details with a warning that their bank account will be closed. 

New employees: These days, hackers closely follow the people they aim to target. When people post updates about shifting to new jobs on their LinkedIn profiles, hackers count on the fact that they may not yet know all of the security practices their new company follows. So when they receive a request from someone who seems legitimate, the employee shares the details without much thought. 

Types of social engineering attacks

Social engineering attacks can come in many forms. They may target an individual or a company through email, text message, or voice calls. Let's delve into the different types of these attacks to understand how they can occur. 
 

Phishing

Phishing is a type of cyberattack in which hackers send an email or text message with the intent to extract specific kinds of information. Phishing is one of the most commonly used tactics in cyberattacks because they don't involve getting around firewalls or network security systems. In fact, phishing attacks account for 22% of all data breaches. 

Hackers use phishing attacks to manipulate their targets into sharing information that will help them propagate an attack or extract sensitive information that they can sell on the dark web or hold ransom for a payment. In other forms of the attack, the attacker directs their target to download a software that contains malware, locking users out of their systems or silently monitoring the activities they perform. Extracting money from targets for monetary benefits is also a common result of these attacks. 

Phishing attacks rely on tricking the email recipients into believing that they're a trusted identity, making them one of the common social engineering attacks deployed by hackers.
Other forms of phishing attacks are also becoming increasingly prevalent in recent times. They include smishing, which is phishing for data over SMS; vishing, where targets are phished for information through voice calls; and whaling attacks, where hackers target high-profile C-suite employees. 

Spear phishing

Spear phishing is a type of phishing attack where hackers target specific people with the intention of extracting sensitive information or money from them. Because these attacks are created with specific people in mind, hackers perform extensive research to achieve their motive. They stalk people or companies online and do the necessary recon before they create the attack. Understanding their communication patterns, positions, and the people they regularly interact with gives them a better idea of how to create the attack. 

Spear phishing attacks are usually done with high-value compensation in mind. So they target C-suite members or finance team members of large organizations. They aim to get the account credentials of high-profile employees or extract money from the company. The emails sent are usually personal and realistic because of the research performed. 

Quid pro quo

In quid pro quo attacks, the threat actors promise to provide something in exchange for an action that's carried out by the target. Hackers usually conduct these attacks by assuming the identity of tech support members who are trying to help with a persistent issue. They may promise to rectify issues of a slow network, firewall issues, or anti-virus software issues in their system. They'll ask the target to share their account or device credentials, pretending to log in and identify the issue. Once the credentials are shared, the hackers steal them for their own benefit or sell them on the dark web. In other instances, they may promise a gift basket or loyalty points for a renowned brand in exchange for filling out a form that collects sensitive information. 

Baiting

Baiting is a form of social engineering in which bad actors lure the target with fake promises and curiosity-inducing advertisements or promotions. These usually involve performing seemingly innocuous actions that end up costing the target in many ways. Performing the intended action may lead to downloading an application or a file containing malware onto an operating system, or revealing credentials and other sensitive information related to the target individual or their organization. 
 

Pretexting

Pretexting refers to an attack in which the threat actor assumes the identity of someone and nudges the target to perform a certain action. All social engineering attacks use some form of pretexting to carry out their motives. In this attack, hackers take over the identity of someone the target commonly interacts with on an everyday basis. Some examples include common brands such as Microsoft, Amazon, Apple, and other major companies. In other cases, hackers may mimic charity organizations, banks, and IT support technicians, contact the target for a fabricated issue, and make their target perform the required action.
 

Protecting your organization from social engineering attacks

While social engineering attacks are becoming increasingly clever and sophisticated, there are measures that both organizations and individual employees can take to protect themselves. Let's take a look at some of the best practices that can help. 
 

Be vigilant about threat cues

Most emails with malicious intent exhibit certain cues that are common indicators of email threats. Some of the common indicators of such emails are:

Urgent subject lines: If threat actors aim to extract some information from the email recipient, they make them take the action without too much thought. In those cases, a subject line that sounds urgent and panic-provoking works best for them. Therefore, be wary of such subject lines. 

Inconsistent sender information: Verify if the sender information is consistent throughout the email. Check if the display name, from address, reply-to address, and the signature or the domain disclaimer match. If there are any discrepancies, proceed with caution.  

Overly persuasive content: In case the email content is trying too hard to convince you or sounds too good to be true, be cautious. The sender could be trying to deceive you with offers or promises that they may not keep while stealing valuable information or money from you.

Immediate demands: While certain emails can be time-sensitive, not all of them are. Threat actors exploit these scenarios for their benefit. Even if an urgent email lands in your mailbox, give every demand due consideration and take action only after following your company's security processes.

Identify unsolicited requests

Threat actors look for every opportunity to fool their victims into believing them. Creating a sense of panic and urging them to take immediate action is one of them. Sometimes, they get into users' mailboxes by making up a situation that's untrue but may seem plausible. Some common scenarios include a package being held by customs because it didn't get clearance, bank account password expiry notifications, network carrier suspension alerts, and an account being blocked if a specific step isn't immediately taken. 

If you receive such a notification, pause to think about whether there's something at your end that could trigger such a notification. In case you receive a message about a package being held, and you're not expecting any deliveries, you can notify your admins and dismiss the email without taking any action.

Exercise caution with sensitive data

Invading a single important account is all threat actors need to get your online and offline data. If an email asks you to share data that may expose you, verify the email source and reveal the data only after due consideration. If there's a link embedded in the content where you're asked to enter credentials, verify that the website is genuine before supplying your data. These could be phishing websites from which the threat actor steals your credentials. Because this data has the potential to bring down your entire online presence, be extra cautious about who and where you reveal your details. 

Configure multi-factor authentication

Even if your account credentials are compromised through a data breach or a social engineering attack, you can minimize the implications of these leaks by configuring multi-factor authentication. Multi-factor authentication ensures that even if an attacker has access to your password, they're allowed to log in only after performing an additional step that enhances your security. By making this an organization-wide policy, you can prevent attackers from gaining access to sensitive data about your company.

Because most email providers alert users about suspicious logins, if there's a login that you don't recognize, you can reset your password to prevent any potential damage.

Enforce strict access controls

Most social engineering attacks prey on individuals who aren't aware of secure data handling attacks. If an employee is recruited to the finance team of a reputable company, hackers can stalk them online and convince them to perform sensitive actions. Clearly separate roles and responsibilities within the company and ensure that sensitive actions, such as money transfers and data sharing, can be done only after several levels of approvals are completed. Every new employee should go through rigorous training processes to prevent any mishaps due to a lack of awareness.
 

Educate your employees

It's important that there are no weak links in any organization. Mandate security awareness trainings for all employees joining your company. This will be most effective if the training is done as part of the employees' orientation into the company. In addition to the training, simulate emails that can test your employees' understanding of the different threat types and see how many of them report it. If an employee has taken the bait, conduct additional training. 
 

Deploy email security solutions

While many preventive measures can be taken at the employee and individual level to identify these attacks, email security solutions can identify sender and content patterns with a high level of accuracy with their advanced algorithms. Deploy an email security solution that can identify and report such emails to guard your organization.

eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.