Social engineering is a type of cyber-attack that deliberately targets the victim’s emotions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
These attacks often take place over several weeks or months, with cyber criminals willing to play the long game for potentially incredibly valuable results. Firstly, they will investigate the victim online, using their social media profiles to gather necessary background information that will be used in the attack. Once they have this detail, they will then make a move to gain the victim’s trust, pretending to be someone they would interact with online to gradually get them to reveal sensitive or private information.
The top 5 methods cyber criminals use
Due to the nature of targeting someone’s emotions, there are many different types of social engineering attacks which can take place. Let’s have a look at a few and how to best protect yourself from them.
- Phishing – this is by far the most common type of social engineering attack, with phishing attacks using targeted emails to get the recipient to click on a malicious link or download an attachment. There are also several variations of phishing attacks, such as vishing (voicemail phishing), smishing (SMS phishing) and blagging (specific scenario phishing) that cybercriminals will use. With all these attacks, you should be careful about how you respond, watching out for anything suspicious and acting with caution.
- Baiting – this is where a cybercriminal coaxes private information out of their victim by promising them something for free. A common example of this would be an email offering a free gift if they fill in a form or click on a link to take a survey. You need to be particularly careful of these attacks as often victim’s react without thinking – remember, if something sounds too good to be true, it often is – and people rarely get something for nothing!
- Honey trapping – in this method of social engineering attack, the cybercriminal will attempt to engage in a romantic relationship with the victim. They will then try to use this new position in the victim’s life to get them to reveal confidential information and often, attempt to get them to transfer large sums of money. In today’s world, online relationships are something to be extremely cautious of, and you should never commit to sharing financial information or any private data with anyone unless you can accurately and confidently confirm their identity.
- Tailgating – this is an attack where the criminal will attempt to gain access into a building or secure location, by following someone else inside. Often, they will claim they have forgotten their key card or access fob and try to engage in casual conversation so the person they are tailgating doesn’t think to question their presence. In situations like this where you don’t recognise someone trying to gain access to somewhere secure, you should always challenge them and report the incident to a security team as quickly as possible.
- Diversion theft – this attack originated offline, but has developed over recent years as online shopping has increased. It involves the attacker finding out information about where a delivery has been sent, then altering this information in order to receive the packages themselves.
Key tips for staying safe
Unfortunately, due to their nature, social engineering attacks are some of the hardest to identify. However, the best thing to do is remain cautious about any communications you receive from a new or unknown source. If you come across something that looks suspicious, or even just seems out of character, consider where the message is coming from and if they’re asking for something that could create problems.
Never share your private information with anyone you don’t know or entirely trust and if you do suspect you have been a victim of a social engineering attack, report it to your IT security team immediately.
Find out more
If you want to find out more about how Boxphish can help you prevent social engineering attacks in your organisation, get in touch with us. We have a number of courses specifically built around social engineering, as well as other key topics within cyber security. We also offer phishing simulations to train your users on what to watch out for.
For more information, book a demo with us today.