Five Unique Tactics of Social Engineering Attacks
By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager
Five Unique Tactics of Social Engineering Attacks is a part of Adlumin’s Cyber Blog content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.
As cybercriminal organizations and state-sponsored actors grow in sophistication and capability, they remain loyal to the simple tactics and techniques that deliver results. Social engineering might not carry the glamor of a zero-day exploit, but it works. It works so well that 90% of cyberattacks on organizations involve some form of it, according to KnowBe4. The employees on the receiving end are vulnerable to influence and often become unwitting accomplices in a cybercrime.
The Cybersecurity & Infrastructure Security Agency (CISA) defines social engineering as an attack in which “an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.”
Social engineering begins with reconnaissance, which can take multiple forms, from harvesting publicly available information on social media to searching the web for details about the target organization. The point of this groundwork is to learn which tools, topics and contacts a potential victim values and is therefore likely to engage with. Fundamentally, social engineering is about gaining the user’s trust.
Social engineering campaigns often rely on fake emails and websites that look authentic and can fool employees across the entire organization. Everyone is a potential target, from engineers to sales and marketing staff, finance administrators and senior executives. The aim is to manipulate the target into revealing sensitive business or personal information, and information stolen this way is then reused to make the next phishing campaign look even more authentic. Because these attacks can take so many forms, it is often hard to pinpoint the cybercriminal’s initial entry point.
Five Common Tactics of Social Engineering
- Scareware: An attack that bombards victims with false alarms and fictitious threats about their devices. Victims are led to believe their systems are infected with malware and are prompted to install a “fix” that is itself malicious. In one of the most extreme cases, following a massive theft of payment card data from a major retailer, cardholders were telephoned and asked to update their security measures. Of course, the calls came from cybercriminals collecting the victims’ PINs and passwords.
- Baiting: A form of social engineering that incentivizes users to take the action the attacker wants. These attacks often dangle gifts, exclusive offers, courier packages and other well-known “lures.” Users who engage give up personal information or sign up for fictitious accounts, exposing their passwords. Since passwords are often recycled across multiple accounts, this can create a severe breach and risk to the organization. Baiting can even use physical media such as flash drives: dropped in the employee parking lot, a drive that a curious employee plugs into a company computer can deliver malware.
- Pretexting: In this form of social engineering, attackers invent a plausible scenario (the pretext) in which the victim must supply sensitive information to complete a critical task or service. Posing as friendly, legitimate actors, these criminals solicit data from the victim using motivators such as tax refunds, payments, deliveries or business-related projects.
- Spear Phishing: These attacks target specific individuals chosen for their role, seniority, authority or access to critical systems. They often target professionals such as lawyers, doctors or engineers with fake license complaints and lawsuits. In other cases, executives have been targeted with emails and branded file shares containing lawsuit filings, built from publicly available court records and stolen litigation material. Spear phishing is perhaps the most challenging form of social engineering to defend against because it is extremely difficult to distinguish from legitimate traffic and communications.
- Quid Pro Quo: This type of attack centers on an exchange of a service or information that convinces the victim to act. Typically, the cybercriminal promises a reward, or leans on the victim’s own work motivations, in return for information that can be used to steal money or take control of a company account or data. One of the most common examples is a cybercriminal posing as an IT employee who asks for, or offers, technical support.
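The pretexting and spear-phishing lures above are hard to tell from legitimate mail by eye, but several of their tells live in the message headers and can be checked automatically. The following is an added example, not code from the original post or from Adlumin: it parses a raw message and flags a sender domain that merely looks like the organization’s own (digit and Cyrillic homoglyphs, “rn” for “m”), a display name that impersonates an internal address, a Reply-To that points somewhere other than the From domain, and the pressure wording (lawsuits, urgent wires, credential “verification”) that these lures lean on. The trusted domain `example.com`, the confusable-character table, the keyword list and the three sample messages are all assumptions constructed for the example.

```python
"""Heuristic triage of inbound mail for common social-engineering tells.

Added example, not Adlumin's code. Everything below (trusted domain,
confusable table, pressure-word list, sample messages) is an assumption
constructed for illustration.
"""
import email
import re
import unicodedata
from email.utils import parseaddr

# Assumption: the organization's own mail domains.
TRUSTED_DOMAINS = {"example.com"}

# Assumption: a small hand-picked table of characters attackers swap in for
# Latin letters when registering lookalike domains (digits and Cyrillic twins).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})

# Assumption: wording that pretexting, scareware and spear-phishing lures use to rush the target.
PRESSURE = re.compile(
    r"\b(urgent(ly)?|immediately|within 24 hours|lawsuit|subpoena|license complaint|"
    r"wire transfer|gift cards?|verify your (account|password)|account (will be )?suspended)\b",
    re.IGNORECASE,
)


def normalize_domain(domain: str) -> str:
    """Fold a domain to the ASCII string a human would read it as."""
    folded = unicodedata.normalize("NFKC", domain.strip().lower()).translate(CONFUSABLES)
    # Two-letter homoglyph pairs that a single-character table cannot catch.
    return folded.replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str) -> bool:
    """True if the domain reads like a trusted one but is not actually it."""
    d = domain.lower()
    return d not in TRUSTED_DOMAINS and normalize_domain(d) in TRUSTED_DOMAINS


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")


def analyze(raw_message: str) -> dict:
    """Return the social-engineering indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr)
    findings = []

    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    # Display name carries an internal address or domain, but the real sender is external.
    if from_domain not in TRUSTED_DOMAINS and any(t in from_name.lower() for t in TRUSTED_DOMAINS):
        findings.append("display-name-spoof")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    if PRESSURE.search(f"{msg.get('Subject', '')}\n{body_text(msg)}"):
        findings.append("pressure-language")

    return {"from": from_addr, "domain": from_domain,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real traffic).
LEGIT = """\
From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: Q3 budget draft

Attached is the draft we discussed on Tuesday.
"""

LOOKALIKE = """\
From: Jane Doe <jane@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: bob@example.com
Subject: Wire transfer needed before 5pm

Bob, I need you to handle a wire transfer today. Call me only after it is sent.
"""

SPOOFED_NAME = """\
From: "Legal Dept (legal@example.com)" <legal-notice@courtfilings-delivery.net>
To: bob@example.com
Subject: Lawsuit filed against you - respond immediately

A lawsuit has been filed naming you. Review the filing at the shared link.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed-name", SPOOFED_NAME)):
        print(label, analyze(raw))
```

None of these checks is proof of an attack on its own (a Reply-To on another domain is routine for ticketing systems, and pressure words appear in real legal mail), so the output is a triage score for a human or a mail gateway rule to act on, not a verdict. The lookalike check is deliberately conservative: it only fires when the folded domain exactly equals a trusted one, so a genuinely different domain is never reported as an impersonation.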
Social engineering schemes of every kind happen daily, and, as with any strategy, some techniques are better known than others. Unlike most other cyberattacks, however, human interaction is the critical component, which is reason to think more carefully about your daily interactions on the internet. These attacks are much harder to identify than purely technical ones, and they often dupe employees in the early stages of a much larger campaign.
Training is Key to Proactive Defense Against Social Engineering
Employees are your organization’s first line of defense against social engineering. If they are not properly trained to recognize these tactics, your security software can only protect you until someone clicks a malicious link.
Yes, there are ways to hunt these threats before they spread across your IT network, but it is best to think proactively and put the fire out at the source. Finding and implementing the right Proactive Defense Program empowers employees to spot and report suspicious activity. This does not mean one-off sessions that overwhelm employees with information they will soon forget; it means consistent training that builds a positive cybersecurity culture within the organization.
Training needs to be persistent and delivered in small doses throughout the year so that the information is retained. Proactive Defense Programs test employees with simulated, de-weaponized versions of real attack campaigns. A training program also helps your organization comply with industry regulations and internal policies, and lets you track and give additional training to high-risk users.
What’s Next?
Now that you have this information, you might wonder what comes next. The best advice for combating social engineering threats is to know the signs and to prioritize implementing a Proactive Defense Program throughout your company. Social engineers manipulate emotions and human reasoning to lure victims into their traps, so we must be wary of what we open, click and interact with online. Always remain alert and trust your gut instinct; if something doesn’t feel right, nine times out of ten it isn’t right.