Social engineering tactics used by scammers involve exploiting human characteristics such as curiosity, impatience, gullibility, addiction to technology, and burnout. Perry Carpenter, Chief Evangelist and Head of Security for KnowBe4, shares common social engineering hacking tactics and ways to limit the risks they pose.
Social engineering is one of the most widespread attack vectors used by scammers to manipulate people into performing a dangerous action, such as downloading an attachment, clicking a URL, or disclosing personal or sensitive information. The growth of social engineering has been remarkable: in 2021 alone, social engineering threats increased by 270% while we estimate $6.9 billion were stolen using social engineering scams.
Popular social engineering techniques
Threat actors are keen observers of human behavior. They know that people are quite predictable and have inherent weaknesses (such as blind trust, gullibility, curiosity, and prejudice) that can be exploited for scams and hacks. Let’s look at some popular social engineering techniques used by scammers and cybercriminals:
- Phishing and smishing: Phishing is one of the most well-known tricks in the social engineering book. It usually takes the form of a legitimate-looking email, social media message, or text message received on your phone (aka smishing). The message typically asks the target to perform an action such as replying to the email, downloading an attachment, or visiting a website. Phishing comes in many variations, which attackers adapt to trending issues and to the personal profile of the target. In 2021, approximately 83% of organizations experienced a successful phishing attack in which victims clicked on the wrong link, downloaded malware, provided credentials, or executed a bank transfer.
- Vishing: Vishing is a type of voice-based phishing in which scammers contact people by phone. Attackers often use a compelling narrative, claiming to be from tech support or the bank and informing the user of a suspicious transaction. The main purpose of vishing is to obtain sensitive information from the target. You should also be on the lookout for “hybrid vishing,” where attackers combine vishing with other social engineering tactics to make the impersonation more compelling.
- Business Email Compromise (aka CEO fraud): BEC is a highly targeted form of phishing that is usually executed by impersonating a senior executive. Attackers hack or spoof C-suite email accounts and instruct employees to make wire transfers to fraudulent accounts. Beyond money, attackers also ask for employee salary and tax declaration forms. BEC is one of the costliest forms of cybercrime, netting cybercriminals $43 billion last year.
- Romance scams (aka honey trap): Romance scams are a type of fraud in which a criminal fakes their identity online (on popular dating and social media sites) to gain the victim’s affection and trust. Scammers create the illusion of a romantic or close relationship to manipulate the victim or extract information from them. Once the victim begins to trust the scammer, the scammer offers investment advice or claims to need emergency funds wired urgently. According to the FBI, Americans lost $1 billion to romance scams last year.
- Watering hole attacks: Cybercriminals sometimes target well-known websites and mobile apps commonly visited by the victim or by people associated with the target. They infect these websites and apps with malicious code for the sole purpose of compromising the user. When Covid-19 was at its peak, hackers launched a watering hole attack using a “Coronavirus live data app.” Once users downloaded and installed the app, attackers could watch through the smartphone camera, listen through the microphone, and access text messages. Watering hole attacks are also common in cyber espionage and other state-sponsored campaigns.
- Deepfakes: Today, anyone can download a cell phone app, swap faces with a celebrity, age themselves, or insert themselves into a photo or video. Deepfakes use advanced forms of the same technology, but for malicious purposes. Using deepfakes, attackers can easily manipulate videos, swap faces, change expressions, or synthesize speech to slander individuals and companies, spread misinformation, or commit scams. In 2020, fraudsters used deep voice technology to scam a bank employee into executing wire transfers worth $35 million.
How to reduce the risks of social engineering
Improving employees’ cybersecurity instincts and strengthening the organization’s overall cybersecurity culture is key to mitigating social engineering risks. Here are some best practices that can help:
- Conduct security awareness training sessions to ensure employees understand their cybersecurity responsibility and accountability.
- Run phishing simulations to give workers “hands-on” experience and make them understand the nature of these attacks from real-world examples.
- Teach employees to be vigilant and not to take anything at face value. Ask them to adhere to company policies and best practices for cybersecurity (use of password managers, safe browsing, responsible use of social media, etc.).
- Make sure your senior management is actively involved in building the culture of safety, as culture permeates from the top down.
When it comes to social engineering, users are not only the main attack vector, they are also the main solution. Train people well to recognize, fend off, and report social engineering scams, as this can go a long way in protecting the organization from cyberattacks, fraud, and data breaches.