Social engineering attacks prey on human error, waiting for authorized insiders to provide an opening into a computer system. As opposed to other attack methods that rely solely on technological tools to crack the security perimeter, social engineering seeks to anticipate and influence human behavior.
In this article, we’ll provide insight into the concept of social engineering and outline four attack stages. We’ll also provide examples of different types of social engineering attacks. Read on to learn about social engineering and advanced threat protection measures.
Social engineering is a method used by attackers to mislead and trick users into providing confidential information or acting in a way that compromises security.
Most social engineering attacks occur in four stages:
Social engineering is broadly defined, and attackers can interact with their targets in many ways. Here are the most common social engineering attacks:
Phishing attacks are based on email and text messages, which get the attention of their targets by creating a sense of danger, urgency, curiosity or potential personal gain. The message tells a story and encourages users to click a link, download an attachment or perform another action that will compromise security. Commonly, the email appears to originate from an entity the user recognizes, such as a friend, colleague or service provider.
A variation on this attack is spear phishing, which is an attack targeted against specific individuals who have access to critical systems or significant influence, such as CEOs, system administrators or finance staff. Attackers launch sophisticated, targeted campaigns that exploit specific traits of their targets and use carefully collected personal information to trick them into complying.
Attack example: A user receives an email from their bank asking them to change their password. The email appears to be sent by the bank and looks similar to messages sent by the real institution, but is faked by the attackers. It contains a link sending the user to a fake version of the bank website, where the user supposedly changes their password, in fact delivering their real password to the attackers.
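The signals in the phishing scenario above (a sender that only resembles the bank, a link whose visible text and real destination disagree, a reply address on a different domain, pressure to act now) are exactly the ones a mail filter or an analyst can check for. The following is an added Python example, not code from the article or from Cynet: the two sample messages, the domain names and the urgency phrase list are all constructed for illustration, and the domain comparison is deliberately simplified (it keeps only the last two DNS labels and ignores multi-label public suffixes such as co.uk).

```python
"""Heuristic triage of a suspected phishing email (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that manufacture urgency; constructed list, not exhaustive.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "action required")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs and all text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chunks = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com' (simplification: last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(value: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.example-bank.com/reset'."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def analyze_email(raw: str) -> dict:
    """Return {'findings': [...], 'suspicious': bool} for one single-part message."""
    msg = message_from_string(raw)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""

    # 1. Display name cites a brand domain that the real sender domain does not match.
    claimed = re.search(r"[a-z0-9-]+\.[a-z]{2,}", display_name.lower())
    if claimed and registrable_domain(claimed.group(0)) != sender_domain:
        findings.append(f"display name cites {claimed.group(0)} but mail is from {sender_domain}")

    # 2. Reply-To routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registrable_domain(reply_to.split("@")[-1]) != sender_domain:
        findings.append(f"Reply-To goes to {reply_to}, not the sender's domain")

    payload = msg.get_payload(decode=True)
    body = (payload.decode(msg.get_content_charset() or "utf-8", "replace")
            if isinstance(payload, bytes) else str(payload))
    parser = _LinkExtractor()
    parser.feed(body)

    # 3. Visible link text names one domain while the href leads to another;
    #    otherwise flag links that leave the sender's own domain.
    for href, anchor in parser.links:
        href_dom = registrable_domain(host_of(href))
        looks_like_url = "." in anchor and " " not in anchor
        anchor_dom = registrable_domain(host_of(anchor)) if looks_like_url else ""
        if anchor_dom and anchor_dom != href_dom:
            findings.append(f"link text shows {anchor_dom} but points to {href_dom}")
        elif href_dom and sender_domain and href_dom != sender_domain:
            findings.append(f"link to {href_dom} does not match sender domain {sender_domain}")

    # 4. Urgency language in subject or body text.
    text = (msg.get("Subject", "") + " " + " ".join(parser.text_chunks)).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages; every domain below is fictitious.
PHISHING_SAMPLE = """\
From: "Example Bank Online (example-bank.com)" <alerts@examp1e-bank-secure.net>
Reply-To: support@mailbox-verify.example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<p>Your account has been suspended. Verify your account within 24 hours.</p>
<p><a href="http://login.examp1e-bank-secure.net/reset">https://www.example-bank.com/reset</a></p>
"""

LEGIT_SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement for March is available.</p>
<p><a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        result = analyze_email(sample)
        print(name, "->", "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Each check corresponds to one sentence of the description above, and the verdict deliberately requires two independent signals, since a single mismatched link or one urgent word also appears in legitimate mail; in production the same signals would feed a scoring engine rather than a fixed threshold.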
Baiting manipulates the target emotionally by offering a large reward or appealing to their curiosity. Attackers draw the target into a trap, and steal their personal information or install malware on their device. Baiting can take the form of a physical object, such as a USB disk with a label indicating it contains very valuable or interesting information. It can also happen online, for example via an advertisement that encourages users to visit a malicious website.
Attack example: An attacker leaves a USB drive with the label “Confidential Corporate Information” in a toilet or public place. A bystander picks up the device and connects it to their computer to see the supposed confidential information, and the USB drive installs malware on their machine.
Scareware involves alerting the user to false threats or problems on their computer system. The attacker uses software installed on the user’s device, or a website they visit, to bombard the user with pop-up windows or other forms of alerts. The alerts warn the user of malware infection or other serious problems on the computer, and prompt them to take action, such as installing a malware-infected tool or performing a fictitious “scan” of their computer.
Attack example: A user visits a malicious website and sees a popup warning that their computer is infected with spyware. They are encouraged to download a free tool to clean their system. The user clicks and installs the software, which in reality is itself malware.
In a pretexting attack, also known as vishing, an attacker pretends to be an authority or a trusted party such as the police, a government authority, the target’s bank, etc. They ask the target a series of questions that are supposedly needed to identify the target or provide them with service, but in fact cause the target to surrender their confidential information.
Attack example: An attacker pretends to be a tax authority and asks their target for social security and bank account information. Some users may believe the scam, comply and surrender their personal and financial information.
Social engineering is becoming more sophisticated and manipulates human weaknesses, so there is no way to completely prevent it. However, there are several ways your organization can reduce the chances of a successful attack:
The key to preventing social engineering is a “defense in depth” approach that combines human alertness, measures to prevent the transmission and execution of harmful content, robust antivirus technology, and strong authentication as a last line of defense, in case an attack succeeds.
Cynet NGAV combines multiple prevention technologies to maximize protection against advanced threats, including zero day attacks like advanced persistent threats and social engineering. It is part of the Cynet 360 suite of cybersecurity solutions, which together provide a holistic security strategy that can keep up with any threat.
Cynet’s features include:
Learn more about the Cynet 360 security platform.