Social Engineering Attacks

We previously examined phishing attacks from the eyes of an attacker in Think Like A Criminal: How To Write A Phishing Email to help you understand and protect against this email scam that is to blame for over 90% of all cyberattacks against employees.

Ninety-eight percent of all cyberattacks rely on social engineering. Organizations of all sizes must have the proper information and advice to protect against social engineering attacks to safeguard their users and critical business assets. This article will discuss social engineering techniques that attackers employ to manipulate psychology.

What Is Social Engineering & How Is It a Threat to My Business?

Social engineering was ranked #1 as the top attack in 2022 and refers to the use of deception to manipulate individuals into sharing confidential or personal information that can be used for fraudulent or malicious purposes. Criminals have been leveraging social engineering techniques for centuries; however, in recent years, the magnitude of this threat has increased exponentially. Threat actors can now obtain extensive information on targets by searching the Internet - relying heavily on widely-used social media platforms for their research.

Attack campaigns often prey on people’s desire to help or leverage trust relationships built with a superior, colleague, partner, or organization.

Like other cyber threats, social engineering attacks generally follow a standard lifecycle methodology that can be broken down into four clearly defined steps:

1. Information Gathering: Threat actors identify a target, employ Open Source Intelligence Techniques (OSINT) to gather as much information on the target as possible, and select the attack method(s) they will use.

2. Establish Relationship: Cybercriminals engage with the victim through targeted communications such as social media or spear phishing emails.

3. Exploitation: Attackers use the information and the relationship they’ve built with the target to gain a ‘foothold’ (e.g., by getting the victim to give away sensitive information).

4. Attack Execution: Threat actors perform the attack - carefully erasing any digital footprints (such as malware) to remain undetected.

9 Social Engineering Attacks to Be on the Lookout For

Social engineering scams are highly successful because they exploit human nature; nine types of social engineering attacks most likely to wreak havoc on cybersecurity include:

Phishing: A Favorite Lure Among Social Engineers 

Phishing is the most common type of social engineering attack used to gain access to account credentials, sensitive data, confidential business information, and funds. Phishing has dominated the email threat landscape for decades; however, with the recent increase in remote workers and the proliferation of popular cloud platforms like Microsoft 365 and Google Workspace, there has been a resurgence in phishing attacks. Unlike past phishing campaigns, modern phishing attacks are sophisticated, evasive, and rely heavily on social engineering to appear legitimate. These malicious scams carry severe consequences for businesses, including data theft, financial loss, reputation damage, significant downtime, and, in many cases, permanent shutdown.

Brand Impersonation

Social engineering attacks may also impersonate well-known brands. These attacks are deployed via email, text, and voice messages and take advantage of the fact that most people receive messages from major brands regularly, eliminating suspicion when one extra message arrives.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a social engineering attack in which the attacker impersonates a trusted business contact to convince the target to pay a fake invoice, transfer funds, or disclose sensitive company information. BEC scams target executives and leaders, finance employees, HR managers, and newly hired employees who lack the experience to verify the sender’s legitimacy.
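A header-level check for the impersonation pattern described under Brand Impersonation and BEC above, added here as an example (it is not code from the original post). The protected display names, the organization's domains, and the sample message are constructed assumptions for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy for the example: display names that are commonly impersonated
# and the mailbox mail from them is expected to come from (hypothetical CFO).
PROTECTED_SENDERS = {"jane doe": "jane.doe@example.com"}
ORG_DOMAINS = {"example.com"}

def _normalize(domain: str) -> str:
    # Fold common confusable characters so examp1e.com and exarnple.com read as example.com
    return domain.lower().translate(str.maketrans("01", "ol")).replace("rn", "m")

def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; small enough for domain-length strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True if domain is not ours but is one edit or a confusable swap away from an org domain."""
    d = domain.lower()
    if d in ORG_DOMAINS:
        return False
    return any(_normalize(d) == o or _edit_distance(d, o) == 1 for o in ORG_DOMAINS)

def bec_flags(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in the headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    flags = []
    expected = PROTECTED_SENDERS.get(name.strip().lower())
    if expected and addr != expected:          # known name, unexpected mailbox
        flags.append("display_name_impersonation")
    if is_lookalike(from_domain):              # typo-squatted sender domain
        flags.append("lookalike_domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != from_domain:
        flags.append("reply_to_mismatch")      # replies routed to a third domain
    return flags

# Constructed sample of a typical BEC lure; not a real message.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
Subject: Urgent wire transfer before close of business

Can you process the attached invoice today? I am in meetings all day.
"""
```

Any non-empty result from bec_flags is a reason to quarantine the message or route it for manual verification rather than deliver it.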

Tailgating Attacks

Tailgating is a social engineering attack in which an unauthorized person gains physical access to an off-limits location, such as a password-protected area, where they might steal sensitive information, damage property, compromise user credentials, or even install malware on computers.

Baiting Attacks

Baiting attacks involve storage devices being sent to employees, or left somewhere for them to find, in the hope that they will connect the devices to their machines to see what is stored on them. Once an employee takes the bait and opens the fake content, typically designed to appear entirely legitimate to avoid triggering suspicion, their machine becomes infected with malware.

Pretexting Attacks

Pretexting abuses the trust between the victim and someone the victim knows. Pretexting attacks have a higher chance of success than attacks from unknown senders or callers because they are considerably harder for anti-spam filters to detect.

Shoulder-Surfing Attacks

Hybrid work environments have made shoulder-surfing attacks more relevant and dangerous. An attacker performing this technique waits in a public place, ready to position themselves behind an individual working remotely on their laptop or other electronic device. The goal is to catch a password being entered or sensitive information being displayed on the screen. Shoulder-surfing attacks are also used to steal the PINs of ATM users.

Quid Pro Quo

Quid pro quo social engineering attacks promise a financial reward to convince an employee to switch sides and perform a malicious action requested by the attacker. They can target not only current employees but also former ones, because many organizations don’t immediately delete or deactivate former employees’ accounts when their employment ends.

Watering Hole Attacks

As employees regularly visit certain websites to perform essential work-related tasks, a watering hole attack happens when an attacker infects a website to steal sensitive information or distribute malware. Attacks like these are difficult to defend against since their victims can’t directly influence the security of the infected website.


How Can I Defend Against Social Engineering Attacks?

Most social engineering attacks are so targeted and deceptive that it has become difficult to blame a user for falling for a scam. After all, even the most security-conscious individuals can be tricked by social engineering. Thus, defending against social engineering attacks requires a comprehensive, fully managed email security solution capable of anticipating and blocking advanced and emerging threats in real time and preventing all malicious mail from being delivered, creating a safeguarded environment around the user.

Additionally, users and organizations should use strong passwords for all accounts and be aware of the information they make publicly available online. We suggest checking websites for personal information that may be publicly available (like addresses, phone numbers, etc.) and requesting that it be removed. Websites like Have I Been Pwned, which notify users when their information is discovered online, can help monitor the availability of your personal information on the Internet. 

Keep Learning About Social Engineering Protection

People are not computers - but they can still be hacked through social engineering tactics. Combating modern email threats that leverage social engineering techniques requires a fully managed, all-in-one email security solution that safeguards the inbox against all fraudulent mail that could potentially lead to compromise.
