Social engineering tactics used by scammers involve exploiting human characteristics like curiosity, impatience, gullibility, tech addiction, and burnout. Perry Carpenter, chief evangelist and security officer for KnowBe4, shares common social engineering hacking tactics and ways to limit the risk they pose.
Social engineering is one of the most prevalent attack vectors scammers use to manipulate people into performing an unsafe action, such as downloading an attachment, clicking a URL or divulging personal or sensitive information. The growth in social engineering has been remarkable: in 2021 alone, social engineering threats grew by 270%, while an estimated $6.9 billion was stolen through social engineering scams.
Popular Social Engineering Techniques
Threat actors are keen observers of human behavior. They know that people are fairly predictable and possess inherent weaknesses (such as blind trust, gullibility, curiosity and biases) that can be exploited for scams and hacks. Let’s look at some popular social engineering techniques used by scammers and cybercriminals:
- Phishing & smishing: Phishing is one of the best-known tricks in the social engineering playbook. It typically takes the form of a legitimate-looking email, social media message or text message on your phone (a.k.a. smishing). The message usually contains a request that prompts the target to take an action such as replying to the email, downloading an attachment or visiting a website. Phishing comes in numerous variations that attackers tweak based on trending issues and the target's personal profile. In 2021, around 83% of organizations experienced a successful phishing attack in which victims clicked a bad link, downloaded malware, provided credentials or executed a wire transfer.
- Vishing: Vishing is voice-based phishing, in which scammers contact people by phone. Attackers typically open with a compelling narrative, pretending to be from tech support or from the target's bank and warning of a suspicious transaction. The primary goal of vishing is to extract sensitive information from the target. Also be on the lookout for "hybrid vishing," where attackers combine the phone call with other social engineering channels (for example, an email that asks the target to call a number) to make the impersonation more convincing.
- Business email compromise (a.k.a. CEO fraud): BEC is a highly targeted form of phishing that usually relies on impersonating a senior executive. Attackers compromise or spoof the email accounts of C-suite personnel and ask employees to wire money to accounts the attackers control. Beyond money, attackers also request employee wage and tax statement forms (W-2s). BEC is one of the costliest forms of cybercrime, netting cyber criminals $43 billion last year.
- Romance scams (a.k.a. honey trap): Romance scams are a type of fraud in which a criminal fakes their online identity (on popular dating and social media sites) to win the victim’s affection and confidence. Scammers create the illusion of building a romantic or close relationship to manipulate or extract information from the victim. Once the victim starts trusting the attacker, they will either offer investment advice or say they are in need of emergency funds to be wired urgently. According to the FBI, Americans lost $1 billion to romance scams last year.
- Watering-hole attacks: Cybercriminals sometimes target well-known websites and mobile applications that the victim, or people associated with the target, commonly visit. They plant malicious code in these sites and apps for the sole purpose of compromising the user. When Covid-19 was at its peak, hackers launched a watering-hole attack using a popular "Live Coronavirus Data App." Once users downloaded and installed the app, attackers could watch through the smartphone camera, listen via the microphone, and read text messages. Watering-hole attacks are also common in cyber espionage operations and other state-sponsored campaigns.
- Deepfakes: Today, anyone can download a mobile phone app, swap their faces with a celebrity, de-age themselves or insert themselves in a photo or video. Deepfakes use advanced forms of the same technology, albeit for malicious intentions. Using deepfakes, attackers can easily manipulate videos, swap faces, change expressions or synthesize speech to malign individuals and businesses, spread disinformation or carry out scams. In 2020, fraudsters used deep voice technology to scam a bank employee and execute wire transfers worth $35 million.
How to Reduce the Risks of Social Engineering
Improving employees’ cybersecurity instincts and strengthening the organization’s overall cybersecurity culture is the key to mitigating social engineering risks. Here are some best practices that can help:
- Conduct security awareness training sessions to ensure employees understand their responsibility and accountability with cybersecurity.
- Run phishing simulations to give workers a “hands-on” experience and make them understand the nature of these attacks from real-world examples.
- Teach employees to be vigilant and not to trust anything at face value. Ask them to follow company cybersecurity policies and best practices (password managers, safe browsing, careful use of social media, etc.).
- Ensure your senior management is actively involved in building the security culture because culture infiltrates from the top down.
When it comes to social engineering, users are not only the primary attack vector, they are also the core solution. Train people well to recognize, repel, and report social engineering scams because this can go a long way in protecting the organization from cyberattacks, fraud, and data breaches.