According to PurpleSec (2021), 98% of cyberattacks rely on social engineering. The same report indicates that new employees are the most susceptible: 60% of IT professionals cited recent hires as at high risk of falling for social engineering tactics.
Social engineering attacks use deception, coercion, or other interpersonal methods to achieve an illegitimate or fraudulent outcome. As Jenny Radcliffe, founder and director of social engineering cybersecurity firm Human-Centered Security, says: “Criminals use the fear, the uncertainty, and the doubt—or FUD, as we call it in the business—to create this atmosphere of uncertainty in people’s heads” (Tanium, 2020, para. 11).
In this article, we’ll cover the top social engineering attack methods and explain how to defend against them.
Social Engineering Attack Patterns
Social engineering attacks all follow a broadly similar pattern. First, the hacker identifies a target and determines their approach. They then engage the target and build trust. Next, they launch the attack. Finally, once the hacker has what they want, they remove the traces of their attack.
CNN ran an experiment to prove how easy it is to pull off these types of attacks (O’Sullivan, 2019). In the experiment, a hacker successfully obtained a CNN tech reporter’s home address and cell phone number by calling a furniture store where the reporter had recently purchased an item. She got the name of the store from a tweet where the reporter had shared information about his latest purchase.
Between March 1 and March 23, 2020, Barracuda Sentinel researchers identified 467,825 spear-phishing email attacks (“Coronavirus-related spear phishing,” 2020). Spear phishing targets specific individuals with malicious attacks that exploit the target’s trust to get them to divulge sensitive information.
A spear-phishing attack starts with investigation. The goal is to gather enough information about the target to fool them into believing the attacker is a trusted person or entity. Attackers often pose as a friend, coworker, or supervisor.
In spear-phishing attacks, hackers send emails that appear to come from a trustworthy source, such as a bank or favorite retailer. The email encourages the recipient to follow a link that enables the hacker to obtain sensitive information, like usernames, passwords, and credit card numbers.
Why Spear Phishing Works
Spear phishing uses the element of trust. People let their guard down when they trust someone. Cybercriminals use this technique because it is an easy way to convince a target to carry out a desired action.
How To Avoid This Type of Social Engineering Attack
One of the easiest ways to stop phishing attacks, including spear phishing, is to carefully check the sender’s email address. Phishing emails that might at first appear to come from a well-known business often have slight spelling variations that are difficult to detect without paying close attention.
It’s also a good idea to check the subject line of the email. Phishing emails often attempt to create a sense of fear or urgency to get the recipient’s attention. Words such as “Important,” “Urgent,” or “Account Past Due” are all red flags.
Baiting is a type of social engineering attack in which the cybercriminal lures the target by using a reward as bait. The goal is to gain confidential information or access to a company’s internal network by offering the target something they can’t refuse—for example, a free download or participation in a contest to win money.
Why Baiting Works
Humans are curious by nature. Cybercriminals know this and construct offers that seem too good to be true. If the offer is compelling enough, the target is more likely to divulge sensitive information.
How To Avoid This Type of Social Engineering Attack
Be wary of emails, links, posts, and advertisements. If something looks suspicious, don’t click on it. Likewise, don’t respond to emails that request sensitive information to be provided via email, and before sending personal information online, check the URL. Cybercriminals are good at making sites appear legitimate, so look for slight misspellings or a different domain, such as .net instead of .com.
Quid Pro Quo
In a quid pro quo attack, also known as “gift exchange,” the attacker tries to get a favor from the target in return for something desirable. Similar to baiting, a quid pro quo attack involves a cybercriminal offering to do something that benefits the target but requires the target to perform an action in exchange.
For example, the attacker may call several extensions at a company and pretend to be calling back about a technical support issue. When they identify someone with an existing support issue, they pretend to help the target. However, they instruct the target to perform actions that (unbeknownst to them) will compromise their machine.
Why Quid Pro Quo Attacks Work
People fall for quid pro quo attacks because they believe the task they’re being asked to perform is small and insignificant. These tasks could range from giving out their email address to accepting software upgrades. Attackers are more successful in getting the information or access they want if they make requests that don’t require a significant commitment from the target.
Quid Pro Quo Attack Prevention
As a rule, don’t provide sensitive information unless you initiated the exchange. Verify the company by calling back on a publicly posted phone number. If something seems suspicious, hang up the phone.
Learn How to Prevent Social Engineering Attacks with EC-Council
If you’re interested in detecting and preventing social engineering attacks, consider becoming an ethical hacker by enrolling in EC-Council’s Certified Ethical Hacker (C|EH) certification program. In the C|EH course, you’ll learn how to lawfully hack an organization’s systems using the latest hacking tools, techniques, and methodologies. Get certified with EC-Council today!
Coronavirus-related spear phishing attacks see 667% increase in March 2020. (2020, April 16). Security Magazine. https://www.securitymagazine.com/articles/92157-coronavirus-related-spear-phishing-attacks-see-667-increase-in-march-2020
O’Sullivan, D. (2019, October 18). We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened. CNN. https://www.cnn.com/2019/10/18/tech/reporter-hack/index.html
PurpleSec. (2021). 2021 cyber security statistics: The ultimate list of stats, data & trends. https://purplesec.us/resources/cyber-security-statistics/
Tanium. (2020, October 19). Your people are being hacked: How to defend against social engineering during WFH. CIO. https://www.cio.com/article/190874/your-people-are-being-hacked-how-to-defend-against-social-engineering-during-wfh.html