Five Types of Social Engineering Attacks

by Wally Moore

on October 2, 2018

in blog, Social Engineering

Five Types of Social Engineering Attacks addresses social engineering scams that have been going on for years, yet we continue to fall for them every single day. This is due to the overwhelming lack of basic cybersecurity training available to the employees of today’s organizations, big and small. In an effort to spread awareness of this tactic and fight back, here is a quick and dirty overview of five types of social engineering attacks. After all, if everyone learns to identify these attacks, avoiding them will be MUCH easier!

1. Phishing

Phishing is the leading form of social engineering attack. It is typically delivered as an email, chat message, web ad or website designed to impersonate a real system or organization. Phishing messages are crafted to create a sense of urgency or fear, with the end goal of capturing an end user’s sensitive data. A phishing message might appear to come from a bank, the government or a major corporation. The calls to action vary. Some ask the end user to “verify” the login information for an account, and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account into which to deliver the winnings. Some ask for charitable donations (and wiring instructions) after a natural disaster or tragedy.
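The traits listed above (urgency or fear, a request to “verify” login details, prize or lottery lures, requests for bank or wiring details, and a login link that does not belong to the claimed sender) are exactly what a simple mail-triage rule can look for. The following is an added example, not code from the original post or from Datto or DTS InfoTech; the sample messages, domains and keyword lists are all constructed for illustration and would need tuning for a real mail filter.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real mail); each dict holds the fields a
# mail filter would see. The hosts use reserved example/.example names.
SAMPLE_MESSAGES = [
    {
        "id": "bank-verify",
        "from_name": "First Example Bank Security",
        "from_addr": "alerts@firstexamplebank-secure.example",
        "subject": "URGENT: verify your account within 24 hours",
        "body": "Your account will be suspended. Click below to verify your login information.",
        "links": ["http://login.firstexamplebank.example.attacker-host.example/verify"],
    },
    {
        "id": "lottery",
        "from_name": "International Lottery Commission",
        "from_addr": "claims@lottery-winner.example",
        "subject": "Congratulations, you are a winner!",
        "body": "You have won a grand prize. Send your bank account details to receive your winnings.",
        "links": [],
    },
    {
        "id": "newsletter",
        "from_name": "Example Corp Newsletter",
        "from_addr": "news@example.com",
        "subject": "October product update",
        "body": "Here is what changed this month. Read the release notes on our site.",
        "links": ["https://www.example.com/release-notes"],
    },
]

# Keyword lists are illustrative assumptions, one per trait named in the post.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "act now", "final notice")
CREDENTIAL_TERMS = ("verify your login", "verify your account", "confirm your password", "login information")
PRIZE_TERMS = ("winner", "you have won", "grand prize", "lottery", "winnings")
PAYMENT_TERMS = ("wiring instructions", "wire transfer", "bank account details", "donation")


def sender_domain(from_addr):
    """Return the domain part of an address, lower-cased."""
    return from_addr.rsplit("@", 1)[-1].lower()


def link_outside_sender_domain(links, domain):
    """True if any link host is neither the sender domain nor a subdomain of it.

    This catches the mocked-up login page: the brand name may appear inside
    the host, but the host does not actually end with the sender's domain.
    """
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            return True
    return False


def score_message(msg):
    """Return (score, reasons) where score is the number of phishing traits seen."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    text = re.sub(r"\s+", " ", text)  # normalise whitespace before substring checks
    reasons = []
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency or fear language")
    if any(t in text for t in CREDENTIAL_TERMS):
        reasons.append("asks the reader to verify login details")
    if any(t in text for t in PRIZE_TERMS):
        reasons.append("prize or lottery lure")
    if any(t in text for t in PAYMENT_TERMS):
        reasons.append("requests bank or wiring details")
    if link_outside_sender_domain(msg["links"], sender_domain(msg["from_addr"])):
        reasons.append("link host does not belong to the sender's domain")
    return len(reasons), reasons


def triage(msg):
    """Map a score to a coarse label a help desk could act on."""
    score, _ = score_message(msg)
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def triage_all(messages=SAMPLE_MESSAGES):
    """Label every message; returns {message id: label}."""
    return {m["id"]: triage(m) for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        print(f"{m['id']}: {triage(m)} ({score}) {reasons}")
```

The domain check is the part worth keeping even if the keyword lists are discarded: a message that asks for credentials and points at a host outside the sender's domain is the classic mocked-up login page described above, and that signal does not depend on the wording of the lure.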

2. Baiting

Baiting, similar to phishing, involves offering something enticing to an end user in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled “Executive Salary Summary Q3 2018” that is left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user’s system and the hacker is able to get to work.

3. Quid Pro Quo

Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from a hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker who, posing as a researcher, asks for access to the company’s network as part of an experiment in exchange for $200.00. If an offer sounds too good to be true, it is probably quid pro quo.

4. Pretexting

Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT Support or a chat message from an investigator who claims to be performing a corporate audit.

5. Piggybacking

Piggybacking, also called tailgating, is an unauthorized person physically following an authorized person into a restricted corporate area or system. One tried-and-true method of piggybacking is when a hacker calls out to an employee to hold a door open for them as they’ve forgotten their RFID card. Another method involves a person asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software.

All employees need to be aware of the various forms of social engineering to ensure corporate cybersecurity. If end users know the main characteristics of these attacks, it’s much more likely they can avoid falling for them.

Aside from education and awareness, there are other ways to reduce the risk of being hacked. Employees should be instructed not to open emails or click links from unknown sources. Computers should never be shared with anyone, even for a moment. By default, all company desktops, laptops and mobile devices should automatically lock when left idle for 5 minutes (or less). Lastly, ensure your business is prepared to recover quickly from this kind of attack in case an employee does fall victim to one of these schemes. Humans are humans, after all. By leveraging a solid business continuity and disaster recovery (BCDR) solution, everyone can rest easy.

DTS InfoTech Can Help

DTS InfoTech is very good at training your employees on how to prevent social engineering attacks. We would like to thank our partner Datto for the information contained in this blog post and for their technology, which we use and recommend. Even when employees make mistakes, DTS InfoTech has your back; you will not lose data and you will not have to pay for a ransomware attack. Let us show you how!

Most small businesses do not have the technical resources to understand all this geek stuff. If this describes you, we can help.

If you would like more information please give us a call, we’re always happy to chat and the call is free!

Dedicated to your success,
Wally Moore
General Manager
dts|infotech . . . secure computer networks that work