Social Engineering Attacks

What Is Social Engineering?

Social engineering is a type of cyberattack that uses psychological manipulation techniques to gain a target's trust to get the target to divulge personal information, click on web links, or open malicious email attachments. Cybercriminals leverage social engineering techniques to present themselves as legitimate individuals with access to trusted information sources.

Today's threat actors track the digital footprints of their targets to gather necessary background information and gain trust. Access to one compromised account allows a threat actor to infiltrate an organization's entire network and carry out a full-fledged cyberattack. 

Types of Social Engineering Attacks

Social engineering is one of the most common and successful cyberattacks in today's cyber threat landscape. It is a popular tactic because it is easier to exploit or manipulate people than to find a network or software vulnerability.

Phishing

Phishing attacks create a sense of curiosity, urgency, or fear in victims. The attackers persuade targets to expose sensitive information, click malicious URLs, or open poisoned attachments. Spearphishing, smishing, vishing, and whaling are some phishing variants.

Pretexting

Cybercriminals carry out pretexting attacks by fabricating a scenario they use to steal someone's personal information. Threat actors impersonate a trusted person or entity and scam the target into revealing sensitive data or taking actions that circumvent their organization's security policies.

Baiting and Quid Pro Quo

Threat actors bait targets into downloading free or seemingly enticing items (usually gift cards) laced with malware. Similarly, a quid pro quo attack is a social engineering attack in which the threat actor makes a false promise to convince the target to perform actions that compromise an otherwise secure system.

Watering Hole

Watering hole attacks exploit zero-day vulnerabilities and other site weaknesses to infect popular web pages with malware, affecting multiple users simultaneously. The threat actor then steals users' login credentials or infects targets' computers to gain access to their employers' networks.

Examples of Social Engineering Attacks

Social engineering attacks continue to rise and plague organizations in every sector. Worse, cyberattack techniques continue to evolve, and criminals are finding creative ways to earn trust and trick people, thus compromising their employing enterprise's security.

The 2019 Google and Facebook spearphishing scam resulted in a loss of $100 million, making it one of the most significant social engineering attacks of all time. A fake company was set up, pretending to work with Google and Facebook. The scammers then sent phishing emails to employees, invoicing them for goods or services and directing them to deposit money into fraudulent accounts.

In 2015, a Silicon Valley computer networking company lost $46.7 million to a social engineering scam. The incident involved the impersonation of employees, which allowed the threat actors to make fraudulent money transfer requests.

Social engineering attacks target people's emotions, but they share specific identifying characteristics regardless of the threat actor's objectives. For example, social engineering attackers use language that creates a false feeling of urgency. Detecting such attacks requires a deliberate analysis of the situation: slowing down and double-checking the legitimacy of an "urgent" request.

Another way to detect social engineering attacks is by analyzing the phrases used in a communication. Unfortunately, most social engineering attacks are so focused and misleading that they are challenging to catch as fraudulent; even security-conscious people can be tricked by social engineering.
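The following is an added illustration of the phrase-based detection described above, not code from the original article or from any product it mentions. It scores a message on the cues this page names (false urgency, payment-redirect requests, secrecy, and a sender domain that imitates the organization's own) so that an analyst or mail filter can flag it for out-of-band verification; the term lists, the trusted domain, and the sample messages are all constructed assumptions.

```python
import re

# Assumed for this example: the organization's own domain and cue-word lists.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY = ["urgent", "immediately", "within the hour", "right away", "asap", "today"]
PAYMENT = ["invoice", "wire", "bank account", "account details", "deposit", "payment"]
SECRECY = ["confidential", "keep this between us", "do not discuss"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(sender: str, subject: str, body: str) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it; higher means verify before acting."""
    text = f"{subject} {body}".lower()
    score, reasons = 0, []
    cue_groups = (("urgency", URGENCY, 2), ("payment request", PAYMENT, 2), ("secrecy", SECRECY, 3))
    for label, terms, weight in cue_groups:
        hits = [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text)]
        if hits:
            score += weight
            reasons.append(f"{label}: {', '.join(hits)}")
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        closest = min(TRUSTED_DOMAINS, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, closest) <= 2:
            score += 4
            reasons.append(f"lookalike sender domain {domain!r} (resembles {closest!r})")
    # Urgency combined with a payment change is the classic invoice-fraud pattern.
    if any(r.startswith("urgency") for r in reasons) and any(r.startswith("payment") for r in reasons):
        score += 3
        reasons.append("urgent payment change: confirm by phone with a known contact")
    return score, reasons

# Constructed sample messages (not real mail).
SUSPICIOUS = ("ceo@examp1e-corp.com", "URGENT: updated invoice",
              "Please wire the deposit to our new bank account today. Keep this confidential.")
BENIGN = ("hr@example-corp.com", "Team lunch", "Lunch is at noon on Friday in the main room.")

if __name__ == "__main__":
    for msg in (SUSPICIOUS, BENIGN):
        print(msg[0], *score_message(*msg))
```

The score is a triage aid, not a verdict: a message that hits the urgency and payment cues together should be confirmed through a channel the sender did not choose, which is the "slow down and double-check" step the text recommends.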

To detect, prevent, and mitigate social engineering attacks, organizations should adopt a security solution such as Zero Trust Network Access (ZTNA) that can block new and advanced threats in real time and stop all malicious attacks from getting through.