Brad Christian
Senior Search Engine Optimization Specialist
Social Engineering Explained
Social engineering is a common tactic bad actors use to gain access to confidential information. It takes many forms but ultimately relies on psychological tricks to deceive victims into knowingly or unknowingly passing along credentials. It involves manipulation, influence, deceit, or outright tricks to gain access to computer systems or to steal sensitive information, such as personal data or financial details.
Over the years, social engineering has evolved greatly. Adversaries' tactics constantly change and become more sophisticated in an ongoing effort to avoid detection. It has become a very powerful component of the cyberattacker's arsenal, and bad actors must constantly change their approaches to evade defensive controls.
Types of Social Engineering Attacks
There are many types of social engineering attacks that adversaries leverage. Here are the five most common techniques used by bad actors:
- Phishing (or Spear Phishing): Phishing is the act of using communication media, such as email, to trick targets into clicking a malicious link or downloading malware. Smishing leverages text messaging (SMS messages) in place of email. Spear phishing is a more targeted form of phishing, aimed at specific individuals for various reasons, including access levels, titles, or demographics. When you notice a phish, report it to your organization using its approved procedures so that others do not fall victim.
- Pretexting: Pretexting is the act of using a false story to gain the trust of the target. Often pretexting is used to break down barriers and convince the target to share personal information, download malware, or even send money or gift cards to criminals.
- Baiting: Baiting is the act of presenting a false promise to the victim to convince them to provide a form of payment or information. It is often used to steal financial information or install malware on a system.
- Quid Pro Quo: Quid Pro Quo (QPQ) is when a service or benefit is offered in exchange for access or information. This could be as simple as a bad actor masquerading as an IT support agent promising to improve computer performance in exchange for access to the system, giving them a route into the network.
- Tailgating and Piggybacking: Tailgating, or piggybacking, is an in-person social engineering technique. It involves gaining physical access to restricted areas, whether by following someone else closely or having them let you in, thinking you are authorized to access that area. The goal is often to gain access to a connected device to install malware or steal sensitive information.
How Does Social Engineering Work?
Social engineering works through manipulation and trickery. It plays on psychological triggers, such as emotions, urgency, fear, or favor, to convince the target to take a specific action. One example is a bad actor posing as a company leader who needs a password and promises a reward for providing it. A convincing phish like this may result in the target handing over the password and never receiving the promised reward, since the password has gone to the bad actor, who now has access to the system. Another example is a bad actor posing as a down-on-their-luck individual who needs money to get by. They ask for money to be wired to them, but it is actually a scam to take the money and obtain access to your financial information, giving them a chance to steal additional funds from your accounts.
How to Spot Social Engineering Attacks
While social engineering attacks are getting more and more sophisticated, there are some telltale signs that you are being targeted. Let's start with a phishing email. First, if there is a strong sense of urgency to take an action (do this now or else), then you may be getting targeted by a phish. Another sign is an email filled with grammatical or spelling errors. Some bad actors intentionally include these errors to gauge your attention to detail. A lack of attention to detail gives the threat actor the impression that they can trick you further, drawing you deeper into the scam and earning them a larger reward for their effort, rather than wasting time on recipients who pay closer attention to the nuances of the message.
If something seems off, check the from address and make sure it is legitimate. A clearly wrong sender address is a dead giveaway, but attackers are often able to spoof the from address so that it appears legitimate, making only small changes such as moving the period slightly, misspelling the domain, using .net instead of .com, and other tweaks.
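The sender-domain checks just described (a moved period, a misspelled domain, a swapped top-level domain) can be turned into a screening rule. The following is an added example written for this page, not code from the original article; the trusted domain list and the From: headers it screens are constructed for the demonstration.

```python
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Hypothetical organisation domains (an assumption, not from the article).
TRUSTED_DOMAINS = ("example.com", "mail.example.com")

# Constructed From: headers for the demonstration; only the first is legitimate.
SAMPLE_FROM_HEADERS = [
    '"CEO" <ceo@example.com>',              # legitimate
    '"IT Support" <helpdesk@ExAmple.net>',  # .com swapped for .net
    '"Payroll" <payroll@examp1e.com>',      # digit 1 in place of the letter l
    '"HR" <hr@exampl.ecom>',                # period moved one place
    '"Newsletter" <news@unrelated.org>',    # unrelated domain, not flagged
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike_reason(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Why `domain` imitates a trusted domain, or None if trusted or unrelated."""
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return None  # exact match or a genuine subdomain of a trusted domain
    for good in trusted:
        if domain.replace(".", "") == good.replace(".", ""):
            return f"period moved or dropped (imitates {good})"
        good_name, _, good_tld = good.rpartition(".")
        dom_name, _, dom_tld = domain.rpartition(".")
        if dom_name == good_name and dom_tld != good_tld:
            return f"TLD swapped .{good_tld} -> .{dom_tld} (imitates {good})"
        if levenshtein(domain, good) <= 2:
            return f"misspelling of {good}"
    return None

def flag_headers(headers: List[str]) -> List[Tuple[str, str]]:
    """(domain, reason) for each header whose sender domain is a lookalike."""
    results = [(sender_domain(h), lookalike_reason(sender_domain(h))) for h in headers]
    return [(d, r) for d, r in results if r]
```

A rule like this only screens the display domain; it does not replace SPF, DKIM and DMARC checks, and any hit should still be reported through your organization's procedure rather than acted on by the recipient.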
Pretexting can present itself as overly flattering or friendly behavior. Often, pretexting attackers pose as high-ranking officials in the company, so if the conversation becomes uncharacteristic of that individual, you may want to confirm that it is truly them you are communicating with. The best way to defend against pretexting attacks is to provide credentials or sensitive information only directly to officials, in a secure, company-approved format.
The best way to spot social engineering is to stay alert. If something seems too good to be true or too urgent, it likely is. Individuals are the strongest and weakest line of defense against social engineering.
Preventing Social Engineering Attacks
Preventing successful social engineering attacks starts with individuals. Strong personal security practices are paramount to ensuring the safety of sensitive information and computer systems. Staying alert allows individuals to better identify when they may be getting tricked and avoid falling victim.
Organizational measures are also very important in preventing social engineering. Having a documented way to report phishing and other types of attacks helps inform the organization and individuals within it about the types of attacks that are being deployed against them. Another key organizational measure is a strong security stack. If and when a breach occurs, strong cybersecurity tools and teams are necessary to remove the threat and shore up defenses to prevent future exploits.
Training and awareness programs are another key method in preventing social engineering. These programs keep these attacks top of mind, helping individuals remain aware and alert. These programs should be intended to inform teams of how to spot, report, and avoid social engineering attacks, as well as make them aware of the latest tactics that are being observed so they can spot even the most sophisticated attempts.