Technology often gets the blame when a data breach occurs, but the truth is almost all incidents begin with human error. That’s exactly what social engineering relies on. Instead of trying to hack their way through complex security controls, cybercriminals find it easier to dupe victims into taking a desired action. This might include unwittingly surrendering login details or other confidential information.
Social engineering scammers use a variety of techniques to catch people off guard. But you are less likely to become a victim by being aware of the following social engineering tactics:
1. Content injection
Among the most dangerous social engineering scams of all are those that exploit the website of a legitimate brand. Content injection is a disturbing combination of hacking and phishing. It works by exploiting certain elements in the code of a legitimate site and inserting malicious content, such as links to a dangerous website.
It’s much more technical than sending a fraudulent email, but it’s highly effective since most people won’t think twice about trusting the website of a company they usually do business with.
2. Link manipulation
Many social engineering scams involve malicious links to websites and online services that look like those belonging to legitimate organizations but are really designed to steal user data. Malicious links may be posted in online forums, distributed through code injection, or added to malicious emails.
While email and web filters can block malicious links, some links manage to evade filters. This happens when cybercriminals mix legitimate and malicious links in emails and web pages. For example, if an email spam filter finds a large number of legitimate links and only a single unknown one, it’s less likely to flag the email as potentially malicious.
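The evasion described above works because a single unknown link hides among many trusted ones, and because the link text often names one domain while the underlying href points at another. The following is an added example written for this page, not code from the original article: it pulls every anchor out of an HTML message body and flags the two signals a mail filter should weigh, a text/href domain mismatch and a host that is not on an allowlist. The allowlist, the regex that spots a domain in link text and the sample message are all constructed for the example.

```python
"""Added example: flag manipulated links in an HTML email body.

Illustration code for this page, not a tool from the original article.
The allowlist below is hypothetical and the sample message is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the organisation expects to see in mail.
TRUSTED_DOMAINS = {"example.com", "www.example.com"}

# Crude "looks like a domain" pattern for scanning the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Approximate brand part of a hostname: its last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious anchor in html_body.

    Signals checked:
    * the visible text names one domain but the href points to another;
    * the href host is not on the allowlist, which isolates the lone
      unknown link that sits among many trusted ones.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and _registrable(shown.group(0).lower()) != _registrable(host):
            reasons.append("text/href domain mismatch")
        if host and host not in trusted:
            reasons.append("host not on allowlist")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: three trusted links and one spoofed one whose text
# claims example.com while the href lands on an unrelated host.
SAMPLE_EMAIL = """
<p>Hello, see <a href="https://www.example.com/help">www.example.com/help</a>,
<a href="https://www.example.com/about">our about page</a> and
<a href="https://example.com/news">news</a>.
To keep your account active, <a href="http://example.com.login-check.test/">
sign in at example.com</a> within 24 hours.</p>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Counting links per host, as this does through the allowlist check, is what defeats the "many good links, one bad one" trick: the decision is made per link, not per message, so the trusted links cannot dilute the unknown one.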
3. Spear phishing
Spear phishing attacks are dangerous because they’re personalized for each victim. Spear phishers customize their attacks based on the characteristics of the target, similar to how legitimate businesses tailor their communications and marketing materials to each customer. For example, a spear phishing email includes at least the name of the victim.
More sophisticated attacks build trust by exhibiting deeper knowledge of the victim, such as their place of work, job, and even colleagues. Many scammers also masquerade as an entity or individual the victim knows personally or through work. Some even send emails from a compromised but otherwise legitimate business or personal account.
This is easy for social engineers to do because social media gives just about anyone a detailed profile on potential targets.
4. Session hijacking
Session hijacking is a sophisticated phishing method that intercepts data in transit so that it can be used for remotely accessing a web server. A web session refers to the connection between the user’s computer and the remote web server (i.e., the website itself), which is managed by an access token.
If the access token is vulnerable, as is the case with unencrypted connections, hackers may intercept it to steal a valid login for the remote server. While this isn’t a social engineering attack in itself, these methods are often used to reveal information about a target for conducting highly targeted spear phishing attacks.
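The weakness named above, a session token that travels over an unencrypted connection, is controlled on the server side by the attributes set on the session cookie. The following is an added example written for this page, not code from the original article: it audits a Set-Cookie header for the Secure, HttpOnly and SameSite attributes and builds a hardened header for comparison, using only Python's standard `http.cookies` module. The weak and hardened header values are constructed samples.

```python
"""Added example: audit Set-Cookie headers for the attributes that keep a
session token off unencrypted connections and out of reach of page scripts.

Illustration code for this page, not from the original article. The
weak header below is a constructed sample.
"""
from http.cookies import SimpleCookie

# What each attribute buys the defender.
ATTRIBUTE_NOTES = {
    "secure": "Secure: browser sends the cookie only over HTTPS, so it "
              "cannot be read off an unencrypted connection",
    "httponly": "HttpOnly: page scripts cannot read the cookie, limiting "
                "what injected content can steal",
    "samesite": "SameSite: cookie is not attached to cross-site requests",
}


def audit_set_cookie(header_value):
    """Map each cookie name in a Set-Cookie value to its missing attributes."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    report = {}
    for name, morsel in cookie.items():
        missing = []
        if not morsel["secure"]:
            missing.append("secure")
        if not morsel["httponly"]:
            missing.append("httponly")
        if not morsel["samesite"]:
            missing.append("samesite")
        report[name] = missing
    return report


def hardened_session_cookie(name, value):
    """Return a Set-Cookie value for a session token with all three attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


# Constructed sample of a weak session cookie: no Secure, HttpOnly or SameSite.
WEAK_HEADER = "sessionid=abc123; Path=/"

if __name__ == "__main__":
    for cookie_name, missing in audit_set_cookie(WEAK_HEADER).items():
        for attr in missing:
            print(f"{cookie_name}: missing {ATTRIBUTE_NOTES[attr]}")
    print("hardened:", hardened_session_cookie("sessionid", "abc123"))
```

A missing Secure attribute is the finding that maps directly to the interception scenario in the text: without it the browser will send the token in clear text on any http:// request to the site, TLS elsewhere notwithstanding.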
5. Voice phishing
Most phishing attacks use email as their delivery vector, simply because it’s by far the easiest and cheapest method for carrying out attacks en masse or deploying spear phishing scams. But any form of communication can be exploited for such attacks, and criminals are always looking for new ways to trick their victims.
Voice phishing (or vishing), for example, is a common method whereby attackers actually phone potential victims while masquerading as representatives of legitimate organizations to acquire information like login or bank account details. Similar attacks may be carried out over social media, instant messaging, or SMS.
Better safeguard your company from phishing and other cyberthreats by reading our FREE eBook.