Social Engineering Tactics

Friday, September 27, 2019

We are all targets of cyber criminals who try their best to trick people into sharing confidential, personal information. Their most common way to attack us is social engineering, which can occur through e-mail, phone, face-to-face, or the internet. One security services provider states that 85% of organizations now experience some degree of phishing and social engineering attacks, up 16% from just one year earlier. The following are some of the kinds of social engineering attacks that are out there:

  • Phishing – Using e-mail to trick you into providing sensitive information, whether by replying to the malicious message, clicking on bogus links, opening attachments, or entering data into a fake form.
  • Spear Phishing – Phishing attempts aimed at specific targets, such as HR or finance personnel.
  • Pretexting – Fabricating a plausible scenario, built from publicly available details about the target, and using it to manipulate the target or impersonate someone they trust.
  • Scareware – As the name implies, a frightening pop-up that pressures you to type in confidential, personal, and private information in order to "fix" a supposedly infected computer.
  • Vishing – Utilizing the telephone in an attempt to trick you into providing valuable, most likely confidential, information.
  • Baiting – An attempt to hook you in by offering goods, such as a free device or gift card.

According to the Verizon 2018 Data Breach Investigations Report, phishing and pretexting represent 98% of social incidents and 93% of breaches, and e-mail continues to be the most common vector of attack. Countless phishing e-mail messages are sent to unsuspecting targets every day. So, how can you guard against these attacks? There are several things you can look for that may be an indicator of a social engineering attempt.

  • Look for mismatched URLs – hover your mouse over the URL and compare the address.
  • Poor grammar and spelling could be an indicator that it is a phish.
  • A request for personal information, such as SSN, user IDs, passwords, banking information, or a request for money.
  • Correspondence that comes with a sense of urgency, such as your account may be disabled, or you may lose some funds.
  • An offer that appears too good to be true.
  • Unrealistic or unlikely threats.
  • Content just doesn’t look right.
  • Unexpected communication claiming to come from an authority, such as the Internal Revenue Service (IRS) or a financial institution.
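The mismatched-URL check above can be automated. The following is an added example, not code from the original post: it parses the HTML body of an e-mail, and for every link whose visible text looks like a URL or hostname, compares the domain the reader sees with the domain the href actually points to. The sample message, the host names (all reserved example domains), and the "last two labels" approximation of a registrable domain are assumptions made for the illustration; a production version would use a public-suffix list.

```python
"""Flag links in an HTML e-mail whose visible text and actual target disagree.

Added example, not from the original post. The SAMPLE message below is
constructed for the demo and uses reserved example domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname or URL inside anchor text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for the demo: no public-suffix list, so 'example.co.uk'
    would collapse to 'co.uk'. Good enough to catch 'paypal.com.evil.net'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def href_host(href):
    """Host the link really goes to. urlparse strips any 'user@' prefix,
    so 'https://example.com@phish.example.net/' resolves to phish.example.net."""
    return urlparse(href.strip()).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = HOST_RE.search(text)
        if not match:
            continue  # anchor text is plain words; nothing to compare against
        shown = registrable_domain(match.group(1))
        host = href_host(href)
        actual = registrable_domain(host) if host else ""
        if shown != actual:
            flagged.append({"text": text, "href": href, "shown": shown, "actual": actual})
    return flagged


# Constructed sample: an urgency lure with two deceptive links and two honest ones.
SAMPLE = """
<p>Your account will be disabled in 24 hours. Verify now at
<a href="http://www.paypal.com.example.net/login">https://www.paypal.com/</a>
or visit our <a href="https://example.org/help">Help Center</a>.
Questions? <a href="https://example.com@phish.example.net/">example.com</a>
Reset here: <a href="https://example.com/reset">https://example.com/reset</a></p>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE):
        print(f"MISMATCH: shows {hit['shown']!r} but goes to {hit['actual']!r} ({hit['href']})")
```

Two of the four links are flagged: the first hides the real domain behind a familiar prefix, the second uses the `user@host` form of a URL so that the part before `@` is ignored by the browser. The "Help Center" link is skipped because its text is not a URL, which is exactly the case a reader has to check by hovering.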

Phishing emails also take advantage of current events and specific times of the year:

  • Natural disasters or significant weather issues
  • Global health scares, even flu season
  • Financial or monetary concerns, like IRS scams
  • Major political elections
  • Holidays and celebrating events, such as international athletic events

For more information about social engineering, review the SANS article “Navigating the Phishy Social Engineering Ocean” by Cheryl Conley.