Types of Social Engineering Attacks and How to Defend Against Them

Introduction to Social Engineering

When you are talking about social engineering, you are referring to the act of someone deceiving another. Tricking the victim into divulging information or opening themselves up to a security threat, without them even realizing. This attack is carried out through a person to person interaction and psychological manipulation. The term “social engineering”, is exceptionally broad and refers to much information. The attacker gains the trust of his or her victim, and then will probe them or mislead them into disclosing sensitive information, whether it be about themselves or about a security protocol that the attacker wanted to know about. No matter the reason for a social engineering attack, they all are potentially dangerous, and everyone needs to know the potential dangers and the warning signs to watch for.

Types of Social Engineering Attacks

There are loads of different social engineering attacks, the primary ones, and the ones we will be looking over in this paper are baiting, phishing, pretexting, and vishing. Although all social engineering attacks bear major similarities in how they take advantage of people and how they work, some are more complicated and time consuming than others, some are easier to deter and defend against than others.

Baiting

A social engineering attacked used commonly is known as “baiting.” Baiting can be done through contact with someone online, or in person, handling a physical item like a USB or a CD. Online forms of baiting could consist of ads that lead to websites offering malicious downloads. Physical forms of baiting would be an attacker leaving an infected flash drive lying in an area where it could be discovered easily but privately, like a bathroom or elevator. These flash drives are usually labeled with something enticing such as, “Pay raises”, or “Private.” The victim would be intrigued and would then plug the flash drive into their system and the malware would infect the system instantly without the victim even knowing. These attacks are devastating for companies and can be very bad depending on what system the flash drive is plugged into and what network the now infected system is connected to.

Phishing

One of the most frequent forms of social engineering attacks is “Phishing.” Despite it being so known, the success rate of these attacks remains high. Phishing attacks are done through email or text messages. A general form of this would be an attacker composing emails impersonating someone, that informs the recipient of changes to a policy of a service they use, or changes made to their account. The email would state something along the lines of, “Urgent! Newly updated rules and changes of policy require verification!”. The victim would subsequently enter their login information on this fake, but almost identical website, and their information would be sent to the attacker. For the most part, these emails are sent directly to your spam section. You can tell most of the time if the email is fake or real by looking for grammar and spelling mistakes. The email that you receive could look odd, or the link that is in the email could have off-putting characters in it. If you don’t recognize who is sending you an email, don’t click on it. When you have these emails going around a workplace, it can be detrimental. It is recognized now that people re-use one of their passwords on almost everything they have. If they get their password compromised, the attacker could potentially get into everything else they have or even their work-related programs and documents.

Pretexting

Pretexting is a malicious but efficient way of tricking victims. Here, an attacker usually impersonates someone such as a co-worker, law enforcement, or even the IRS. Through well thought out lies and some previous knowledge on the victim, an attacker can acquire important information, money, or whatever else they are after. Once the victim thinks they are talking to someone that is on a “need-to-know” basis, they will fork up any information that the attacker wants to hear. Usually done through email or phone, the attacker will ask questions to verify the victim’s identity. These questions are ordinarily way to personal and not needed at all, like asking for the persons address or social security number. In some cases, the attackers will even persuade the victims to send them money for a fee or charge that doesn’t even exist.

Vishing

Vishing is the phone or voice version of phishing. A criminal would call the victim, posing as a co-worker or someone of importance to extract valuable information. The information could then be utilized to target the business or other personnel. The prime goal of attackers, when they do this, is to steal someone’s money, identity, or both. Attackers advanced in this technique will most likely use a fake phone number, making caller ID unsafe. If you choose not to answer, they can leave messages aimed at provoking responses. A conventional form of this would be someone impersonating a bank or credit/debit company. The message will say you have been compromised and need to change your password.

Keeping Yourself and Others Safe

Social engineering attacks are not uncommon and need to be handled carefully. Always consider the source. Spoofing a source is not terribly hard these days. An email from someone you trust isn’t always from that person. Don’t plug in random hardware you find into your system, this could compromise you and the people you work for if you do this at your place of employment. Don’t ever click on links from untrusted sources or if you express any doubts at all. Always make sure you know who you’re talking to and ask questions if you don’t believe who is on the other line. If something sounds too enjoyable to be true, it probably is! If any money or private information is being requested from you through the internet, please investigate first. Most of the time, official documents and papers will be sent to you through mail. And lastly, always make sure you have anti-virus of some sort. It is always a good thing to have even if you don’t think you need it.