What are the most common forms of Social Engineering?
Hacking, data theft, and social engineering threats are a growing danger for millions of people. During the COVID-19 pandemic, threats and attacks rose sharply, affecting more and more people each month. But how do social engineering attacks work? What are the most prominent social engineering techniques, and how can they be prevented? Here are some facts about the most common forms of social engineering used by hackers and the steps people can take to avoid getting scammed.
What is Social Engineering?
Social engineering is a broad term for the process by which thieves, hackers, and other cybercriminals exploit human weaknesses to gain money, information, and access. It takes advantage of the human element in security. Hackers and fraudsters use social engineering to try and fool humans into providing them with login credentials or information that will give them access to online systems and accounts. This is different from other types of thieves who simply attempt to break into places.
Social engineering, by definition, takes many different forms, including phishing (and its offshoots), sweet-talking or lying, tailgating, threats and intimidation, and other tactics. These are all used to trick, coerce, or get past humans and gain access to their confidential information, sensitive data or even personal belongings.
Out of all of these, phishing is the most commonly used tactic. Most people have almost certainly had phishing scams tried on them at some point! But what exactly is it, and how does it work?
Phishing: The Most Common Form of Social Engineering
Phishing is a form of email scam where someone sends an email claiming to be from a trustworthy business or person.
Maybe the phisher pretends to be the user's bank, grandmother, or a retail outlet. Pretending to be someone else is common to many scam tactics (like the infamous Nigerian Prince scams), but the key aspect of phishing is that the goal is to deliver malware or obtain personal information.
If someone gets a phishing email with a strange link, sometimes all it takes to infect their computer is to click the link. That's why these scams are so dangerous and so common. All it takes is a momentary lapse of judgment to click a link or send some information to fall victim to a social engineering attack.
Common phishing attacks are often not very sophisticated and owe their success to the wide net they cast. Even if the scammers only have a 1% success rate, sending emails to thousands of people is likely to fool enough of them to make some decent money.
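The warning signs described above (a sender claiming to be a trusted company, a link that does not go where it says it goes, pressure to act now) can be checked mechanically. The following is an added example, not code from the original article or from Incognia: a small scanner that runs a few such heuristics over constructed sample emails. The trusted-domain list, the sample messages and the indicator weights are all assumptions made for the illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand domain the organisation considers legitimate (constructed).
TRUSTED_DOMAINS = ("examplebank.com",)
# Words that phishing mail uses to rush the reader into acting.
URGENCY_WORDS = ("urgent", "verify", "suspended", "within 24 hours", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(msg):
    """Return human-readable indicators found in one message dict
    (keys: 'from', 'html', 'text'). An empty list means nothing suspicious."""
    found = []
    name = parseaddr(msg["from"])[0].lower().replace(" ", "")
    dom = sender_domain(msg["from"])

    # 1. Display name drops a trusted brand, but the address belongs to another domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name and dom != trusted and not dom.endswith("." + trusted):
            found.append(f"display name claims '{brand}' but sender domain is {dom}")

    # 2. Non-ASCII sender domain: a classic homoglyph look-alike.
    if dom and not dom.isascii():
        found.append("sender domain contains non-ASCII characters")

    # 3. Links: raw IP targets, and visible URL text that differs from the real target.
    parser = LinkExtractor()
    parser.feed(msg["html"])
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            found.append(f"link points at a raw IP address ({host})")
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown.lower() != host:
                found.append(f"link text shows {shown} but goes to {host}")

    # 4. Pressure language: two or more urgency cues in the plain-text body.
    body = msg["text"].lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if len(hits) >= 2:
        found.append("pressure language: " + ", ".join(hits))
    return found


# Constructed sample messages (not real mail): one legitimate, two phishing-style.
SAMPLE_MESSAGES = [
    {
        "from": "Example Bank <alerts@examplebank.com>",
        "html": '<p>Your statement is ready. <a href="https://examplebank.com/statements">View it</a></p>',
        "text": "Your statement is ready.",
    },
    {
        "from": '"Example Bank" <security@examp1ebank-login.com>',
        "html": '<p>Account suspended. <a href="http://198.51.100.7/login">https://www.examplebank.com/verify</a></p>',
        "text": "Urgent: your account has been suspended. Verify immediately to restore access.",
    },
    {
        # Cyrillic 'а' in the domain: looks like the brand, is not the brand.
        "from": "Example Bank <alerts@examplebаnk.com>",
        "html": '<p>Please sign in. <a href="https://examplebаnk.com/">Sign in</a></p>',
        "text": "Please sign in.",
    },
]


def scan(messages=SAMPLE_MESSAGES):
    """Score each message by how many indicators it triggers."""
    return [(len(phishing_indicators(m)), phishing_indicators(m)) for m in messages]


if __name__ == "__main__":
    for count, reasons in scan():
        print(count, reasons)
```

These heuristics are deliberately simple and will not catch every phish, but they show why training focuses on the sender address and the real link target rather than on the display name or the visible link text.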
Variations of Phishing
Regular phishing is the most common, but there are similarly dangerous scams that hackers and scammers use to try to gain access and money.
"Smishing" (SMS or text phishing) and "Vishing" (voice phishing) attacks use the same tactics, but use text messages or phone calls to try tricking victims into giving money. It is not uncommon for many people to receive incoming phone calls about a car's warranty expiration date or even debts with the IRS. These are examples of vishing, and they do fool quite a few people each year.
But besides that, what else is a common method used in social engineering? Common variations of regular phishing include spear phishing, angler phishing, and whaling.
Spear phishing is more targeted than regular phishing, and usually involves research of the target. A scammer might pretend to be from the bank that the person uses, lending some credibility to their scam.
Angler phishing is very similar to spear phishing and often involves posing as a customer service representative or company on social media. When someone complains about a company, this scam account will contact them, pretending to be from the company, and try to get them to click a link or input their information. This is why it's so important for people to be careful when they post comments online!
Whaling is another targeted phishing attack, but it typically goes after high-value targets and bigger payoffs. Landing a "whale" gives the scammers access to much larger profits, or perhaps even company secrets, funds, and systems.
Other social engineering examples include pretexting, baiting, and tailgating. Many of these involve in-person attempts rather than the impersonal attacks involved in phishing.
How to Protect People and Businesses
As a business, the biggest factor in preventing scams is training and knowledge. You want to make sure your employees know about phishing and how to spot it, or else your company is going to be a target ripe for the picking.
It's a good idea to have in-depth computer safety training for all new hires and renew your training periodically for all employees, or at least employees who use computer systems. It is important to make sure employees know the types of social engineering attacks and scams, so they can spot scam attempts, and know how to respond to them properly.
In the same way, it's important to learn as much as possible about the way these scams work, and how to avoid falling for them. Also, avoid putting information online that could give hackers access to sensitive data or set you up for a scam. And if you do get targeted, make sure you know how to handle it and avoid giving them information they can use.
For companies offering services, incorporating dynamic data into authentication is a big step toward stopping users from falling victim to account takeover resulting from social engineering attacks. Unlike static information and credentials, which are compromised the moment they are stolen, systems that use dynamic data for authentication are much harder to break into with stolen credentials alone. These systems look for patterns of use that differentiate regular legitimate activity from potential fraud. Behavioral analytics is increasingly used in this way to protect user accounts from takeover.
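To make the "dynamic data" idea concrete, here is an added example (not Incognia's product or code) of a minimal behavioral risk check for a login attempt: even with a correct password, the attempt is compared to the user's baseline of known devices, last accepted location and usual sign-in hours, and the result is allow, step-up (ask for a second factor) or block. The baseline, the sample events, the point weights and the thresholds are all constructed assumptions for the illustration.

```python
import math
from datetime import datetime, timezone

# Constructed baseline for one user (not real data): trusted devices, the UTC hours
# in which the user normally signs in, and the last login that was accepted.
BASELINE = {
    "alice": {
        "devices": {"dev-alice-phone"},
        "usual_hours": set(range(7, 23)),
        "last_login": {"ts": "2024-03-01T08:00:00Z", "lat": 40.7128, "lon": -74.0060},  # New York
    }
}

MAX_FEASIBLE_KMH = 900.0   # faster than a commercial flight counts as impossible travel
FAR_KM = 500.0             # distance beyond which a new location is worth noting


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess_login(event, baseline=BASELINE):
    """Score one login attempt against the user's baseline.
    Returns (score, reasons, decision); the baseline is not mutated."""
    profile = baseline[event["user"]]
    score, reasons = 0, []

    # Stolen credentials usually arrive from a device the user has never used.
    if event["device_id"] not in profile["devices"]:
        score += 40
        reasons.append("unrecognised device")

    # Compare with the last accepted login: too far, too fast means two different people.
    last = profile["last_login"]
    hours = (parse_ts(event["ts"]) - parse_ts(last["ts"])).total_seconds() / 3600
    km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
    if km > FAR_KM:
        if hours <= 0 or km / hours > MAX_FEASIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        else:
            score += 20
            reasons.append(f"far from last login ({km:.0f} km)")

    # A sign-in at an unusual hour is a weak signal on its own, so it scores low.
    if parse_ts(event["ts"]).hour not in profile["usual_hours"]:
        score += 10
        reasons.append("outside usual sign-in hours")

    decision = "block" if score >= 80 else "step_up" if score >= 40 else "allow"
    return score, reasons, decision


# Constructed login attempts; all are assumed to have presented a valid password.
EVENTS = [
    {"user": "alice", "ts": "2024-03-01T09:00:00Z", "device_id": "dev-alice-phone", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "ts": "2024-03-01T08:30:00Z", "device_id": "dev-unknown-7", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2024-03-02T03:00:00Z", "device_id": "dev-alice-phone", "lat": 42.3601, "lon": -71.0589},
    {"user": "alice", "ts": "2024-03-01T10:00:00Z", "device_id": "dev-unknown-7", "lat": 40.7128, "lon": -74.0060},
]


def run(events=EVENTS):
    """Assess every event and return the list of (score, decision) results."""
    return [(s, d) for s, _, d in (assess_login(e) for e in events)]


if __name__ == "__main__":
    for e, (score, reasons, decision) in zip(EVENTS, (assess_login(e) for e in EVENTS)):
        print(e["device_id"], score, decision, reasons)
```

The point of the example is the second event: the password was correct, yet a never-seen device signing in from London half an hour after an accepted login in New York is blocked outright, which is what a static credential check alone can never do. Production systems use many more signals and learned rather than hand-set weights, but the structure is the same.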
To learn more about protecting users against social engineering and account takeover contact us! Incognia provides the leading location behavioral analytics solution for fraud detection, using location as the strongest trust signal on mobile.