Updated on November 1, 2023.
Social engineering is a psychological manipulation technique used by threat actors to get others to do things or reveal private information. Social engineering can take place online or in person. Between 70% and 90% of data breaches involve social engineering, making it one of the largest cybersecurity threats facing both organizations and individuals.
Continue reading to learn how social engineering attacks occur, different types of social engineering attacks and how to stay safe from them.
How Do Social Engineering Attacks Occur?
To prepare for a social engineering attack, threat actors first research their target to learn background details and likely points of exploitation, such as poor cybersecurity practices. The threat actor then pretends to be someone they’re not to win the victim’s trust, so the victim is more likely to disclose confidential information or grant the threat actor access to internal systems.
It’s important to understand that social engineering can also take place in person. In-person social engineering attacks often involve threat actors pretending to be someone like a maintenance worker or a delivery person so they can get into a building they’re not otherwise allowed to access. Once a threat actor has gained access to the building, they’ll attempt to breach systems so they can steal confidential information and use it for malicious purposes.
Types of Social Engineering Attacks
Here are seven types of social engineering attacks.
Phishing
Phishing is the most common type of social engineering attack. In a phishing attack, cybercriminals lure their victims into voluntarily disclosing sensitive information by pretending to be someone the victim knows or a company the victim has an account or service with. Most of the time, phishing attacks are sent through emails.
These emails may contain malicious links and attachments and urge the victim to click on them. Clicking on a malicious link or attachment can immediately infect a victim’s device with malware or take the victim to a spoofed website that looks legitimate. Spoofed websites are designed to steal sensitive information like login credentials and credit card numbers.
Smishing and vishing
Smishing, also known as SMS phishing, is a type of phishing attack that occurs through SMS text messages rather than email. These messages frequently contain offers for free goods or time-critical alerts involving banking or other sensitive information. The main goal of a smishing attack is to get victims to click on a malicious link to steal their sensitive information.
Vishing is another type of phishing attack, but it occurs through a phone call, not through text messages or emails. This type of phishing attack tends to be more convincing since there’s usually another person speaking on the other end. The main goal of vishing is to get the victim to disclose sensitive information that the threat actor can use for malicious purposes. Vishing has become harder to spot since threat actors are now leveraging Artificial Intelligence (AI) to mimic the voices of people the victim knows.
Piggybacking and tailgating
Piggybacking is when threat actors attempt to gain access to a network, system or physical building so they can compromise sensitive information. Using piggybacking, threat actors can gain access to a network or system through WiFi that has been left unsecured. To gain access to a physical building using piggybacking, threat actors rely on the kindness of employees to hold the door open for them or leave it ajar.
Piggybacking and tailgating are quite similar, except that tailgating is when threat actors gain access to a physical building without other people knowing or noticing. Threat actors may slip past a door just as it’s closing. Because no one knows how they made it inside the building, they look as though they’re authorized to be there.
Pretexting
Pretexting is when a threat actor attempts to persuade a victim to reveal sensitive information or send them money by making up a convincing story. The threat actor typically pretends to be someone like a friend, family member, coworker or boss, so the victim is more inclined to provide them with sensitive information. Pretexting attacks can happen through phone calls, text messages, emails or in person.
CEO fraud
CEO fraud is when a threat actor pretends to be the CEO of a company in an attempt to get employees to provide them with sensitive information or send money, often in the form of gift cards. To carry out a CEO fraud attack, threat actors will typically message or email their victim multiple times before making their request. This helps them seem more credible and gives them time to gain the victim’s trust.
Scareware
Scareware is when threat actors use psychological manipulation to trick victims into downloading what they think is antivirus software but is actually malware. Malware is a malicious type of software that is used by threat actors to steal sensitive information by spying on users or tracking their keystrokes.
This type of social engineering attack is most commonly carried out by displaying random pop-ups on the victim’s device that say their device is infected with a virus. The message will also state that to get rid of the virus, the victim needs to download antivirus software immediately. If the victim clicks on the pop-up, it’ll start automatically downloading an actual virus or malware onto their device. Once the download is complete, the malware can send sensitive information to the threat actor so they can use it to steal the victim’s identity and compromise their online accounts.
Romance scams
Romance scams are when threat actors pretend to be a victim’s potential love interest. Threat actors will often use someone else’s identity when carrying out a romance scam, which is also known as catfishing their victim. When a threat actor gets a victim to fall for a romance scam, they manipulate them into sending money or providing personal information they can use to steal the victim’s identity or compromise their accounts.
If a victim does send the threat actor money, they may continue asking for more money or stop contacting the victim completely once they’ve gotten what they want.
How To Protect Yourself From Social Engineering
To protect yourself from social engineering, you need to clean up your digital footprint, be cautious about your security both online and in person, protect your accounts with strong passwords and Multi-Factor Authentication (MFA), and avoid oversharing personal information.
Clean up your digital footprint
Your digital footprint consists of the traces of data you leave behind on the internet. There are two main types of digital footprints: passive and active. Your passive footprint consists of the data that websites collect about you in the background, such as browsing history, shopping history and cookies. Your active digital footprint is the data you knowingly post on the internet, such as social media posts and public reviews.
It’s important to clean up your digital footprint because the more data that exists about you online, the easier it is for threat actors to target you with social engineering attacks. Here are four ways to clean up your digital footprint.
Be cautious of your security online and in person
Because social engineering attacks can take place in person or online, it’s important to be cautious about who you give personal information to and who you let into a building. If you work from your company’s office, don’t let just anyone in, and be wary of someone tailgating you, because they could easily sneak into the building.
Protect your online accounts
In case you do fall for a social engineering attack, it’s important that you already have security measures in place to protect your online accounts. This includes having strong passwords and multi-factor authentication enabled on accounts where it’s an option.
Rather than relying on yourself to create your passwords, use a password generator or sign up for a password manager account. Password managers aid users in creating, managing and securely storing passwords so they don’t have to remember them all on their own. In addition to strong passwords, it’s just as important to have MFA enabled.
MFA is a security measure that requires one or more additional authentication factors besides your username and password to successfully log in to an account. Even if a threat actor were able to get your username and password through a social engineering attack, they wouldn’t be able to compromise your account without the additional authentication factor.
Avoid oversharing personal information
As mentioned above, to keep your digital footprint clean you need to avoid oversharing personal information online. But it’s also important to be careful about the information you share with people in person. You never know what a person’s intentions might be, so it’s better to be safe, keep your personal information to yourself and share it only with people you know you can trust.
How To Protect Your Organization From Social Engineering
To protect your organization from social engineering attacks, send employees simulated phishing emails, regularly train employees on cybersecurity best practices, invest in a business password manager and implement the Principle of Least Privilege (PoLP).
Send simulated phishing emails
Simulated phishing emails are emails that are sent by organizations to their employees to test their skills in spotting phishing attacks. Sending these simulated phishing tests is a great way to determine how good or bad employees are at spotting them. If an employee falls for one of these phishing tests by clicking on the contents of the email, they’ve failed it and will have to take additional training to learn to spot them.
There are many phishing tools available to send these phishing tests, including free open-source ones like Gophish. There are also many commercial products like KnowBe4 and Infosec IQ.
Train your employees on cybersecurity
Phishing tests shouldn’t be the only thing you do to protect your organization; you also need to regularly train your employees on cybersecurity best practices like the following.
- Use strong, unique passwords for each account
- Enable MFA on accounts whenever it’s an option
- Avoid using public WiFi networks when traveling or working remotely
- Keep software and hardware up to date
- Regularly back up data
The more employees know about cybersecurity, the better they’ll be at practicing it to mitigate the risks of cyber attacks like social engineering.
Invest in a business password manager
A business or corporate password manager is a tool that helps organizations ensure employees always use strong passwords for each of their work accounts. With a business password manager, IT administrators have full visibility into employee password habits and are able to enforce the use of MFA to make accounts more secure.
When it comes to phishing, which is the most prevalent type of social engineering attack, the biggest risk is having passwords compromised. Password managers save website addresses along with login credentials, which means they protect users from entering their credentials into a spoofed website: a password manager won’t autofill on a website it doesn’t recognize, even if the page looks identical to the real one.
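The origin check that makes this protection work, as an added illustration that is not Keeper’s or any other vendor’s code: the saved vault entry and the candidate page URLs are constructed, and the matching rule (same scheme, host and port, HTTPS only) is an assumption about how a manager might decide.

```javascript
// Added example (not a vendor's code): how a password manager decides whether a
// saved credential may be autofilled on the page currently being visited.
// The vault entry and page URLs below are constructed for illustration.

// Reduce a URL to the (scheme, host, port) tuple used for matching.
// `new URL()` lowercases the host and converts internationalised domain
// names to punycode, so homoglyph lookalikes never compare equal.
function originOf(url) {
  const u = new URL(url);            // throws on malformed input
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Assumed matching rule: fill only when the page is served over HTTPS and its
// scheme, host and port all equal those of the saved site. A host that merely
// contains the saved host as a prefix (accounts.example.com.evil-site.test)
// is a different origin and must not be filled.
function shouldAutofill(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = originOf(savedUrl);
    page = originOf(pageUrl);
  } catch (e) {
    return false;                    // unparsable URL: never fill
  }
  if (page.scheme !== "https:") return false;
  return page.scheme === saved.scheme &&
         page.host === saved.host &&
         page.port === saved.port;
}

// Constructed vault entry and candidate pages a phishing link might lead to.
const savedEntry = { site: "https://accounts.example.com/login", user: "alice" };
const candidates = [
  "https://accounts.example.com/login?next=/home",      // legitimate site
  "https://accounts.example.com.evil-site.test/login",  // saved host used as a prefix
  "http://accounts.example.com/login",                  // downgraded to plain HTTP
  "https://accounts-example.com/login",                 // hyphen lookalike
  "https://accounts.exаmple.com/login",                 // Cyrillic 'а' homoglyph
];
for (const url of candidates) {
  console.log(shouldAutofill(savedEntry.site, url) ? "FILL    " : "NO FILL ", url);
}
```

Only the first candidate is filled; every lookalike is refused because its parsed origin differs from the saved one, which is exactly the signal a user should treat as a phishing warning.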
Implement the principle of least privilege
The principle of least privilege is a cybersecurity concept that states users should be given only the network access to the information and systems they need to do their jobs, and no more. Implementing the principle of least privilege reduces an organization’s attack surface, and if a threat actor does gain access to an employee’s account, it prevents them from moving laterally throughout the organization’s network.
Stay Protected From Social Engineering Attacks
Social engineering attacks can target anyone – it doesn’t matter who you are. It’s important that both individuals and organizations take steps to protect themselves from social engineering attacks to mitigate the risks.
Start a free 30-day personal trial or 14-day business trial of Keeper Password Manager today to start protecting your online accounts from social engineering attacks.