
Communications of the ACM

BLOG@CACM

Duped No More: Navigating the Maze of Social Engineering Schemes



We all know there are many skilled cyber attackers out there, professionals with the technical know-how to manipulate and exploit data. Their goal is to breach computer systems and gain access to confidential information. These cyber crooks often manage to stay one step ahead, even when faced with the newest tech meant to spot fraud and boost company security.

However, hacking is not always about technical prowess. Indeed, there are non-technical methods hackers often use to compromise their victims. As you may know, one of the largest chinks in any organization's cybersecurity armor tends to be human error.

This vulnerability is precisely what social engineering attacks prey on. These kinds of attacks typically involve a degree of psychological manipulation, tricking otherwise unsuspecting users into disclosing sensitive information or performing certain actions for dishonest purposes.

Social engineers often employ different psychological tricks to lure users into a trap of trust or create an artificial sense of urgency and worry to lower one's natural defenses. Once these defenses are down, attackers can break through physical or digital security walls to pilfer sensitive information.

Social engineering attacks have significantly advanced over time. Emerging techniques like deepfakes are becoming a growing worry for both individuals and businesses. Indeed, in 2022, one out of every five data breaches was attributed to cybercriminals employing social engineering tactics.

The best way to guard against becoming a target of social engineering is to familiarize yourself with the strategies, psychological hooks, and technological means that attackers employ. Scammers utilize a wide array of social engineering tactics, yet there are common red flags that can help you recognize and sidestep these potential threats.

15 Social Engineering Attack Types and Their Subcategories

1) Phishing

Phishing is one of the most common types of social engineering attacks. There are many variations of phishing attacks. Here are the most popular ones:

  • Mass Phishing

Phishing is a cybercrime where fraudsters impersonate a trusted entity to trick individuals into providing sensitive data, like passwords or credit card numbers. Phishing typically involves the mass distribution of generic messages conducted through large-scale spam email campaigns. Rogue messages may contain malicious links or attachments, leading to fraudulent websites designed to capture the victim's information. The deceptive statements often urge immediate action, leveraging fear or urgency to prompt the victim to respond without thorough scrutiny.

  • Spear phishing

Spear phishing is a more targeted form of phishing. In spear phishing attacks, perpetrators gather information in advance, such as the victim's name, position, or other personal details. They then personalize their deceptive communications to trick the victim into believing they have a pre-existing relationship. (Spear phishing trends)

  • CEO Fraud / BEC

This is an attack where the cybercriminal impersonates a high-ranking executive (often the CEO), intending to trick an employee (typically in finance or HR) into transferring funds or revealing sensitive data via business email compromise (BEC). The communication often urges immediate action, citing some business urgency. (BEC statistics)

  • Whaling

In this scenario, the "whales" are the high-ranking executives who are being targeted. Whaling is a specialized form of phishing that targets only high-profile individuals like CEOs or politicians. The attackers attempt to trick these individuals into revealing sensitive personal or company information or into authorizing substantial transactions. (Whaling facts and statistics)

  • Clone Phishing

In this variation, a legitimate email with an attachment or link has its content and recipient address(es) taken and used to create an almost identical email. The attachment or link is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.

  • Pharming

Pharming is a type of phishing that seeks to redirect a website's traffic to another fake site in order to collect the personal information of users. It is usually carried out by changing the Hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. It is a more sophisticated attack because it does not require the victim to click a link to be redirected to the fake site. Once on the fake site, the attackers can steal any information entered, such as passwords or credit card details. (Pharming facts & statistics)
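Because a hosts-file override is the low-tech end of pharming, a defender can audit that file directly. The Python script below is an added example (not from the original post): it parses hosts-file text, flags any entry that names a protected domain, and records whether the entry redirects the name to a non-loopback address or merely blocks it. The protected-domain list and the hosts-file contents are constructed for the example.

```python
import ipaddress

# Domains that should never be overridden on an endpoint (constructed list;
# an organisation would substitute its own banking, mail and SSO domains).
PROTECTED_DOMAINS = {"example-bank.com", "mail.example.com"}

# Constructed sample hosts-file contents including one pharming-style override.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Harmless local development alias
127.0.0.1   dev.local
# Suspicious: a banking domain pinned to an external address
203.0.113.45   example-bank.com www.example-bank.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *hostnames = parts
        for host in hostnames:
            yield ip, host.lower()


def domain_matches(host, protected):
    """True if host is the protected domain or a subdomain of it."""
    return host == protected or host.endswith("." + protected)


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; malformed addresses count as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_pharming_overrides(text, protected_domains=PROTECTED_DOMAINS):
    """Return hosts-file entries that touch a protected domain.

    Each finding is a dict with the ip, the hostname and a kind:
    "redirect" when the name is pointed at a non-loopback address (classic
    pharming) or "local_override" when it is pinned to loopback (blocking).
    """
    findings = []
    for ip, host in parse_hosts(text):
        if any(domain_matches(host, p) for p in protected_domains):
            kind = "local_override" if is_loopback(ip) else "redirect"
            findings.append({"ip": ip, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"{finding['kind']:15} {finding['host']} -> {finding['ip']}")
```

On a real endpoint you would read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) instead of the constructed string; the check is cheap enough to run from endpoint management tooling alongside a DNS-resolver integrity check, which this script does not cover.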

  • Smishing

Smishing is a form of phishing where attackers use SMS messages to trick victims into revealing sensitive information. Typically, a smishing text appears to come from a trusted source, like a bank or reputable company and may contain a link or request personal data, exploiting the recipient's trust to commit fraud. (Smishing statistics)

  • Vishing

Vishing, short for "voice phishing," is a type of phishing attack where fraudsters use telephone calls to trick victims into revealing sensitive personal or financial information. Often pretending to be trusted organizations, these scammers aim to exploit the victim's trust over the phone. (Vishing statistics)

2) Pretexting

Pretexting involves creating a false narrative or situation (the pretext) to convince a victim to divulge information or perform an action that compromises their security. The attacker often impersonates someone with a right-to-know authority, such as a bank official or company employee, to build trust and manipulate the victim. The attacker's pretext or fabricated scenario is usually designed to appeal to the victim's natural desire to help or comply with authority. The attacker uses carefully crafted lies and manipulative tactics, often after doing some research about the victim, making the deceit more convincing.

3) Baiting

Baiting is an attack that exploits human curiosity to deceive victims. Baiting also exploits human greed and desire for free or exclusive content. Attackers leave physical or digital "baits" in strategic locations, enticing individuals to take the bait. Physical baits can be USB drives labeled as something intriguing, like "Confidential" or "Employee Salary Info." Digital baits might involve free downloads of popular movies, music, or software. Once victims take the bait and interact with the malicious item, malware is installed on their devices, granting attackers access to sensitive data or compromising the victim's security.

4) Tailgating / Piggybacking

Tailgating or piggybacking is a social engineering attack involving an unauthorized person gaining physical access to a restricted area by closely following an authorized individual. The attacker takes advantage of people's natural tendency to hold doors open for others or avoid confrontation. They might impersonate a delivery person, maintenance worker, or even act as if they forgot their access card. By blending in with authorized personnel, the attacker gains entry to secure areas without raising suspicion. Tailgating exploits the trust and politeness of individuals to bypass physical security measures and gain unauthorized access to sensitive locations.

5) Diversion Theft

Diversion theft attacks can occur both online and offline. Both types aim to redirect or steal goods during the delivery process for their illicit gain. Online diversion theft occurs when cybercriminals deceive customers into providing delivery addresses that differ from the intended recipient, ultimately rerouting the packages to themselves. They could also compromise online accounts or intercept shipping notifications to redirect packages to a different location. Offline diversion theft takes place in the physical world. Criminals pose as delivery personnel, intercepting packages en route or stealing them from doorsteps. They may use fake uniforms or badges to appear legitimate.

6) Honey Traps

A honey trap attack, commonly associated with romance scams, involves manipulating victims through romantic or emotional enticement to deceive and exploit them. The attacker pretends to have a romantic or sexual interest in the victim, establishing a relationship and gaining their trust. The intention is to manipulate the victim into providing money, personal information, or access to sensitive data. The attacker may create an elaborate backstory, use attractive profile pictures, use seduction, flattery, and engage in prolonged online communication. (Romance scams facts & statistics)  

7) Extortion

Criminals widely use extortion attempts to instill fear in their victims and extort money from them. This tactic is highly effective, as many individuals succumb to the fear of potential consequences. Criminals have devised various types of fake extortion schemes. Here are a few examples:

  • Scareware

Scareware refers to rogue software designed to frighten and deceive users by falsely indicating that their computer is infected with malware or facing security threats. Attackers employ alarming pop-up messages or fake system scans to create a sense of urgency and panic. Victims are coerced into purchasing bogus antivirus software or providing personal and financial information to resolve the perceived issues. Scareware preys on fear and lack of knowledge, exploiting users' concerns about their device's security.

  • Sextortion

Sextortion is a form of blackmail where the attacker coerces the victim into providing sexual images, videos, or engaging in explicit activities. The attacker threatens to distribute the compromising material or expose the victim's actions unless a ransom is paid. This psychological manipulation preys on the fear and shame of the victim, aiming to exploit their vulnerability. (Sextortion facts & statistics)

  • Doxing

Doxing or Doxxing, short for "document tracing," is the act of threatening to publicly reveal personal information about an individual without their consent. This information often includes details such as home addresses, phone numbers, email addresses, workplace information, and more. (Doxing statistics)

  • DDoS Threats

Cybercriminals threaten to launch Distributed Denial of Service (DDoS) attacks on a target's website or network, causing disruption and demanding payment to prevent the attack.

  • Reputation Damage Threats

Extortionists threaten to harm an individual or organization's reputation by spreading false or damaging information unless their demands are met, such as financial compensation.

  • Extortion With Threat to Kill

Extortion scams that involve threats to kill exploit the deepest fears of individuals. In these scams, fraudsters demand payment, menacingly asserting they will inflict serious harm on the victim or their family members if the target does not pay.

8) Watering Hole

A watering hole attack is a social engineering technique where attackers target specific websites or online platforms frequently visited by their intended victims. By compromising these trusted sites with malicious code or malware, the attackers aim to infect the visitors' devices. This approach exploits the trust users place in familiar websites, making them unwitting victims. The attackers carefully select websites that are likely to be visited by their desired targets, such as industry-specific forums or news sites.

9) Quid Pro Quo

Quid pro quo is a tactic used in social engineering where a cyber crook offers a benefit or favor in exchange for sensitive information or access. The attacker may pose as a helpful individual, such as an IT technician or service provider, offering assistance in exchange for some information. The attacker may promise quick fixes, discounts, or exclusive services to entice the victim. The ultimate goal is to exploit the victim's trust and willingness to reciprocate, using the exchange as a means to access confidential data or infiltrate systems.

10) Typosquatting

Typosquatting, also known as URL hijacking, is a technique cybercriminals use to exploit typographical errors users make when entering website URLs. Attackers register domain names that are similar to popular websites but with slight variations or common typos. The goal is to deceive users who mistype or misspell the intended website's URL and land on the malicious one instead. By mimicking the legitimate site's appearance and functionality, attackers aim to trick users into entering sensitive information or downloading malware. This technique capitalizes on users' mistakes and their familiarity with popular websites. (Typosquatting facts & statistics)
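The defensive counterpart to typosquatting is checking domains you see in mail, links or certificate-transparency feeds against the brands you protect. The Python below is an added example, not code from the original post. It folds common look-alike characters to a canonical "skeleton", measures edit distance with adjacent-character swaps counted as one edit, and classifies a candidate as legitimate, a TLD swap, a homoglyph, a typo, a "combosquat" (brand plus extra words), or unrelated. The brand list is constructed, and the code assumes single-label TLDs; a production check would use the Public Suffix List to find the registrable label.

```python
import unicodedata

# Brands this check protects (constructed; substitute your own domains).
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# ASCII look-alike substitutions commonly seen in typosquats. Multi-character
# sequences come first so "rn" folds to "m" before single characters are folded.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
                     ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s"), ("@", "a")]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain):
    """Label left of the TLD ("examp1e" for "www.examp1e.com").
    Assumes a single-label TLD (an assumption of this example)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label):
    """Fold Unicode accents and ASCII confusables to a canonical comparison form."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in ASCII_CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def classify_domain(candidate, protected=PROTECTED_DOMAINS):
    """Return (verdict, matched_brand); brand is None when the domain is unrelated."""
    cand = candidate.lower().strip(".")
    for brand in protected:
        if cand == brand or cand.endswith("." + brand):
            return "legitimate", brand
    cand_label = registrable_label(cand)
    cand_skel = skeleton(cand_label)
    for brand in protected:
        brand_label = registrable_label(brand)
        if cand_label == brand_label:
            return "tld-swap", brand          # example.co, example.net
        if cand_skel == skeleton(brand_label):
            return "homoglyph", brand         # examp1e.com, exarnple.com
        # Allow one edit per five characters of the brand, minimum one.
        if edit_distance(cand_label, brand_label) <= max(1, len(brand_label) // 5):
            return "typo", brand              # exmaple.com, exampl.com
        if brand_label in cand_label:
            return "combosquat", brand        # example-login.com
    return "unrelated", None


if __name__ == "__main__":
    for d in ["www.example.com", "examp1e.com", "exmaple.com",
              "example.co", "example-login.com", "acm.org"]:
        print(f"{d:20} {classify_domain(d)}")
```

A verdict other than "legitimate" or "unrelated" is a reason to hold the message or block the link for review, not proof of fraud on its own: short brand names produce false positives, so tune the edit-distance threshold per brand.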

11) Email Prepending

Attackers may prepend email subjects with deceptive phrases like "RE:" (indicating a reply) or "EMAILSAFETY: PASSED" (suggesting safe content) to make their messages appear more trustworthy or important. This tactic aims to manipulate recipients into opening the email and engaging with its contents.
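The subject-line tricks described here, along with the spoofed senders and urgency cues from the phishing, clone-phishing and CEO-fraud sections above, all leave traces in message headers that a mail gateway can score. The Python below is an added example rather than code from the original post. It parses a raw message with the standard-library `email` package and flags: a "RE:" prefix with no In-Reply-To or References header (a fabricated reply), a security-assurance banner in the Subject (real gateways record verdicts in headers such as Authentication-Results, not in the subject), an executive's display name paired with an external sender domain, a Reply-To domain that differs from the From domain, and urgency language. The organisation domain, executive list and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # constructed: the defended organisation
EXECUTIVE_NAMES = {"jane doe"}      # constructed: names attackers would impersonate

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
FAKE_ASSURANCE = re.compile(
    r"(emailsafety|virus ?scan|security ?check)\s*:\s*(passed|ok|clean)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|right away|wire transfer)\b", re.I)

# Constructed sample: a CEO-fraud style message with a fake reply prefix and banner.
SUSPICIOUS_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: accounts@free-webmail.example
To: bob@example.com
Subject: RE: EMAILSAFETY: PASSED - urgent wire transfer
Date: Mon, 1 Jan 2024 09:00:00 +0000
Message-ID: <abc@examp1e-mail.net>

Bob, I need this processed immediately. Don't call, I'm in a meeting.
"""

# Constructed sample: a genuine internal reply, threaded via In-Reply-To.
BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Re: Q3 planning notes
In-Reply-To: <123@example.com>
References: <123@example.com>
Date: Mon, 1 Jan 2024 10:00:00 +0000
Message-ID: <456@example.com>

Thanks Bob, I will send the notes next week.
"""


def address_parts(header_value):
    """Return (lower-cased display name, lower-cased domain) for an address header."""
    name, addr = parseaddr(str(header_value or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def inspect_message(raw):
    """Return the list of social-engineering red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    subject = str(msg["Subject"] or "")

    # A reply prefix with no threading headers is a fabricated conversation.
    if REPLY_PREFIX.match(subject) and not (msg["In-Reply-To"] or msg["References"]):
        flags.append("fake-reply-prefix")

    # Assurance text in the subject is a claim by the sender, not by a gateway.
    if FAKE_ASSURANCE.search(subject):
        flags.append("fake-security-banner")

    # Display-name impersonation of an executive from outside the organisation.
    from_name, from_domain = address_parts(msg["From"])
    if from_name in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        flags.append("executive-display-name-external-domain")

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_domain = address_parts(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")

    # Pressure language in subject or body (single-part text bodies only here).
    body = msg.get_content() if not msg.is_multipart() else ""
    if URGENCY.search(subject + " " + body):
        flags.append("urgency-pressure")
    return flags


if __name__ == "__main__":
    print("suspicious:", inspect_message(SUSPICIOUS_EMAIL))
    print("benign:    ", inspect_message(BENIGN_EMAIL))
```

None of these flags proves fraud alone; the value is in scoring them together with SPF, DKIM and DMARC results from the gateway and routing high-scoring messages to quarantine or to a warning banner the recipient actually sees.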

12) Social Media Mentions

Attackers may use the @username mention feature on social media platforms to make their posts or comments seem more authentic. By mentioning legitimate users or organizations, they attempt to give their content an air of credibility and trustworthiness, potentially deceiving others into interacting with them.

13) Hoaxes

A hoax is a social engineering technique where the attacker spreads false information to manipulate or deceive the target. This could involve sending alarmist messages to incite fear or warning about a non-existent threat.

  • Tech Support Scam

A classic example of a hoax is the tech support scam. In this scenario, the scammer pretends that there's an issue with the user's computer. They often impersonate a member of a reputable company's tech support team, convincing the unsuspecting individual to grant them remote access or to pay for services they do not need. (Tech Support scam facts & statistics)

  • Charity Scam

In the wake of a disaster, pandemic, or during holiday seasons, scammers send messages asking for donations to fake charities. By playing on human emotions like empathy and sympathy, charity scams manipulate people into bypassing rational thinking, leading to risky behaviors and potential security breaches.

  • Lottery Scam

A message claims the recipient has won a large sum of money and needs to provide personal details or pay a fee to claim the prize.

14) Dumpster Diving

Dumpster diving is a tactic where fraudsters sift through a target's trash to retrieve discarded information. This could include invoices, letters, memos, or other documents that may reveal sensitive data such as usernames, passwords, or business strategies. By collecting this info, scammers gain knowledge to impersonate an insider or bypass security protocols, facilitating further cyber-attacks. Dumpster diving relies on the negligence of individuals or organizations in properly disposing of sensitive information, making it a relatively low-tech yet effective method for gathering valuable data.

15) Shoulder Surfing

Shoulder surfing is a kind of trick where someone sneaks a peek at another person's keyboard or screen to steal sensitive details, like usernames, passwords, PIN codes, or even credit card numbers. They do not even have to be in the same room to do it - they can spy on you from afar using surveillance cameras or during video calls. Despite its simplicity, shoulder surfing is a powerful way to get hold of important data without having to hack into a system.

Protection

The following two sections cover the two domains where defenses matter most: protecting home users from social engineering, and securing businesses against these attacks. Each list is tailored to its audience.

Tips for Home Users Against Social Engineering

  1. Minimize your digital presence. Be prudent with what you share on the Internet, especially on social media, to reduce hackers' chances of targeting you.
  2. Equip your devices with reliable antivirus software.
  3. Maintain a composed approach to online activities. Stay calm, take your time, and manage stress effectively.
  4. Be vigilant of email attachments or web links from unfamiliar sources. Be meticulous when checking URLs and email addresses to spot potential spoofing.
  5. Regularly review your financial statements and credit reports. Be aware that scammers often target your financial resources.
  6. Refrain from plugging unknown USBs or other devices into your computer.
  7. Never permit another user to access your devices or accounts.
  8. Utilize a Virtual Private Network (VPN) for safer browsing and online shopping experiences.
  9. Enable multi-factor authentication (MFA) for additional security wherever it is offered.
  10. Keep an eye on the Dark Web for any exposed personal data.
  11. Think about enrolling in identity theft protection services.

Safeguarding Your Company From Social Engineering

  1. Regularly conduct staff training and awareness campaigns, utilizing methods such as posters, presentations, and informational notes.
  2. Test your team's vigilance by running simulated phishing email campaigns.
  3. Regularly update your website and applications, including any AI/ML components, and hardware to patch vulnerabilities.
  4. Implement layered technical controls, like network segmentation and Extended Detection and Response (XDR).
  5. Use Security Information and Event Management (SIEM) and Data Loss Prevention (DLP) tools to monitor employee activities.
  6. Apply the principle of least privilege, restricting access to sensitive information to those who really need it.
  7. Perform Dark Web monitoring to identify potential threats and compromised data.
  8. Integrate Threat Intelligence into your overarching security strategy.
  9. Conduct Penetration Testing to assess your organization's vulnerability to social engineering attacks.

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.