Common Social Engineering Techniques

Some hackers rely on exploiting human vulnerabilities instead of technological ones — find out how to protect yourself from “social engineering.”

By Cryptopedia Staff

Updated March 10, 2022
3 min read


Summary

Social engineering techniques rely on human vulnerabilities, not the technical prowess of a potential hacker. Social engineering is used to gain (unauthorized) access to sensitive data, cryptocurrency wallets or accounts, or to induce victims to download malware onto computers and networks to enact further damage. Such techniques include phishing, baiting, quid pro quo attacks, pretexting, and tailgating.

During a phishing attack, a malicious actor impersonates a credible authority figure or organization in an attempt to trick a victim into disclosing sensitive information or parting with funds. While the target of a phishing attack may be an individual, in most cases the attacker’s broader goal is to compromise one or more systems the victim has access to. If a phishing attack on an individual is successful, the consequences can reverberate far and wide, affecting other users and adjacent networks with alarming speed.

Variants of phishing attacks include spear phishing, vishing, and smishing. Spear phishing attacks are highly targeted towards specific individuals, organizations, or businesses. For example, attackers may customize their emails or communications with knowledge of an individual’s position within an organization. So-called “vishing attacks” use voice communications, especially Voice-over-Internet-Protocol (VoIP) solutions, to trick victims into calling and revealing personal information such as their credit card number or billing address. “Smishing attacks” use SMS or text messages to redirect victims to malicious sites or trick them into divulging sensitive personal information.

Baiting: A Common Social Engineering Technique

Baiting attacks often exploit a victim’s greed with the promise of a quick payout. For example, an attacker might leave an infected USB stick in a public place, hoping a victim might insert the stick out of curiosity, and thereby install malware onto their system. An online ad might trick a victim by promising a quick cash payout in exchange for creating an account with their sensitive personal information.

Peer-to-peer (P2P) websites are also targeted by baiting attacks. The promise of free movie or music downloads may entice some users to drop their guard and give up their banking information. Victims who give up banking information for the promise of deals, quick returns on investments, or free cash prizes might find their accounts depleted once that information is shared.

Quid Pro Quo Social Engineering Attack

Similar to baiting schemes, quid pro quo attacks generally involve the promise of an exchange that turns out to be fraudulent. For example, an attacker may promise a reward, or participation in a research study, in exchange for company data. Scammers may also pose as internal IT staff, ready to assist with a problem or to offer software security protection in exchange for personal information or other sensitive data.

Pretexting: A Familiar Social Engineering Example

Pretexting often takes the form of an attacker posing as a trusted figure, such as a bank official or a law enforcement officer. The attacker then elicits personal information from the victim, such as a social security number, under the pretext of verifying the victim's identity.

One familiar pretexting scenario might entail a message from a friend’s social media account claiming they are stranded and in need of immediate emergency funds. A scammer might also claim to be a representative of a political campaign or charity and ask for support for a cause.

Each of these scenarios relies on some form of psychological manipulation, where a victim is made to believe they are fulfilling their duties or helping out a friend in need.  

Tailgating or Piggybacking: In-Person Social Engineering Attacks

Tailgating or piggybacking attacks generally involve physical access to a building or restricted area that contains secure information. Criminals can simply follow someone holding the door open for them into a secure building, bypassing the building’s security protocols. For this reason, security-focused companies may train their employees about tailgating attacks, in addition to other social engineering techniques.

Whether you work at a bank or crypto exchange, or merely have a bank or crypto exchange account, be wary of these social engineering attacks that could compromise your personal accounts.
