There’s one weakness that can be found in every business network: people. Over the years, cybercriminals have invented many social engineering techniques to exploit this weakness to gain access to sensitive information and protected systems. Knowing what the most common types of social engineering attacks are in 2023 is essential for avoiding them.
What Are Social Engineering Attacks?
Social engineering attacks are methods that cybercriminals use to get their victims to do something that’s against their best interest, like sharing a password. These methods rely heavily on human interaction, and they typically use psychological techniques to manipulate behavior.
Generally, social engineering attacks happen in four distinct phases:
- Information gathering: Attackers start by gathering information on potential victims. Of particular interest are high-profile individuals with privileged access to sensitive information and protected systems.
- Planning: Once locked on to a target, attackers begin planning their next steps, which will depend on the chosen social engineering attack.
- Exploitation: Next, it’s time for the execution of the social engineering attack. Sometimes, it can take attackers weeks or even months to reach this step.
- Retreat: Finally, attackers vanish into thin air. It may take the victim a long time to realize that they have been attacked.
9 Social Engineering Attacks to Watch Out For
Now that we’ve explained what social engineering attacks are and how they work, let’s take a look at 9 specific types that are most likely to cause cybersecurity incidents in 2023.
1. Phishing
If there’s one social engineering attack that has entered mainstream awareness, it has to be phishing. This attack involves fraudulent email messages that are designed to trick the recipient into revealing sensitive information, clicking on a link leading to a malicious website, or downloading an infected file, among other things.
In 2020, phishing attacks were responsible for more than 80 percent of reported cybersecurity incidents, which goes to show that awareness doesn’t always correlate with proper response.
Part of the reason why phishing attacks are still so effective is that cybercriminals keep evolving their tactics and coming up with new phishing sub-types. These include:
- Smishing: Phishing attacks can be carried out over a text messaging service. Such attacks are called smishing, and they are commonly used to distribute links to mobile malware or malicious websites.
- Vishing: It’s easy to pause for a moment and take extra time to carefully read an email or text message to decide if it’s legitimate. Doing the same when talking with someone on the phone is much more difficult, which is why more daring cybercriminals perform phone-based sub-type phishing attacks, commonly referred to as vishing.
- Angler phishing: When phishers pretend to be customer support agents on social media websites to extract passwords and other information from unsuspecting users, they use a phishing technique called angler phishing. Such phishers often wait for users to make public complaints about access issues. They then create fake customer support accounts and offer assistance to their targets, who happily provide their personal information.
- Consent phishing: The cloud is where most personal and business data resides these days. To gain access to it, attackers may attempt to trick users into granting permissions to malicious cloud applications.
- Whaling: Carefully planned phishing attacks on high-profile individuals, such as C-level executives, have been dubbed whaling attacks. They are often prefaced by attacks on lower-ranking employees, whose credentials may be used to send phishing emails that are extremely difficult to spot.
- Deepfake-enhanced phishing: In recent years, AI has gotten really good at creating convincing images, videos, and audio files based on existing content. Phishers are now using readily available AI tools to make their attacks more convincing.
There’s also the fact that phishing is now more accessible than ever before, with Phishing-as-a-Service offerings capable of building convincing phishing websites in no time being available to anyone at an affordable monthly subscription fee, complete with professional customer support.
2. Brand Impersonation
Social engineering attacks in which attackers impersonate well-known brands are grouped under the brand impersonation umbrella. These attacks are conducted via email, text, and voice messages, and they take advantage of the fact that most people receive messages from major brands on a regular basis, so it doesn’t seem suspicious when one extra message arrives.
The most commonly impersonated brands, according to the Q2 2022 Brand Phishing Report released by Check Point Research, are:
- LinkedIn (45%)
- Microsoft (13%)
- DHL (12%)
- Amazon (9%)
- Apple (3%)
- Adidas (2%)
- Google (1%)
- Netflix (1%)
- Adobe (1%)
- HSBC (1%)
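The brand list above is exactly what a defender can check incoming mail against. The following Python is an added example (not from the original article or OSIbeyond) that flags a sender as a likely brand impersonation when the display name claims a brand the address does not belong to, when a brand name is embedded in a non-brand domain, or when the domain is a digit or "rn"-for-"m" look-alike; the allow-list of genuine brand domains, the look-alike rules and the sample senders are all constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed allow-list for the example: brands from the report mapped to domains they genuinely send from.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "dhl": {"dhl.com"},
    "amazon": {"amazon.com"},
}
# Digits that attackers swap in because they resemble letters at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('login.dhl-parcel.net' -> 'dhl-parcel.net'); no public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Fold accents, digit look-alikes, hyphens and the classic 'rn' -> 'm' trick."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS).replace("-", "").replace("rn", "m")


def assess_sender(display_name: str, address: str):
    """Return (brand, reason) when the sender looks like a brand impersonation, else None."""
    host = address.rsplit("@", 1)[-1].lower()
    domain = registrable_domain(host)
    sld = normalize(domain.split(".")[0])   # second-level label, folded
    name = display_name.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            return None                     # genuinely the brand's own domain
        if brand in normalize(host):        # e.g. micr0soft-security.com, apple.com.evil.net
            return brand, f"brand name embedded in non-brand domain {host}"
        if SequenceMatcher(None, sld, brand).ratio() >= 0.85:
            return brand, f"look-alike domain {domain}"
        if brand in name:                   # display-name spoofing with an unrelated address
            return brand, f"display name claims {brand} but address is {address}"
    return None                             # heuristic: tune the allow-list to your own vendors


SAMPLE_SENDERS = [  # constructed examples, not real messages
    ("LinkedIn", "messages-noreply@linkedin.com"),
    ("Microsoft Account Team", "no-reply@micr0soft-security.com"),
    ("DHL Express", "tracking@dhI-parcel.net"),
    ("Amazon", "orders@arnazon.com"),
]


def triage(senders):
    return [(name, addr, assess_sender(name, addr)) for name, addr in senders]
```

Calling `triage(SAMPLE_SENDERS)` returns `None` for the genuine LinkedIn sender and a (brand, reason) pair for the other three.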
3. Business Email Compromise (BEC)
The vast majority of social engineering attacks are not particularly financially damaging (although their cost does add up). However, there is one particular social engineering attack that has cost businesses around the globe more than $43 billion between June 2016 and December 2021, according to a public service announcement published by the FBI.
We’re talking about Business Email Compromise, or BEC for short. This social engineering attack involves the impersonation of a trusted business contact to convince the target to pay a fake invoice, transfer funds, or disclose sensitive company information. BEC scams usually target executives and leaders, finance employees, and HR managers. But they may also target newly hired employees, whose lack of experience makes it difficult for them to verify the sender’s legitimacy.
4. Tailgating (Piggybacking)
Have you ever seen someone who had lost their parking ticket leave the garage by tailgating another car as it passed through the gate? Well, that’s basically how tailgating social engineering attacks (also called piggybacking attacks) work but in the opposite direction: an unauthorized person closely follows someone who is authorized to physically enter a restricted area, slipping undetected past security when the authorized employee badges in.
Once inside the restricted area, tailgaters can steal documents, data storage devices, and laptops. They can also install keyloggers to monitor and record each keystroke an employee makes, access unlocked computers and infect them with malware, or leave behind malicious USB flash drives for employees to pick up and connect to their machines, which leads us to the next social engineering attack we want to discuss.
5. Baiting Attacks
These attacks involve storage devices being sent to employees or left somewhere for them to find. To nudge employees into connecting them to their machines to see what’s stored on them, attackers like to provide written descriptions of their content, such as “Sales and Revenue Report” or “Safety Presentation.”
Once an employee takes the bait and opens the fake content, which is typically designed to appear completely legitimate to avoid triggering suspicion, their machine becomes infected with malware. What happens then depends on the type of malware used. For example, the attacker can gain complete remote control over the infected machine, or the data stored on the machine can be encrypted with ransomware.
6. Pretexting Attacks
Some social engineering attacks seem to come from unknown senders or callers, while other attacks have known names attached to them. The latter type is called pretexting, and it abuses the trust between the victim and someone the victim knows.
Pretexting attacks tend to have a much higher chance of success than attacks coming from unknown senders or callers because they are considerably harder for anti-spam filters to detect, especially when a hacked account or a stolen phone number is used.
7. Shoulder-Surfing Attacks
The explosion of hybrid work since early 2020 has made shoulder-surfing attacks more relevant and dangerous. An attacker performing this technique waits in a public place, ready to position themselves behind an individual who is working remotely on their laptop or some other electronic device.
The goal is to catch a password being entered or some sensitive information being displayed on the screen. Shoulder-surfing attacks are also used to steal the PINs of ATM users.
8. Quid Pro Quo
Not all employees are completely loyal to their employers. Sometimes, a promise of even a relatively small financial reward is enough to convince an employee to switch sides and perform a malicious action requested by the attacker.
The scary thing about quid pro quo social engineering attacks is that they can target not only current employees but also former ones. That’s because many organizations don’t immediately delete or disable former employees’ accounts when they terminate their employment. Employees who have left on bad terms may actually welcome the idea of being able to take revenge and be willing to go the extra mile to do so.
9. Watering Hole Attacks
Just like animals gather at watering holes to fulfill a basic need, employees regularly visit certain websites to perform essential work-related tasks. A watering hole attack happens when an attacker infects such a website to steal sensitive information or distribute malware.
A particularly infamous watering hole attack happened in 2017, when a Ukrainian government website was compromised to distribute the NotPetya malware, which resulted in more than $10 billion in total damages. Attacks like these are difficult to defend against because their victims can’t directly influence the security of the infected website.
How to Defend Against Social Engineering Attacks?
If social engineering attacks target the weakest link in the cybersecurity chain—the human factor—then your goal should be to strengthen it. Here are a few ways that can be done:
- Social engineering awareness training: Employees should be made aware of the social engineering threats they may encounter in the wild and be taught how to protect themselves against them. Even something as simple as explaining the importance of following best practices like double-checking email addresses and paying attention to URLs can make a huge difference.
- Social engineering simulations: To evaluate the effectiveness of social engineering awareness training, it’s critical to conduct periodic social engineering simulations. Employees who score poorly should be provided with additional training until their detection rates improve.
- Security-first culture: Ultimately, organizations should strive to create a security-first culture where everyone is aware of their role in preventing social engineering attacks from resulting in costly breaches. Employees should always feel that cybersecurity is a top priority, and they must never be pressured to ignore best practices when working with tight deadlines or chasing ambitious performance targets.
When implemented alongside other cybersecurity strategies and controls, such as multi-factor authentication, Privileged Access Management (PAM), and endpoint security, the three above-described methods should reliably stop most social engineering attacks dead in their tracks.
Defeat Social Engineering Attacks With OSIbeyond
OSIbeyond can help you defeat social engineering attacks by providing security awareness training, randomized simulated phishing tests, advanced email filtering, and other cybersecurity services.
Our services are tailored to meet the needs of small and medium-sized organizations in Washington D.C., Maryland, and Virginia. Schedule a free consultation with us to address today’s and tomorrow’s social engineering threats.