What is it called when a hacker tricks an individual into disclosing sensitive personal information?

By George Rouse

Social engineering scams have been going on for years and yet users continue to fall for them every single day. In an effort to spread awareness of this tactic and fight back, here is a quick overview of social engineering.

By learning how to identify these attacks and improve cyber resiliency it makes avoiding threats like ransomware much easier.

Social engineering is a type of cyber attack that relies on tricking people into bypassing normal security procedures. To gain unauthorized access to systems, networks, or physical locations, or for financial gain, attackers build trust with users.

The theory behind social engineering is that humans have a natural tendency to trust others. This makes it easier to trick someone into divulging personal information than it is to hack an account.

To build trust, and then exploit it, social engineers follow a lifecycle to victimize their targets:

Investing. This phase allows the attacker to identify victims and determine the best method of attack
Hooking. Is when an attacker actually starts to engage with their victim and begins to create trust through messaging
Attacking. This is when an attacker finally deploys their method of attack and begins to collect the targeted data
Exiting. When the attacker has what they want, they will remove traces of malware and cover their tracks so they can move to the next victim

Because a social engineer’s strategy is built on trust, victims often don’t recognize they’ve been attacked until it’s too late.

The following are the five most common forms of social engineering attacks.

Phishing
Baiting
Pretexting
Scareware
Business Email Compromise (BEC)

Phishing attacks

Phishing attacks are one of the most common types of social engineering attacks. These attacks occur when the attacker sends an email or message to the target, which typically includes a link to a website that looks legitimate.

The goal is to get the target to enter their personal information and login credentials into the website by pretending it is something else, such as a popular site or service.

Common examples of phishing:

Emails from fake businesses asking for personal information.
Emails from fake financial institutions asking for bank account numbers and passwords.
Emails from government agencies asking for personal information.
Messages on social media sites that ask you to log in with your username and password.

Phishing messages are designed to convey a sense of urgency and sometimes fear with the end user. This time pressure is a key tactic in getting users to unknowingly give over their sensitive information.

Once the time pressure is applied there's two common types of capture methods that attackers use in phishing scams.

Ask the end user to “verify” their login information.
Phishing messages might claim a user's account has been breached or part of an annual security check. When a user clicks the target link it will go to a mocked-up login page that looks legitimate. However this login page is actually a capture point and users can unknowingly be handing over their login credentials.
Claiming the end user is the “winner” of a grand prize or lottery.
These types of attacks can be extremely costly and may involve requesting access to a bank account in which to deliver the winnings. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy. A successful attack often culminates in access to systems, lost data or finances.

It’s important to be aware that phishing campaigns can come in many different forms so it's vital to stay vigilant.

Baiting attacks

Baiting is as it suggests, it’s a type of cyber attack that involves enticing a users to engage with some type of media. These attacks come in two forms, digital and physical.

Digital Baiting Attacks

Baiting is one of the common methods of delivering malware or ransomware. In digital attacks, the attackers offer something such as a new song release or movie download. These files though don’t include what a user is expecting and instead are infected with malware that will encrypt or take control of your data. Attackers then normally charge for decryption or to return control of the data.

Physical baiting scams

These attacks are less common as they involve more effort to execute the delivery than digital attacks. Physical scams involve users finding or being sent items like a USB drive or CD that peaks a user's interest. For example, a corporate branded flash drive labelled “Executive Salary Summary Q3” that is left out on a desk for an end user to find.

Both of these types of attacks are baited social engineering. Once the bait is downloaded or used, malicious software is delivered directly into the end users system and the hacker is able to get to work.

Pretexting attacks

Pretexting is where a hacker uses a known connection to the end user and exploits that trust built up between contacts.

One of the common examples in attacks like this is where a hacker pretends to be a co-worker or service provider of the end user.

This type of scam might be an email to an employee from what appears to be the head of IT support or a chat message from an investigator who claims to be performing a corporate audit. In order to execute a task the hacker will ask for login credentials, as the end user believes that the hacker is a known connection they might hand over their credentials.

Pretexting is highly effective as it reduces human defenses to phishing by creating the expectation that something is legitimate and safe to interact with.

Due to this type of social engineering, its key is to educate users to never share their credentials with anyone, including any IT support professionals.

Quid Pro Quo

Quid Pro Quo social engineering attacks are all about give and take between the end users and the hackers. These types of attacks are less sophisticated than the other types of attacks and normally involve users being aware of what they are doing.

Similar to baiting, quid pro quo involves a hacker requesting the exchange of critical data or login credentials in exchange for a service or money.

For example, an end user has been let go from a company and they didn’t leave on good terms. Hackers might try to locate users like this by reading an upset social post or comment made online. Once they have found the user they might try to buy their old login credentials to attack their old company.

These types of attacks can be mitigated by keeping a tight control on user access controls.

Tailgating and Piggybacking attacks

Piggybacking, also called tailgating, is a type of social engineering attack that is primarily designed to target users in a physical environment.

One example of this is when an unauthorized person physically follows an authorized person into a restricted corporate area or system to gain access.

As more users return to the office environment attackers are looking to take advantage. One of the most common methods of piggybacking is when a hacker calls out to an employee to hold a door open for them as they’ve forgotten their ID card. Once hackers are in the office, they will try to access systems or “borrow” a laptop and see what they can use for their own benefit.

Social engineering attacks are both prevalent, tricky and take advantage of natural human instincts to be successful. These characteristics make them hard to spot and why it's critical for everyone to stay aware of the threat.

Best practices to protecting yourself social engineering attacks:

Never respond to a request for financial information or passwords. Legitimate organizations will never send a message asking for personal information.
Never share personal information such as passwords
Never plug in an unknown USB stick or digital media into your computer
Don’t unsubscribe from emails (this can be a tactic) just block email senders in your email client.
Educate employees and clients

It’s essential for all users with access to a network or systems to be aware of these various forms of social engineering to ensure corporate cyber security. If users know the main characteristics of these attacks, it’s much more likely they can avoid falling for them.

Protect your critical data with a reliable backup and recovery solution as a last line of defense

Datto SIRIS is a business continuity and disaster recovery (BCDR) solution built for manage service providers to protect their clients from data loss and minimise downtime.

Want to learn more about Datto SIRIS? Request a demo

Originally published by New Context.

One of the biggest weaknesses in any organization’s cybersecurity strategy is human error. Social engineering attacks take advantage of this vulnerability by conning unsuspecting people into compromising security and giving out sensitive information. Social engineers use various psychological hacks to trick you into trusting them or create a false sense of urgency and anxiety to lower your natural defenses. Attackers can then breach your physical or technological security to steal money or confidential information.

The only way to prevent being targeted by social engineering is to study the methods, psychological triggers, and technological tools these attackers use. Scammers use many different types of social engineering attacks, but some common giveaways can help you spot and avoid them.

To prevent a social engineering attack, you need to understand what they look like and how you might be targeted. These are the 10 most common types of social engineering attacks to be aware of.

1. Phishing

Phishing is the most common type of social engineering attack, typically using spoofed email addresses and links to trick people into providing login credentials, credit card numbers, or other personal information. Variations of phishing attacks include:

Angler phishing – using spoofed customer service accounts on social media

Spear phishing – phishing attacks that target specific organizations or individuals

2. Whaling

Whaling is another common variation of phishing that specifically targets top-level business executives and the heads of government agencies. Whaling attacks usually spoof the email addresses of other high-ranking people in the company or agency and contain urgent messaging about a fake emergency or time-sensitive opportunity. Successful whaling attacks can expose a lot of confidential, sensitive information due to the high-level network access these executives and directors have.

3. Diversion Theft

In an old-school diversion theft scheme, the thief persuades a delivery driver or courier to travel to the wrong location or hand off a parcel to someone other than the intended recipient. In an online diversion theft scheme, a thief steals sensitive data by tricking the victim into sending it to or sharing it with the wrong person. The thief often accomplishes this by spoofing the email address of someone in the victim’s company—an auditing firm or a financial institution, for example.

4. Baiting

Baiting is a type of social engineering attack that lures victims into providing sensitive information or credentials by promising something of value for free. For example, the victim receives an email that promises a free gift card if they click a link to take a survey. The link might redirect them to a spoofed Office 365 login page that captures their email address and password and sends them to a malicious actor.

5. Honey Trap

In a honey trap attack, the perpetrator pretends to be romantically or sexually interested in the victim and lures them into an online relationship. The attacker then persuades the victim to reveal confidential information or pay them large sums of money.

6. Pretexting

Pretexting is a fairly sophisticated type of social engineering attack in which a scammer creates a pretext or fabricated scenario—pretending to be an IRS auditor, for example—to con someone into providing sensitive personal or financial information, such as their social security number. In this type of attack, someone can also physically acquire access to your data by pretending to be a vendor, delivery driver, or contractor to gain your staff’s trust.

7. SMS Phishing

SMS phishing is becoming a much larger problem as more organizations embrace texting as a primary method of communication. In one method of SMS phishing, scammers send text messages that spoof multi-factor authentication requests and redirect victims to malicious web pages that collect their credentials or install malware on their phones.

8. Scareware

Scareware is a form of social engineering in which a scammer inserts malicious code into a webpage that causes pop-up windows with flashing colors and alarming sounds to appear. These pop-up windows will falsely alert you to a virus that’s been installed on your system. You’ll be told to purchase and download their security software, and the scammers will either steal your credit card information, install real viruses on your system, or (most likely) both.

9. Tailgating/Piggybacking

Tailgating, also known as piggybacking, is a social engineering tactic in which an attacker physically follows someone into a secure or restricted area. Sometimes the scammer will pretend they forgot their access card, or they’ll engage someone in an animated conversation on their way into the area so their lack of authorized identification goes unnoticed.

10. Watering Hole

In a watering hole attack, a hacker infects a legitimate website that their targets are known to visit. Then, when their chosen victims log into the site, the hacker either captures their credentials and uses them to breach the target’s network, or they install a backdoor trojan to access the network.

Social engineering represents a critical threat to your organization’s security, so you must prioritize the prevention and mitigation of these attacks as a core part of your cybersecurity strategy. Preventing a social engineering attack requires a holistic approach to security that combines technological security tools with comprehensive training for staff and executives.

Your first line of defense against a social engineering attack is training. Everyone in your organization should know how to spot the most common social engineering tactics, and they should understand the psychological triggers that scammers use to take advantage of people. A comprehensive social engineering and security awareness training course should teach staff to:

Determine whether an email has been spoofed by hovering over the sender’s name to make sure it matches the email address and checking the email address for spelling errors and other common giveaways.

Be suspicious of any unsolicited communication, especially from someone they don’t know.

Avoid downloading suspicious email attachments.

Hover over links in emails to make sure the website URL is valid.

Verify someone’s identity through an alternate contact method (e.g. in person or by calling them directly) before providing any sensitive information.

You also need to follow up your security awareness training with periodic tests to ensure your staff hasn’t become complacent. Many training programs allow for the administration of simulated phishing tests in which fake phishing emails are sent to staff members to gauge how many people fall for the social engineering tactics. Those staff members can then be retrained as needed.

Creating a positive security culture within your organization is critical for containing a social engineering attack that’s already happened. Your staff needs to feel comfortable self-reporting if they believe they’ve fallen victim to a social engineering attack, which they won’t do if they’re concerned about facing punishment or public humiliation. If these issues are reported as soon as they occur, the threat can be mitigated quickly before too much damage has occurred.

Finally, you need to implement technological security tools to prevent attacks on your organization and minimize the damage from any successful breaches. These tools should include firewalls, email spam filters, antivirus and anti-malware software, network monitoring tools, and patch management.