What are the types of social engineering attacks?

What is Social Engineering in Simple Words?

Most people think of cyber-threats as malware or a hacker exploiting vulnerabilities in software. However, social engineering is a threat where an attacker tricks a targeted user into divulging sensitive information by pretending to be a familiar person or service. The attacker might trick a targeted user into divulging their password, or the attacker could trick the targeted user into sending money by pretending to be a high-level executive. Attackers’ goals in a social engineering campaign vary, but generally, the attacker wants access to accounts or to steal the user’s private information.

How Does Social Engineering Work?

A threat actor might have a specific target in mind, or the attacker could cast a wide net to access as much private information as possible. Before a threat actor carries out a social engineering attack, their first step is to conduct due diligence on the targeted user or corporation. For example, the attacker could gather names and email addresses of the finance department staff from an organization’s LinkedIn page to identify targeted victims and standard operating procedures.

The reconnaissance phase is critical to the success of a social engineering attack. The attacker must fully understand the business’s organizational chart and target who has the authority to perform the actions necessary for success. In most attacks, social engineering involves the threat actor pretending to be someone the targeted user knows. The more information the threat actor collects about the targeted user, the more likely the social engineering attack will be successful.

With enough information gathered, the attacker can now carry out the next steps. Some social engineering attacks require patience to slowly build the targeted user’s trust. Other attacks are quick where the threat actor gains trust within a limited time by conveying a sense of urgency. For example, the attacker might call a targeted user and pretend to be an IT support staff member to trick the user into divulging their password.

What are the Steps to a Successful Social Engineering Attack?

Just like most effective cyber-attacks, social engineering involves a specific strategy. Each step requires thoroughness because the attacker aims to trick the user into performing a particular action. Social engineering involves four steps. These steps are:

- Information gathering: This first step is critical to social engineering success. The attacker collects information from public sources like news clippings, LinkedIn, social media, and the targeted business website. This step familiarizes the attacker with the inner workings of the business departments and procedures.

- Establish trust: At this point, the attacker contacts the targeted user. This step requires conversation and convincing, so the attacker must be equipped to handle questions and persuade the targeted user to perform an action. The attacker must be friendly and might try to connect with the targeted user on a personal level.

- Exploitation: After the attacker tricks the targeted user into divulging information, exploitation begins. The exploit depends on the attacker’s goals, but this step is when the attacker gets money, access to a system, steals files, or obtains trade secrets.

- Execution: With the sensitive information obtained, the attacker can now carry out the final goal and exit the scam. The exit strategy includes methods to cover their tracks, including avoiding detection by the targeted organization’s cybersecurity controls, which could otherwise warn administrators that an employee has just been tricked.

What is the Most Common Form of Social Engineering?

The term “social engineering” is a broad term that covers many cyber-criminal strategies. Social engineering involves human error, so attackers target insiders. The most common form of social engineering is phishing, which uses email messages. Under the umbrella of phishing are vishing (voice) and smishing (text messages). In a typical phishing attack, the goal is to obtain information for monetary gain or data theft.

In a phishing email, the attacker pretends to be a person from a legitimate organization or a family member. The message might ask for a simple reply, or the message will contain a link to a malicious website. Phishing campaigns can target specific people within an organization – spear phishing – or the attacker can send hundreds of emails to random users hoping that at least one falls for the fraudulent message. Untargeted phishing campaigns have a low success rate, but it doesn’t take many successful messages for an attacker to obtain necessary information for monetary gain.

The two phishing variants – smishing and vishing – have the same goals as a general phishing campaign but different methods. A “smishing” attack uses text messages to tell targeted users that they have won a prize and need to pay a shipping fee to receive their gifts. “Voice” phishing requires voice-changing software to trick users into thinking the attacker is someone from a legitimate organization.

What Percentage of Hackers Use Social Engineering?

Hackers use social engineering frequently because it works. Social engineering and phishing are often used in combination as a more effective way to trick users into sending money or divulging their sensitive information (e.g., network credentials and banking information). In fact, most emails received by individuals and corporations are spam or scam emails, so it’s critical to integrate cybersecurity with any email system.

It’s estimated that 91% of cyber-attacks start with an email message. Many of them prey on a sense of urgency so that targeted victims don’t have time to process that the messages are a scam. Only 3% of attacks use malware, leaving 97% of attacks to social engineering. In some sophisticated attacks, the targeted victim receives an email and then a follow-up call or message.

Is Social Engineering Illegal?

Social engineering is indeed a crime because it uses deceit to trick targeted victims into divulging sensitive information. The typical aftermath results in additional crimes in the form of fraudulently accessing a private network, stealing money or the user’s identity, and then selling private data on darknet markets.

Consumer fraud is common in social engineering attacks. The attacker pretends to be a legitimate organization giving away prize money in exchange for financial data or a small payment. After the targeted victim provides financial data, the attacker steals money directly from the bank account or sells the credit card number on the dark web markets. Identity theft and stealing money from targeted victims are serious crimes.

Some social engineering is classified as a misdemeanor and only carries fines and short-term jail sentences. If crimes involve larger monetary amounts or target several victims, they can carry higher sentences and larger fines. Some crimes lead to civil suits where victims win judgments against criminals and those involved in helping with social engineering scams.

How Common is Social Engineering?

It depends, but it’s estimated that social engineering is used in 95%-98% of targeted attacks on individuals and corporations. High-privilege accounts are a common target, and 43% of administrators within IT operations have reported being a target in social engineering attacks. Recent hires within IT operations are even more likely to be a target. Corporations say that 60% of new hires are targets rather than long-term current staff members.

Because social engineering is so successful, attacks based on phishing and identity theft increased by 500% in recent years. Identity theft isn’t the only goal for an attacker. A few other reasons social engineering is a primary attack vector include:

- Fraudulent account access for data or monetary theft
- Financial access to banking or credit card accounts
- Simple nuisance reasons

Is Social Engineering Ethical?

Social engineering is a crime, so malicious threat actors do not consider ethics when targeting individuals and corporations. Everyone is a potential target, so both individuals and employees should be aware of how social engineering is carried out. An attacker must know their target and perform reconnaissance before carrying out a social engineering campaign, so users should also understand the ways social engineering works.

The first red flag that indicates you’re the target of social engineering is that the caller or email sender will not answer any questions and discourages you from asking questions to clarify why they have an urgent request. Their requests may seem subtle, but they ask for sensitive information without answering any of your questions. In a legitimate financial transaction, an organization or bank answers as many questions as required until you feel comfortable with the actions they need you to take.

Another red flag is that most attackers rely on phishing messages and avoid voice conversations. If you ask to have a voice conversation with the requester, the attacker will typically refuse. This is not always the case, but it should tell you that the email sender may not be from a legitimate organization. In any scenario, you should hang up or stop communicating with the email sender and directly call the phone number on the company’s website.

Some social engineering is ethical. When you hire white-hat hackers to penetration test your cybersecurity, they will test all employees for their ability to detect social engineering attacks. In a penetration test, a certified ethical hacker calls employees to determine if they will divulge their network credentials, or sends phishing emails with a link that points to a simulated malicious website. They log every user who clicks the link and take note of users who enter their private network credentials. This activity helps organizations identify the employees vulnerable to social engineering and provide them with more education on cybersecurity protocols.

What is the Cost of a Social Engineering Attack?

According to the Federal Bureau of Investigation, social engineering costs organizations $1.6 billion globally. Organizations pay an average of $11.7 million annually for cybersecurity crimes.

A significant component in cost is the time it takes for organizations to detect a data breach, which is an average of 146 days. In a social engineering attack, it’s much more difficult for administrators and cybersecurity infrastructure to determine when an employee falls victim to an attack. Any employees with legitimate access can leave the environment vulnerable to attackers when they fall for a social engineering campaign and install malicious software, provide credentials to attackers, or divulge sensitive information.

What are the 5 types of social engineering?

The following are the five most common forms of social engineering attacks:

- Phishing
- Baiting
- Pretexting
- Scareware
- Business Email Compromise (BEC)

How many types of social engineering attacks are there?

Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let's focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, and tailgating.

What is the most common type of social engineering attack?

Phishing is the most common type of social engineering tactic and has increased more than tenfold in the past three years, according to the FBI. Phishing attacks occur when scammers use any form of communication (usually emails) to “fish” for information.

What are the six types of social engineering?

The six types of social engineering attacks are:

- Phishing: a social engineering technique in which an attacker sends fraudulent emails, claiming to be from a reputable and trusted source.
- Vishing and smishing
- Pretexting
- Baiting
- Tailgating and piggybacking
- Quid pro quo