What is Social Engineering?

Social engineering is when someone tricks people into making security mistakes or giving away sensitive information.

Social engineering attacks are increasing. The FireEye email threat report found a 26% increase in malicious URLs using HTTPS and a 17% rise in phishing attempts, along with more abuse of file-sharing services and new impersonation techniques.

Juniper forecasts that cybercriminals will steal an estimated 33 billion records in 2023, compared to the 12 billion records in 2018.

The five most common forms of digital social engineering attacks are:
Baiting
Scareware
Pretexting
Phishing
Spear Phishing

Baiting attacks exploit a victim's greed or curiosity with a false promise. The promise is a trap to steal personal information or to place malware onto target systems.

One method is to load malware onto flash drives and leave them where someone will pick up and use what looks like a legitimate drive.

Another common method is to run online ads that lead to malicious sites or that entice targets into downloading a malware-infected app.

Scareware tricks people into thinking their system is infected with malware and tells them to install defensive software. The software they install is the actual malware. Scareware is also called deception software, rogue scanner software and fraudware.

Pretexting often starts with someone pretending to need sensitive information to perform a critical task. They impersonate co-workers, police, bank and tax officials, or other persons with right-to-know authority. The attacker asks the victim to confirm their identity, and uses those questions to gather important personal data. They usually target social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

Phishing is one of the most popular social engineering attack types. A typical phishing scam is an email warning of a problem that supposedly requires a password change.

When a phishing attack impersonates a company:
Microsoft is impersonated 30% of the time.
OneDrive, Apple, PayPal and Amazon are each impersonated in 6%-7% of phishing attempts.
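As an added example (not from the original article), the following Python heuristic shows how a defender's mail filter can flag the pattern described above: a message that claims one of the brands listed but is sent from, or links to, a domain the brand does not own, combined with the password-change lure. The brand-to-domain mapping, the urgency word list and the two sample messages are constructed assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Constructed lookup (assumption): brands named on the page mapped to the
# domains a genuine message from that brand would be sent from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "onedrive": {"microsoft.com", "onedrive.com"},
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}
# Constructed list of words typical of the "problem requiring a password change" lure.
URGENCY = ("password", "verify", "suspended", "expire", "unusual activity")

def registered_domain(host):
    """Last two labels of a hostname; adequate for the sample domains used here."""
    return ".".join(host.lower().split(".")[-2:])

def score_message(from_header, subject, body):
    """Return (score, reasons) for one message; a higher score is more phishing-like."""
    reasons = []
    display, addr = parseaddr(from_header)
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # Which listed brands does the From: header claim to be?
    claimed = [b for b in BRAND_DOMAINS if b in (display + " " + addr).lower()]
    # Brand named in From: but the address is not on the brand's domain.
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims {brand} but sent from {sender_domain or 'unknown'}")
    # HTTPS alone proves nothing; check where each link actually points.
    for host in re.findall(r"https?://([^/\s>'\"]+)", body):
        link_domain = registered_domain(host)
        for brand in claimed:
            if link_domain not in BRAND_DOMAINS[brand]:
                reasons.append(f"link to {link_domain} in a message claiming {brand}")
    text = (subject + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        reasons.append("urgency lure: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample messages (not real mail).
PHISH = ("Microsoft Account Team <alerts@secure-login-update.net>",
         "Action required: password expires today",
         "Your password expires. Confirm at https://secure-login-update.net/reset now.")
LEGIT = ("Microsoft <account-security@microsoft.com>",
         "Your monthly statement",
         "View your statement at https://account.microsoft.com/billing")
```

Running `score_message(*PHISH)` flags all three signals, while `score_message(*LEGIT)` flags none; in practice such a heuristic feeds a spam score alongside SPF/DKIM results rather than blocking on its own.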

Spear phishing is a more targeted version of the phishing scam. The messages are tailored to the victim's characteristics, job position, and contacts so that the attack is less conspicuous. Spear phishing demands more information, effort and time from the criminal, but the attacks are much harder to detect and more successful than ordinary phishing.