Employees are vulnerable to social engineering attacks, which are the modern-day, high-tech form of the confidence scam. In business there is a constant inflow and outflow of data, and that information is controlled solely by employee discretion. This is unavoidable, but it does create a target-rich environment for social engineering attacks such as phishing and pretexting, and it can yield large payoffs for the malicious entity. Phishing is the attempt to gain business or personal information, usually through official-looking emails or other communications. Pretexting is a more detailed scam that incorporates a story line and direct contact with the victim to obtain confidential information. There are many different scam methods, and they can be very effective. Even professional security experts are prone to falling for some of the more sophisticated techniques.

Common Types of Attacks

Phishing

  • Usually emails that attempt to obtain personal information, such as names, addresses, and social security numbers.
  • Often appear to be from a legitimate business or agency.
  • Use embedded links that direct users to websites that appear legitimate but are really attack sites.
  • Some phishing emails are so poorly crafted that the messages exhibit obvious spelling and grammar errors.
  • Some look surprisingly realistic.

Spear phishing

  • Similar to phishing, but targeted to specific individuals.
  • May include some private information, such as account information, to add credibility.


Whaling

  • Similar to phishing, but targeted at corporate executives.
  • Goal is to acquire confidential corporate information.
  • May impersonate staff from another division, vendors, or even governmental organizations.


Pretexting

  • Attackers create a realistic pretext, or fabricated scenario, that they can use to try to steal their victims’ personal information.
  • These attacks commonly take the form of a fictitious authority who “needs” information from the target in order to confirm the target’s identity, or who needs the target to perform some function.
  • The attacker relies on building a false sense of trust with the victim.
  • An example of this would be an attacker who impersonates an external IT auditor and manipulates target staff into giving up login credentials.

Tailgating

  • An intruder who lacks the proper authentication follows an employee into a restricted area.
  • Also called “piggybacking.”
  • Often relies on normal courtesy.
  • Example: the intruder impersonates a delivery driver and waits outside a building. When an employee opens the secure door to enter, the attacker asks for the door to be held open, thereby gaining access.