What is a social engineering attack? Examples

The biggest weakness in a cybersecurity strategy is humans, and social engineering takes advantage of a targeted user’s inability to detect an attack. In a social engineering threat, an attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials.

Tricking users into divulging sensitive information is nothing new in the world of cybersecurity. What has changed is the method of attack, the stories used to obtain information, and the sophistication of attacks from organised groups that incorporate other threats such as phishing. The term social engineering was first used in 1894 by Dutch industrialist JC Van Marken, but it’s been a method of cyber-attacks since the 1990s.

In the 1990s, social engineering involved calling users to trick them into divulging their credentials or providing the dial-in landline number that connected a threat actor to an internal corporate server. Now, attackers use social engineering to trick targeted users into sending potentially millions of dollars to offshore bank accounts, costing organisations millions in damages. In some cases, employees lose their jobs after the fallout and damages.

The lines between social engineering and phishing are blurred because they usually go hand-in-hand in a sophisticated attack. Social engineering usually involves masquerading as a legitimate employee (e.g., the CFO or CEO) or tricking an employee into thinking that the attacker is a legitimate customer in an effort to get the employee to provide the attacker with sensitive information or change account features (e.g., SIM swapping).

Regardless of the attacker’s goals, there are some clear signs that a communication is a social engineering attempt. One primary component in social engineering is playing on a targeted user’s fears and emotions. The attacker doesn’t want the targeted user digesting and contemplating the request, so social engineering relies on fear and a sense of urgency.

A few common traits in all social engineering attacks are:

The overall technique used in social engineering is using emotions to trick users, but attackers use several standard methods to push the user into performing an action (e.g., sending money to a bank account) and making the attack look more legitimate. Usually, the techniques involve email or text messages, because they can be used without voice conversations.
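As an added example (not from the original article), the following Python triage function scores an inbound email for the cues described above: an executive's display name on a mailbox that is not theirs, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and urgency language paired with a money or credential request. The organisation domain, executive roster, cue lists, weights and the sample message are all constructed for this example.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organisation's domain, its executive roster (display name -> genuine mailbox)
# and the lexical cues the article describes. Weights and threshold are illustrative.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_CUES = ("urgent", "immediately", "right away", "asap", "end of day")
ASK_CUES = ("wire", "transfer", "bank account", "gift card", "password", "verify your account")
THRESHOLD = 4

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw: str) -> dict:
    # Parse one raw RFC 822 message and collect named impersonation and pressure signals.
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    dom = domain_of(sender)
    signals = []
    # Whaling / CEO fraud: an executive's display name on a mailbox that is not theirs.
    genuine = EXECUTIVES.get(display.strip().lower())
    if genuine and sender.lower() != genuine:
        signals.append(("executive_display_name_spoof", 3))
    # Lookalike sender domain, e.g. a digit swapped in for a letter.
    if dom and dom != ORG_DOMAIN and difflib.SequenceMatcher(None, dom, ORG_DOMAIN).ratio() >= 0.8:
        signals.append(("lookalike_domain", 2))
    # Replies quietly routed to a mailbox other than the one that "sent" the message.
    if reply_to and domain_of(reply_to) != dom:
        signals.append(("reply_to_mismatch", 2))
    # The levers the article describes: urgency plus a request for money or credentials.
    if any(c in text for c in URGENCY_CUES):
        signals.append(("urgency_language", 1))
    if any(c in text for c in ASK_CUES):
        signals.append(("money_or_credential_ask", 2))
    return {"score": sum(w for _, w in signals), "signals": [n for n, _ in signals]}

def is_suspicious(raw: str) -> bool:
    return score_message(raw)["score"] >= THRESHOLD

# Constructed sample: a CEO-fraud style message impersonating the executive in the roster.
CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.private@reply-mail.net>
Subject: Urgent wire transfer needed today

Please process the wire to the vendor immediately. I'm in a meeting, don't call.
"""
```

A gateway would feed each inbound message to `score_message` and route anything at or above the threshold to quarantine or a reviewer, while tuning the cue lists and weights to its own false-positive tolerance.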

A few common techniques include:

Businesses are also targets for social engineering, so employees must be aware of the signs and take the necessary steps to stop the attack. It’s the responsibility of the organisation to educate their employees, so follow these steps to empower your employees with the tools to identify an ongoing social engineering attack:

Proofpoint knows that social engineering attacks are highly effective at targeting human emotions and mistakes. We have security awareness training and education programs that help employees identify social engineering and the phishing emails that work alongside these attacks.

We prepare users for the most sophisticated attacks and give them the tools necessary to react. Using real-world examples, employees will be prepared to identify social engineering and react according to the organisation's set security policies.

Social engineering attacks are a type of cybercrime based on deception.

In social engineering attacks, a term popularised by the hacker Kevin Mitnick, the attacker will pretend to be someone you trust, so users will be more likely to engage with the attack.

Regardless of who the attacker is impersonating in social engineering attacks, the goal is to extract money or account information from your company, such as a tax file number, log-in details for an email account or social networking site access.

What makes a social engineering attack so dangerous is the fact that it relies on human error as opposed to a software vulnerability, which can be easier to track.

In this article we dive into 7 types of social engineering attacks to be aware of.

1. Phishing

Phishing attacks are the most common type of social engineering attack, and they can be done over email, social media sites or SMS.

The purpose of a phishing attack is to trick victims into parting with sensitive data, personal information or even money.

In these attacks, information is stolen through malware delivered via a URL link; when victims click the phishing link, their operating systems may be compromised.

Phishing can be disguised to look like correspondence from any platform you may trust, such as a credit card company or a government organization.

2. Watering Hole

Watering hole attacks target a group of individuals, usually from the same IP address, with malicious code that causes malware to be downloaded onto a victim's device.

This malware allows hackers to see private information that is usually protected by information security, such as login credentials.

For this scam to work, malicious code is injected into public websites that the target frequently uses, making the attack harder to detect.

3. Whaling

This social engineering attack is similar to phishing, but the targets are key individuals within an organisation such as the CEO or finance manager.

This technique uses the same social engineering tactics as a spear phishing email, where an email or message is tailored to a specific individual, with the goal of soliciting a click or an attachment download in order to install malware.

4. Pretexting

A pretexting attack is based on gaining trust with users so they can be manipulated into providing sensitive information or revealing a vulnerability that can be used to the hacker’s advantage.

During this kind of attack, threat actors may contact a business acting as a software company with whom the business frequently works. By pretending to be someone trusted during pretexting attacks, it is easier for the hacker to ask for sensitive information without seeming suspicious.

When the attacker poses as a legitimate and ‘trusted’ business, users are more likely to disclose sensitive information because they believe it is going into safe hands.

5. Quid Pro Quo

Quid Pro Quo is a Latin term which means 'something for something', and in this kind of attack, a criminal will offer an exchange of services or information as a way to get what they want from their target.

Quid pro quo attacks can happen through websites, email addresses or even through a phone call. In these attacks, the criminal will offer some kind of service or benefit in exchange for information from the target.

6. Vishing

A vishing attack, which is not to be confused with phishing attacks, is a form of social engineering that relies on vocal communication. Phone numbers are easily accessible, and with technology such as A.I. it is easy for hackers to pretend to be someone else over a call to obtain sensitive information.

7. Baiting

This is a similar tactic to quid pro quo. However, instead of the attacker offering a service or benefit in return for data, hackers instead offer a reward to bait their victims.

The promise of a prize is an easy way to play on a human's sense of curiosity.