Top Social Engineering Techniques

Almost every type of cybersecurity attack contains some kind of social engineering. For example, the classic email and virus scams are laden with social overtones.

Along with desktop computers, mobile devices can be used in social engineering attacks against you in the digital world. However, it’s equally possible for you to encounter a threat in person. These assaults can also be combined and built upon one another to form a multi-stage scam.

Here are some common methods used by social engineering attackers:

Phishing Attacks

Phishing attackers pretend to be a trusted institution or individual in an attempt to persuade you to expose personal data and other valuables.

Attacks using phishing are targeted in one of two ways:

  1. Spam phishing, or mass phishing, is a widespread attack aimed at many users. These attacks are non-personalized and try to catch any unsuspecting person.
  2. Spear phishing and, by extension, whaling use personalized info to target particular users. Whaling attacks specifically aim at high-value targets like celebrities, upper management, and high government officials.

Anything you share, whether directly or through a bogus online form, travels straight to the scammer’s bank account. Even worse, you can be duped into downloading malware that contains the next phase of the phishing scam. Each phishing technique has a unique delivery method, including but not limited to:

  • Voice phishing (vishing) phone calls may be automated message systems recording all your inputs. Sometimes, a live person might speak with you to increase trust and urgency.
  • SMS phishing (smishing) texts or mobile app messages might include a web link or a prompt to follow-up via a fraudulent email or phone number.
  • Email phishing is the most traditional means of phishing, using an email urging you to reply or follow-up by other means. Web links, phone numbers, or malware attachments can be used.
  • Angler phishing takes place on social media, where an attacker imitates a trusted company’s customer service team. They intercept your communications with a brand to hijack and divert your conversation into private messages, where they then advance the attack.
  • Search engine phishing attempts to place links to fake websites at the top of search results. These may be paid ads or use legitimate optimization methods to manipulate search rankings.
  • URL phishing links tempt you to travel to phishing websites. These links are commonly delivered in emails, texts, social media messages, and online ads. Attackers hide links in hyperlinked text or buttons, use link-shortening tools, or register deceptively spelled URLs.
  • In-session phishing appears as an interruption to your normal web browsing. For example, you may see fake login pop-ups for pages you’re currently visiting.

Baiting Attacks

Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker. Typically, the lure is the promise of something free or exclusive. The attack usually ends with malware being installed on your device.

Popular methods of baiting can include:

  • USB drives left in public spaces, like libraries and parking lots.
  • Email attachments including details on a free offer, or fraudulent free software.

Physical Breach Attacks

Physical breaches involve attackers appearing in-person, posing as someone legitimate to gain access to otherwise unauthorized areas or information.

Attacks of this nature are most common in enterprise environments, such as governments, businesses, or other organizations. Attackers may pretend to be a representative of a known, trusted vendor for the company. Some attackers may even be recently fired employees with a vendetta against their former employer.

They make their identity obscure but believable enough to avoid questions. This requires a bit of research on the attacker’s part and involves high risk. So, if someone is attempting this method, they’ve identified clear potential for a highly valuable reward if successful.

Pretexting Attacks

Pretexting uses a deceptive identity as the “pretext” for establishing trust, such as directly impersonating a vendor or a facility employee. This approach requires the attacker to interact with you more proactively. The exploit follows once they’ve convinced you they are legitimate.

Access Tailgating Attacks

Tailgating, or piggybacking, is the act of trailing an authorized staff member into a restricted-access area. Attackers may play on social courtesy to get you to hold the door for them or convince you that they are also authorized to be in the area. Pretexting can play a role here too.

Quid Pro Quo Attacks

Quid pro quo is a term roughly meaning “a favor for a favor,” which in the context of phishing means an exchange of your personal info for some reward or other compensation. Giveaways or offers to take part in research studies might expose you to this type of attack.

The exploit comes from getting you excited for something valuable that comes with a low investment on your end. However, the attacker simply takes your data with no reward for you. 

DNS Spoofing and Cache Poisoning Attacks

DNS spoofing feeds your browser, or the DNS servers it relies on, false address records, so that entering a legitimate URL takes you to a malicious website instead. Once this has happened, the redirect persists until the bad records are cleared from every system involved.

DNS cache poisoning specifically plants false records for one or more legitimate domain names in your device’s DNS cache (or that of the resolver it uses), so that those names keep resolving to fraudulent websites.

Scareware Attacks

Scareware is a form of malware used to frighten you into taking an action. This deceptive malware uses alarming warnings that report fake malware infections or claim one of your accounts has been compromised.

As a result, scareware pushes you to buy fraudulent cybersecurity software, or divulge private details like your account credentials.

Watering Hole Attacks

Watering hole attacks infect popular webpages with malware to impact many users at a time. It requires careful planning on the attacker’s part to find weaknesses in specific sites. They look for existing vulnerabilities that are not yet publicly known or patched; such weaknesses are exploited as zero-days.

Other times, they may find that a site has not updated its infrastructure to patch out known issues. Website owners may choose to delay software updates to keep software versions they know are stable. They’ll switch once the newer version has a proven track record of system stability. Hackers abuse this behavior to target recently patched vulnerabilities.

Unusual Social Engineering Methods

In some cases, cybercriminals have used complex methods to complete their cyberattacks, including:

  • Fax-based phishing: When one bank’s customers received a fake email that claimed to be from the bank, asking the customer to confirm their access codes, the method of confirmation was not via the usual email / Internet routes. Instead, the customer was asked to print out the form in the email, then fill in their details and fax the form to the cybercriminal’s telephone number.
  • Traditional mail malware distribution: In Japan, cybercriminals used a home-delivery service to distribute CDs that were infected with Trojan spyware. The disks were delivered to the clients of a Japanese bank. The clients’ addresses had previously been stolen from the bank’s database.

Examples of Social Engineering Attacks

Malware attacks deserve a special focus, as they are common and have prolonged effects.

When malware creators use social engineering techniques, they can lure an unwary user into launching an infected file or opening a link to an infected website. Many email worms and other types of malware use these methods. Without a comprehensive security software suite for your mobile and desktop devices, you’re likely exposing yourself to an infection.

Worm Attacks

The cybercriminal will aim to attract the user’s attention to the link or infected file – and then get the user to click on it.

Examples of this type of attack include:

  • The LoveLetter worm that overloaded many companies’ email servers in 2000. Victims received an email that invited them to open the attached love letter. When they opened the attached file, the worm copied itself to all of the contacts in the victim’s address book. This worm is still regarded as one of the most devastating, in terms of the financial damage that it inflicted.
  • The Mydoom email worm — which appeared on the Internet in January 2004 — used texts that imitated technical messages issued by the mail server.
  • The Swen worm passed itself off as a message that had been sent from Microsoft. It claimed that the attachment was a patch that would remove Windows vulnerabilities. It’s hardly surprising that many people took the claim seriously and tried to install the bogus security patch — even though it was really a worm.

Malware Link Delivery Channels

Links to infected sites can be sent via email, ICQ and other IM systems — or even via IRC Internet chat rooms. Mobile viruses are often delivered by SMS message.

Regardless of the mode of distribution, the message will typically have intriguing or catchy wording that tempts the unwary user to click the link. Because the message carries only a link rather than an attachment, the malware itself never passes through the mail server, which is how it can slip past the antivirus filters there.

Peer-to-Peer (P2P) Network Attacks

P2P networks are also used to distribute malware. A worm or a Trojan virus will appear on the P2P network but will be named in a way that’s likely to attract attention and get users to download and launch the file. For example:

  • AIM & AOL Password Hacker.exe
  • Microsoft CD Key Generator.exe
  • PornStar3D.exe
  • Play Station emulator crack.exe

Shaming Infected Users out of Reporting an Attack

In some cases, the malware creators and distributors take steps that reduce the likelihood of victims reporting an infection:

Victims may respond to a fake offer of a free utility or a guide that promises illegal benefits like:

  • Free Internet or mobile communications access.
  • The chance to download a credit card number generator.
  • A method to increase the victim’s online account balance.

In these cases, when the download turns out to be a Trojan virus, the victim will be keen to avoid disclosing their own illegal intentions. Hence, the victim will probably not report the infection to any law enforcement agencies.

As an example of this technique, a Trojan virus was once sent to email addresses that were taken from a recruitment website. People who had registered on the site received fake job offers, but the offers included a Trojan virus. The attack mainly targeted corporate email addresses. The cybercriminals knew that the staff that received the Trojan would not want to tell their employers that they had been infected while they were looking for alternative employment.

How to Spot Social Engineering Attacks

Defending against social engineering requires you to practice self-awareness. Always slow down and think before doing anything or responding.

Attackers expect you to take action before considering the risks, which means you should do the opposite. To help you, here are some questions to ask yourself if you suspect an attack:

  • Are my emotions heightened? When you’re especially curious, fearful, or excited, you’re less likely to evaluate the consequences of your actions. In fact, you probably will not consider the legitimacy of the situation presented to you. Consider this a red flag if your emotional state is elevated.
  • Did this message come from a legitimate sender? Inspect email addresses and social media profiles carefully when getting a suspect message. There may be characters that mimic others, such as “torn@example.com” instead of “tom@example.com.” Fake social media profiles that duplicate your friend’s picture and other details are also common.
  • Did my friend actually send this message to me? It’s always good to ask the sender if they were the true sender of the message in question. Whether it was a coworker or another person in your life, ask them in-person or via a phone call if possible. They may be hacked and not know, or someone may be impersonating their accounts.
  • Does the website I’m on have odd details? Irregularities in the URL, poor image quality, old or incorrect company logos, and webpage typos can all be red flags of a fraudulent website. If you enter a spoofed website, be sure to leave immediately.
  • Does this offer sound too good to be true? In the case of giveaways or other targeting methods, offers are a strong motivation to drive a social engineering attack forward. You should consider why someone is offering you something of value for little gain on their end. Be wary at all times because even basic data like your email address can be harvested and sold to unsavory advertisers.
  • Are the attachments or links suspicious? If a link or file name appears vague or odd in a message, reconsider the authenticity of the whole communication. Also, consider whether the message itself was sent in an odd context or at an odd time, or raises any other red flags.
  • Can this person prove their identity? If you cannot get this person to verify their identity with the organization they claim to be a part of, do not allow them the access they are asking for. This applies both in-person and online, since a physical breach depends on you not checking the attacker’s identity.
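The sender check above (the “torn@example.com” versus “tom@example.com” trick) and the deceptively spelled URLs mentioned under URL phishing both rely on characters that look alike. The following Python example, added here and not part of the original article, folds such confusable sequences to one canonical spelling and compares a sender address or hostname against a constructed allow-list, flagging near-matches as lookalikes; the allow-lists and the confusables table are assumptions for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample allow-lists. A real deployment would load the contact
# directory and the organisation's known-good hostnames instead.
TRUSTED_SENDERS = {"tom@example.com", "alice@example.com"}
TRUSTED_HOSTS = {"login.example.com", "bigbank.example"}

# Visually confusable sequences, each folded to one canonical spelling so that
# "torn" and "tom", or "examp1e" and "example", compare as equal strings.
# The last five entries are Cyrillic letters that look like Latin ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def fold(text: str) -> str:
    """Lower-case, apply Unicode compatibility normalisation, then collapse
    confusable sequences, so lookalikes end up byte-identical."""
    text = unicodedata.normalize("NFKC", text.strip().lower())
    for lookalike, real in CONFUSABLES:
        text = text.replace(lookalike, real)
    return text


def classify(candidate: str, trusted: set, threshold: float = 0.9):
    """Compare a sender address or hostname against an allow-list.

    Returns ("trusted", match) for an exact allow-list entry, ("lookalike",
    match) when the folded form is identical or nearly identical to an entry
    (a red flag worth a phone call to the real contact), else ("unknown", None).
    """
    cleaned = candidate.strip().lower()
    if cleaned in trusted:
        return "trusted", cleaned
    folded = fold(cleaned)
    best, best_score = None, 0.0
    for known in trusted:
        score = SequenceMatcher(None, folded, fold(known)).ratio()
        if score > best_score:
            best, best_score = known, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ("tom@example.com", "torn@example.com", "tom@examp1e.com"):
        print(sample, "->", classify(sample, TRUSTED_SENDERS))
    print("login.exarnple.com", "->", classify("login.exarnple.com", TRUSTED_HOSTS))
```

A result of “lookalike” is only a prompt to verify out of band (a phone call to the real contact), not proof of an attack; an “unknown” result means the address is simply not on the allow-list.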
