Phishing, Vishing, BEC

Social Engineering — Six Ways Criminals Try to Scam You

by Tony Richardson CISSP

How social engineering attempts to catch us all out, and make us do things we wouldn’t ordinarily do.

88% of all data breaches are caused by an employee mistake. Human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.  

Cyber criminals don’t just rely on exploiting vulnerable technology to steal from you. They also study human behaviour and use their knowledge to exploit human characteristics such as gullibility, curiosity, obsession with technology, impatience and the effects of burnout.

This is the world of social engineering, one of the most common methods of cyber attack. Its purpose is to trick people into performing a specific act — often downloading an attachment, clicking on a link or transferring money, among many others.

Social engineering is a fast-growing threat. In 2021, attacks reported to the FBI rose by 270%, costing a total of $6.9 billion, and this seems typical of the worldwide picture. And it’s a threat that can only be countered by education. So what are the most common strategies, and what can you do about them?

The Six Most Common Social Engineering Strategies

  • Phishing — Perhaps the most common type of attack, phishing involves sending a legitimate-looking message (email, text, social media etc.), tailored to look attractive to the target. It will most likely involve an invitation to download an attachment or visit a website, which will install malware or give the criminals access to sensitive data.
  • Vishing — A similar strategy via the phone, where the criminals convince the victim that they’re a bank, the police or another trustworthy organisation. The object may be to trick the victim into giving them crucial data or transferring money into an account belonging to the criminals.
  • Business email compromise — Also known as CEO fraud, this involves criminals creating convincing email accounts to impersonate senior executives of the organisation (such as the CEO). This enables them to convince employees to transfer money to a fraudulent account, or else to give them access to data such as wages and tax statements.
  • Romance scams — Also known as cat-fishing or honey traps, this is where the criminals develop an online relationship (normally but not always romantic) with the victim, through a fake profile on social media or dating sites. They may get vital information from the victim, or else request money to rescue them from some emergency situation.
  • Watering hole attacks — This is when criminals infect websites or apps the victim uses with malicious code. The code places software on the victim’s phone that allows the hackers to access the camera, microphone and text messages. This is most commonly used in cases of espionage.
  • Deepfake — You may have had fun with those apps that allow you to manipulate your photo to make you younger or the opposite gender, or swap your face with a celebrity. That’s harmless, but similar technology is used by criminals to alter photographs or videos in order to spread disinformation or create negative perceptions of their target.
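The business email compromise entry above describes the core trick: a message whose display name reads like a senior executive but whose mailbox the organisation does not control. The following is an added example, not code from the article or from SecuraPro, of the kind of inbound-mail check a mail gateway or SIEM rule can apply to surface that pattern for human review. It assumes a hypothetical organisation domain (`ORG_DOMAIN`), a constructed list of executive names, and constructed sample messages; none of these come from the page.

```python
# Added example (not from the article): flag inbound mail that shows the
# classic BEC impersonation signals described in the text.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: the organisation's own mail domain
EXECUTIVE_NAMES = {"jane doe", "sam patel"}  # constructed list of protected display names

# Characters criminals commonly swap in when registering a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _norm_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline for short domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True when the sender domain is not ours but is one homoglyph or one edit away."""
    domain = domain.lower()
    if domain == org:
        return False
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return folded == org or _edit_distance(domain, org) <= 1


def assess_message(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no BEC signal."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # Signal 1: an executive's name on a mailbox outside the organisation.
    if _norm_name(name) in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")

    # Signal 2: the sender domain imitates ours (typo or homoglyph registration).
    if is_lookalike_domain(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # Signal 3: replies are steered to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


# Constructed sample messages (headers only; bodies omitted for brevity).
SAMPLE_LOOKALIKE = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Subject: Urgent wire transfer\n\nPlease action today.\n"
)
SAMPLE_GENUINE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Subject: Board pack\n\nAttached as discussed.\n"
)
SAMPLE_WEBMAIL = (
    'From: "Sam Patel" <sam.patel@webmail.example>\n'
    "Reply-To: finance@other.example\n"
    "Subject: Quick favour\n\nAre you at your desk?\n"
)

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE),
                          ("genuine", SAMPLE_GENUINE),
                          ("webmail", SAMPLE_WEBMAIL)]:
        print(label, "->", assess_message(sample) or "no findings")
```

The three signals are independent, so a hit on any one is enough to route the message to the verification step the article recommends (confirming a transfer request with the executive out of band) rather than to the employee's inbox unmarked. The homoglyph table and edit-distance threshold are deliberately small; a production rule would also consult the organisation's registered lookalike domains and DMARC results.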

How to Counter Social Engineering

The weakness that creates vulnerability to social engineering attacks lies in people — their credulity and naivety. And that means the solution also lies in educating people.

As senior executives of an organisation, you should be running regular training sessions for your employees, raising their awareness of the threats and their responsibilities. It’s also useful to run phishing simulations, allowing them to experience and learn from the situations they’ll encounter in reality and teaching them not to accept anything at face value.

It’s vital that your organisation has strong policies and procedures in place around security, and that these are encouraged at all times. For example, an employee who checks up on a genuine request from a senior executive for a money transfer should be praised for their vigilance, not criticised.

Training to recognise and resist social engineering attacks, from board members down to the newest recruit, is the way to minimise the risk of your organisation joining those alarming statistics. Get in touch with us and find out how SecuraProTM can help your organisation provide that secure environment.
