Social engineering fraud is the practice of deceiving people into divulging sought-after information in order to commit fraud or identity theft, access a secured network, obtain trade secrets, sales and marketing plans, customer and supplier information or financial data, or simply disrupt business operations.

Social engineering is more effective than other hacking methods because it relies on human error rather than on finding and exploiting vulnerabilities in computer systems. It typically happens through email, text messages, online chat and phone calls.

With advancements in technology and modern security systems in place, hackers can’t break into systems easily. That’s why they target the weakest link in the security chain – the user. It’s much easier to trick someone into providing confidential information such as passwords, bank information and credit card numbers.

The world’s most notorious hacker, Kevin Mitnick, helped popularise the term ‘social engineering’ in the 90s with his book “The Art of Deception”. It contains real stories on why attacks are successful and how to prevent them.

Types Of Social Engineering Attacks

Hackers use different social engineering tactics to manipulate their target depending on how they deliver the attack, for example via email, the web, phone, USB drives or other means. Here are some of the most common social engineering tactics.

There are two major types of social engineering attack: remote and in-person.

1. Remote Attacks (Phishing)

Phishing is one of the most popular social engineering tactics attackers use to obtain sensitive information from their target. It is usually carried out via email, text messages and phone calls.

– Email Attacks

Attackers send a well-crafted email with a deceptive subject line to trick the recipient into believing the email is from a trusted source. The email may contain seemingly legitimate documents, logos, contact details or a link to a cloned website. The attack aims to create a sense of urgency so the user acts immediately. For example, you may receive an email prompting a password change or an invoice for payment, which sends your information or money to the attacker once submitted.

– Phone Call Attacks (Vishing)

A social engineer who attacks over the phone (often called “vishing”, for voice phishing) usually pretends to be someone the target expects to hear from, e.g. an account holder, business partner, staff member or trusted provider of your organisation. They typically gather the necessary background information before making the call to avoid raising suspicion.

– Spear Phishing

Spear phishing has the highest success rate. The attacker sends a personalised spear phishing email or calls the target, tailoring the approach to the target’s job title or technical skills. The attacker may pretend to be a colleague within the organisation or an IT consultant and pressure the target into handing over confidential information. Spear phishing attacks require months of preparation, which makes them harder to detect.

– Scareware

Scareware manipulates users through fear, deceiving the target with notifications of a supposed malware infection and suggesting they buy or download fake antivirus software to remove it. The “antivirus” is itself potentially dangerous software that can steal your personal information once installed. This type of social engineering attack is commonly encountered while browsing the internet or via email. Rogue security software and crypto miner lock are two of the most popular scareware tactics cybercriminals use.

2. In-Person/Onsite Attacks

In-person social engineering techniques are less common than remote attacks. Yet, they’re very effective because businesses usually focus on IT security, not physical threats.

– Shoulder Surfing

Shoulder surfing is a physical social engineering attack that uses direct observation techniques to steal information. The attacker stands beside someone and watches them enter their login credentials or PIN at an ATM.

– Tailgating

Tailgating is another onsite social engineering technique used by attackers seeking entry to restricted areas protected by biometrics, RFID cards or other electronic access control. The attacker waits for the right opportunity to walk in behind an authorised person, or finds out when the next scheduled maintenance visit is due and arrives dressed as a maintenance worker to get past the front desk.

– Key Loggers

Hardware and network devices often need technical servicing, and hackers take advantage of this. They may impersonate third-party onsite tech support and install a key logger on shared computer systems to capture usernames and passwords, which gives the hacker the access rights to control the workstations remotely.

– Baiting

Baiting is the social engineering equivalent of a Trojan horse. The attacker leaves a malware-infected flash drive in a public place, hoping someone will pick it up and plug it into their computer. Dropped USB drives are usually labelled “Confidential” or “Salary info” to entice the victim to open them, giving the hacker access rights once opened. Hackers also use online baiting, attracting their target with free goods in exchange for personal information.

How To Prevent Social Engineering Attacks

  • Educate staff on social engineering techniques with regular training.
  • Review company policies and processes for handling transactions and other essential business activities to ensure staff understand and follow the correct procedures.
  • Set spam filters to a high level and regularly check the spam folder for essential emails caught by accident.
  • Verify the sender’s email address and treat unsolicited emails as suspicious.
  • Increase device security with regular system updates and keep antivirus software up to date.
  • Enable multi-factor authentication (MFA), two-factor authentication (2FA) or two-step verification for an additional layer of security.
  • Always check that website URLs are correct when visiting websites. Online banking websites use extended validation (EV) SSL certificates to prove the legal entity behind the website.
  • Ensure staff know how to identify phishing emails or other scams received via text and email.
  • Ensure staff download files only from trusted websites and scan downloaded files with up-to-date antivirus software.
  • Be wary of file attachments from unsolicited emails.
  • Be wary of any tempting offers online, such as free giveaways.
  • Encourage staff to be aware of their surroundings and of tailgaters, to counter possible onsite attacks.
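Several of the email checks in the list above (verify the sender, distrust urgency, check where links really go) can be automated as a first-pass filter before a message reaches staff. The Python below is an added example, not code from the original article: it inspects a constructed sample message for a lookalike sender domain, a display name that borrows a trusted brand, a Reply-To pointing elsewhere, urgency wording in the subject, and links whose visible text differs from their real target. The trusted domain, brand name, keyword list and sample message are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation settings; digit-for-letter swaps catch lookalikes such as examp1e.com.
TRUSTED_DOMAINS = {"example.com"}
BRAND_NAMES = ("example bank",)
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(urgent|immediately|action required|suspended|overdue)\b", re.I)
LINK = re.compile(r'href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)<', re.I)
HOST_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def looks_like_trusted(domain: str) -> bool:
    """True when a domain is not trusted but normalises to a trusted one."""
    return bool(domain) and domain not in TRUSTED_DOMAINS \
        and domain.translate(LOOKALIKES) in TRUSTED_DOMAINS

def phishing_indicators(raw: str) -> list[str]:
    """Return the warning signs found in one raw email (empty list means none found)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    hits = []
    if any(b in name.lower() for b in BRAND_NAMES) and from_dom not in TRUSTED_DOMAINS:
        hits.append("display name claims a trusted brand but sender domain is not trusted")
    if looks_like_trusted(from_dom):
        hits.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        hits.append(f"replies go to {reply_dom}, not the sender's domain")
    if URGENCY.search(msg.get("Subject", "")):
        hits.append("urgency wording in subject")
    for href_host, text in LINK.findall(msg.get_payload()):  # visible text vs real target
        host, seen = href_host.lower(), (HOST_IN_TEXT.search(text) or [""])[0].lower()
        if seen and host != seen and not host.endswith("." + seen):
            hits.append(f"link text shows {seen} but points to {host}")
    return hits

# Constructed sample message (not real mail); a clean message from example.com returns [].
PHISH = """\
From: Example Bank Security <alerts@examp1e.com>
Reply-To: verify@mail-collector.test
Subject: Action required: your account will be suspended

<p>Log in at <a href="https://login.examp1e.com/reset">https://example.com/login</a> now.</p>
"""
```

Running `phishing_indicators(PHISH)` returns all five indicators; the heuristics are deliberately simple, so treat a hit as a prompt for the human checks above rather than a verdict.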

Social engineering can target anyone, regardless of business size or industry. Therefore, educating your team on social engineering and the tactics cybercriminals use can help manage risk exposure.

Contact Clear Insurance today to learn more about protecting your business from social engineering risk.

General Advice Warning: This advice is general and does not take into account your objectives, financial situation or needs. You should consider whether the advice is appropriate for you and your personal circumstances. Before you make any decision about whether to acquire a certain product, you should obtain and read the relevant product disclosure statement.

Clear Insurance Pty Ltd. ABN. 41 601 916 689. AFSL No. 548953.