The 10 most common social engineering techniques - and how to protect yourself
by Tina Siering
If you think of cyberattacks as high-tech hackers who use cutting-edge malware to bypass corporate security measures in order to steal data or carry out blackmail attempts, you're not necessarily wrong. However, cybercriminals are much more likely to exploit a completely different vulnerability for their machinations: people and their mistakes. Social engineering is a form of cybercrime that is currently responsible for 98% of all attacks. In this article, you will learn what the 10 most common social engineering methods are and how you can reliably protect your company against them.
Method 1: Phishing
Phishing is a made-up word derived from "fishing". Phishing involves sending messages en masse that pretend to come from a genuine sender and ask the recipient to enter passwords or bank details. Other phishing messages contain links to compromised websites. The perfidious thing about phishing messages is that in many cases they cannot be distinguished from "real" messages. The attackers rely on psychology and interpersonal manipulation, often supported by emotional appeals, perfectly forged logos or addressing the recipient by name. The more professional the social engineer behind the phishing messages, the harder it is to detect the fraud attempt.
How do you protect yourself from phishing?
As with all activities on the Internet, the same applies to messages received: Think first, then click. First and foremost, look at the sender of the message. Does the sender's address match the data you have on file? If you have the slightest doubt, you should contact the sender in person before opening the message.
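The sender check described above (does the address match the data you have on file?) as an added Python example; this is not code from the original article. It goes slightly beyond the text by also flagging two common disguises: a display name that belongs to a known contact while the address does not, and a domain that merely resembles a known one. The address book and the From: headers are constructed.

```python
from email.utils import parseaddr

# Constructed address book: the "data you have on file" for known senders.
KNOWN_CONTACTS = {
    "tina siering": "tina.siering@example.com",
    "accounting": "accounting@example.com",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS.values()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (example.com vs examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Return 'ok' or a short reason why the From: header deserves a second look."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if "@" not in addr:
        return "unparseable sender address"
    domain = addr.split("@", 1)[1]
    # Trick 1: the display name is itself an address that differs from the real one.
    if "@" in name and name != addr:
        return f"display name shows {name} but the real address is {addr}"
    # Trick 2: a known contact's name on an address that is not on file for them.
    if name in KNOWN_CONTACTS and KNOWN_CONTACTS[name] != addr:
        return f"display name matches a known contact but address {addr} does not"
    if addr in KNOWN_CONTACTS.values():
        return "ok"
    # Trick 3: a domain one or two characters away from one you know.
    for known in sorted(KNOWN_DOMAINS):
        if domain != known and edit_distance(domain, known) <= 2:
            return f"lookalike domain {domain} (resembles {known})"
    return f"unknown sender {addr}"
```

Anything other than "ok" is a cue to contact the sender by a channel you already trust before acting on the message.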
Method 2: Spear Phishing
Spear phishing is even more perfidious. Spear phishing is a much more targeted, individual form of phishing in which the attackers target a selected victim. While conventional phishing is mostly about grabbing access data or bank details, in spear phishing social engineers aim to infiltrate a company. The actual attack is preceded by intensive monitoring of the victim - this can be a target person or a target organization. In this phase, the attackers gather insider information about the company, spy on employees or request confidential data from suppliers. The knowledge gained is then used to target selected individuals within the company. The attackers' goal: undetected entry into a corporate network.
How do you protect yourself against spear phishing?
Since the attackers are well-informed about the status quo of a company, its structure and internal knowledge before their actual activities, spear phishing attacks are incredibly difficult to detect. The best protection here is healthy mistrust!
Method 3: Quid pro quo
Free security checks of the company network, free products or help with urgent tasks: quid pro quo attacks rely on the principle of trust. One hand washes the other and both sides benefit - a good thing, in principle. In principle, because behind the supposedly fair exchange there is all too often a social engineering attack. In return for the free services, the attackers like to ask for login data or passwords - which are then used to carry out the actual cyberattack in the wake of the quid pro quo attack.
How do you protect yourself from quid pro quo attacks?
The old saying "what costs nothing is worth nothing" applies here too, and especially in the business environment. If you are offered free services or products for which you "only" have to hand over your network login data or password, you should be alert.
Method 4: Baiting
Closely related to the quid pro quo method is baiting. In this method, the social engineers offer "bait" in the form of free downloads or free products that can be requested easily and conveniently via an online form or by clicking on a link. Behind the supposed gift is malware that compromises the target's computer - or the data entered is immediately tapped and misused for further cyberattacks.
How do you protect yourself from baiting?
Nobody has anything to give away - not even on the Internet. If you are offered free software or products, you can always assume that you are being scammed. Delete such messages without even giving them another thought.
Method 5: Pretexting
Pretexting performs two functions at once. On the one hand, pretexting is a social engineering attack in its own right; on the other hand, the method forms the basis for many other cyberattacks mentioned here. Pretexting is best described as inventing extensive scenarios around a company that fraudsters can use to trick their victims into releasing personal information. The cyber attackers sometimes develop extremely complex stories around the business or even personal relationship with the selected victim. Pretexting relies on trust. There are virtually no limits to the lies that can be told - from websites set up especially for the attack, to specially created e-mail addresses, to the perfect disguise for the "on-site visit", no creative possibility is left out in order to obtain access data or internal company information. The friendly service technician who wants to take care of the company server can be just as much a social engineer as the supplier who asks the gatekeeper for admission or the financial officer who wants to clarify "a few unanswered questions about the last balance sheet" with the accounting department.
How do you protect yourself from pretexting?
Unfortunately, social engineers who practice pretexting are mostly masters of their trade. It is correspondingly difficult to reliably unmask the attackers. Always remain suspicious even of supposedly reputable visitors who do not know you personally - and rather ask once more by phone whether the person standing in front of you was really sent by the company mentioned.
Method 6: Tailgating
Social engineers do not always work purely digitally, as we have just seen from the example of pretexting. In tailgating, too, the social engineer leaves the digital world to physically penetrate areas of a company that are actually closed off. Whether as a new colleague in the company, as a supplier to your subcontractors, or as a service technician: in principle, a social engineer can hide behind even the most trustworthy façade.
How do you protect yourself from tailgating?
Be sure to check the background of new contacts who come to your company's doorstep and avoid giving out data prematurely or even authorizing access to sensitive areas of your company.
Method 7: Media Dropping
Maybe you have already misplaced or even lost a USB stick or a data CD. It happens - and everyone is happy when the small data carriers are found again. With media dropping, social engineers deliberately "lose" data carriers on the target company's premises - in such a way that there is a very high likelihood that they will be found by employees. The method is supported by the fact that the data carriers are often provided with labels or imprints that arouse curiosity and encourage the finder to open them. If the data medium finds its way into the finder's computer, malware is installed or bots are activated for DDoS attacks.
How do you protect yourself from media dropping?
Beware of all "found" media! Even though curiosity is only human - make sure that found USB sticks or CDs are never opened on a company computer!
Method 8: Scareware
Fear is a powerful motivator - and an extremely popular tool for social engineers to reach their target. Scareware exploits people's fear - by using automated tools to simulate a danger that does not actually exist. One example is a window that suddenly pops up on the screen, warning that the system has been infected with dangerous viruses or informing the user that criminal content has been found on the system. The pressure built up is intended to coerce victims into rash, hasty actions - for example, downloading the "only virus scanner that can solve the problem". Malware then lurks behind the hopeful click and is downloaded onto the computer.
How do you protect yourself from scareware?
Do not be frightened by the bad news on your screen - and above all, do not click on the links that are offered to you.
Method 9: Honeypots
Honeypots are opportunities that are perceived as exceedingly attractive and irresistible. In the economic sector, honeypots are primarily pretended business relationships that promise unique, profitable opportunities. In the private sector, honeypots often present themselves as lonely people in search of true love. In both cases, however, a social engineer is behind the honeypot and wants to use this method to obtain company internals, sensitive data or compromising material.
How do you protect yourself from honeypots?
An opportunity is too good to be true? If so, you can assume that a social engineer is trying to dupe you. Let the opportunity pass and ignore all attempts to contact you.
Method 10: CEO Fraud
In the case of CEO fraud (also known as the "boss trick"), the attackers impersonate a direct superior by e-mail or on the phone and put the person contacted under immense pressure. The means of pressure can include the demand for payment of a large sum to an unknown account abroad, the forwarding of data on which "the immediate success of the business" depends, or the handing over of access data to a technician who has to deal with an urgent emergency in the server room. This perfidious game of authority, strong pressure and utmost haste is based on the assumption that requests are seldom refused when they come directly "from above". CEO fraud is so successful because the attackers familiarize themselves with the company's circumstances in great detail beforehand - and can thus carry out the fraud with detailed knowledge that can convince even the most skeptical employee.
How do you protect yourself from CEO fraud?
With all due respect to superiors - caution should be exercised in all matters that deviate partially or even significantly from the usual work procedures. When in doubt, seek a direct, personal conversation with the supervisor and make sure the request is genuine.
Conclusion on the 10 most common social engineering methods
Social engineering combines digital and analog forms of cybercrime in a devious, but unfortunately also creative way. Many of the methods listed here are also combined by attackers - which can make social engineering even more insidious. With strong cyber security awareness and knowledge of the perfidious tactics of social engineers, users can protect themselves from this form of cybercrime. What exactly does this mean for organizations and companies? On the one hand, it means being more vigilant than ever - and sensitizing employees to current dangers from the Internet. Training that prepares for attacks raises awareness and prepares employees to respond quickly and early to cyberattacks if the worst happens. In combination with broad-based information campaigns on cyber security, this enables continuous awareness building within a company or organization.