Social engineering attacks exploit human emotions such as trust, fear, curiosity, and urgency to trick users into actions that compromise security. The usual goals of these scams are to steal money, capture authentication credentials, or extract private information. You are probably familiar with the best-known category, phishing, but there are other kinds as well, and the tactics are becoming more sophisticated and harder to detect than ever before.
Types of Phishing Attacks
Arctic Wolf lists 10 kinds of these attacks, starting with mass or spam phishing. These messages are sent to many users at once and are easier to detect because they rely on volume rather than quality; the scheme only has to draw in a small fraction of recipients. Spear phishing is personalized and targets specific people: the messages look legitimate, reference details about the recipient, and usually carry malicious links. Whaling is spear phishing aimed at high-value targets such as celebrities, government officials, and company executives.
Angler phishing, also named after the sport of fishing, starts when customers complain to or ask questions of a company on social media. Attackers who monitor those public posts then contact the customers from fake accounts posing as the company's support team and send them phishing messages.
SMS phishing (smishing) uses text messages, and vishing (voice phishing) uses phone calls and VoIP (voice over internet protocol) services. Quid pro quo phishing offers something in return for information (a prize, a refund, "tech support"), but the victim gets nothing except exposure to theft. URL phishing, where a malicious link is dressed up to look like a trusted site, and in-session phishing, where a fake login prompt appears while the user already has a legitimate session open, are two other examples.
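The spear phishing and URL phishing entries above both come down to a link that looks legitimate but is not. The following Python is an added example, not code from the original article or from Arctic Wolf: it extracts the links from an email body and applies the checks a mail filter or analyst would apply to each one (punycode or non-ASCII host, an "@" in the URL authority, a bare IP address, visible text that shows one site while the href goes to another, and brand typosquats or brand names buried as a subdomain of an unrelated domain). The protected-brand list and the sample message are constructed for illustration.

```python
# Added example (not from the original article): flag the link tricks that
# URL phishing and spear phishing emails rely on. The brand list and the
# sample message below are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brands this organisation wants to protect (assumption).
PROTECTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}

# Constructed sample: three phishing-style links and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account has been limited. Verify within 24 hours to avoid closure.</p>
<a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/signin</a>
<a href="http://xn--80ak6aa92e.com/">Update billing details</a>
<a href="http://192.0.2.10/update">Click here</a>
<a href="https://www.example.com/help">Help centre</a>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive; a real filter uses the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like URL phishing (empty list = clean)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    rd = registered_domain(host)

    # 1. IDN homograph: punycode labels or raw non-ASCII characters in the host.
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        findings.append(f"punycode/non-ASCII host {host}")
    # 2. "user@" in the authority: the browser connects to whatever follows the '@'.
    if "@" in parsed.netloc:
        findings.append(f"'@' in URL authority, real host is {host}")
    # 3. Bare IP address instead of a domain name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"raw IP address host {host}")
    # 4. Visible text shows one site while the href goes to another.
    m = re.search(r"https?://([^/\s]+)", text)
    if m and registered_domain(m.group(1)) != rd:
        findings.append(f"text shows {m.group(1)} but href goes to {host}")
    # 5. Brand abuse: close misspelling, or the brand as a subdomain of another domain.
    for brand in PROTECTED_DOMAINS:
        if rd != brand and levenshtein(rd, brand) <= 2:
            findings.append(f"typosquat of {brand}: {rd}")
        if host != brand and not host.endswith("." + brand) and brand in host:
            findings.append(f"{brand} embedded in unrelated host {host}")
    return findings


def scan_email(html: str) -> list:
    """Return [(href, findings)] for every link that triggered at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    results = []
    for href, text in extractor.links:
        findings = analyze_link(href, text)
        if findings:
            results.append((href, findings))
    return results


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(findings))
```

Run against the constructed message, the three hostile links are flagged and the legitimate help-centre link is not. The first link trips two checks at once (the visible text names www.paypal.com while the href lands on account-verify.net, and the brand appears only as a subdomain), which is the typical shape of a spear phishing lure.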
DNS, Physical and Ad-Based Social Engineering Attacks
DNS (domain name system) spoofing happens when attackers learn which sites a target visits and then plant forged records in the resolvers the target relies on (DNS cache poisoning). Requests for those sites are silently redirected to look-alike copies, where users may enter credentials or other sensitive information without noticing anything wrong. Tailgating and shoulder surfing are forms of physical social engineering: an outsider, or a disgruntled employee, gains access to information through deception or coercion, for example by following an authorized person through a secured door, stealing a key card, or watching over someone's shoulder as they type a password or read confidential material on a secured network.
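Planting a forged record in a resolver's cache means slipping the resolver a reply it mistakes for the genuine one, so it helps to see exactly what a resolver checks before it accepts a UDP reply. The Python below is an added example, not code from the original article: it builds minimal DNS responses in memory, parses them, and applies the standard acceptance checks (delivery port, transaction ID, QR bit, an echoed question section, and answers only for the name actually asked about). A spoofed reply that gets any of these wrong is dropped. All packets are constructed; nothing touches the network.

```python
# Added example (not from the original article): the checks a caching resolver
# applies before accepting a UDP reply, which is what a DNS spoofing attacker
# has to defeat. Packets are constructed in memory; nothing touches the network.
import struct


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:  # compression pointer to a name earlier in the packet
            ptr = ((ln & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_response(txid: int, qname: str, qtype: int, answers) -> bytes:
    """Build a minimal response with A records; answers = [(owner_name, ipv4)]."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    rrs = b""
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += encode_name(owner) + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def parse_response(buf: bytes) -> dict:
    """Parse the header, question and A records out of a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", buf, 0)
    off = 12
    qname, off = decode_name(buf, off)
    qtype, _qclass = struct.unpack_from(">HH", buf, off)
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def validate_reply(pending: dict, reply: dict, dst_port: int) -> list:
    """Reasons to discard `reply` for the outstanding query `pending`
    (keys: txid, qname, qtype, port = the UDP source port the query left from).
    An empty list means the resolver would accept and cache the answer."""
    reasons = []
    if dst_port != pending["port"]:
        reasons.append("reply arrived on a port we did not query from")
    if reply["txid"] != pending["txid"]:
        reasons.append("transaction ID mismatch")
    if not reply["flags"] & 0x8000:
        reasons.append("QR bit clear: not a response")
    if reply["qname"].lower() != pending["qname"].lower() or reply["qtype"] != pending["qtype"]:
        reasons.append("question section does not echo our query")
    for owner, _ in reply["answers"]:
        if owner.lower() != pending["qname"].lower():
            reasons.append(f"answer for {owner}, which we did not ask about")
    return reasons


if __name__ == "__main__":
    pending = {"txid": 0x1A2B, "qname": "www.example.com", "qtype": 1, "port": 41337}
    spoof = parse_response(build_response(0x1A2C, "www.example.com", 1,
                                          [("www.example.com", "203.0.113.5")]))
    print("spoofed reply rejected because:", validate_reply(pending, spoof, 41337))
```

The transaction ID and the source port together give the attacker roughly 32 bits to guess per outstanding query, which is why resolvers randomize both (RFC 5452) and why a resolver that reuses a fixed port is so much easier to poison. The last check is a simplified bailiwick rule: a reply for www.example.com must not be allowed to overwrite the cached record for some unrelated name it also happens to carry. Where the zone is DNSSEC-signed, signature validation adds a check that a spoofer cannot satisfy at all.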
Scareware is an ad-based social engineering attack that uses pop-ups on the user's screen. The pop-up claims the computer is infected and urges the user to buy or install the advertised anti-virus product for protection; the "product" on offer is usually the malware itself. Baiting dangles a lure, either a fake promise (a 75 percent off sale) or a threat ("your credit card account will be closed today"), to get users to click, download, or hand over sensitive information; the link or file then infects the system with ransomware or other malware.
Safeguard Your Company Against Social Engineering
Companies that prioritize cybersecurity understand how dangerous social engineering attacks are and build countermeasures into their enterprise-wide security plans. As noted earlier, employee education is crucial, but training once a year is not enough: people forget quickly, and attackers constantly devise new lures. Stay current on the latest scams and refresh the training at least once a month, ideally in short sessions tied to the scams your staff are actually receiving rather than one long annual course.
Email security also needs attention. If company inboxes are constantly flooded with phishing messages, the filtering in place is clearly not up to the task. Keep firewalls and every other security layer patched and updated on a regular schedule. Passwords deserve a caveat: forcing a rotation every 60 days, once standard advice, is no longer recommended by NIST (SP 800-63B) because it pushes users toward weak, predictable variations of the old password. Change passwords whenever there is any sign of compromise, and pair them with multi-factor authentication, which blunts credential phishing even when a password is captured.
Being proactive reduces how often employees encounter social engineering scams, but prevention and an incident response plan are equally important. TAG Solutions has comprehensive, customized solutions to address your cybersecurity needs, and our experienced team members stay up to date on the latest scams and technologies; we can also train your staff. Contact us at 800-724-0023 to learn more about our IT cybersecurity services.