Phishing is high on the list of cyber-security threats and is deployed against enterprises and SMEs alike, but it is far from the only one. Pretexting, baiting, quid pro quo attacks, and tailgating are some other prominent examples of security risks facing organisations, not to mention malware and ransomware.
Let's look at the most popular sorts of social engineering attacks and how they target their victims.
Phishing
Phishing is when attackers send emails or other communications with the intention of tricking employees and other individuals into sharing sensitive information, such as passwords or financial details.
While this type of cyber-attack is common, such attacks are becoming increasingly hard to spot. Many attackers now profile targets using social media to make their attempts to steal data look legitimate, sometimes posing as friends or co-workers. More carefully targeted attacks are referred to as spear phishing, while the standard variant tends to be used for a broader, less personalised approach.
Pretexting
Pretexting is also used to steal personal data, but in this case the attack is a form of social engineering designed to manipulate victims. When executing this form of attack, cyber-criminals will ask the victim for information to prove their identity, or may even pose as the victim's manager or HR personnel in a bid to scare them into acting quickly and rashly.
In some cases, these attacks are sophisticated enough to reveal digital weaknesses in an organisation that can be exploited with other forms of cyber-attack.
Baiting
Baiting is closely related to pretexting, but in this case the attacker offers an attractive reward or promise to trap the victim. The bait is just the beginning of this cyber-attack, as it typically gives the attacker an opportunity to deploy malware that will ultimately steal the sensitive information they want.
In many cases, attackers leave physical USB flash drives in locations where people will find them and plug them into their personal devices to see what they contain; in other cases, they direct victims to enter their credentials via malicious advertising.
Quid pro quo
Quid pro quo attacks seek to trick unsuspecting individuals into sharing information, but this variant is unique in that the attacker offers something in return for the desired action. As with baiting, this attack simply provides an inroad for hackers to launch a more damaging attack, whether it is ransomware or a Business Email Compromise (BEC) attack.
Quid pro quo attacks also stand out because of how much interaction is required from the attacker to carry them out, including negotiating and trading.
Tailgating
Tailgating can happen online or in the real world. In its physical form, attackers attempt to follow staff through doors that require security passes. This usually involves the attacker posing as a fellow employee or as maintenance staff, gaining access when doors are held open for them, or simply following staff through open doors, as the name suggests.
These attacks are often more effective when attackers target organisations with large workforces, where individuals are less likely to be surprised by unfamiliar faces. Once inside, attackers will seek to find sensitive and personal information that can be used to cause more serious data breaches.