The most common social engineering attacks occur via email. Phishing schemes involve sending out bulk email attempting to lure recipients into giving up personal information. Spear-phishing involves a more targeted approach. Criminals perform reconnaissance against a high-value target like an executive, then craft extremely convincing emails based on the intelligence they’ve gathered.
Both attacks occur over email. However, social engineering attacks don’t stop with the inbox. Here are a few other common attacks:
Voice phishing, or vishing for short, refers to phone phishing. Vishing is an easy method for scammers to make money because it’s easy to forge caller ID and use automated messages. In general, most people have become used to companies using automated voice messages, so scammers can take advantage of this. Plus, once someone answers, the scammer can get on the phone and guide the victim toward the desired outcome.
A common example might include someone using an automated voice system and dialer to call people from a fake caller ID (which helps conceal the scammers) claiming the victim has been hacked. Once the recipient responds, a human can get on the line and try to get them to install remote access tools, giving the scammer control over the victim’s computer.
As texting has become more common, criminals have shifted toward using SMS messages to phish people (this is called smishing). People may receive a message like, “Your bank account has been compromised. Please click the link to unlock your account.” If the victim clicks, they land on the phishing site and enter their bank credentials, which scammers then use to steal funds.
Smishing attacks aren’t as widespread as email phishing, but they’re becoming more common. In fact, some reports claim 15% of enterprise users have received a smishing message. It’s important to make customers aware of the dangers of clicking unsolicited links in their text messages.
Social media phishing
Ultimately, if there’s an easily usable communication method, criminals will find a way to weaponize it as a phishing tool. Social media is no exception. Creating false social media profiles can be an easy method of tricking people into giving up important information. A criminal may attempt to impersonate a friend by using their photos and name and ask for money via a link. Plus, people often have their guard down when using social media—especially on mobile—when compared to using work email.
Baiting plays on people’s natural curiosity to get them to perform an action. Most commonly, this refers to someone leaving a piece of physical media like a USB drive lying around in plain view, assuming a passerby will then plug it into their computer to examine the contents. However, these USB drives often contain malware and start the process of compromising a system or a network.
Another social engineering attack that occurs outside of cyberspace, tailgating refers to the practice of trying to enter an unauthorized physical area. One common method involves a criminal trying to get into a company’s building by asking an employee to hold the door for them and claiming they’ve forgotten their badge or key. This preys on people’s manners but can lead to employees letting malicious actors in just long enough for them to cause damage to the network.
Protection against social engineering
Protecting against social engineering requires strengthening the human element of security. Odds are good you already offer some form of user security training to keep users from falling victim. If you do, make sure your training goes beyond covering email threats like spam, attachments, and phishing to ensure customers also know to be careful on other channels like text or social media. Additionally, make sure your training reminds people to avoid using unknown physical media like USBs, CDs, or DVDs and to think twice before letting someone in the building. Also, consider providing frequent refreshers so people stay vigilant.
Another important thing to remember is social engineering is typically only one piece of a larger attack. For this reason, having other layers of security in place can make a major difference in your customers’ security postures. This means keeping up with patching, running frequent backups, and installing endpoint protection on devices.
SolarWinds® RMM offers patch management, integrated backup, web protection, and email protection. You can also run advanced endpoint protection via SolarWinds Endpoint Detection and Response (EDR), powered by SentinelOne, alongside SolarWinds RMM to discover and fight back against advanced threats at the endpoint level. Learn more about both SolarWinds EDR and SolarWinds RMM today.
Jay Pitzer is Senior Manager, Product Marketing at SolarWinds MSP