Social Engineering Beyond the Inbox

Not all cyberattacks require high-tech wizardry to pull off. Attack vectors requiring technical knowledge certainly do occur, but a good portion of cyberattacks begin with simple social engineering.

The most common form of social engineering is phishing. However, it’s not the only form. In this blog, we’ll talk about phishing and several other forms of social engineering. But first, let’s talk about what social engineering is and why it’s so effective.

Psychological vulnerabilities

Hacking involves breaking into a network or device by exploiting vulnerabilities in code, IT infrastructure, the network, or device communications. Social engineering, on the other hand, exploits vulnerabilities in human psychology.

Humans are both wired and socialized to fall for some of these schemes. For example, one of the major social engineering techniques involves using authority to gain compliance. Most humans obey authority instinctively. That instinct gets reinforced throughout their lives by parents, teachers, police officers, and even doctors.

However, scammers can “borrow” this authority to achieve the same type of compliance from people and trick them into giving up money or personal information. For example, a scammer might pose as a technical support professional from Apple, claim the target’s computer was hacked, and ask them to install a “security” package that gives the attacker remote access to the machine. Tech support schemes like this one have been around for a while and don’t require hacking skills. However, criminals can also pose as other types of authorities like health officials, IRS officials, or private investigators.

While there are other vulnerabilities, we’ll save covering those for another day. Instead, it’s important to understand the different ways criminals launch their attacks.

Types of social engineering attacks

The most common social engineering attacks occur via email. Phishing schemes involve sending out bulk email attempting to lure recipients into giving up personal information. Spear-phishing involves a more targeted approach. Criminals perform reconnaissance against a high-value target like an executive, then craft extremely convincing emails based on the intelligence they’ve gathered.

Both attacks occur over email. However, social engineering attacks don’t stop with the inbox. Here are a few other common attacks:

VISHING

Voice phishing, or vishing for short, refers to phone phishing. Vishing is an easy method for scammers to make money because it’s easy to forge caller ID and use automated messages. In general, most people have become used to companies using automated voice messages, so scammers can take advantage of this. Plus, once someone answers, the scammer can get on the phone and guide the victim toward the desired outcome.

A common example might include someone using an automated voice system and dialer to call people from a fake caller ID (which helps conceal the scammers) claiming the victim has been hacked. Once the recipient responds, a human can get on the line and try to get them to install or remote access tools, giving the scammer control over the victim’s computer.

SMISHING

As texting has become more common, criminals have shifted toward using SMS messages to phish people (this is called smishing). People may receive a message like, “Your bank account has been compromised. Please click the link to unlock your account.” Once that occurs, the victim goes to the site and enters their bank credentials, which scammers then use to steal funds.

Smishing attacks aren’t as widespread as email phishing, but they’re becoming more common. In fact, some reports claim 15% of enterprise users have received a smishing message. It’s important to make customers aware of the dangers of clicking unsolicited links in their text messages.

SOCIAL MEDIA PHISHING

Ultimately, if there’s an easily usable communication method, criminals will find a way to weaponize it as a phishing tool. Social media is no exception. Creating false social media profiles can be an easy method of tricking people into giving up important information. A criminal may attempt to impersonate a friend by using their photos and name and ask for money via a link. Plus, people often have their guards down when using social media—especially on mobile—when compared to using work email.

BAITING

Baiting plays on people’s natural curiosity to get them to perform an action. Most commonly, this refers to someone leaving a piece of physical media like a USB drive lying around in plain view, assuming a passerby will then plug it into their computer to examine the contents. However, these USB drives often contain malware and start the process of compromising a system or a network.

TAILGATING

Another social engineering attack that occurs outside of cyberspace, tailgating refers to the practice of trying to enter an unauthorized physical area. One common method involves a criminal trying to get into a company’s building by asking an employee to hold the door for them and claiming they’ve forgotten their badge or key. This preys on people’s manners but can lead to employees letting malicious actors in just long enough for them to cause damage to the network.

PROTECTION AGAINST SOCIAL ENGINEERING

Social engineering requires strengthening the human element of security. Odds are good you already offer some form of user security training to keep users from falling victim. If you do, make sure your training goes beyond covering email threats like spam, attachments, and phishing to ensure customers also know to be careful on other channels like text or social media. Additionally, make sure your training reminds people to avoid using unknown physical media like USBs, CDs, or DVDs and to think twice before letting someone in the building. Also, consider providing frequent refreshers so people stay vigilant.

Another important thing to remember is social engineering is typically only one piece of a larger attack. For this reason, having other layers of security in place can make a major difference in your customers’ security postures. This means keeping up with patching, running frequent backups, and installing endpoint protection on devices.

SolarWinds^® RMM offers patch management, integrated backup, web protection, and email protection. You can also run advanced endpoint protection via SolarWinds Endpoint Detection and Response (EDR), powered by SentinelOne, alongside SolarWinds RMM to discover and fight back against advanced threats at the endpoint level. Learn more about both SolarWinds EDR and SolarWinds RMM today.

Jay Pitzer is Senior Manager, Product Marketing at SolarWinds MSP