Many different types of attacks fall under the umbrella of social engineering. Consequently, there is no strictly defined and comprehensive database or registry identifying all types of attacks. To get a good understanding of social engineering though, we have compiled a selection of the most commonly known attacks and how they work.
Understanding the methods of social engineering
Social Engineering Attacks manipulate a target with the goal to obtain data and abuse it maliciously. Attackers often pose as a trustworthy person via some sort of communication channels such as e-mail. Social engineering vectors are the methods or channels through which social engineering attacks are carried out.
In an attack scenario, attackers will use at least one of these channels to communicate with their target. The vector used can vary depending on the goals of the attacker and the characteristics of the target.
Personal contact information becomes increasingly accessible. E-mail addresses, phone numbers and names can often be found in online forms, social media, databases, or simply be purchased from third party vendors. Private data can get into the hands of criminals through data breaches. In the dark web , for example, exists an entire industry that trades personal & financial information.
The vectors and types of social engineering attacks
Vector: E-mail | Type: Phishing
E-mails are the most common attack vector. Accounting for 96% of successful social engineering attacks in the last year.
This social engineering attack is commonly known as phishing. Phishing attacks try to trick users into revealing personal information or act in a specific way like installing malicious software. They achieve this by exploiting human emotions and instilling the need to act immediately.
In the past, phishing attacks were mostly known for rather amateurish attempts to trick a recipient. In recent years, however, they have become increasingly sophisticated.
Vector: Phone calls | Type: Vishing
Vishing (voice phishing) is a type of phishing attack, where attackers impersonate a trusted figure to obtain sensitive information via phone. The most common vishing attacks are automated voice messages.These recorded messages instruct a victim to contact a phone number where the actual attack happens. Vishing attacks are not as frequent as e-mail phishing attacks but were observed to occur in 69% of companies in 2021.
Vishing attacks are mostly known for targeting elderly people to attain giftcards or cryptocurrency, but companies have been a major target of vishing as well. Especially, the financial sector.
Vector: Text messages | Type: Smishing
Smishing (SMS phishing) is a type of phishing attack conducted via text message. This type of attack works similar to phishing via e-mail. In contrast, to phishing attacks, smishing has to work with the limited format of text messages. They are, therefore, designed to request specific types of information or action. In 2021, smishing attacks were reported by 74% of all companies.
Smishing attacks have become increasingly popular with the rise of smartphone usage. Their success mostly derives from the fact that smartphone users have a higher chance to be catched off-guard in the midst of other actions.
Vector: Website | Types: Scareware, Baiting
According to the Global Anti Scam Alliance and Scamadviser 8.3% of all websites are scams. One of the more well-known examples are fake online shops. But not only scam websites can be a risk while surfing the web. Also legitimate websites can be compromised to bait or scare users into certain actions.
Scareware is malicious software that is offered to victims as a solution to a fictional problem. Victims are scared or shocked through a pop-up on a website to install software or contact a support. What makes scareware especially vicious is that victims are scammed for prolonged time as the software can be used to collect data, serve as an entry point for hacking attempts, or simply charge high service fees regularly.
Baiting is a type of attack that tries to lure users into certain actions by serving to good to be true offers. These attacks can be often seen as ads on websites.
Common scenarios are:
- Lottery prizes
- Fake dating profiles
- Heavily discounted products
Scareware and baiting attacks are often used to scout potential targets and collect personal/financial data. This data can be later utilized for other types of phishing attacks, sold on the darknet, or for blackmailing attempts.
Vector: Social Media | Type: Anglerphishing, Catfishing
Social media platform scams are increasing drastically. Two of the most prolific ones are angler phishing and catfishing.
Catfishing occurs when a victim is contacted by a very attractive fake profile of the (usually) opposite sex. These profiles are created to appeal to a specific audience. According to the FTC, so-called “romantic scams” have caused over $1.3 billion in damages to their victims over the past five years, more than any other FTC fraud category.
Catfishing attempts heavily rely on the human need to find a partner and be sexually active. For this reason, scammers usually target age groups and sex that are known to have the above needs particularly.
Angler phishing occurs when a bad actor is impersonating a legitimate customer service. While angler phishing can also occur via other vectors such as e-mail, it is especially common on social media platforms. This type of attack is usually used to acquire customer data for future frauds, scams, or simply to access the social media account of the victim.
With the advent of mobile communication, the internet, social media, and an increasingly globalized world people have become more and more connected. Social interactions are moving away from physical interaction into a digital format. This development creates a large surface for social engineering attacks.
While these attacks were initially more catered to easy-to-fool victims in badly crafted formats, they have become progressively sophisticated. Private users as well as companies are experiencing a soaring rise of malicious attacks. For this reason, it is of the utmost importance to raise awareness about these attacks so that damages can be minimized.