We all know about the attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This type of malicious actor ends up in the news all the time. But they’re not the only ones making headlines. So too are “social engineers,” individuals who use phone calls and other media to exploit human psychology and trick people into handing over access to the organization’s sensitive information.

Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let’s focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, and tailgating.

1. Phishing

Phishing is the most common type of social engineering attack. At a high level, most phishing scams aim to accomplish three things:

  • Obtain personal information such as names, addresses, and Social Security Numbers;
  • Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages; and
  • Leverage fear and a sense of urgency to manipulate the user into responding quickly.

No two phishing emails are the same. There are at least six different sub-categories of phishing attacks. Beyond that, phishers invest varying amounts of effort in crafting their attacks, which is why so many phishing messages contain spelling and grammar errors.

A recent phishing campaign used LinkedIn branding to trick job hunters into thinking that people at well-known companies like American Express and CVS Carepoint had sent them a message or looked them up using the social network, wrote ThreatPost. If they clicked on the email links, recipients found themselves redirected to pages designed to steal their LinkedIn credentials.

2. Pretexting

Pretexting is another form of social engineering where attackers focus on creating…