We all know about the type of attacker who leverages technical expertise to infiltrate protected computer systems and compromise sensitive data. This breed of malicious actor makes the news all the time, prompting us to counter their exploits by investing in new technologies that bolster our network defenses.

However, there is another type of attacker who uses different tactics to get around our tools and controls. They are called “social engineers” because they exploit the one weakness found in every organization: human psychology. Using phone calls, email and other media, these attackers trick people into handing over access to the organization’s sensitive information.

Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let’s focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo and tailgating.

1. Phishing

Phishing is the most common type of social engineering attack that occurs today. But what is it exactly? At a high level, most phishing scams do three things:

  • Obtain personal information such as names, addresses and Social Security numbers.
  • Use shortened or misleading links that redirect users to attacker-controlled websites hosting phishing landing pages.
  • Incorporate threats, fear and a sense of urgency to manipulate the user into responding quickly.

No two phishing emails are the same; there are at least six different sub-categories of phishing attacks, and some are so poorly crafted that their messages suffer from spelling and grammar errors. Even so, these emails usually share the same goal: using fake websites or forms to steal login credentials and other personal data.
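The three traits above (a request for sensitive data, misleading or shortened links, and urgency language) are exactly what a first-pass email triage check looks for. The script below is an added example written for this article, not code from the original author; it parses the HTML body of a message, compares each link's visible text with where the link really points, flags known URL shorteners, and scans for urgency and sensitive-data phrases. The shortener list, the keyword lists, the “last two labels” approximation of a registrable domain and the sample emails are all constructed assumptions for illustration, not production-grade threat intelligence.

```python
"""Flag the classic phishing indicators in an email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small illustrative list; a real deployment would use a maintained feed.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Assumption: illustrative phrase lists for the "urgency" and "personal data" traits.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "urgent", "final notice")
SENSITIVE_TERMS = ("social security", "password", "date of birth", "account number")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude registrable-domain approximation: last two labels.
    Assumption: good enough for the demo; use a public-suffix list in practice."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_email(html, claimed_sender_domain):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    sender = registrable(claimed_sender_domain.lower())

    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in URL_SHORTENERS:
            findings.append(f"shortened link: {href}")
            continue  # cannot judge the destination without expanding it
        # Visible text that looks like a domain but resolves elsewhere: the
        # "www.examplebank.com" that really goes to an attacker host.
        if re.search(r"\b[\w.-]+\.[a-z]{2,}\b", text, re.I):
            text_host = host_of(text)
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"misleading link text '{text}' -> {href_host}")
        if href_host and registrable(href_host) != sender:
            findings.append(f"link leaves sender domain: {href_host}")

    plain = re.sub(r"<[^>]+>", " ", html).lower()
    urgency = [t for t in URGENCY_TERMS if t in plain]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))
    sensitive = [t for t in SENSITIVE_TERMS if t in plain]
    if sensitive:
        findings.append("requests sensitive data: " + ", ".join(sensitive))
    return findings


# Constructed sample messages (not real phishing mail).
PHISHING_EMAIL = """<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please <a href="http://bit.ly/3xyzAbc">verify your account</a> and confirm your
Social Security number at <a href="http://secure-login.example.net/verify">www.examplebank.com</a>.</p>"""

LEGIT_EMAIL = """<p>Your monthly statement is available at
<a href="https://www.examplebank.com/statements">www.examplebank.com</a>.</p>"""

if __name__ == "__main__":
    for label, body in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, analyze_email(body, "examplebank.com") or ["no indicators"])
```

The misleading-text check is the one worth keeping even if the keyword lists are discarded: a link whose anchor text names one domain while its href points at another is a structural tell that does not depend on the attacker's spelling or vocabulary.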

A recent phishing campaign used a compromised email account to send (Read more...)