The top 5 social engineering cyber-attack methods

Social engineering is the art of tricking employees into revealing sensitive corporate information. Hackers use psychological manipulation and well-researched ‘insider knowledge’ to dupe their victims. These tactics are commonly used to steal financial data or passwords to corporate accounts, or to gain access to devices in order to install malware or keyloggers. Whether a cyber-criminal or an ethical hacker is conducting the social engineering attack, the first step is to investigate the victim in question.

This involves identifying security weaknesses, researching employees on social media platforms and finding potential entry points through which the attack can be conducted. The perpetrator then works to gain the victim’s trust in order to convince them to violate security practices. Cyber-criminals favour these methods because it is far easier to exploit human judgement than to penetrate a well-secured infrastructure: breaching a network by technical means can take many hours and expert skill, whereas it takes seconds for an unsuspecting employee to click a phishing link and give away their password.
Social engineering tactics are also used by ethical hackers when conducting penetration tests. These can be carried out as a standalone security review or alongside other penetration testing methods such as internal and external network testing. Combining a range of testing methods gives a more conclusive picture of your overall security posture, which helps to identify your biggest weaknesses so that you can eliminate key risks and remediate vulnerabilities.

Why choose a social engineering penetration test?

Most security professionals agree that human error is the biggest security risk to their business. It doesn’t matter how tightly bolted your front door is: if your gatekeeper lets a ‘parcel delivery person’ walk straight into the office without confirming their identity, the security of your critical data is in jeopardy. Cyber resilience is not just about testing your technical security controls; you must also test the effectiveness of your physical security procedures. After all, around one quarter of all cyber breaches are attributed to human error.


What are the top 5 methods of social engineering attacks?

The term ‘social engineering’ covers a broad range of attack methods. These are the top 5 you should be looking out for.

  1. Phishing:

Phishing emails are the most prevalent type of social engineering attack. A phishing email attempts to dupe the recipient into believing it was sent by a legitimate source; the aim is to trick them into clicking a malicious link or revealing sensitive information (such as bank details or the password to their Office 365 account). To make the attack more believable, attackers often register domains that look very similar to the brand they are impersonating (which may be your own company).

There are many different types of phishing attack, including:

  • Spear phishing: In these email attacks, hackers pose as friends or colleagues. The attacker invests a lot of time researching detailed information about the victim, including their name, age, position, the language they use on social media and their likes and interests.
  • Whaling: Whaling is very similar to spear phishing, but targets senior leaders within the company such as directors or the CEO. These attacks can take months to execute effectively.
  • Angler phishing: In these attacks, hackers masquerade as customer service teams. They target unhappy customers who complain on social media (most commonly about banks) in an attempt to gain access to their accounts.
  • Vishing: This is fraud conducted over the phone. Criminals use social engineering tactics to coax victims into revealing private financial information or passwords to corporate accounts. When targeting businesses, hackers commonly pose as service desk engineers or the accounts department.
  • Smishing: This is similar to vishing but uses SMS to defraud victims. There were many Covid-19 smishing scams during the lockdown period. The hacker sends a malicious link which, if clicked, installs malware on the victim’s mobile device or leads to a fake login page.
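
The lookalike-domain trick mentioned above (a registered domain one typo, homoglyph or suffix away from the brand being impersonated) is something a mail gateway or a SOC triage script can check for. The following is an added example, not code from the original article or from Equilibrium Security: it classifies a sender domain against a list of domains you own, catching transpositions (`microsfot.com`), homoglyphs (`rnicrosoft.com`, `micr0soft.com`), wrong suffixes (`microsoft.co`) and brand-embedding (`microsoft.com.account-verify.net`). The suffix list and the homoglyph table are deliberately small assumptions for illustration; a real deployment would use the full public suffix list.

```python
"""Flag sender domains that look like a domain you own.

Added example, not code from the original article: the suffix list and the
homoglyph table are deliberately small and are assumptions for illustration.
"""
from __future__ import annotations

# Substitutions commonly used in lookalike domains. Both the candidate and the
# legitimate label are normalised with this table before comparison, so
# "rnicrosoft" and "micr0soft" both collapse to "microsoft". (Assumed table.)
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w",
}

# Minimal public-suffix list, multi-part suffixes first (assumption; use a
# full PSL in production).
KNOWN_SUFFIXES = ("co.uk", "org.uk", "ac.uk", "com", "net", "org", "uk", "io")


def normalise(label: str) -> str:
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (everything left of the suffix, suffix)."""
    domain = domain.lower().rstrip(".")
    for suffix in KNOWN_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    head, _, suffix = domain.rpartition(".")
    return head, suffix


def brand_label(domain: str) -> tuple[str, str]:
    """Registrable label and suffix: mail.example.co.uk -> ('example', 'co.uk')."""
    head, suffix = split_domain(domain)
    return head.rsplit(".", 1)[-1], suffix


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, so 'microsfot' is 1 away from 'microsoft'."""
    prev2 = prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(sender_domain: str, own_domains: list[str]) -> str:
    """'exact' for our own domain (or a subdomain of it), 'lookalike' for a
    typo, homoglyph, wrong-suffix or brand-embedding variant, else 'unrelated'."""
    s_label, s_suffix = brand_label(sender_domain)
    s_norm = normalise(s_label)
    whole = normalise(sender_domain)
    for own in own_domains:
        if (s_label, s_suffix) == brand_label(own):
            return "exact"
    for own in own_domains:
        o_norm = normalise(brand_label(own)[0])
        # Tolerate more edits for longer brand names; short names would
        # otherwise match far too many unrelated domains.
        limit = 0 if len(o_norm) < 5 else 1 if len(o_norm) < 10 else 2
        if s_norm == o_norm or edit_distance(s_norm, o_norm) <= limit:
            return "lookalike"
        if len(o_norm) >= 5 and o_norm in whole:   # brand.com.evil-host.net
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ["mail.microsoft.com", "rnicrosoft.com", "microsfot.com",
                   "microsoft.co", "microsoft.com.account-verify.net", "google.com"]:
        print(f"{sender:40} {classify(sender, ['microsoft.com'])}")
```

Run the check against the `From:` header domain and against every link domain in the body; a ‘lookalike’ verdict is a strong signal for quarantine, while ‘unrelated’ only means the domain is not impersonating you, not that it is safe.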

  2. Tailgating:

Tailgating is commonly used against large organisations where employees are unlikely to recognise every member of staff. The attack involves gaining access to an organisation’s physical office space: attackers ‘piggy-back’ behind employees by asking them to hold the door to a secured building. Once inside, another tactic is to ask to borrow a device or for the password to the corporate WiFi.

  3. Pretexting:

This attack involves impersonating a trusted person such as an IT manager or an authority figure within the business. If conducted convincingly, pretexting can be an effective way to pressure staff into transferring funds or revealing information about security weaknesses. Having established trust, the attacker asks the victim a series of questions, ostensibly so that the victim can ‘prove their identity’, which is in fact a way of manipulating them into revealing privileged data.

  4. Baiting:

Baiting lures the victim into clicking on, downloading or installing malicious ‘bait’. The bait takes many forms: it could offer enticing information such as a document detailing a financial bonus, or a memory stick left where it will be found, labelled ‘Business turnover summary 2020’. Once the payload runs on the user’s device, the hacker can reach the private network, steal business-critical data or monitor user activity.

  5. Rogue WiFi access point:

Hackers or penetration testers set up an ‘evil twin’ WiFi access point with the same or a very similar name to the corporate network. It is only a matter of time before an employee with a weak signal connects to the malicious AP instead. Once a user connects, the attacker can intercept their traffic and capture the credentials they present, which in turn provides an entry point to the private network.
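
An evil twin is visible to anyone who scans the airwaves: it is a radio broadcasting your SSID (or a near copy of it) from a BSSID you do not operate, often with weaker security than the real network. The following is an added example, not code from the original article or from Equilibrium Security, showing the triage logic a network team can run over scan output. The scan results, the inventory of authorised BSSIDs and the expected security modes are constructed for illustration; in practice they would come from `nmcli dev wifi list`, `netsh wlan show networks mode=bssid` or a wireless controller export.

```python
"""Spot evil-twin candidates in a Wi-Fi scan.

Added example, not code from the original article. SCAN, AUTHORISED and
EXPECTED_SECURITY are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # MAC address of the radio
    security: str     # "WPA2-Enterprise", "WPA2-PSK", "OPEN", ...
    signal_dbm: int


# Constructed sample scan: two genuine CorpNet radios, the guest network, and
# two rogues, an open AP reusing the CorpNet name and a near-identical SSID.
# Note both rogues are also the strongest signals, which is why clients and
# people pick them.
SCAN = [
    AccessPoint("CorpNet", "a4:56:02:11:22:33", "WPA2-Enterprise", -58),
    AccessPoint("CorpNet", "a4:56:02:11:22:34", "WPA2-Enterprise", -61),
    AccessPoint("CorpNet", "02:ab:cd:ef:00:01", "OPEN", -40),
    AccessPoint("CorpNet-Guest", "a4:56:02:11:22:35", "WPA2-PSK", -60),
    AccessPoint("Corp-Net", "02:ab:cd:ef:00:02", "WPA2-PSK", -42),
]

# Inventory of radios we actually operate, keyed by SSID (assumed values).
AUTHORISED = {
    "CorpNet": {"a4:56:02:11:22:33", "a4:56:02:11:22:34"},
    "CorpNet-Guest": {"a4:56:02:11:22:35"},
}
EXPECTED_SECURITY = {"CorpNet": "WPA2-Enterprise", "CorpNet-Guest": "WPA2-PSK"}


def canon(ssid: str) -> str:
    """Collapse case and punctuation so 'Corp-Net' and 'corpnet' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet marks a locally administered MAC, which is what
    most software APs (hostapd, phone hotspots, pentest tools) use by default."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def find_rogues(scan, authorised, expected_security):
    """Return [(access_point, [reasons])] for every AP that should not be trusted."""
    canon_map = {canon(s): s for s in authorised}
    findings = []
    for ap in scan:
        reasons = []
        if ap.ssid in authorised:
            if ap.bssid not in authorised[ap.ssid]:
                reasons.append("BSSID not in inventory for this SSID")
            if ap.security != expected_security.get(ap.ssid):
                reasons.append(f"security is {ap.security}, expected "
                               f"{expected_security.get(ap.ssid)}")
        elif canon(ap.ssid) in canon_map:
            reasons.append(f"SSID mimics {canon_map[canon(ap.ssid)]!r}")
        # Supporting evidence only: plenty of legitimate kit also uses these.
        if reasons and locally_administered(ap.bssid):
            reasons.append("locally administered MAC, typical of a software AP")
        if reasons:
            findings.append((ap, reasons))
    return findings


if __name__ == "__main__":
    for ap, reasons in find_rogues(SCAN, AUTHORISED, EXPECTED_SECURITY):
        print(f"{ap.ssid!r} {ap.bssid} {ap.signal_dbm} dBm")
        for reason in reasons:
            print("   -", reason)
```

The BSSID inventory is what makes this work: a scan alone cannot tell a twin from a new access point the network team installed last week, so keep the inventory current and treat any SSID match from an unknown BSSID as an incident until proven otherwise. Client-side, the mitigation is WPA2/WPA3-Enterprise with server certificate validation enforced in the device profile, so that a twin cannot simply ask for the user’s credentials.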


How to protect against social engineering attacks?

To protect your business against social engineering attacks, it is important to promote a culture built around strong cyber security practices. Employees need regular training to recognise key social engineering tactics. Although social engineering attacks are not always easy to spot, staff should be suspicious of any approach that provokes a state of fear or urgency, and cautious before opening email attachments, downloading software or clicking links in emails.

Regular social engineering penetration tests are a good way to test the resilience of your security procedures. They are a chance to identify your security weaknesses and to test the effectiveness of your employee training in a real-life scenario. Social engineering penetration tests can be conducted in the form of a simulated phishing attack, an onsite access assessment or a combination of both. As CREST certified penetration testers we are well placed to support your business with all your penetration testing needs. Call us on 0121 663 0055 if you would like to talk to a CREST penetration testing expert about your requirements.

Would you like to find out more about CREST penetration testing?

If you would like to chat to a member of our team you can call us on 0121 663 0055 or email zoe@equilibrium-security.co.uk