Different Social Engineering Attack Vectors

Social engineering is a style of hacking where the social engineer tries to trick someone into divulging sensitive information such as login credentials, a credit card number, or a social security number. Social engineering is also referred to as “human hacking”. Social engineers (SEs) use a variety of attack vectors to target their victims, such as email, text messages, fraudulent websites, social media, traditional phone calls, or even in-person contact.

A phishing email is an email sent by a SE that contains malicious code designed to steal information from you. The malicious code is activated when you click a link inside the phishing email. Phishing emails are specifically designed to entice the victim to click, and the hacker will use many different tactics to get them to do so.

Similar to phishing, smishing is when a SE tries to steal a victim’s information by sending them a malicious text message. The text message contains a link which either automatically downloads malicious software or tries to get the victim to install a malicious app on their device.

A fraudulent website is a website set up by a SE that’s meant to steal information or money from you. SEs are very good at setting up fraudulent websites, and they aren’t always easy to spot. Fraudulent websites typically use a domain name that is close to a well-known brand or company. What’s even more deceptive is that a fraudulent website can very easily adopt the look and feel of the actual website it is trying to mimic. Closely examine the domain name when you are visiting a website to make sure it’s spelled correctly.

Angler phishing is when a SE uses social media to try to steal information from a victim. Angler phishing, also known as social media phishing, is a relatively new attack vector social engineers are using. Admittedly, the tactic is very clever. Here’s how it works. A social engineer will open a fraudulent social media account on sites like Facebook and Twitter. The profile name will closely resemble a company you’re familiar with, and it will also imply they are a support representative from that company. For example: “BofA_Login_Support” (implying they are Bank of America technical support).
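Both the look-alike domain names described for fraudulent websites and the look-alike profile names used in angler phishing can be screened with the same heuristics. The following is an added example written for this article, not code from it: it undoes common character swaps (such as “1” for “l”), checks for a brand name hidden inside a longer name or used as a subdomain, and flags near-miss spellings. The brand list, the confusable table and the sample inputs are constructed for illustration, and host names are assumed to end in a single-label TLD.

```python
# Heuristic check for domains and social-media handles that mimic a brand.
# Added example, not code from the article. KNOWN_BRANDS, CONFUSABLES and the
# inputs in the usage are constructed; host names are assumed to end in a 1-label TLD.
import re
import unicodedata

# Substitutions attackers commonly use for visually similar characters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}
# Constructed sample list; "bofa" stands in for the abbreviation used in the article.
KNOWN_BRANDS = ["bankofamerica", "bofa", "paypal", "microsoft", "amazon"]


def normalize(label: str) -> str:
    """Lower-case, strip accents and separators, and undo common character swaps."""
    text = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    text = re.sub(r"[^a-z0-9]", "", text)  # drop '-', '_' and anything else
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_impersonated_brand(name: str, brands=KNOWN_BRANDS, max_distance: int = 1):
    """Return (brand, reason) if a host name or bare handle looks like an impersonation."""
    parts = name.lower().strip().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # registrable label, or the handle
    subdomains = parts[:-2]                              # labels left of the registrable one
    if label in brands:
        return None  # the genuine brand's own domain or handle
    normalized = normalize(label)
    for brand in brands:
        if any(normalize(sub) == brand for sub in subdomains):
            return brand, "brand name used as a subdomain of another domain"
        if normalized == brand:
            return brand, "confusable characters"
        if brand in normalized:
            return brand, "brand name embedded in a longer name"
        if edit_distance(normalized, brand) <= max_distance:
            return brand, "near-miss spelling"
    return None
```

Running it over constructed inputs such as `paypa1.com`, `BofA_Login_Support` or `bankofamerica.secure-login.example` returns the matched brand and the reason, while the genuine `bankofamerica.com` returns `None`.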

SEs use voice phishing because a certain generation of people tend to trust a phone call over other communication channels. Similar to how a social engineer is able to “spoof” the from address in an email phishing scam, they are also able to “spoof” the display name on a caller ID. In other words, the caller ID could read “Bank of America” while the social engineer is the one actually on the line.

In-person phishing is the ultimate, most brazen hacking tactic in the toolbelt of the social engineer. In-person phishing is when a social engineer physically shows up to your office under the guise of an alias and tries to steal information from you. Typically, the hacker will attempt to insert a USB drive into a computer or device that’s hooked up to your company’s network. The USB drive could contain software which automatically activates once it’s plugged in. Once the USB drive is plugged into a computer on your network, it could deploy a keystroke logger or a virus, copy out everything on your network, install ransomware, or more.

The threat of a successful malicious cyber incursion lies with a single employee unwittingly falling victim to a social engineering attack. That is, an employee clicks a malicious link in an email or text, or divulges sensitive information over the phone or on social media, which opens the door. Once the cyber criminal is in your system, it can lead to massive data loss, ransomware, or even a complete data wipe!

Given this, employee behavior is a critical component of keeping your data safe. You could have the most sophisticated cyber defense in the world, but if an employee unwittingly opens the front door, there’s not much you can do about it. Employee education plays a pivotal role in preventing social engineering attacks.