Hackers that target a network are not always looking for vulnerabilities in a business’s cybersecurity technology. Instead, they may use social engineering to target employees without the right cybersecurity training.
Phishing and spear-phishing attacks are two examples of how hackers use social engineering to steal information, spread malware and break into secure networks.
Here’s how individuals and businesses can watch out for these attacks.
What Is a Social Engineering Attack?
In a social engineering attack, a hacker uses manipulation techniques to convince a person to breach security protocols — like downloading malicious software or handing over a password.
These attacks rely heavily on social interactions, often over email.
Phishing and Spear-Phishing: Common Social Engineering Attack Strategies
One of the most common types of social engineering attacks is the phish. In a phishing attack, hackers use address spoofing to cloak their email and pretend to be someone else.
Typically, they pretend to represent a reliable or trustworthy organization that the target has an existing relationship with — for example, Amazon, their bank or a government agency. In other cases, the hacker may pretend to be a co-worker or supervisor.
These requests for information or action rely heavily on manipulative language. The hacker will typically create urgency to panic the target and encourage them to forget security training.
For example, a phishing email that targets many individuals may appear to be an automated bank message letting the recipient know about unusual card activity. The email may request financial institution details or account information. It could also direct the recipient to a malicious link.
Spear-phishing is a variant of this type of attack. Instead of casting a wide net and attempting to gather large amounts of information from many targets, the hacker carefully selects a small number of people or even a single important individual.
Hackers often use the technique to break into the business network their target works for.
For example, cybercriminals that broke into Colonial Pipeline’s network in 2021 used credentials stolen through a spear-phishing attack.
Failure to properly defend confidential data can have serious consequences. For example, the SEC has charged “dark pool” operators after they were caught failing to secure trader data. The company agreed to settle and paid $2 million in penalties.
If an employee of a business falls victim to a phish and a hacker gains access to confidential data as a result, the company may face fines, fees and legal action.
Other Types of Social Engineering Attacks
Phishes are extremely common, but they’re not the only way hackers use social engineering as an attack vector.
With baiting, a hacker uses social engineering to encourage an employee to plug a USB drive containing malicious software into a secure device. For example, they may ask an employee to print out a resume or other important document using their computer.
Defending Against a Social Engineering Attack
Some people think hackers primarily attack networks by breaching systems and taking advantage of security exploits. However, a significant portion of successful hacks is due to a phish.
It’s often much easier to trick an employee into handing over credentials or installing a virus than it is to uncover vulnerabilities in a business’s cybersecurity strategy.
Social engineering attacks, primarily phishing and spear-phishing, are on the rise. Cybersecurity company F5 found that these attacks rose by 220% during COVID-19, and there’s no reason to believe this trend is about to reverse.
Fortunately, it’s usually easy for people to avoid a social engineering attack if they know what they’re looking for.
How to Spot a Phish
The typical phishing email tells a story to convince the target to take action — usually downloading a file, replying with information or clicking on a link. The narrative creates a sense of urgency that compels the target to act.
For example, the email may offer a special deal, recommend the recipient reset their password for an account or present an invoice for an item they never purchased. The message will likely be from a person or brand they trust and may include logos, branded headers or similar elements.
Sometimes, phishing emails will be poorly written and include misspelled words or unusual grammar. The information may be outdated or completely incorrect. The domain name may also be spelled wrong. However, not every phishing email will be written poorly, and it is possible to spoof the sender’s domain name.
A wide-net phishing email may use a generic greeting — like “Hello” or “Dear Customer” — while a spear-phishing email may begin with the target’s name or title.
The links in the email will likely lead to suspicious URLs rather than the official site of the brand the hacker is impersonating. The email may also have suspicious files attached. Recipients shouldn’t click any of these links or download anything.
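The indicators above can be checked mechanically before a message ever reaches a person. The following Python script is an added example, not code from the original article: it parses a raw email, compares the visible sender with the Return-Path, looks for lookalike spellings of a trusted brand domain (including a brand name buried in a subdomain), flags urgency phrases and generic greetings, and compares where each link says it goes with where it actually goes. The two sample messages, the trusted domain list and every domain in them are constructed placeholders.

```python
"""Heuristic phishing indicators over a raw email message (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for illustration only; every domain is a placeholder.
SAMPLE_EML = """\
From: "Example Bank Alerts" <alerts@examp1e-bank.com>
Return-Path: <bounce@mail-blast.example.net>
To: customer@example.org
Subject: Urgent: unusual card activity - verify within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Verify immediately or your account will be suspended.</p>
<p><a href="http://login.examp1e-bank.com.verify-now.example/">https://www.example-bank.com/security</a></p>
</body></html>
"""

BENIGN_EML = """\
From: "Example Bank" <alerts@example-bank.com>
Return-Path: <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Jane,</p><p>Your statement is available.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

# Assumption: a small allow-list of brand domains the recipient really deals with.
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is typical of a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the trusted domain this host imitates, or None.

    Every pair of adjacent labels is tested, so a brand buried inside a
    longer hostname (brand.com.attacker.example) is still caught, while the
    exact trusted domain and its real subdomains are not flagged."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:i + 2])
        for trusted in TRUSTED_DOMAINS:
            if candidate != trusted and edit_distance(candidate, trusted) <= 2:
                return trusted
    return None


def is_trusted(host):
    """True when the host is a trusted domain or one of its subdomains."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyze(raw):
    """Return a list of (indicator, detail) pairs found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender_host = parseaddr(str(msg.get("From", "")))[1].partition("@")[2].lower()
    bounce_host = parseaddr(str(msg.get("Return-Path", "")))[1].partition("@")[2].lower()
    # The envelope sender often betrays a spoofed From header.
    if bounce_host and bounce_host.split(".")[-2:] != sender_host.split(".")[-2:]:
        findings.append(("return_path_mismatch", f"{sender_host} vs {bounce_host}"))
    imitated = lookalike(sender_host)
    if imitated:
        findings.append(("lookalike_sender", f"{sender_host} imitates {imitated}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = (str(msg.get("Subject", "")) + "\n" + content).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("generic_greeting", "no personalised salutation"))

    parser = _LinkExtractor()
    parser.feed(content)
    for href, visible in parser.links:
        host = urlparse(href).hostname or ""
        # When the anchor text is itself a URL, it must agree with the real target.
        shown = urlparse(visible).hostname if visible.startswith(("http://", "https://")) else None
        if shown and shown != host:
            findings.append(("link_text_mismatch", f"shows {shown}, goes to {host}"))
        imitated = lookalike(host)
        if imitated:
            findings.append(("lookalike_link", f"{host} imitates {imitated}"))
        elif not is_trusted(host):
            findings.append(("untrusted_link", host))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, analyze(raw))
```

Running the script prints six indicators for the constructed phishing sample and none for the benign statement notice. The label-pair check in `lookalike` is deliberately narrow: it only compares against the short allow-list, so it produces no noise for unrelated domains, and a production filter would replace the naive last-two-labels comparison with the Public Suffix List and add SPF/DKIM/DMARC results from the receiving server.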
Following security news can also help people learn more about ongoing scams and phishing trends.
Avoid These Digital Social Engineering Attacks
Social engineering attacks take advantage of human interaction rather than exploits or vulnerabilities. Hackers who successfully phish a target may be able to infect computers or steal important information.
These attacks are on the rise, so it’s more important than ever to know how to spot them. People should be on the lookout for misspelled words, suspicious links and files to stay safe from a phish.