5 Common Examples of Social Engineering

The word "social" implies good times, sharing, and community. But in cybersecurity, "social engineering" has a dark, dangerous implication. Social engineering attacks are a rising and increasingly sophisticated threat. At the same time, security vendors like Mimecast are continually innovating the defenses against social engineering our human risk management platform.

What Is a Social Engineering Attack?

As its name implies, social engineering is a method of attack where the fraudster weaponizes personal information to target a user. The information could be a person's job title or duties, the name of a supervisor or top officer in the organization, or details about some important upcoming event. Often by impersonating other persons or organizations - peers, partners, or supervisors - the fraudster creates a convincing message that makes the receiver go along with malicious activities, such as unintentionally installing malware, transferring funds, or sharing sensitive information with cybercriminals.

Five Types of Social Engineering Attacks

Social engineering methods keep evolving along with the channels and technology available to fraudsters. Just as phishing has expanded beyond "click here for a prize" emails to "smishing" (by text), fraudsters have become more sophisticated in their use of social engineering. Thanks to social media and to the sale of databases of stolen information on the Dark Web, cybercriminals can acquire large stores of data to enable their attacks. Their approaches include:

• Whaling: Just as spear phishing uses information to target one user with a personalized message, whaling goes a step further to target a big fish in the organization. It's also known as CEO or CFO fraud for that reason.
• Pretexting: Usually, pretexting involves an email that appears to be from a vendor or partner, looking to solve an urgent issue. But this pretext is a way for the impostor to con the user out of passwords or sensitive information. For example, the fraudster may send an email, claiming to be a customer who needs access to a business account to pay an invoice.
• Quid pro quo: As the name implies, this kind of attack involves an exchange of information or services. The fraudster can impersonate an admin trying to "resolve" a technical issue, by asking the employee for access to their computer. Once the fraudsters are in, they can move around the network as that user, and access any files without being spotted by security.
• Watering hole: Cybercriminals sometimes target websites frequented by members of a particular industry or organization. The fraudsters infect the site with malware and wait for users to access the site and then carry the malicious code back to their servers.
• Angler phishing: This is a form of man-in-the-middle fraud where fraudsters intercept users posting about customer service issues on social media platforms. They impersonate the company, using a lookalike fake account, and post or DM the users, offering help. When the user responds, the fraudsters make off with their personal information or credentials, or trick them into downloading malware onto their networks. Not only does this attack hurt users, but it also damages the reputation of the company being spoofed.

Examples of Real Social Engineering Attacks

As some of the top phishing attacks in the last decade have shown, high-profile cybercrimes often involve a dose of social engineering:

• Whaling: The CEO and CFO of a European aerospace manufacturer lost their jobs after a whaling incident that cost the company over $47 million. An email, claiming to be from the CEO, asked an employee to transfer funds to support an acquisition. Both the email and the deal were fake, and the money went into an account held by the thieves. In terminating the officers, the board of directors said they should have done a better job protecting their emails.[1]
• Pretexting: A pretexting attack targeted two tech giants when a thief impersonated a hardware vendor and sent fake invoices, which were paid to offshore bank accounts. Nearly $100 million was stolen over a period of years in multiple attacks.[2]
• Quid pro quo: Phony tech support fraud surged along with the rise of remote work, turning what had been more of a consumer scam into a business risk.[3]
• Watering hole: An international aviation trade group affiliated with the United Nations was the unwilling partner of cyberspies. State-sponsored hackers infiltrated its network in 2016 and used it as a watering hole to breach member airlines and aviation authorities around the world for as long as a year.[4]
• Angler phishing: Security professionals in the UK spotted a rash of angler phishing attacks in 2016, targeting a number of British banks. The fraudsters created lookalike Twitter profiles that mimicked the banks' customer service accounts and used them to collect credit card and PIN numbers and other sensitive information from unsuspecting account holders.[5]

How Technology Can Block Social Engineering Attacks

As in so many cases of cybercrime, the best defense against social engineering attacks is security awareness training coupled with the use of an advanced human risk management platform.

Organizations must train all users to be skeptical of any messages requesting sensitive information, payments, or software installations, even if they seem to come from the boss.

When it comes to advanced business email compromise (BEC), employees should make sure the URLs in any emails actually match the organization they claim to represent, check that any links included in the email are spelled correctly (fraudsters often use lookalike addresses) and never share personal information over email. Organizations should also ensure the settings in their employees' workstations are tuned to see the extensions on email addresses, so they can spot phishing messages that are spoofing a legitimate sender by replacing a ".com", for example, with a ".org".

But awareness can only go so far, especially when attackers keep evolving their social engineering tactics. Artificial intelligence (AI) and machine learning are helpful in keeping up with the evolution of the fraudsters, building stronger defenses as they learn from current attacks:

• Automation can screen email traffic, searching for lookalike URLs, misspelled addresses, and suspect websites that can be signs of fraud in progress. Those emails can be flagged as suspect to the receiver with alerts showing their level of risk. The suspect emails can also be quarantined in a virtual "sandbox" where they can't infect any systems. Tools that prevent email trackers also stop tactics used to identify victims and refine messaging.
• AI can provide real-time protection to networks by analyzing user behavior. Not only can Al flag any activity that is out of the norm, such as a sender's location, but it can analyze the text and spot if it does not read as something that person would have sent. Identity graph technology powered by machine learning can match users to their usual context - the server and devices connected to a person's profile - and notice unusual behaviors that can signal an impostor is on the loose.
• AI and machine learning can also help adapt to changing tactics as fraud evolves, analyzing patterns and learning from them to continually improve threat detection models and change the rules that apply.

The Mimecast Human Risk Management Platform

All of these capabilities are delivered by the Mimecast Human Risk Management Platform. In response to customer and market demand for a more effective means of mitigating risk brought on by employee mistakes and user errors, like those exploited by social engineering attacks, Mimecast has charted a new path forward by developing a connected HRM platform. The platform provides unprecedented visibility into an organization's risk profile, scoring users by risk and allowing security teams to educate and protect the riskiest part of their employee base.

How Mimecast Can Help

The Mimecast HRM Platform has been designed by having human beings at the center of everything we do, aligning key protection and data controls to offer the most comprehensive approach to human risk management. With the Mimecast HRM Platform, organizations get a single solution that brings multiple products together to help protect collaboration, educate employees, and detect insider risk. This is the connected human risk management platform organizations need.

Mimecast is pioneering human risk management. The Mimecast HRM Platform and Mimecast Engage technology are the latest innovations in its mission to advance security and transform the way organizations manage and mitigate risk. By integrating security into the very fabric of human interaction, Mimecast is setting a new standard for protecting businesses in an increasingly complex digital world.

The Bottom Line

Social engineering is a growing issue in human risk, but the tools to counteract this practice are on hand. Security awareness training coupled with an advanced human risk management platform are the best defense, and can help security teams stay on point and evolve their defenses to block the attackers' latest tactics. Learn more about how the Mimecast HRM Platform can help your organization thwart social engineering attacks.

[1] "Aerospace firm, hit by cyber fraud, fires CEO," Business Insurance

[2] "How this scammer used phishing emails to steal over $100 million," CNBC

[3] "Phony Tech Support Scams Target Remote Workers during the Pandemic," Cognizant

[4] "Montreal-based UN aviation agency tried to cover up 2016 cyberattack, documents show," CBC News

[5] "Twitter phishing campaign targets customers of all major UK banks," ZDNet

Public link

Please use the above public link if you want to share this noodl on another website.