Over the past month, we’ve talked about phishing, ransomware, spear phishing, identity fraud, and oversharing. We’ve also talked some about social engineering and how your information can be used against you to get you to give up sensitive or financial credentials to your accounts. Now we’d like to highlight the top 10 social engineering techniques cybercriminals use to get you to do what they want. For more on social engineering, check out KnowBe4’s full article on social engineering.
- Pretexting – where the criminal uses the information they already know about you to get you to give up even more. For example, a caller “verifying” your details reads back part of your information correctly but gets some of it wrong, so you “correct” them and hand over more of your information.
- Diversion Theft – often used to get someone to physically deliver goods somewhere other than the intended destination. It can also take the form of a fake emailed invoice that looks like a legitimate one, so you end up paying the cybercriminals instead of the real vendor.
- Phishing – email is the number one channel for phishing, and the message often masquerades as a trustworthy person you know or a business you work with, so it appears to come from a legitimate source. 77% of successful social engineering attacks start with a phish.
- Spear Phishing – a targeted phish with a specific purpose and a specific “pay-off.” Where phishing is typically large-scale and casts a wide “net” to catch whoever will bite, spear phishing is more of a long game in which a specific target is researched and the intention is a wide-scale data breach. According to KnowBe4 and Trend Micro, 91% of cyberattacks involving a data breach started with a spear phishing campaign. Spear phishing is also how CEO fraud scams are generally conducted.
- Water Holing – taking advantage of a website where people regularly gather, exploiting vulnerabilities in that site, and then infecting subsequent visitors with malware or gathering information to be used against them.
- Baiting – dangling a carrot of information to get someone to click on something or dropping a USB drive as “bait” to get them to load malware.
- Quid Pro Quo – getting something from you by offering you something in return. The classic case is a caller pretending to be IT support who says they need to load a patch and just needs access to your computer to do so. You grant them access, and the malware gets installed.
- Tailgating – where someone tries to gain physical access to an unauthorized area by following behind someone else through the door.
- Honeytrap – used against men, typically, to get them to give up information to an attractive female online.
- Rogue – malware that gets installed on your computer and then notifies you that you are infected. You call the number shown and pay to have the “malware” removed by the “tech support” team, when really they just wanted your credit card information, and you are out the money for the “fix”.
The more educated you are on these tactics, the easier it is to spot them. Social engineering is the number one way hackers get access because targeting people to give up credentials is usually the easiest way to gain access to network resources and/or data.