Types Of Social Engineering | Neuways – Go Health Pro

In the wake of cyber attacks targeting casino giants MGM and Caesars, social engineering remains one of the most effective techniques cyber criminals employ. In these incidents, threat actors used a phone-based impersonation tactic, known as vishing, to manipulate an outsourced IT help desk into providing critical access, which paved the way for ransomware attacks costing millions. Below, we explain the various types of social engineering and describe the signs that your employees need to look out for to stay safe.

This highlights an uncomfortable truth: humans are often the weakest link in the cyber security chain. According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches involve human factors, such as errors, misuse of privileges, or victimisation by social engineering tactics.

Understanding and addressing the risks associated with social engineering is vital for organisations to safeguard data, financial assets, and reputation.

What Is Social Engineering?

Social engineering is a manipulation tactic in which threat actors exploit human behaviour to access data, credentials, or systems. These attacks rely on emotional triggers like fear, urgency, or trust and can involve various mediums such as email, phone calls, or spoofed websites.

Often, social engineering is not the end goal but the entry point to a more significant attack, such as ransomware or credential theft. For example, in the MGM attack, the initial impersonation led to access that enabled a widespread ransomware deployment.

The Social Engineering Attack Cycle

Social engineering attacks typically follow four stages:

  1. Information Gathering: Researching the target to identify vulnerabilities.
  2. Establishing a Relationship: Crafting a strategy, such as impersonating a trusted figure or sending a phishing email.
  3. Exploitation: Executing the attack, such as calling a help desk to gain access.
  4. Execution: Achieving the intended goal, whether credential theft or system infiltration.

These stages may repeat to ensure success, especially in more significant, multi-phase attacks.

Why Is Social Engineering So Effective?

Social engineering works because it targets the human element, often bypassing technical defences entirely. Employees may unknowingly share credentials or approve malicious actions, making them the most straightforward entry point for threat actors.

The financial rewards for attackers are significant. Business Email Compromise (BEC), a common form of social engineering, accounted for over $2.7 billion in losses in 2022 alone, with incidents rising annually.

7 Types of Social Engineering Attacks

Phishing

The most common social engineering tactic, phishing involves impersonating a trusted entity via email to steal credentials or deliver malware. Variations include:

    • Spear Phishing: Targeted attacks on specific individuals.
    • Whaling: High-value targets like executives or public figures.
    • Vishing: Phone-based phishing attacks.
    • Smishing: Phishing via SMS.

Business Email Compromise (BEC)

Attackers compromise an email account to send fraudulent requests, often for financial transactions. This low-effort, high-reward attack remains a top threat for industries like manufacturing.

Baiting

Threat actors lure victims with promises of free software or prizes to infect systems or steal information.

Scareware

Fake alerts trick victims into downloading malicious software by creating a sense of urgency.

Tailgating

A physical security breach in which attackers deceive employees into letting them into secure areas.

Shoulder Surfing

Eavesdropping or visually spying on a victim in a public setting to steal sensitive information.

DNS Spoofing

Threat actors poison DNS caches to redirect users to fake websites, capturing credentials and other sensitive data.

Mitigating Social Engineering Risks

Security Awareness Training

Leveraging Technology

  • Multi-Factor Authentication (MFA): Adds a layer of security to login processes.
  • Identity and Access Management (IAM): Implements Zero Trust principles, requiring verification for access.
  • Managed Detection and Response (MDR): Identifies and mitigates suspicious activities, such as unauthorised logins or unusual account behaviour.
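One correlation an MDR-style detection can make for the help-desk scenario described above: a help-desk MFA reset followed shortly by a sign-in from a device the user has never used. This is an added example, not Neuways' tooling or code from the original article; the log events and their field names (`helpdesk_mfa_reset`, `new_device`) are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): help-desk MFA resets and
# subsequent sign-ins. Field names are hypothetical.
EVENTS = [
    {"ts": "2023-09-10T09:00:00", "user": "jdoe", "type": "helpdesk_mfa_reset", "src": "ticket-4411"},
    {"ts": "2023-09-10T09:07:00", "user": "jdoe", "type": "login", "src": "203.0.113.7", "new_device": True},
    {"ts": "2023-09-10T10:00:00", "user": "asmith", "type": "helpdesk_mfa_reset", "src": "ticket-4412"},
    {"ts": "2023-09-11T08:00:00", "user": "asmith", "type": "login", "src": "198.51.100.3", "new_device": True},
    {"ts": "2023-09-10T11:00:00", "user": "bk", "type": "login", "src": "192.0.2.9", "new_device": False},
]


def find_suspicious_reset_chains(events, window=timedelta(minutes=30)):
    """Return (user, reset_ts, login_ts) for every help-desk MFA reset that is
    followed within `window` by a sign-in from a device the user has not used
    before. Resets followed by a known device, or by nothing inside the
    window, are not flagged."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_reset = {}  # user -> timestamp of most recent help-desk reset
    alerts = []
    for e in parsed:
        if e["type"] == "helpdesk_mfa_reset":
            last_reset[e["user"]] = e["ts"]
        elif e["type"] == "login" and e.get("new_device"):
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                alerts.append((e["user"], reset_ts.isoformat(), e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for user, reset_ts, login_ts in find_suspicious_reset_chains(EVENTS):
        print(f"ALERT: {user} reset via help desk at {reset_ts}, new-device login at {login_ts}")
```

In the sample data only `jdoe` is flagged: `asmith` signs in from a new device almost a day after the reset, outside the 30-minute window.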

Defend Your Business Against Social Engineering

At Neuways, our dedicated Threatsafe team provides advanced cyber security solutions to combat the various types of social engineering attacks. From implementing MFA and IAM frameworks to delivering employee training and managed detection services, we help businesses safeguard their people, data, and systems against evolving threats.

Don’t wait for an incident to occur. Contact Neuways today to build a more vigorous defence against social engineering and other cyber threats.
