What is the biggest vulnerability in your organization? Is it your firewall? The cloud? Could it be third-party integrations? Or is it something else entirely? Many companies, and many attackers, are coming to the realization that the easiest way into an organization is through its people. Social engineering attacks are skyrocketing, with major implications.
Social engineering can be incredibly effective. According to IBM’s 2023 Cost of a Data Breach Report, data breaches that started via social engineering tactics averaged more than $4.5 million in costs last year.
In this article, we’ll look at what social engineering attacks are and why they work so well. We’ll also explore the biggest threats in this area and how to defend against them.
What Is Social Engineering in Cybersecurity?
Social engineering attacks are not unique to the world of cybersecurity — they have been used by opportunistic criminals throughout human history.
Social engineering works by using trickery or psychological manipulation to exploit a victim. Shady street performers who use rigged shell games to swindle gullible passersby out of their pocket change use social engineering. And now, so do the most sophisticated and experienced cybercriminals in the world.
There are many different types of social engineering attacks. They typically target human error and take advantage of common cognitive biases and mistakes. They can be extremely convincing, and are now both very common and highly dangerous.
In their 2024 Data Breach Investigations Report, Verizon found 3,661 social engineering incidents. Not only are these incidents a hassle to resolve, but the financial impact can be devastating.
Types of Social Engineering Attacks
What are the main types of social engineering attacks to look out for in 2024 and beyond? Let’s explore the most common threats and how they work.
1. Ransomware
Ransomware is one of the most well-known cybersecurity threats and has caused some of the biggest breaches in history. Ransomware attackers typically infiltrate an organization, encrypt critical data and systems so the business cannot use them, and demand payment for the decryption key. Increasingly they also copy the data out before encrypting it and threaten to publish it if the ransom is not paid.
And it works. The average ransom payment is rising, going up by 32% in 2022 to $233,817. One victim that year was Toyota Motor Corp, which suspended operations at 14 plants in Japan for a day after a suspected ransomware attack on one of its parts suppliers halted its just-in-time supply chain.
But wait a minute: ransomware doesn't fit the definition of social engineering, so why is it at the top of the list?
Two reasons. First, the initial foothold for a ransomware attack often is a social engineering attack, usually a phishing email or a fraudulent call to the help desk. Second, the extortion phase has become a manipulation exercise in its own right. The trend now is double extortion; in 2023, one vendor reported a 75% increase in this tactic. Attackers research their victim and quote figures from annual reports and quarterly earnings statements in the ransom note, to show the company can afford to pay and to pressure it into doing so.
Once the victim is on the ropes and has paid to decrypt its data, the attackers follow up with a gut punch: they demand a second payment not to post the data they stole to the web. These tactics are, unfortunately, wildly successful.
2. Phishing
Phishing is another well-known social engineering tactic. Attackers contact their victim by posing as a trusted source like a member of the organization, a banking provider, or a friend. They then extract crucial information from the victim by asking for it outright or directing them to a fake login page.
Today's phishing campaigns are more advanced than ever and extend beyond email: vishing uses phone calls (increasingly with AI-cloned voices), and smishing uses SMS messages.
A well-known phishing attack hit healthcare provider Elara Caring in December 2020. From just two compromised employee email accounts, attackers gained access to the records of more than 100,000 patients, including names, bank account details, and Social Security numbers.
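Most phishing lures depend on a domain that looks like one you trust. The following script is an added example for this article, not code from the original page or from DYOPATH: it classifies a URL, e-mail address or bare host name as trusted, a userinfo trick (https://paypal.com@evil.test/), a trusted name buried as a subdomain, a homoglyph or digit-swap lookalike, or a one-keystroke typosquat. The allowlist TRUSTED_DOMAINS, the CONFUSABLES table and every sample input are constructed for the example; a real deployment would load its own brand and supplier list and use the Public Suffix List instead of the crude last-two-labels rule.

```python
# Added example, not from the original article. Flags sender/link domains that
# impersonate a trusted domain. The allowlist and test inputs are constructed.
import re
import unicodedata

# Constructed allowlist; in practice, load your own brands, partners, and suppliers.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "dyopath.com"}

# Small homoglyph table: Cyrillic code points that render like Latin letters,
# plus the digit-for-letter swaps typical of typosquats. Deliberately not exhaustive.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ӏ": "l", "ı": "i",
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def skeleton(name: str) -> str:
    """Fold a domain name to an ASCII 'skeleton' so lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.lower()):
        if unicodedata.combining(ch):      # drop accents: 'ä' -> 'a'
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Real code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def authority_of(target: str) -> str:
    """Return the authority part of a URL, e-mail address, or bare host name."""
    t = target.strip().lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", t)
    return m.group(1) if m else t.split("/", 1)[0]


def classify(target: str) -> str:
    """Return 'trusted', 'userinfo_spoof', 'subdomain_spoof', 'lookalike', 'typosquat' or 'unknown'."""
    authority = authority_of(target)
    is_url = "://" in target
    if "@" in authority:
        if is_url:
            # https://paypal.com@evil.test/ : browsers ignore everything before '@'
            return "userinfo_spoof"
        authority = authority.rsplit("@", 1)[1]   # e-mail address: keep the domain
    host = authority.split(":", 1)[0]             # drop any port
    try:
        ascii_host = host.encode("idna").decode("ascii")   # IDN -> punycode form
    except UnicodeError:
        ascii_host = host
    reg = registrable(ascii_host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # 1. trusted name buried as a subdomain: paypal.com.account-verify.test
        if ascii_host.startswith(trusted + ".") or ("." + trusted + ".") in ascii_host:
            return "subdomain_spoof"
    for trusted in TRUSTED_DOMAINS:
        # 2. homoglyph or digit swap: Cyrillic 'а' in pаypal.com, or paypa1.com
        if skeleton(registrable(host)) == trusted:
            return "lookalike"
    for trusted in TRUSTED_DOMAINS:
        # 3. one keystroke away: paypal.co, micosoft.com
        if edit_distance(reg, trusted) <= 1:
            return "typosquat"
    return "unknown"
```

Run classify() over the From: domain and every link in an inbound message; anything other than "trusted" or "unknown" is worth quarantining or at least banner-warning the recipient. The punycode step matters because an internationalized domain arrives in mail headers in its xn-- form, so comparing skeletons of the raw Unicode host is what catches the Cyrillic lookalike.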
3. Pretexting
Pretexting is the technique of inventing a scenario (the pretext) that gives the attacker a plausible reason to ask for what they want; it is often the engine behind a phishing email or a vishing call. Where basic phishing tends to rely on fear ("You've been hacked, click here to reset your password!"), pretexting works by establishing a relationship and convincing the victim that the attacker is who they claim to be. To this end, pretexting attackers often use intricate stories backed up with eerily convincing evidence, such as real names, invoice numbers, and company letterhead.
A famous pretexting case ran from 2013 to 2015. A Lithuanian man posing as Quanta Computer, a real Taiwanese supplier to both companies, sent forged invoices and contracts to Facebook and Google and convinced them to wire more than $100 million between them. He was later sentenced to five years in prison.
4. Quid Pro Quo
As Silence of the Lambs fans might remember, quid pro quo means "something for something." In social engineering, quid pro quo attacks offer the victim something (a free service or a gift) in exchange for access or information.
The attacker won't ask outright for what they want. Instead, they'll offer a free service, such as "tech support" help with a problem they invented, which in turn gives them the remote access or credentials they were after.
5. Whaling
Whaling, as the name might suggest, is similar to phishing but focuses on bigger targets. Where phishing scams might be aimed at lower-level employees, whaling attacks tend to target C-level executives and key decision-makers exclusively. While this may be trickier due to the higher level of vigilance and stronger defenses around these targets, the rewards can also be much greater.
6. Watering Hole Attacks
A watering hole attack targets the online spaces where the desired victims spend time: industry websites, forums, or social media sites. Rather than contacting victims directly, the attackers compromise one of these sites and plant malicious code or a fake download on it, exploiting the trust users place in a site they visit every day.
A high-profile example of a watering hole attack took place in late 2019, targeting an online community visited by an Asian religious and ethnic group and spreading malware disguised as an Adobe software update.
7. Tailgating
Tailgating attacks are where attackers gain access to restricted spaces by piggybacking off another person’s status. A textbook example is walking through a restricted entrance to a building by asking someone to hold the door for you.
On the hit podcast Darknet Diaries, we've heard countless tales of social engineers pretending to have a broken arm, or walking up to a door with their hands full or carrying a heavy box. And because we are human and (mostly) kind, we hold the door for them. For just one example, check out the episode with Jenny Radcliffe, who gets paid to sneak into buildings this way to test physical security.
8. Spear Phishing
Spear phishing is a form of phishing that specifically targets individual employees. As a result, attackers here can afford to spend time researching their victims and crafting tailored, highly convincing scams. This contrasts to traditional phishing, which often uses mass-outreach tactics to reach many different targets with a more generic message.
NTL World, part of Virgin Media, was hit with an attempted spear phishing attack in which a specific employee was told to follow a link to their new employee handbook; the link led to a credential-harvesting page.
9. Scareware
Have you ever been hit with a popup informing you that your device is infected and urging you to follow a link to fix the problem? If so, you were targeted by a scareware attack. These attacks use fear to shock their victims into taking actions like downloading a tool that will fix their supposedly disastrous problem. Instead, the unsuspecting user will be tricked into downloading malware, ironically putting them in far more danger than before.
In the 2024 film The Beekeeper, starring Jason Statham, the protagonist seeks revenge after his friend is told her computer is infected with viruses and is convinced to give the scammers access to her life savings, a textbook scareware scam.
10. Honeytraps
Looking for love online is always a risky business, and honeytrap attacks are yet another danger to look out for. Attackers set up fictional accounts on social media and dating websites, making friends and forming relationships with their victims. As they get closer, they start to ask for money and personal information.
11. Diversion Theft
The tactic of diversion theft started in the offline world, where thieves would trick delivery companies and couriers into dropping off their cargo at the wrong location, whereupon they would promptly take it.
The internet has only made this easier. Scammers just have to work out some key information about your order to intercept your delivery.
12. DNS Spoofing
Domain Name System (DNS) spoofing involves feeding forged DNS answers to users or their resolvers (for example by poisoning a resolver's cache or hijacking the network route to the authoritative servers) so that a legitimate domain name resolves to an attacker-controlled address. Visitors land on a malicious site where they are tricked into sharing credentials or downloading malware.
A DNS spoofing attack took place in April 2018, when attackers hijacked the BGP routes for part of Amazon's Route 53 DNS service and rerouted traffic for the cryptocurrency site MyEtherWallet to a lookalike site hosted on a Russian server. Users who clicked through the browser's certificate warning and entered their wallet credentials handed them to the attackers, who stole about $152,000 worth of Ether in roughly two hours.
13. Pharming
Pharming redirects users to malicious websites without any link to click. Instead of relying on the victim following a link, the attacker tampers with name resolution on the victim's side: malware edits the hosts file or the device's DNS settings, a home router is reconfigured to use a rogue resolver, or (as in DNS spoofing above) a resolver is poisoned. The user types the correct address and still lands on the fake site.
In 2019, attackers ran a pharming campaign against the Venezuelan volunteer organization Voluntarios por Venezuela. They created a copycat website and manipulated DNS so that visitors inside Venezuela who typed the real address were sent to the fake one, capturing the personal information of many volunteers.
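Both DNS spoofing and local pharming leave a footprint you can check for. The script below is an added example for this article (not code from the original page or from DYOPATH) covering the two previous sections: it parses a hosts file for entries that pin a watched domain, and it compares the answers a resolver returned against the networks those domains are expected to live in. The watch list WATCHED, the EXPECTED_NETWORKS table, SAMPLE_HOSTS and the observed answers are all constructed; the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) stand in for real ones.

```python
# Added example, not from the original article. Checks the two places local
# pharming and DNS spoofing show up: the hosts file and the answers a resolver
# returns. Domains, networks, and the sample hosts file are all constructed.
import ipaddress

# Constructed watch list: names that should never be pinned in a hosts file.
WATCHED = {"mybank.example", "login.microsoftonline.com"}

# Constructed "known good" networks for each watched name, e.g. taken from the
# site's published IP ranges or from a trusted resolver on a clean machine.
EXPECTED_NETWORKS = {
    "mybank.example": [ipaddress.ip_network("203.0.113.0/24")],
    "login.microsoftonline.com": [ipaddress.ip_network("2001:db8::/32")],
}

# Constructed hosts file: two legitimate loopback lines, one internal name, and
# one line of the kind pharming malware adds.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet.corp
192.0.2.55  mybank.example www.mybank.example   # added by malware
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue            # not an address; skip rather than crash on a malformed file
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def is_watched(name):
    """True for a watched domain or any subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def hosts_overrides(text):
    """Watched names that the hosts file pins to any address at all (local pharming)."""
    return sorted({f"{name} -> {ip}" for ip, name in parse_hosts(text) if is_watched(name)})


def unexpected_answers(domain, answers):
    """Answers for domain that fall outside its expected networks (spoofed or poisoned DNS)."""
    nets = EXPECTED_NETWORKS.get(domain, [])
    bad = []
    for a in answers:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            bad.append(a)       # an unparseable answer is suspicious too
            continue
        if not any(ip in n for n in nets):
            bad.append(str(ip))
    return bad


def audit(hosts_text, observed):
    """Combine both checks. observed maps domain -> list of answers seen on this host."""
    findings = [f"hosts file override: {entry}" for entry in hosts_overrides(hosts_text)]
    for domain, answers in observed.items():
        for ip in unexpected_answers(domain, answers):
            findings.append(f"unexpected answer: {domain} -> {ip}")
    return findings


if __name__ == "__main__":
    # Constructed resolver answers: one inside the bank's range, one outside it.
    seen = {"mybank.example": ["203.0.113.10", "198.51.100.7"]}
    for finding in audit(SAMPLE_HOSTS, seen):
        print(finding)
```

On a real endpoint, feed hosts_overrides() the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows) and feed audit() the addresses from socket.getaddrinfo() or a dig query. The hosts-file check needs no expected ranges at all: a bank or identity-provider name simply has no business being pinned locally, so any match is a finding.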
14. Baiting
In a baiting attack, criminals trick their victims into sharing valuable information by offering them something desirable. For example, they might offer a free gift in a pop up ad, whereupon excited users will follow a link to unwittingly install malware. Another variation of baiting involves loading malware onto innocent-looking devices like USB drives or CDs to lure users into accessing them.
A recent example of baiting involved a group of China-based hackers believed to be targeting shipping companies in Europe. USB sticks carrying malware were found plugged into computers aboard multiple ships; the malware's goal was to scrape sensitive information.
How to Prevent Social Engineering Attacks
Social engineering attacks come in all shapes and sizes, and can range from fairly clumsy to terrifyingly sophisticated and realistic. So how can you ensure your organization stays safe? Let’s take a look at some best practices.
Train Your Employees
According to research cited by Forbes, the percentage of a company's employees who fall victim to social engineering scams drops, on average, from 32.4% to just 5% after a year of training.
Regular training, along with special training for new hires focused on social engineering, can be extremely effective. Your training should teach employees about common scams, telltale signs, best practices, and new trends.
Keep Your Security Tools Sharpened
Social engineering attacks target human error in an attempt to bypass your security tools, but that doesn't make those tools irrelevant: they limit what a successful trick can achieve. Keep anti-malware and endpoint protection deployed and up to date, patch systems promptly, and enforce multi-factor authentication so that a phished password alone is not enough. On top of that, have tested incident response plans in place so that your teams can react quickly and contain the damage.
Build a Culture of Cyber Awareness
Security against social engineering attacks isn’t something you do once in a while — it needs to be an ongoing effort that pervades every level of your company. Your team members need to be aware of what’s at stake and the role they each play.
Best practices such as strong, unique passwords, multi-factor authentication (ideally phishing-resistant, such as hardware security keys), verification call-backs on a known number for any payment or credential request, and a culture of healthy skepticism should be in place throughout your organization.
Work With the Experts
One of the best things you can do for the overall security of your organization is work with a trusted, experienced team of experts, backed by cutting-edge tools.
DYOGUARD is DYOPATH’s solution to help you defend against a wide range of threats, including all types of social engineering attacks.