A social engineering attack is a method that bad actors use to leverage the "people" vulnerabilities within an organization. Social engineering can involve email phishing, spear phishing, vishing, smishing, tailgating, pretexting, and physical access.
Types of Social Engineering Attacks
- Email phishing is done to get the recipient to provide information by email, perform an action (such as sending money), click on a link, or download malware attached to or linked from the email.
- Spear phishing is a targeted phishing attack in which a tailored email is sent containing detailed information gathered through earlier phishing or from publicly available sources. An example of spear phishing would be an attacker pretending to be the CEO of an organization and requesting that money be wired to a fraudulent account, usually communicated with a strong sense of importance or urgency.
- Telephone phishing, also known as vishing, is similar to email phishing but is done over the phone to gain information that can later be exploited. Vishing attackers call pretending to be clients, the IRS, or other authority figures to obtain personal information from the person they reach, such as credentials, client information, or other confidential company information.
- SMS phishing, also known as smishing, is a form of phishing done via text message to gain exploitable information. Attackers send text messages that masquerade as coming from a reputable company to get individuals to provide confidential information.
- Tailgating, commonly known as piggybacking, is a form of social engineering where the attacker follows authorized employees through physical access points that the attacker would not otherwise be allowed to pass.
- Pretexting is a social engineering tactic where an attacker presents themselves as an authority figure to obtain private information or access. Pretexting can be done across various platforms, including emails, text messages, and telephone calls.
- Physical access occurs when social engineers seek entry to a physical location in order to obtain confidential information, reach secured areas, gain access to computers, or carry out other malicious activity.
Training your employees is one of the most cost-effective security measures for reducing risk. Not only should employees know how to identify social engineering attacks, but they should also know what steps to take if they suspect one. Hiring an outside organization to perform simulated phishing campaigns or social engineering engagements is a good way to test how prepared your organization is for a real social engineering attack.