Examining Social Engineering Attacks & How They Work
Social engineering attacks are becoming more prevalent in today’s high-risk digital environment. Whether it's elder fraud or hacked celebrity accounts, socially engineered attacks can result in data breaches and financial losses.
In 2021 alone, the FBI's Internet Crime Complaint Center (IC3) received more than 847,000 cybercrime complaints reporting $6.9 billion in losses. Nearly 20,000 of those complaints were Business Email Compromise (BEC) or Email Account Compromise (EAC) attacks.
Remote work and virtual collaboration have made social engineering attacks easier to pull off. You can still keep your company safe by tuning your defenses to catch targeted email attacks before an employee acts on them.
This blog will explore different types of social engineering attacks and common tactics cybercriminals use when deploying these attacks.
What is Social Engineering?
Social engineering refers to techniques cybercriminals use to gain access to sensitive data environments, primarily via psychological manipulation. You can also think of social engineering as the art of leveraging human psychology to bypass cybersecurity controls without raising immediate red flags for unsuspecting targets.
Learn more about social engineering attacks from friendly hacker Rachel Tobac, who spoke at Armorblox CONTEXT 2022.
Let's walk through the main types of social engineering attack, with real examples of how cybercriminals deploy each one.
Phishing
Phishing refers to social engineering attacks that try to convince individuals to take an action, such as:
- Clicking a link that quietly redirects them to a malicious website
- Responding to an email with confidential information
Cybercriminals orchestrate phishing email attacks to appeal to the victims’ emotions, often falsifying distressing circumstances (e.g., bank account issues or pending account suspensions) to create an exaggerated sense of urgency and elicit a response.
Unsurprisingly, phishing is the most common type of socially engineered attack. According to Cisco, phishing was the cause of over 90% of cyberattacks in 2021.
Phishing Attack Examples
One real-life example of a credential phishing email spoofed the United Parcel Service (UPS). Hackers designed over 5,000 emails to look like legitimate UPS Express emails inquiring about a pending parcel delivery.
Victims who clicked were taken to a second page that asked for their:
- Address and phone number
- Email credentials
- Date of birth
- Payment card information
Many targeted phishing emails get past native email security because they are sent from domains the attacker legitimately controls (newly registered lookalike domains or compromised accounts), so SPF, DKIM and DMARC checks pass. A passing authentication result only shows that the message really came from the domain in the From header; it says nothing about whether that domain is the one the recipient thinks it is. Phishing emails also borrow familiar branding and language crafted to trigger fear or excitement in an unsuspecting target.
Another real-life example of a credential phishing email attack targeted American Express customers and:
- Spoofed a notification email from AMEX that included an attachment requiring mandatory account verification
- Navigated victims to a fake, branded landing page prompting account sign in
- Used urgent language threatening account suspension
This attack bypassed native Google Workspace email security controls because it passed DKIM and SPF email authentication. Fortunately, the intended victims were protected by Armorblox, which accurately detected and stopped this email attack.
Spear Phishing
Whereas phishing emails may target anyone, spear phishing takes a customized approach. As the name suggests, it is like spearing one specific fish: the attacker knows which target they want and goes after that person individually rather than casting a wide net.
In most cases, the attacker has researched specific individuals in your organization and knows what will catch their attention. Targets are often chosen because they hold executive positions, or roles with similar authority and access to IT systems.
When planning to deploy a spear phishing attack, cybercriminals often gather their intelligence via:
- Compromising an employee's mailbox and monitoring conversations for insider details that make the spear phishing lure more convincing
- Browsing open sources such as social media to gather specific details about a target in your company
Similar to phishing attacks, spear phishing emails elicit a sense of urgency and provoke targets to provide potentially compromising information to cybercriminals. Emails from unknown senders that mention specific personal information or request a financial transaction should raise suspicion about potential spear phishing.
Voice Phishing (Vishing)
Voice phishing (vishing) attacks typically involve criminals impersonating trusted sources over the phone. More sophisticated versions combine a phone call with phishing or spear phishing emails.
In vishing attacks, the caller pretends to be an authority or trusted entity and asks for sensitive information such as Social Security numbers or credit card details. Attackers may also use voice-cloning tools that mimic the voice of the person or brand being impersonated, lending the scheme additional credibility.
Sadly, vishing attacks frequently target vulnerable populations like the elderly or individuals with limited to no experience with scams.
Vishing Attack Example
A vishing attack observed at a cloud collaboration software company began with an email containing fake order receipts for a Microsoft Defender subscription, along with phone numbers for the targets to call to cancel the order.
When targets called the number, the attacker talked them into installing AnyDesk, a legitimate remote-access tool, which gave the attacker remote control of the victim's machine.
Similarly, another vishing attack tried to convince recipients that Amazon's "Fraud Protection Team" was contacting them about a recent order. The email slipped past native security controls because it contained no malicious links, only a phone number for recipients to call; the fraud itself was conducted entirely over the phone.
VIP Impersonation
In VIP impersonation, a cybercriminal pretends to be a senior person in the company, using that borrowed authority to pressure employees into:
- Send funds to unusual, non-business accounts
- Modify sensitive transactions such as wire transfers
- Deliver a message to another VIP in the company
VIP impersonation often succeeds because few people will ignore an email or message that appears to come from a high-ranking executive such as the CEO, especially when it carries an urgent request. If an employee receives a suspicious message from a VIP, best practice is to contact that person through a known email address or a separate channel (a number already on file, never one taken from the suspicious message) to confirm the request is genuine.
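The three email-borne patterns above (a lookalike domain that passes SPF/DKIM/DMARC, a vishing lure that carries a phone number but no link, and an executive's name on an outside address) can all be checked from headers and body text before a human ever reads the message. The following is an added example written for this page, not Armorblox code or any product's detection logic. It assumes a hypothetical organization that owns example.com and a short list of executives whose names get borrowed; the three sample messages are constructed for the demonstration.

```python
"""Heuristic impersonation checks over raw RFC 5322 messages (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions (hypothetical): the defended organization owns example.com, and
# EXECUTIVES maps the display names attackers borrow to the real addresses.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|suspend\w*|within 24 hours|before noon)\b", re.I)
PHONE = re.compile(r"\b(?:1[-. ])?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URL = re.compile(r"https?://|www\.", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def analyze(raw: bytes) -> set:
    """Return the set of findings for one message; an empty set means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = set()

    display, addr = parseaddr(str(msg.get("From", "")))
    display = display.strip().lower()
    from_domain = addr.rpartition("@")[2].lower()

    # Passing SPF/DKIM/DMARC proves the mail came from the domain it names, and an
    # attacker's own domain passes just as well, so a pass is recorded, not trusted.
    verdicts = auth_results(msg)
    if any(verdicts.get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        findings.add("auth-not-pass")

    # VIP impersonation: an executive's display name on an address that is not theirs.
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        findings.add("vip-display-name")

    # Lookalike domain: one character off the real one, or the real name buried
    # inside another domain (example.com.evil.test); real subdomains are exempt.
    if from_domain != CORP_DOMAIN and not from_domain.endswith("." + CORP_DOMAIN):
        if edit_distance(from_domain, CORP_DOMAIN) <= 1 or CORP_DOMAIN in from_domain:
            findings.add("lookalike-domain")

    # Replies routed to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.add("reply-to-mismatch")

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.add("urgency")
    # Vishing lure: a number to call and nothing for a link scanner to inspect.
    if PHONE.search(body) and not URL.search(body):
        findings.add("callback-number")
    return findings


# Constructed sample messages (not real captures).
CEO_FRAUD = b"""\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: payroll@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

I'm in a board meeting and can't talk. Wire $48,000 to the account below before noon; I'll send the invoice later.
"""

VISHING = b"""\
From: "Order Desk" <billing@orders-desk.example.org>
To: alice@example.com
Subject: Your Microsoft Defender renewal receipt
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=orders-desk.example.org; dkim=pass header.d=orders-desk.example.org; dmarc=pass header.from=orders-desk.example.org
Content-Type: text/plain; charset=utf-8

Your annual subscription ($399.99) has been renewed. To cancel and request a refund, call 1-888-555-0143 within 24 hours.
"""

LEGIT = b"""\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 planning
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Can we meet Tuesday to go over the Q3 headcount plan?
"""

if __name__ == "__main__":
    for name, raw in (("ceo-fraud", CEO_FRAUD), ("vishing-lure", VISHING), ("legit", LEGIT)):
        print(f"{name:13s} {sorted(analyze(raw)) or 'clean'}")
```

Both malicious samples pass every authentication check, which is exactly the point: the findings come from the display name, the Reply-To domain, the one-character domain edit and the call-back number, none of which an SPF or DKIM verdict covers. In a real deployment the executive list and corporate domain would come from the directory, and the findings would feed a score or a quarantine decision rather than a print loop.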
Business Email Compromise (BEC)
Cybercriminals who orchestrate BEC attacks target unsuspecting employees of your company and convince them to make payments or send confidential information to accounts the attacker controls.
In a BEC attack, a perpetrator will:
- Prepare by gathering intelligence on potential targets through websites or social media
- Plan the attack by spoofing or compromising email accounts
- Deploy the BEC attack with the appropriate urgency and persuasion
- Collect fraudulent payments and distribute the funds across multiple accounts
BEC attacks take effort on the attacker's side: to succeed, cybercriminals must build a convincing pretext and avoid raising suspicion in the person on the receiving end.
Yet BEC attacks are widespread because the payoff is substantial when a cybercriminal convinces an executive, or someone acting on an executive's apparent instruction, to approve a large payment for fake services.
Vendor Email Compromise (VEC)
In principle, VEC and BEC attacks are similar. In a VEC attack, however, the cybercriminal compromises a vendor's legitimate email account and uses it to communicate with that vendor's unsuspecting customers.
From that account the attacker sends "updated" payment details (bank account and routing numbers) so that invoices are paid into an account they control. As soon as funds arrive, they are moved on to other accounts to frustrate tracing.
If the targeted company does not catch a VEC attack early, the fraud can continue for an extended period. Losses can be significant, especially for larger companies with extensive supply chains and many vendor payments to review.
Common Social Engineering Tactics
Developing appropriate cyber defenses against social engineering attacks requires understanding which tactics cybercriminals use to orchestrate these attacks.
Some common tactics include:
- Intimidation – Perpetrators often intimidate unsuspecting victims by claiming they will suffer negative consequences if they do not comply. For example, a well-orchestrated vishing attack can pressure a fearful individual into divulging a Social Security number during a fake call from the IRS or another government agency.
- Urgency – Nearly every phishing attack uses urgent messaging to convince victims that performing specific actions quickly will mitigate undesirable consequences. Giving victims less time to think keeps them from recognizing signs that the communication is suspicious.
- Familiarity – Perpetrators will often use specific personal information to establish a sense of familiarity with their targets. Confidence is key here, and cybercriminals will pretend they have previously spoken to or met victims.
- Authority – Cybercriminals also use authoritative messaging to deploy corporate social engineering attacks. They rely on the idea that victims will most likely be eager to meet the urgent needs of an authority figure.
It’s essential to develop a strategy that helps employees recognize and report these common signs even under the stress of an ongoing attack.
Protect Your Business From Social Engineering Attacks With Armorblox
Security awareness training alone is not enough preparation against social engineering attacks. Gaps in security controls make it easier for attackers to reach your end users and organization in the first place.
With advanced technologies like machine learning and natural language understanding, Armorblox enables your company to be well-positioned against targeted socially engineered attacks.
See the type of socially engineered attacks Armorblox stops.