Infosecurity Europe
4-6 June 2024
ExCeL London

Hacking Your Brain: Top 13 Social Engineering Techniques

Email phishing is just the tip of the social engineering iceberg.

Almost every report on phishing published over the past five years shows the numbers rising. For example, a report released by email security firm Vade in early 2023 found that the total number of phishing emails increased by 61% in the second half of 2022.

Meanwhile, Hornetsecurity’s Employee Security Index (ESI) Benchmark Report 2023, which analysed more than 1.7 million simulated phishing attacks across 140,000 employees and over 350 businesses, also reveals that 90% of all cyber attacks start with phishing and that more than 40% of all emails have the potential to pose a threat to businesses.

Email phishing, however, is not the only social engineering technique threat actors use to trap their victims. Here is a list of the main threat vectors and some of the methods attackers use to compromise their victims without relying on high-skill technical hacking.

Social Engineering Vectors: 50 Shades of Phishing

Email phishing, the most common type of phishing, is the use of scam emails which impersonate a person, a company or a public organization to lure the receiver into clicking on a malicious link, opening a malicious attachment or parting with sensitive information. Phishing emails can also be used to manipulate the victim into sending money directly to the attacker under a business email compromise (BEC) attack.

Typically, when we talk of general phishing, we are referring to large spamming campaigns, where a threat actor sends bulk scam emails to a large number of people – sometimes with the help of networks of compromised machines called botnets – and sees who falls for it, just like throwing a fishnet into the sea.

SMS phishing, or smishing, is very similar to traditional phishing, but using SMS and instant messaging apps instead of emails. Threat actors are increasingly utilizing platforms other than emails to deploy phishing campaigns.

Social media phishing is the same technique as smishing or email phishing but using social media platforms as a means of communication. Messages via LinkedIn or Twitter are highly popular for those seeking to target professionals but many of us will be familiar with fake Facebook, Instagram and TikTok messages also.

Voice phishing, or vishing, is a social engineering technique where the threat actor calls instead of emailing, aiming to steal confidential information or to be given access to the victim's computer over the phone. They imitate people the victim has never actually spoken to or met but may plausibly need to speak to, such as an IT professional.

Social Engineering Techniques: A Myriad of Motivations

Spear phishing is a targeted phishing campaign where the threat actor customizes their scam email to appeal to specific victims. For example, an email may target specific personnel within an organisation, including those who have critical network access permissions, like those in IT or security, or individuals with access to sensitive data, like those in HR or finance.

Whaling is a type of spear phishing where the attacker focuses on targeting higher-value targets like C-Suite executives. It’s particularly used in business email compromise (BEC) attacks.
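The email phishing, spear phishing and whaling sections above all turn on the same pattern: a sender who impersonates a person or company, often with a lookalike domain, a redirected Reply-To and urgent payment language. The following is an added example written for this page, not code from Infosecurity Europe or any vendor named in the article. It parses a raw email with Python's standard `email` module and flags those indicators; the organisation domain `example.com`, the protected executive name, the urgency word list and the two sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain and a constructed list of high-value people
# (typical whaling/BEC impersonation targets) with their genuine addresses.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}
# Constructed list of words that often signal a pressured payment request.
URGENCY_TERMS = ("urgent", "immediately", "wire", "gift card", "confidential", "asap")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (e.g. a digit 1 for an l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return a list of impersonation/BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name of a protected person, but not sent from their real address.
    if name.strip().lower() in PROTECTED_NAMES and addr.lower() != PROTECTED_NAMES[name.strip().lower()]:
        findings.append("display-name impersonation")

    # 2. Sender domain is a near miss of the organisation domain.
    if from_dom != ORG_DOMAIN and 0 < levenshtein(from_dom, ORG_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies are routed to a different domain than the visible sender.
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to mismatch")

    # 4. Urgency or payment language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a BEC-style message impersonating the CEO from a lookalike domain.
BEC_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: bob@example.com
Subject: Urgent wire transfer

Bob, I am in a meeting. Please process the wire immediately and keep it confidential.
"""

# Constructed sample: a genuine internal message from the same person.
BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch next week

Bob, are you free for lunch on Tuesday?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

Each check is cheap and none is conclusive on its own; the value is in combining them, and in feeding a multi-indicator hit into a rule that holds the message or warns the recipient rather than silently dropping it.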

Angler phishing is a term used for a scam technique where cyber threat actors masquerade as customer support staff using social media platforms and accounts to trick their victims.

A baiting attack is a scamming scheme where an attacker makes a false promise to lure a victim into a trap that may steal personal and financial information or infect the system with malware. Here, the threat actor tries to pique a victim’s greed or curiosity. Baiting can be operated online (enticing ads, rewards…) or in the physical world. For example, an attacker leaves the bait – typically malware-infected flash drives that look authentic – in conspicuous areas where potential victims are certain to see them.

Pretexting has features in common with both whaling and baiting. It consists of creating a scenario in which the victim feels compelled to comply under false pretences. First, the attacker establishes trust with the victim by impersonating a co-worker, a boss, the police, the bank, tax officials, or anyone with authority. Then, the perpetrator pretends to need sensitive information from the victim in order to perform a critical task. With that information, they can confirm the victim’s identity and impersonate them to proceed with the attack or to make financial transactions to their own accounts.

Scareware is the use of false alarms and fictitious threats to lure victims into thinking their system is infected with malware, prompting them to install software that benefits the threat actor – to gain information or to deploy a piece of malware. Scareware can take different forms, from simple spam emails to pop-ups and notifications.

Tailgating is a simple social engineering attack used to gain physical access to an unauthorized location. To do so, the criminal follows the victim into the area without being noticed.

Piggybacking is similar to tailgating, but here the victim allows the attacker to ‘piggyback’ off their credentials. For that, the attacker can use human feelings such as empathy or kindness. For instance, the victim would hold a secure door open for someone claiming to be a new employee who has forgotten his access badge.

The quid pro quo technique consists of requesting some type of sensitive information in exchange for a service that the attacker offers to the victim. For example, a computer user might receive a phone call from a criminal who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.

Dumpster diving is the act of looking for sensitive information in the trash bins before it has been properly destroyed.
