Its prevalence is astounding. Social engineering is a subtle form of information gathering that often goes unnoticed because it works by manipulating people rather than machines. The term is a catch-all for a wide variety of cyberattacks that rely on exploiting human psychology to gain unauthorized access to privileged information. It is one of the most common information gathering tools that threat actors use to scope out a target, or to gain initial access by abusing legitimate credentials for nefarious purposes.
Types of Social Engineering
There are multiple types of social engineering. Common types include Phishing, Smishing, Vishing, Spear Phishing, Dumpster Diving, Shoulder Surfing, and Tailgating. Let's dive deeper into each of these types of attacks.
- Phishing attacks are social engineering attacks designed to harvest user credentials or to infect the recipient with malware. They are most commonly conducted through email, using a false pretense such as a requested password reset or a user support request. The pretext persuades unsuspecting users to hand over their credentials, which in turn gives the attackers access to otherwise protected systems.
- Smishing is a subtype of phishing that is performed over SMS (text) messaging. Attackers send fraudulent text messages purporting to be from some kind of reputable company. These messages generally include a link to a phishing site or to a site that serves malware. Such attacks allow attackers to obtain user credentials for bank accounts and credit cards, mobile phone carrier accounts, and authenticator accounts.
- Vishing is a type of phishing attack that relies on interactions with victims over the phone. Attackers talk to users directly and use social engineering techniques to gather information, which they then use to access user accounts.
- Spear phishing is a type of targeted phishing attack in which specific users are singled out to gain access to important user accounts. Victims are often prominent users such as system administrators, organizational admins, etc.
- Dumpster diving is a form of social engineering attack in which the attacker goes through an organization's trash to look for valuable documents such as financial information, Personally Identifiable Information, passwords, etc.
- Shoulder surfing is a form of social engineering attack in which attackers look over the victim's shoulder to capture user credentials. Attackers then use these credentials to access user accounts, or they sell the credentials on the dark web for profit. One mitigation is the use of privacy screens.
- Lastly, we have tailgating. Tailgating is a form of social engineering where the attacker follows legitimate users into a controlled area. In one example, attackers take advantage of the common courtesy of holding the door for people. A simple solution to this is to use mantraps/access control "airlocks".
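The phishing and smishing entries above describe the typical ingredients of a credential-harvesting message: a sender posing as a trusted organization, an urgent pretext such as a password reset, and a link whose visible text does not match where it actually points. The following Python script is an added example written for this article (it is not the author's code) that turns those ingredients into simple triage heuristics a mail-security or SOC analyst might run over a suspicious message. The two sample emails, the `example.com` "trusted" domain and the `.test` attacker domains are all constructed for the demo, and the indicator names are my own labels.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "password reset" pretext mailed from a look-alike
# domain, with a link whose text and target disagree. All domains are made up.
SUSPICIOUS_EMAIL = """\
From: "Example Corp IT Support" <helpdesk@example-secure-login.test>
Reply-To: recover@mail-example.test
To: alice@example.com
Subject: Action required: your password expires in 24 hours

<html><body>
<p>Your password will expire in 24 hours. Please verify your account now.</p>
<p><a href="http://example-secure-login.test/reset">https://portal.example.com/reset</a></p>
</body></html>
"""

# Constructed sample: a benign notice from the organization's real domain.
LEGITIMATE_EMAIL = """\
From: "Example Corp IT" <it@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend

<html><body>
<p>Mail will be unavailable Saturday 02:00-04:00 UTC. No action is needed.</p>
<p><a href="https://status.example.com">https://status.example.com</a></p>
</body></html>
"""

# Words that commonly carry the urgency pretext described in the article.
URGENCY_TERMS = ("expire", "verify", "suspend", "immediately",
                 "action required", "24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain: fine for a demo, not real eTLD+1 logic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value):
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def domain_of_url(url):
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return registrable_domain(host)


def phishing_indicators(raw_message, trusted_domain):
    """Return the list of indicator labels found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(msg.get("From", ""))
    reply_domain = domain_of_address(msg.get("Reply-To", ""))
    # 1. Display name invokes the trusted brand, but the address is foreign.
    if trusted_domain.split(".")[0] in display_name.lower() and from_domain != trusted_domain:
        found.append("brand_in_display_name_but_foreign_sender")
    # 2. Replies are diverted to a third domain.
    if reply_domain and reply_domain != from_domain:
        found.append("reply_to_mismatch")
    # 3. Urgency or credential pretext in the subject or body.
    body = msg.get_payload()
    if any(t in (msg.get("Subject", "") + " " + body).lower() for t in URGENCY_TERMS):
        found.append("urgency_pretext")
    # 4. Visible link text names one domain while href points at another.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        if "." in text and domain_of_url(text) != domain_of_url(href):
            found.append("link_text_href_mismatch")
            break
    return found


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, phishing_indicators(sample, "example.com"))
```

None of these checks is proof of phishing on its own; real mail gateways combine many such signals with sender authentication results (SPF, DKIM, DMARC) and reputation data. The point of the example is to show how each element of the pretext the article describes becomes a concrete, checkable artifact in the message.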
These are just a few of the many different types of social engineering. There are many more to cover, and I encourage you to do some more reading on your own time.
In this article we discussed the different types of social engineering. We discussed Phishing, Smishing, Vishing, Spear Phishing, Dumpster Diving, Shoulder Surfing, and Tailgating. While there is much more nuance to the study of social engineering, this article will give you a good foundation to get started.