Social Engineering
Social engineering attacks account for a massive portion of all cyber attacks, and studies show that these attacks are on the rise.
Social engineers are clever and use manipulative tactics to trick their victims into disclosing private or sensitive information. Once a social engineer has tricked their victim into providing this information, they can use it to further their attacks.
One of the best ways to keep yourself safe from a social engineering attack is to be able to identify them. Let's explore the six common types of social engineering attacks:
Pretexting
Pretexting is a type of social engineering technique where the attacker creates a scenario where the victim feels compelled to comply under false pretenses. Typically, the attacker will impersonate someone in a powerful position to persuade the victim to follow their orders.
During this type of social engineering attack, a bad actor may impersonate government agencies, police officers, higher-ups within the company, auditors, investigators or any other persona they believe will help them get the information they seek.
- Always use known means of contacting an agency or institution.
- Never provide someone with sensitive information if you cannot verify their identity.
Baiting
Baiting puts something enticing or curious in front of the victim to lure them into the social engineering trap. A baiting scheme could offer a free perk or gift in an attempt to trick the user into providing credentials.
A social engineer may hand out free USB drives to users at a conference. The user may believe they are just getting a free storage device, but the attacker could have loaded it with remote access malware which infects the computer when plugged in.
To prevent yourself from being baited:
- Don’t be tempted by free perks in exchange for information.
- Never use free drives or other devices given to you by someone you do not know.
Tailgating and Piggybacking
Tailgating is a simple social engineering attack used to gain physical access to an unauthorized location. Tailgating is achieved by closely following an authorized user into the area without being noticed by that user. An attacker may tailgate another individual by quickly sticking their foot or another object into the door right before it is completely shut and locked.
Piggybacking is exceptionally similar to tailgating. The main difference between the two is that, in a piggybacking scenario, the authorized user is aware and allows the other individual to "piggyback" off their credentials. An authorized user may feel compelled by kindness to hold a secure door open for a woman holding what appears to be heavy boxes or for a person claiming to be a new employee who has forgotten his access badge.
To avoid both tailgating and piggybacking scenarios:
- Never allow anyone you don’t know to enter a restricted space without proper credentials.
- Always be aware of your surroundings and lock secured areas after you enter.
Quid Pro Quo
Quid pro quo (Latin for 'something for something') is a type of social engineering tactic in which the attacker attempts to trade a service for information. A quid pro quo scenario could involve an attacker calling the main lines of companies pretending to be from the IT department, attempting to reach someone who is having a technical issue.
Once the attacker finds a user who requires technical assistance, they would say something along the lines of, "I can fix that for you. I'll just need your login credentials to continue." This is a simple and unsophisticated way of obtaining a user's credentials.
To protect yourself from quid pro quo attacks:
- Never provide your credentials to anyone (OppFi or otherwise).
- Always call the company or person back at a known number before proceeding with any conversation about sensitive information.
Social media scams
Watch for fake friend requests and hidden URLs to “free” quizzes. Only engage with people you know. When you provide your information to anything “free” online, know that you are likely sharing it with third parties.
TIP! Remember, we’ll never contact you via unsolicited phone call, email, or text to ask you to confirm or provide your password, or for personal information or account details.