What is a social engineering attack?

Social engineering is using human interaction (social skills) to obtain or compromise data/information about an organization or its computer systems. This information can them be used to deploy an attack and/or penetrate a network further.

Social engineering attacks are particularly dangerous because they prey on our human instincts, interactions and dealings with people and our contextual environment.

An attacker may not fit the stereotype we hold in our heads. Social engineering preys on the fact that humans will have our guard up for natural signs of danger and natural enemies, but things get fuzzy when the distinction is not so clear.

In social engineering, the attacker may seem unassuming, respectable and well-presented. The attacker may claim to be someone connected to the organization, a maintenance/repair/delivery person, researcher, and may even offer credentials backing up that identity, legitimate or not.

Various forms of social engineering attacks include:

• phishing attacks
• vishing attacks
• smishing attacks

Phishing

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

via CISA

Vishing

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.

Smishing

Smishing is a form of social engineering that exploits SMS, or text messages. Test messages can contain links to such things as webpages, email addresses or phone numbers that then clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.