
3 common (and effective) social engineering examples

Social engineering sounds like such an innocuous phrase. After all, engineers build things, right? But with social engineering, the engineer is a conman, building up all the resources needed to deceive you.

The biggest challenge with social engineering hacks is the realism. Interactions seem reasonable and real, but the person on the other side of the email or controlling malicious code on a website isn’t who they pretend to be.

Increasingly sophisticated social engineering attacks can fool employees into divulging sensitive information or granting access to the wrong people. Here are a few social engineering examples to be on the lookout for.

Phishing, spear phishing, and whaling

All these examples of social engineering attacks leverage the same basic methodology, but the target may differ.

A phishing attack is simple on the surface. You receive an email asking for specific information. A generic phishing email targeting the public might mention a lottery win and ask for banking information to transfer the funds.

However, with business attacks, hackers do extra research to make the email appear more legitimate. With spear phishing, you might see an email that appears to come from the company’s CEO asking for a report or other information. Because the email looks legitimate, employees often don’t look any further and respond with the requested information. With whaling attacks, hackers target C-suite executives themselves with the same ultimate goal — unauthorized access.
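As an added illustration (not code from the original article), here is a small Python triage check a mail team could run over the headers of a suspected spear phishing or whaling message; it looks for an executive's display name paired with the wrong mailbox, a lookalike sending domain, a mismatched Reply-To, and a gateway DMARC failure. The executive list, internal domains and both sample messages are constructed assumptions.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed organizational data (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_findings(raw_message: str) -> list[str]:
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    name, addr, domain = display.strip().lower(), addr.lower(), _domain(addr)
    findings = []
    # 1. An executive's display name used with a mailbox that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{display}' used with {addr}")
    # 2. Sender domain is not ours but closely resembles one of our domains.
    for internal in INTERNAL_DOMAINS:
        if domain != internal and difflib.SequenceMatcher(None, domain, internal).ratio() >= 0.8:
            findings.append(f"lookalike domain {domain} resembles {internal}")
    # 3. Replies would be routed somewhere other than the apparent sender.
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    # 4. The mail gateway already recorded a DMARC failure for the sending domain.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC failed at the gateway")
    return findings

# Constructed sample messages (not real mail).
SPEAR_PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: finance@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

Can you send me the Q3 payroll report before my flight? Thanks.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 report
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached is the Q3 summary for the board pack.
"""
```

A real deployment would pull the executive list and internal domains from the directory rather than hard-coding them, and would feed the findings into the mail gateway's quarantine or banner logic.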


Building a watering hole

In the desert, trapping a watering hole means waiting for the animals to come to you, and a watering hole social engineering attack works the same way.

Instead of attacking your system directly, hackers compromise websites your staff commonly visit and plant malicious code on them. An employee visiting one of these sites pulls the code back onto your corporate systems, opening a foothold for the attacker. By waiting for you to make the first move, hackers avoid a lot of the active security that protects your data and systems.

Setting up pretexting attacks

Pretexting attacks take a fair amount of prep work, but once established, these attacks can do a lot of damage.

In a pretexting attack, a hacker sets up social accounts and digital identities designed to build trust. They may present themselves as industry experts, IT staff, another employee of the company, a trusted vendor, or even a friend or family member. You can’t see the person on the other end of a social media account, so a skilled conman can bypass all your social defenses before you realize they aren’t who they pretend to be. The attack depends heavily on the hacker’s skill in building realistic personas, but once those personas are in place it can be very difficult to avoid.

Final thoughts

Extreme caution when meeting and interacting with people and websites via digital channels is the only way to avoid some of the most sophisticated social engineering attacks. Educate your employees about the latest phishing models and implement solid firewalls and network security to catch malicious code before it can follow you home.

With pretexting attacks, be sure to conduct research on individuals you meet online. Many of their accounts will have been created relatively recently, and you should look out for any inconsistencies between them. The more pretext attacks a cybercriminal runs at the same time, the more likely it is they’ll make a mistake.

However, if worst comes to worst and an attack is successful, have a disaster recovery plan in place. Data breaches happen, but they don’t have to put you out of business if you’re prepared for them.
