
Real Life Examples of Social Engineering Attacks

Cyberattacks are off the front page currently due to world events and the cyclical nature of the news. Nevertheless, our extensive experience as a decades-long leading agency in the NJ Cyber Insurance market indicates the threat is pervasive and growing.

Social engineering attacks are carried out by people, not by software. They succeed because the attacker gains the target’s trust and then exploits it to obtain confidential information, so they can cause severe damage if they are not detected early.

Social engineering is an interaction between humans in which a perpetrator manipulates someone into doing something wrong that they would not otherwise do. Tactics range from psychological persuasion to outright trickery, all aimed at luring the victim into handing over sensitive information or making a security blunder. Detecting social engineering attacks is difficult because they rely on ordinary human error rather than on technical flaws, so the interaction looks legitimate.

Examples of Common Social Engineering Attacks

Social engineering attacks come from various sources and happen wherever humans interact. Here are some common types of Social Engineering attacks.

Phishing

Phishing is a form of social engineering in which attackers send a fraudulent email that pretends to come from a legitimate company. It takes several forms; the predominant phishing methods are as follows.

Spear Phishing

A spear-phishing attack starts with a fake web page built to look like an authentic site. After researching a specific target online, the attacker sends a believable, tempting email that encourages the recipient to click a link and visit the page. Emails imitating banks, Amazon, PayPal, Microsoft, Apple, and Netflix are among the most common disguises for phishing threats.

Whaling

As the name suggests, whaling is hunting for the big fish within a company. Whaling is a social engineering attack that aims at high-value targets, such as C-level executives like CEOs and CFOs, instead of average users.

Smishing

Smishing uses SMS text messages to deliver social engineering attacks that exploit the widespread use of texting. Scammers send texts containing links that open a dangerous web page or even automatically dial a number. As email, voice, and text messaging are increasingly integrated into browser functionality, users become more exposed to smishing.

Baiting

Baiting resembles phishing, except that the lure is a promise of items, goods, or services. Attackers use the bait to draw victims in and steal valuable information.

Scammers may leave USB sticks or other external storage devices where victims can easily find them, or present them in gift baskets. They use logos or other identifying marks to make the devices seem legitimate. In addition, the devices often carry fake “Confidential” or “Payroll Data” labels or imprints to create enough curiosity for users to plug the drive into a computer, causing a malware infection that spreads across the network.

Other baiting scams appear in online forms, web pages, or ads that invite users to download free entertainment such as games, software, movies, or music, where the download is actually a malware-infected application. The malware then spreads to networked computers through email or peer-to-peer networks. Some baiting attacks use offers of free downloads that require users to provide their login credentials.

Scareware

Scareware is a type of adware that tricks users into thinking their computers are infected with viruses. Scammers use this deception to scare users into installing fake security tools that contain malware. For example, spam emails often contain phony threats that users are told they can fix by visiting a page where malware downloads are disguised as helpful solutions. Therefore, it is essential to educate users to be wary of alarming warnings or messages. Train them to ask before they act.

Scareware often appears as a popup in a browser, making it difficult to identify its source. People who encounter scareware believe their computer is infected with malware. As they browse the internet, they see messages that entice them to download malware disguised as a fix. Scareware is also distributed via email.

Pretexting

Pretexting describes situations where a scammer pretends to be someone else in order to gain access to private information. They lie to obtain information from their victims; for example, they impersonate a specific person to pry information from a target. The attacker aims to convince a contact within the company to help them recover the username and password of the person they are impersonating.

Conversely, they may ask users to provide private data such as name, address, phone number, Social Security number, credit card information, and other confidential information and records under various pretenses. Scammers can pretend to be a government official asking questions about taxes, or claim to be from Dell or Microsoft responding to an automated security alert sent from the target’s computer.

Tailgating

Another social engineering attack is tailgating, also called piggybacking. An attacker may pose as a delivery driver or courier waiting near a secure building entrance and ask an authorized employee to hold the door for them, gaining physical access without credentials of their own.

How to Avoid Social Engineering Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) provides these tips:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. For example, should an unknown individual claim to be from a legitimate organization, try to verify their identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are confident of a person’s authority to have the information.
  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. Do not click on links sent in email.
  • Don’t send sensitive information over the internet before checking a website’s security.
  • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https”—an indication that sites are secure—rather than “http.”
  • Look for a closed padlock icon—a sign your information will be encrypted.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use the contact information provided on a website connected to the request; check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features your email client and web browser offer.
  • Enforce multi-factor authentication (MFA).

With remote work becoming standard, companies of all sizes are increasingly vulnerable to hackers and experience data breaches, ransomware, and other cyber threats. We would appreciate the chance to work with you to determine your exposure to cyberattacks and explain how a comprehensive NJ Cyber Insurance program can protect your business.

We design coverage to help your business recover after a ransomware attack or data breach by providing financial support to correct damages from the attack while helping to pay legal fees and solve regulatory headaches in the wake of an incident. Our recent Guide for Creating a Cyber Incident Response Plan post is part of our ongoing efforts to help you deal with cybercrime.

About Dickstein Associates Agency

Dickstein Associates Agency has distinguished itself as a leading provider of personal and business insurance in the tri-state area since 1965. We pride ourselves on being advocates for our clients and providing them with quality and affordable coverage. As a Trusted Choice™ independent insurance agency, we partner with various national and regional carriers, allowing flexible coverage for each client’s unique circumstances. For more information on how you can leverage all your insurance to work best for you, and how we can secure the best insurance in the marketplace suited to your specific needs and business objectives, contact us today at (800) 862-6662 or www.dicksteininsurance.com.
