On this page you will find an easy to understand definition of social engineering and examples of the common variations.
What are the types of social engineering?
Social engineering can be divided up into the following broad classifications:
- Spear Phishing
- Phone Phishing
- Water Holing
- Baiting / Trojan Horse
- Quid Pro Quo
You can find definitions on these classifications below.
To find out if your organization is vulnerable to social engineering, please contact us to arrange a no obligation consult to discuss an audit. We also provide a hot line response service to help you deal with a social engineering event. Call us on: +61 8 6558 1825
What is phishing?
Phishing is a simple method of duping an unsuspecting person into providing confidential information.
Example: An employee receives an email requesting that they verify their account details by logging into a website. The link actually takes the user to a website that appears to be the one they were expecting to visit – e.g. a bank site. Once the user visits the site, they enter the information the scammer wants to get access to, like a password. The scammer then has basic information they need to be able to then access the bank account.
What is vishing?
Vishing (or Voice Phishing) uses the telephone as a way of getting sensitive information.
Example: the scammer calls the person directly and claims to be verifying their account details. The scammer has enough basic information to convince the person that they are who they claim to be and the person tells them directly what they want to know.
What is spear phishing?
Spear phishing is a highly targeted phishing event. General phishing is usually just a bulk email sent out to thousands of people, in the hope that a few people respond. Spear phishing targets the individual.
Example: the employee receives a person email addressed to them and contains sufficient personal information to convince them the email is real. The employee then clicks a fraudulent link and takes an action that has been orchestrated by the scammer.
What is pretexting?
Pretexting is similar to spear phishing in that the scammer often has additional information that will convince the end user sufficiently to get them to follow a certain course of actions.
Example: the scammer impersonates a policeman or bank manager and has enough background on the individual to convince them to reveal information or take a course of action. Scammers can pretend to be a person higher up in the organization and instruct a junior employee to do something like pay a fake invoice.
What is phone phishing?
Phone phishing can also be referred to as IVR or interactive voice response. The target is duped into performing a compromising act by an automated phone system.
Example: the employee gets a phone call controlled by a machine which uses automated human voice messages. The machine / voice instructs the person to use their phone keypad to enter some information.
What is water holing?
Water holing as the name suggests, relies on a person visiting somewhere on the internet that they visit regularly and perceive to be safe.
Example: a person could mistype a website URL that they often visit – e.g. instead of typing mybank.com, they type mybink.com and there is a website there that exactly replicates the site they intended to visit. The person enters key information to login and the rogue site captures the credentials.
What is baiting?
Baiting or Trojan Horse is a method of getting a person to perform an action that will compromise an IT system.
Example: the scammer leaves a USB thumb drive somewhere that attracts the victim’s attention. Perhaps the drive is labelled “confidential” or “holiday pictures”. The unsuspecting person inserts the drive into their computer which then causes an auto-loading program to run a series of commands that then facilitates an attack.
What is quid pro quo?
A quid pro quo attack is a method whereby the scammer unwittingly provides something in exchange for a benefit.
Example: the con helps the person legitimately fix a problem on their computer. In order to help the person, the scammer requests remote access to the computer, which the dupe provides. The scammer fixes the computer issue but at the same time inserts malicious code that allows them get ongoing access to the computer after the event.
What is tailgating?
Tailgating is a simple scam whereby the perpetrator follows the employee into a restricted area. The restricted area requires an access card to gain entry. The employee holds the door open, without realizing that the person has no business entering that area.