The top 5 social engineering techniques and how to prevent them


Social engineering techniques were the number one cause of fraud in 2022. From political smear campaigns to bitcoin scams, fraudsters' schemes are becoming more sophisticated as they exploit the human psyche. With over $6.9 billion stolen from businesses by social engineering scams in 2021, it’s time for organizations to fight back. Learn what social engineering techniques are, how to spot the red flags, and how to protect your business.

Trustpair continuously controls payments before they’re executed, blocking payments to suspicious third parties. Even sophisticated social engineering attacks won’t get through! Request a demo to learn more!


What is social engineering?

Social engineering refers to the manipulation of human victims (as opposed to computers) into granting fraudsters access to something. Usually, the goal is either access to financial accounts or sensitive information.

Social engineering techniques can target both individuals and businesses, and there have been many successful attempts in the past. They typically aim to build trust with the victim, introduce a figure of authority, or pretend to benefit the victim in some way.

In the next section, you’ll learn about five of the most common social engineering techniques that fraudsters apply to their scams, along with real-life examples for each method.

What are the top 5 social engineering techniques?

Here are five of the most common social engineering techniques to watch out for:

  • Phishing
  • Baiting
  • Watering Holes
  • Pretexting
  • Physical Breaches

Phishing

Phishing is the most well-known social engineering technique. It refers to impersonating someone known to the victim in order to gain their trust. For example, CEO fraud relies on the fraudster impersonating the CEO or another top executive. This type of impersonation is known as whaling and relies on convincing an employee to comply with the request because of that apparent authority.

In businesses, phishing usually arrives by email, but it can also be done over the phone with vishing (voice phishing). This typically involves the use of AI technology to deepfake a real person's voice. Alternatively, phishing can occur through text messages (smishing).

One of the most famous phishing cases targeted both Facebook and Google over multiple attempts in the 2010s. The perpetrator committed vendor fraud by pretending to be a genuine supplier, and neither company performed due diligence before paying the false invoices, which arrived by email.

It resulted in losses of more than $100 million combined, and the fraudster was later convicted.

Baiting

Baiting is a little different from phishing, as this social engineering technique relies on human curiosity. Here, the fraudsters promise the victim something in return for following a request, and following it turns out to compromise their system.

It relies on the idea of FOMO (fear of missing out). For example, victims might click on a link for a free music download.

Baiting is sometimes known as “quid pro quo” fraud because the victim thinks they are giving away their information in exchange for something. Imagine that you’re called by an IT support person who’ll help you fix a broken app – of course, you’ll give them remote access to your device! Unless you realize that they’re not a real IT support person after all.

A recent baiting campaign targeted a portion of Office 365 users with a fake layoff scam. Employees were each sent an email reminder of their “upcoming” meeting with HR about their redundancy.

The scam relied on victims panicking, clicking the Zoom link, and attempting to log into the fake meeting without considering that they were handing their credentials to a spoofed site. Not only did the fraudsters walk away with Zoom credentials, but many people reuse the same passwords across multiple sites, so the criminals could likely access many more accounts too.

Watering Hole

A watering hole is another type of social engineering technique: a scam that aims to snare people who share the same attributes, such as all banking with a certain institution or all being of retirement age. The watering hole therefore gives the fraudsters an accurate target – people who don’t fit will simply ignore it, but those who do are likely to fall for the scam.

From there, the cybercriminals snare these individuals for their credentials.

Here’s an example of how a watering hole works:

  1. The perpetrators decide they want to target employees of bank A who work in the accounting team (these employees are likely to have the authority to approve payments)
  2. The hackers find out which third-party accounting software bank A uses
  3. They spoof the real website of the accounting software with a fake one
  4. They send an email about the accounting software, with a link, to all employees of bank A. Once clicked, the link redirects the employees to the fake website
  5. Employees input their credentials to log into the accounting software – they do this multiple times because an error message keeps popping up

On the other end, the criminals now hold the bank's real login details for its accounting software, and can wipe all of the data from the real accounting system for malicious use. In fact, all of that really happened to Ukrainian businesses and banks last year, when a common accounting platform was hacked on a national holiday in Ukraine in an attempt to collapse the economy.

With more research and targeting, watering holes can be used to catch individuals in the form of spear phishing. Typically, though, this technique is used to fool groups of people who all qualify because they’re customers of a certain firm or they all have payment responsibilities at work.
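As an added, defender-side example that is not part of the original article: a small Python check that classifies every link in an email body against an allow-list of the accounting vendor's real hostnames, flagging lookalike domains of the kind used in steps 3 and 4 above. The vendor hostnames and the sample email are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the real hostnames of the accounting vendor that
# "bank A" uses (hypothetical names, not from the article).
TRUSTED_VENDOR_HOSTS = {"portal.acme-accounting.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means a visually similar hostname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_VENDOR_HOSTS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's hostname."""
    host = (urlparse(url).hostname or "").lower()
    if host in trusted:
        return "trusted"
    for good in trusted:
        if good in host:  # real vendor name embedded in another domain (conservative)
            return "lookalike"
        if levenshtein(registered_domain(host), registered_domain(good)) <= max_distance:
            return "lookalike"  # typo-squat / homoglyph of the vendor's domain
    return "unknown"


def scan_email(body: str) -> list:
    """Classify every link found in an email body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]


# Constructed sample email in the style of step 4 above.
SAMPLE_EMAIL = """Your accounting session has expired.
Please sign in again at https://portal.acme-acc0unting.example/login
Help centre: https://support.example.org/kb"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

Anything classified as "lookalike" is worth routing to the security team rather than silently dropping, since the employee who received it may already have clicked.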

Pretexting

Pretexting is built on a fabricated scenario in which the impersonator claims to need critical information in order to perform their task. Here, the social engineering masterminds tend to impersonate figures of authority in society, such as emergency services, banks, and lawyers. That’s because the average person is much more likely to follow requests from these members of society.

A damaging example of pretexting occurred in 2022 when cybercriminals impersonated CrowdStrike, a well-known and trusted IT security firm. The fraudsters informed targets by letter that they had fallen victim to a malware infection, and told them to call the number listed in order to remove the infection.

The letters were made to look more legitimate by carrying individual incident numbers and mentioning recent regulatory compliance measures. Of course, any victim who did call the number to remove the malware ended up giving the hackers remote access to their device, after which the hackers deployed ransomware and held their data to ransom.

Physical breach

In rare cases, fraudsters will go offline and attempt to breach a workplace in person. This physical breach is also known as tailgating, and usually happens when the perpetrator sneaks into a building. They might do this by closely following a real employee who holds the door open (so that they aren’t required to open any doors themselves), or by spoofing an ID card.

Usually, physical breaches are highly targeted, just like cases of spear phishing or whaling.

After accessing a secured area, these perpetrators might attempt to steal confidential information, but they tend to have different goals:

  • Damaging property as a disgruntled customer or ex-employee
  • Disrupting the business
  • Gaining operational secrets such as new prototypes
  • Stealing products to be sold on later

VerSprite, a security company, recently tested one of their clients’ incident response plans by setting up a real tailgating situation. Unknown to staff, an external team member had been able to sneak into their workplace.

Although a security guard spotted the breach on CCTV, the client's internal investigation concluded only that the perpetrator had stolen a laptop. In fact, he had also been in the server room and moved some cables to give himself access to the client’s internal network. This went undetected for weeks before the real security team stepped in to overhaul the response process.


How to prevent social engineering attacks?

Social engineering attacks are hard to prevent, but with the right awareness training, staff will know what to look for. Businesses that put the right detection and protection measures in place ensure that even if their employees or systems fall victim, their data and finances remain safe.

Firstly, there are some human elements that your business can control. By implementing strong internal control policies, you can set general rules of conduct and the exact steps an employee should work through in the event of an attack. The code of conduct might include:

  • Don’t open emails from sources you don’t know and trust
  • Don’t ignore spam-filter warnings on your emails
  • Don’t take your laptop outside the workplace or log into personal accounts on it
  • Use a different password for each account

Organizations should also protect their digital systems against social engineering by implementing upgraded spam filters, anti-virus software, and two-factor authentication for logging into any company account.

Finally, use Trustpair as your last line of defense. We use automation to continuously control third-party payments by validating account information, and we block the effects of social engineering by automatically preventing suspicious payments from leaving your account.

Demo Trustpair today to protect your business from social engineering fraudsters.

To recap…

Social engineering manipulates human nature so that fraudsters can gain access to data or money. Phishing, baiting, watering holes, pretexting, and physical breaches are examples of social engineering techniques. Prevent this fraud by setting and following the right protocols, putting physical barriers onto your devices, and educating employees. Trustpair blocks the effects of social engineering by automatically preventing payments from leaving your account when the account details can’t be verified.

Frequently asked questions

Rather than attacking technology directly, social engineering techniques exploit and manipulate people to get past a firewall. These threats appear legitimate and might use spoofing to fake authentication and appear to come from a real, known source. Once a victim is compromised, the attackers could install spyware on the device, get into their bank account, or steal confidential or sensitive information.

The most common social engineering tactic is phishing. It allows cybercriminals to infect workplace computers by pretending to be a known source, such as your IT security team. Security awareness, penetration testing, data encryption, and acting on suspicious feelings are all good anti-phishing measures.

Scammers use spyware, trojan sites, and network attack vectors to commit cybercrimes. With social engineering, they steal passwords and impersonate trustworthy third parties to gain confidential data.