Social Engineering and phishing attacks

8 Types of Social Engineering Not Using E-Mail

Social Engineering Isn’t Just Malicious E-Mails

When someone mentions hacking, ransomware, or even social engineering, the first thing most people think of is e-mail. Malicious e-mails, or phishing, are by far the most prevalent method of attack used by social engineers. Over the years, hardware and software have been developed to thwart these types of attacks. It is a never-ending battle, and attackers always seem to be one step ahead of information security professionals. While it is very important to know as much as possible about phishing attacks, it is equally important to know about the other types of social engineering attacks that do not involve e-mail.

Non E-Mail Social Engineering Methods

  • Pretexting – An attempt to extract information by impersonating a person you may trust. It can be done in person or over the phone; the attacker most likely already has some information about you and uses it to gain your trust.
  • Vishing – Also called voice phishing. It is just like phishing, but done over the phone instead of by e-mail.
  • Baiting – A social engineer intentionally leaves behind physical media, such as a USB drive, possibly with an authentic-looking company logo or a label carrying some sort of report name. The hope is that an employee will pick it up and insert it into a PC, possibly installing malware.
  • Smishing – The newest one. Attackers send SMS messages that attempt to acquire personal information or send the user to a website hosting malware.
  • Shoulder surfing – Just like it sounds. A person hovers over your shoulder to obtain your personal information, such as a password, or a PIN at an ATM.
  • Tailgating – An attacker seeks entry to a restricted area by closely following behind someone with legitimate access.
  • Water holing – An attacker identifies a website or websites that a user or group of users often visits (the "watering hole"). The attacker then probes the target website for weaknesses in order to inject code that infects a visitor's system with malware.
  • Dumpster diving – Exactly how it sounds. An attacker goes through the garbage to try to find sensitive information.

It can be a scary world. Most companies and people think it will never happen to them…until it does. There is news about another data breach just about every day. It starts with something that seems harmless, then turns into a disaster. Comprehensive Security Awareness Training should cover every type of social engineering, not just phishing. Some companies may find that their employees need extra training on phishing or phishing simulations. Also see our new gamified phishing awareness training.

Our suite of security awareness training programs includes: