Social engineering attacks are successful because they exploit human nature while skirting typical cyber security defences.

These attacks are particularly insidious because they are stealthy and are often well established before becoming apparent.

Threat actors do their homework. They target people who are less likely to check before taking the requested action. In other words, they target people who are easier to manipulate.

Are you an easy target? If you receive an email from a leader in your organization asking you to complete a task quickly, would you take the time to scan the message for signs of a social engineering attack? And would you feel comfortable following up to confirm the authenticity of the request before taking any other action?

The threat actor is looking to collect enough information to infiltrate an organization's network or your financial accounts.

To be successful, the cyber threat actor merely needs to get the individual to do what is requested of them. Unfortunately, because these attacks rely on our curiosity, insecurity or trust to gain access, they tend to be very successful.

Knowing how threat actors can use you to gain access to information and systems is critical.

Tactics and techniques used in social engineering attacks include:

• Pre-texting - Crafting a scenario, or pretext, to increase the likelihood that the target will engage in the desired behaviour
• Phishing - Simulating a legitimate email communication that lures individuals into providing information, with email as the attack vector
• Smishing - A form of phishing, with SMS/text messaging as the attack vector
• Vishing - A form of phishing, using voice phone calls as the attack vector
• Spear-phishing or targeted phishing - Specifically targeting a useful or high-value individual with a phishing attack
• Water-holing - Gathering information about regularly visited websites and finding vulnerabilities within these websites that can be used to launch malware against individuals who visit, thereby providing a pathway into organizational systems
• Baiting - Using media storage devices that contain malware to infect systems, such as leaving malicious USB thumb drives near the target organization’s office

There are ways to detect these types of attack. Here are some common indicators:

• The communication is from an unknown user, organization, or domain name
• The communication seemingly comes from someone within an organization, but with a non-organizational domain name. For example, your director is emailing you from an @gmail account
• The correspondence expresses an unusual level of urgency
• The content contains errors such as misspelled names, misused organizational terms or titles, or misrepresented or misplaced logos
• The communication is unsolicited and asks you to do something
• The tone, content or wording is inconsistent with what would be expected
• The email has attachments with unusual file names or links with an unusual URL. Roll over: Uniform Resource Locator – commonly referred to as a web address, a URL is the specific location of a networked piece of technology on a network, such as a computer, router, or database
• The offer seems too good to be true
• The request is driven by a motivation such as financial benefit or another benefit

You should always be vigilant and watch for these indicators. However just because a communication has one of these indicators doesn’t mean that it is an attack.

If you are suspicious, confirm the request with the sender prior to taking any action requested in the message. If you don’t recognize the sender or their email address doesn’t match their name, report the message.

Follow the steps for responding to a social engineering attack.

Additionally, follow your organization’s protocol for reporting phishing attacks.

If you think that you may have been the victim of phishing, follow these steps in this section: What to do if you’re a victim.

The threat actor uses imitation to disguise themselves as a member of your organization or another organization you know. They will do so through an organizational email account that has been compromised and that they now control. They may also do so by using an email address that is almost identical to the organizational email address of someone that you work with regularly.

The intention of the communication is to get you to provide information, send files or provide access to systems or software. These messages normally arrive through text, email or phone.

You can detect a business email compromise using the same indicators as other social engineering attacks.

In detecting these attacks, your critical thinking and knowledge of organizational norms are crucial. They can help you determine if the communication is legitimate or a potential attack.

For example:

• Has the communication gone through correct distribution channels and copy appropriate individuals?
• Has the communication come directly from a senior leader? Is this unusual?
• Is the communication from a third party urgently requesting you provide information through an online form or pay something immediately?
• Does the communication request you send files to a personal email?

Take a moment to reflect. Would you feel comfortable checking with the sender of a suspicious communication before acting? This may be uncomfortable, especially if you don’t know the person well.

Unlike phishing, which involves mass mailing, spear phishing is small-scale and well targeted. Before initiating the attack, the threat actor will research a targeted individual. The attack is then curated to be effective against the specific target. For example, the threat actor may send an email disguised as a regular vendor requesting payment for a late invoice.

Like phishing, the spear phishing email will prompt you to act. The action will provide the threat actor with information or access to your systems or accounts.

You can detect spear phishing using the same indicators as other social engineering attacks. It requires extra vigilance to catch spear phishing attempts due to way they are tailored.

Phishing kits are packages created by cyber criminals and sold to other criminals with everything needed to enact a phishing attack. They can include phishing email templates, and temporary websites for gathering data from targets.

Phishing-as-a-service is a business model used by cyber criminals in which users have monthly subscriptions to a phishing service. Organizations can hire cyber criminals to execute phishing attacks on their behalf.

Link-less phishing is a style of phishing that directs you to a malicious website without clicking on a link. The threat actor attaches the malicious website as an HTML file to a phishing email. Like other types of phishing, the email will prompt you to open the attachment.

Unlike a typical link, the attachment will not direct you to a website. Instead, clicking on the file will open a window that appears to be a local file. The window will prompt you to share information. For example, it may ask you to log in to access the document.

You can detect linkless phishing using the same indicators as other social engineering attacks. You should also be wary of HTML attachments.