Types of social engineering attacks

Read the content, attempt the challenges and where additional information is required watch the videos.

Dumpster Diving

Dumpster diving is technically not a form of social engineering, as there is no human interaction between the engineer and the target while the information is being collected. It is still worth looking at, however, because it can be used to determine which type of social engineering attack to use on a target. Dumpster diving is defined as sifting, or “diving”, through the rubbish of an individual or a company in order to acquire potentially valuable information. Information a dumpster diver may be looking for includes names, phone numbers, email addresses, physical addresses, credit card numbers and other personal information.

Things to keep in mind when disposing of potentially sensitive information:

- What is being put out in the rubbish?

- Was that shredded document completely shredded? Could the pieces be put back together?

- Who might have access to it?

Credit to:

Mr. Ford's Class

Which two of the following should be kept in mind when disposing of potentially sensitive information?

Choose 2 answers






Shoulder Surfing

Shoulder surfing consists of spying on the target to see what they are typing or doing on their device. This can be done without the target knowing they are being observed, or even with them realising it. Like dumpster diving, shoulder surfing is not itself a form of social engineering attack, but the technique is often used after other types of attack have been used to gain the target's trust and make them feel at ease around the engineer. The technique simply would not be effective if trust had not already been established, as the target would be wary and would most likely ask why the attacker is looking at their device; this is why it is vital that trust is formed between the attacker and the victim first. Once the target drops their guard and feels assured that the engineer is trustworthy, the engineer only needs to look out for things like usernames and passwords. The attack usually goes under the radar because the victim does not suspect the engineer of being malicious, thanks to the trust built up between the two. A more advanced form of shoulder surfing is where an attacker views the target's computer or keyboard via a webcam or nearby CCTV. Students should be vigilant when using their devices in lectures, in the library and even on public transport during their daily commute, as you never know who might be looking over your shoulder.

Credit to:

Mr. Ford's Class

Which two of the following are more advanced forms of shoulder surfing?

Choose 2 answers






Tailgating

Tailgating is a form of social engineering attack that aims to gain physical access to a restricted area, usually by exploiting the good nature of authorised users until the attacker reaches the desired location, whether that is a company's office building or a staff room in a shop. Tailgating is a very popular attack, which makes it a major security concern for businesses today.

Because most restricted areas have some form of security in place, such as a security guard, keypads, authentication cards or biometrics, the engineer must manipulate a user who holds these credentials into giving them access to the restricted area.

Once the attacker has access to the restricted area they can cause a vast amount of damage to the target through data breaches, data tampering, data theft, malware attacks and so on.

One way a tailgating attack can be carried out is by pretending to be a delivery driver. All it takes to carry this method out is some high-vis clothing, a baseball cap and some empty cardboard boxes: the clothing helps impersonate a delivery driver and the boxes give an excuse to ask employees to hold the door open. Other methods include waiting outside the premises until an authorised user opens the door and rushing in before it closes, or telling the receptionist that an authentication card has been lost. All of these methods are easy to carry out, and if the company does not have good security measures and policies in place they can be very effective. Students should be wary of who may be lurking around when entering labs and rooms that require a code to be entered or a student ID to be scanned.

Credit to:

Mr. Ford's Class

Once the attacker gets access to the restricted area through tailgating vast amounts of damage can be caused. Which of the following is not an example of how an attacker can do damage?

Choose 1 answer






Phishing

Phishing is perhaps the most widely used social engineering attack. This form of attack capitalises on the friendliness of the victim as well as on scarcity. It usually involves obtaining information from the target over the Internet by impersonating a legitimate business or posing as a person of authority. The medium most commonly used is email, but the attack can also be carried out through any social media platform, phone calls and text messages. Once a medium has been selected the attacker may use spoofed emails or profiles to fool targets into thinking they are actually being contacted by legitimate companies or individuals. As well as bogus contact information, convincing bogus websites can be created and professionally constructed and formatted emails can be written; these can make even the most switched-on individuals fall victim to social engineering.

One notorious phishing scam that many people still fall for concerns a Nigerian person of high authority who claims that a large sum of money is available to the target and that all they have to do to claim it is provide some information. The information the attacker usually looks for is some form of personally identifiable information, which can be anything from a name and address to credit card details.

Spear Phishing

Spear phishing is a form of phishing attack where the target has been well researched and the attacker poses as a person the target trusts, such as a family member, co-worker or friend. The goal is the same as in an ordinary phishing attack; the only difference is that instead of spamming phishing emails to random individuals using bots, the attacker carefully researches the target using platforms like social media to gather intelligence that helps ensure the phishing attack succeeds.

Whaling

Whaling is exactly the same as spear phishing with regard to researching the target in detail and impersonating a trusted source; however, instead of targeting a person of little significance, the attacker tends to target a manager or CEO of a company, who has all the information the attacker desires. These attacks tend to be very slow and methodical, as they require a lot of profiling of the target so that it is possible to attack at the right time.

Vishing

Another form of phishing attack is vishing. Vishing is carried out using VoIP or mobile phones: the attacker configures a program to call numbers in a given region and, once a call is answered, the target hears a pre-recorded automated message stating, for example, that suspected fraudulent activity has been found on their bank account and instructing them to call another phone number. When the target phones the provided number, another automated message instructs them to enter their credit card information via their phone's keypad. This attack can be very effective, as it seems legitimate and requires little to no work from the attacker.

Seasonal Phishing Attacks

Student Awards Agency Scotland (SAAS) phishing scam emails are very common at the start of each academic year, targeting new and continuing students. Fake emails pretending to be from the Student Loans Company (SLC) notify students that their account has been suspended due to incomplete information. These emails may contain web links that lead to fake websites used to harvest personal details. If you are unsure about recent emails claiming to be from SAAS, or would like to know more, please visit https://www.saas.gov.uk/files/376/saas-fraud-policy.pdf. The graphic displays some of SAAS's advice.

Police are warning of a new phishing text message scam telling people that they are ‘eligible’ for the COVID-19 vaccination. The scam message reads: “we have identified that you are eligible to apply for your vaccine.” It also links to a convincing but fake NHS page which then asks for bank details. If you receive a text or email that asks you to click on a link or to provide information such as your name, credit card or bank details, it is likely to be a scam. Protect yourself by following this advice:

- Do not open attachments or click on links in emails or texts from numbers you don’t know

- Never give out your personal information, banking details or passwords in response to an email, text or phone call without verifying that the caller is who they say they are

- Block any numbers you find suspicious

- Always go to a website directly by typing out the address yourself when logging into an account - do not click on links

- Check for spelling mistakes in messages and emails

Scams can come in many forms and this one is just the latest attempt by fraudsters to exploit the pandemic for financial gain. The only genuine website you will be asked to visit regarding test and trace is https://contact-tracing.phe.gov.uk.
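The advice above (check where a link really goes, and only trust the genuine address) can be turned into a simple check. The following Python script is an added example and is not part of the course page or of SAAS's or NHS's materials: it allows only the two genuine domains the page names and marks every other link as suspicious, including hosts that merely contain a genuine name. The sample message is constructed.

```python
from urllib.parse import urlsplit

# Allow-list of the domains the course page names as genuine (constructed for this example).
GENUINE_DOMAINS = ("saas.gov.uk", "contact-tracing.phe.gov.uk")

# Constructed sample message in the style of the SLC/SAAS scam described above.
SAMPLE_MESSAGE = (
    "Your SLC account has been suspended due to incomplete information. "
    "Verify at https://saas.gov.uk.account-verify.example/login within 24 hours. "
    "Official guidance: https://www.saas.gov.uk/files/376/saas-fraud-policy.pdf"
)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        parts = urlsplit(url.strip())
        if not parts.scheme:  # bare 'www.example.net/...' style links
            parts = urlsplit("http://" + url.strip())
        return (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_genuine_link(url: str) -> bool:
    """True only if the host is a genuine domain or a subdomain of one.

    Matching on the parsed host, not on the whole URL string, defeats the usual
    tricks: a genuine name used as a subdomain of the attacker's host
    (saas.gov.uk.account-verify.example), a genuine name hidden in the path
    (example.net/saas.gov.uk), and userinfo tricks (https://saas.gov.uk@example.net).
    """
    host = host_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def triage_message(text: str) -> list:
    """Return (url, verdict) pairs for every http(s) link in a message body."""
    results = []
    for token in text.split():
        if token.startswith(("http://", "https://")):
            url = token.rstrip(".,;:)")  # drop trailing sentence punctuation
            results.append((url, "genuine" if is_genuine_link(url) else "SUSPICIOUS"))
    return results


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```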

Credit to:

Mr. Ford's Class

Which of the following describes a vishing attack?

Choose 1 answer






Reverse Social Engineering

Reverse social engineering works in such a way that the target appears to come to the attacker for help, rather than the attacker approaching the target. This type of attack can be extremely hard to execute as it requires a lot of planning and patience. It tends to begin with the sabotage stage, in which the attacker attempts to tamper with the target's device or give the appearance that something is not working as it should. The attacker then moves on to the advertising stage, leaving contact information or name-dropping someone who can apparently fix the issue; this can be done through pop-ups, business cards and so on. If the advertising stage is done correctly the target will get in touch with the attacker's bogus contact, at which point the attacker moves on to the final stage, the assisting stage. In the assisting stage the attacker helps the target with their issue while gaining the information they require.

An example of a reverse social engineering attack would be the attacker first sabotaging a computer network and then impersonating a technician to assist with and solve the problem for the target. This approach is often successful because the victim gives up information such as login details more easily: if you are contacted by someone who asks for your password you will be hesitant to give it, but if you call a technician and they request your password you are more likely to hand it over.

What are the 3 stages of a reverse social engineering attack?

Choose 3 answers






Feel you've learned enough? Try the quiz below!

Different social engineering attacks are described below; fill in the blanks by dragging the missing answer.

Options:

- Dumpster Diving
- Birthday attack
- Tailgating
- Reverse Social Engineering
- Denial of Service
- Phishing
- Shoulder Surfing
- Spear Phishing
- SQL injection attack
- Whaling
- Vishing
- Eavesdropping attack

1. ____ is an attack in which someone without the proper authentication follows an authenticated person into a restricted area.
2. ____ is the practice of digging through a company's trash bins to gain information.
3. A criminal practice where thieves steal your personal data by spying over your shoulder as you use a laptop, ATM, public kiosk or other electronic device in public is known as ____.
4. An attack in which the attacker does not initiate contact with the victim, and instead the victim is tricked into contacting the attacker, is known as ____.
5. Phishing attacks can come in the following forms: ____, ____ and one other form being ____.


If you have completed the above you may move onto the Countermeasures page
