It’s long been acknowledged that human beings are the weakest link in any organisation’s cybersecurity. Education and training campaigns by employers, government agencies, and other professionals have raised awareness of social engineering tactics, and regularly remind users to be alert, but as with any form of cyber attack, the methods used by cyber criminals to lure their victims in are also evolving, using the latest technologies to fool people into giving up money, data, or access.

What is social engineering?

Social engineering are scams that manipulate people into revealing sensitive information to cyber criminals, or providing them with access to a system or network, to use in a cyber attack.

Social engineering scams are built on using the way the people think and act. They often use familiar technologies and combine them with emotions, to manipulate people into acting without thinking.

Social engineering tactics may also exploit people’s lack of knowledge about the value of their information, or the amount of information needed to provide a service.

One of the most prolific social engineering tactics is phishing (see below), but attackers are constantly updating their methods. Below is a list of some of the tactics on the rise in 2021.

Tactic 1: Phishing emails

Phishing is one of the most prolific social engineering tactics, accounting for up to 70% of all cyber attacks. It has been around a long time, and continues to be used simply because it is cheap to carry out, and still relatively successful, especially during the early days of the Covid-19 pandemic when people were concerned about money and confused about what was going on around them.

Phishing emails are emails sent by scammers who want to trick you into pressing a button, downloading a file, or clicking on a link that will enable them to download malware onto your device. The emails will often use official branding and wording to confuse victims, and often play on their emotions with lines such as “don’t miss out”, “act now”, and more.

What can you do about phishing emails?

While phishing emails are getting more sophisticated, there are still often many tell-tale signs that the email is a scam.

When you receive a suspicious looking email, look for poor spelling or grammar, content errors that don’t quite add up, excessive requests for information, nonsensical sender email addresses made up of a string of numbers and letters, hidden domain names, and shortened links.

In addition, never share sensitive information over email to someone you don’t know.

Tactic 2: Smishing

Smishing can be defined as phishing via SMS or text message. These scam messages are designed to entice users into giving up personal information, or downloading a piece of malicious software to their phone via a link or document sent in the message.

While smishing has been around for a while, smishing social engineering tactics are growing as people become accustomed to doing more and more actions on their phone, including using text messages for security verification purposes. In addition, people are just not as aware of smishing social engineering tactics as they are of phishing, so the returns are greater for scammers.

Smishing is also evolving to messaging apps such as WhatsApp. A smishing attack earlier this year spread a worm to Android phones through a link to a fake app sent from user to user in spam text messages.

What can you do about smishing attacks?

Number one is slow down. People are often quick to tap on links in text messages before they have read the message or thought about what they are doing. Slow down, think about the contents of the message, and try to verify the sender.

Some smishing attacks lead to an app, often outside an official app store. Never download an app from anywhere other than an official app store which will have some security protection.

Tactic 3: Malicious QR codes

QR codes are increasingly being used by businesses for any number of purposes including payments, account authentication, and more. The Covid-19 pandemic also increased the use of QR codes as businesses looked for touchless technologies, for example in places of paper menus in restaurants, diners can scan a QR code and download the menu to their smartphone.

As a result, malicious QR codes have become social engineering tactics as scammers send QR codes within phishing emails and smishing texts in place of links to redirect users to their malicious downloads or sites. Malicious QR codes are also used in clickjacking schemes, where QR codes are placed in public places offering more information for visitors, but in reality the QR code leads to a malicious site.

Avoid getting caught out by a malicious QR code:

As with phishing or smishing, don’t scan a QR code within an email if you don’t know and trust the sender. If you see a physical QR code sticker, check that it is the original QR code, and not a sticker that has been stuck on top. Use a QR scanner that checks or displays the link before it follows it.

Tactic 4: Deepfake videos

Deepfake videos are faked videos or audio recordings that look and sound totally genuine. The name deepfake comes from the use of deep learning artificial intelligence to create videos that are so realistic most viewers will never notice that it is a fake. One of the most famous examples of a deepfake video is a public service announcement by Barack Obama.

Deepfake videos are being used in social engineering scams whereby a ‘trusted figure’ is used to trick people into providing or transferring money to malicious actors, including most famously a deepfake audio clip that convinced a company CEO to transfer money to his parent organisation.

What can you do about malicious deepfake videos?

Cybersecurity training and knowledge is one of the best ways to combat deepfake videos.

Knowledge of good cybersecurity practices will help you ask the relevant questions to assess the situation. For example: Does what you are hearing and seeing make sense? Is it the usual way things work, or does it look unusual? Can you verify the instructions with another source before following them?

Tactic 5: Browser push notifications

Another oldie but a goodie, browser push notifications or popups asking for approval before performing an action have been around for a long, long time.

However they are still being used as social engineering tactics by scammers because they are effective when people skip reading the notification and simply click yes to get to their destination. Once the user clicks the approve button, the notification will divert them to their malicious site, spam them with phishing emails, or download malware through the link.

What can you do about browser push notifications?

This is one form of social engineering that can be avoided through a technical solution. Effective, up to date network security including an antivirus package and browser protection should be able to block many of the push notifications in the first place, or block the malicious site or download if a user does click yes.

In addition training to remind users to slow down and check what the push notification is asking for will also reduce the success of these scams.

Tactic 6: Targeted professional user forums

A new form of social engineering uncovered by Google is targeting the security research community, potentially with the aim of getting insights from the actual people working on vulnerability research and development at different companies. This targeted form of social engineering uses a fake research blog claiming to have successfully identified several exploits, and multiple Twitter profiles to attract their target audience.

After establishing initial communications they then ask the researcher to collaborate on vulnerability research. If the researcher agrees, the attackers send malware through a Visual Studio Project and accompanying DLL.

The research blog itself also contains malicious links within articles.

This targeted form of social engineering is new, but could impact on any group of professionals with any form of target in future.

Avoid getting caught out in a user forum

The case study from Google demonstrates that even people in the field can be caught out. However once again training and knowledge are your friend.

Never provide professional or company information in an open forum. If you do decide to collaborate with another person, verify their identity before accepting any downloads from them or sending them any personal or corporate information. In the Google example above, the suspects are from North Korea, so a simple phone call could help verify their authenticity.

Social engineering tactics are here to stay

Wherever there are humans with money, information, or access to provide, there are social engineering tactics. The enduring nature of phishing emails, and the evolution of social engineering using new technologies demonstrates just how profitable these scams are for the scammers.

While technological solutions can be used to mitigate against some of these methods, at the end of the day, the greatest tool against social engineering is training and education. Supporting people to recognise the signs and avoid falling into the traps, is the best way to prevent the exposure of networks and organisations to scammers.

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

6 social engineering tactics in action in 2021 and what to do about them

What is social engineering?

Tactic 1: Phishing emails

Tactic 2: Smishing

Tactic 3: Malicious QR codes

Tactic 4: Deepfake videos

Tactic 5: Browser push notifications

Tactic 6: Targeted professional user forums

Social engineering tactics are here to stay

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected