A type of cyberattack called social engineering increasingly targets senior executives.

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

According to Verizon’s 2019 Data Breach Investigations Report and Barracuda’s 2019 A Year in Security, senior executives are 12 times more likely to be the target of social engineering incidents, and nine times more likely to be the target of social breaches than in previous years. This makes it more important than ever to include executives and their staff in security awareness programs.

10 Cyberattack Techniques Used By Social Engineers

1. Pretexting: An invented scenario is used to engage a potential victim to try and increase the chance that the victim will bite. It’s a false motive usually involving some real knowledge of the victim (e.g. date of birth, Social Security number, etc.) in an attempt to get even more information.

2. Phishing: The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public.

3. Spear Phishing: In a spear phishing attack, threat actors use a deep knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they’re targeting. Unlike mass phishing emails which may be attempting to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, etc.

4. CEO Fraud: A staff member will receive an email from an individual purporting to be the executive. The email will instruct staff to make a payment or otherwise compromise the organization and to communicate via email.

5. Water Hole: This technique takes advantage of websites people regularly visit and trust. The attacker will gather information about executives to find out what those websites are, then test those websites for vulnerabilities. Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.

6. Bait: Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a movie download or it can be a USB drive labeled “Q1 Payroll” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.

7. Tailgate: A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.

8. Quid Pro Quo: Attackers offer a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support calling to say they have a quick fix and “you just need to disable your AV”. Anyone that falls for it gets malware installed instead.

9. Honeytrap: A trick that makes men interact with a fictitious attractive female online. From eponymous old spy tactics.

10. Rogue: A form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware.

BPI can guide your organization through developing cybersecurity awareness and training solutions that suit your staff and stay within budget. Let us help