The Top Phishing and Social Engineering Techniques in Hacking


Today’s cyber attackers use a variety of tactics to trick employees into giving them access to sensitive data. These bad actors have watched and learned over time to identify the best ways to manipulate victims psychologically. Thanks to decades of experience, today’s attacks are advanced and tailored to the interests and concerns of people in 2022. Social engineering and phishing are tactics that have been around for a while, but they have evolved. 

What Are Social Engineering and Phishing?

Social engineering is an overarching term for any technique an attacker uses to manipulate people into granting access to something restricted (e.g., sensitive data, servers at an in-person office, an employee’s user credentials, etc.).

Phishing falls under the “social engineering” category because it’s a form of psychological manipulation that uses an email, text, phone call, or malicious website to obtain information remotely. Usually, the bad actor poses as a trusted and familiar entity, then tricks the user into giving sensitive data to them based on this trust. Since so many companies are remote, the virtual nature of phishing makes it an ideal social engineering tactic for attackers to use. 

Bolstering your organization’s knowledge is the best first step in combatting cyber threats. By spreading awareness and encouraging understanding of the top phishing and social engineering techniques in hacking, teams can better protect themselves against cyber-risks.  

Types of Phishing Attacks

Phishing can be executed in several ways: through different channels, with various psychological tactics, and with multiple targets in mind. 

Spear phishing

Spear phishing means that the attacker is targeting a particular person/audience. The hacker takes the time to “get to know” the person: understanding which websites they regularly use, who inside their company might contact them most frequently, what types of projects they might be working on, etc. Then, they perform the attack by posing as a trusted website or a co-worker that the target knows. The attacker also takes steps to send a request that makes logical sense, based on the person’s job description and daily tasks, along with some contextual information to make the request more believable. 

“Whaling” is a type of spear phishing that targets high-profile victims. Although more challenging, advanced attackers still attempt whaling because of the vast benefits they might reap from their efforts. After all, gaining access to a CEO’s user credentials could give a bad actor the “keys to the kingdom.”

Smishing/vishing

Smishing utilizes SMS (texts) rather than emails to perform a phishing attack. Often, smishing involves sending a link over a text message. When the victim clicks on this link, it directs them to a malicious website that can steal information from their phone within seconds. 

Similarly, vishing uses voice conversations over the phone to gain the victim’s trust, then convinces them to give the attacker some kind of sensitive information. Usually, smishing and vishing use personal details, as well as urgency, to feign legitimacy and increase the sense of pressure. Both techniques gain the victim’s trust and/or cause them to panic, making them more likely to share the requested sensitive data or click on the link without a second thought.

Business email compromise

Business email compromise (BEC) works best on companies that perform wire transfer payments regularly. Often, a hacker will use business email compromise to target organizations that do business with foreign entities. These third parties can be vendors, suppliers, or office locations in other countries. The attacker’s goal in most business email compromise attacks is to compromise a legitimate business email account, usually a manager’s user credentials, then use it to manipulate victims. They will often use this account to trick employees into conducting fund transfers straight into the attacker’s bank account. 

Phishing Techniques

To perform these types of phishing attacks, attackers use a few manipulative tactics. They put these tricks into play to gain trust and drive urgency. These tactics include:

CEO impersonation 

Attackers often impersonate a C-level executive to incite fear within the victim and cause them to react without strategically examining the email or text. After all, no one wants to get in trouble at their job by delaying a request from someone of importance. 
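The two sections above (business email compromise and CEO impersonation) describe indicators a mail gateway or SOC can check mechanically: an executive’s display name paired with a sender address that is not theirs, a Reply-To that leads outside the company, and urgency or payment language. The following Python script is an added example, not code from the original article or from Defendify; the corporate domain, executive list, keyword sets and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound mail for executive-impersonation and BEC
indicators. Added example, not from the article; every name, domain and
message below is constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: a defender-maintained list of the organisation's own domain and
# the people most often impersonated, mapped to their real addresses.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}

# Keyword sets are deliberately small; a production filter would tune these.
URGENCY_WORDS = {"urgent", "immediately", "asap", "right away", "before end of day"}
PAYMENT_WORDS = {"wire transfer", "bank details", "payment", "invoice", "gift card"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message and a simple additive score."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()
    findings = []

    # CEO impersonation: a known executive's name on an address that is not theirs.
    name = display.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display name with non-corporate sender address")
    # BEC via a compromised or spoofed account: replies are steered elsewhere.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append("reply-to domain differs from sender domain")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency language")
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("payment / wire-transfer language")
    return {"from": addr, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real mail).
IMPERSONATION = """\
From: Jane Doe <jane.doe@gmail-mail.example>
To: accounts@example.com
Reply-To: jane.doe@gmail-mail.example
Subject: Urgent wire transfer needed today

Are you at your desk? I need a wire transfer to a new vendor sent immediately.
I'm in a meeting, so reply here rather than calling.
"""

COMPROMISED = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Reply-To: jane.doe.ceo@webmail.example
Subject: Quick favor

Can you buy some gift cards for a client right away? I'll reimburse you.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning notes

Attached are my notes from yesterday's planning session. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The score is only a triage aid: the impersonation and compromised samples each trip three indicators, the benign note trips none. In practice the display-name check is the one that catches the “CEO in a meeting, wire the money” pattern before a reader has to think about it.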

Using emotions 

Hackers tune into current events to send timely, emotionally charged messages. For example, they might use messaging related to the pandemic, a major company’s massive layoff, or anything else that encourages fear. 

Pretexting 

Pretexting is the fabricated scenario an attacker spins to convince the victim to give up information. Bad actors usually don’t just send a malicious email without context. They will write a message explaining why they are sending the email and why it is imperative that the victim clicks on the link or performs the action as soon as possible. Usually, pretexting mixes elements of truth and fiction, making the situation more believable. 

Wide net phishing with common services

Attackers use trusted platforms such as Zoom, Slack, or TikTok to perform large-scale phishing schemes. They create a spoofed login page for one of these trusted and recognizable websites, then trick users into logging in to this fake site with their actual credentials. 
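A spoofed login page has to live on a host that merely resembles the real service, so one defensive check is to compare every link’s hostname against the services the organisation actually uses. The script below is an added example, not code from the original article or from Defendify; the trusted-domain list, the sample message text and the hostnames in it are constructed, and the brand names are the ones the paragraph above mentions.

```python
"""Flag links whose hostname imitates a trusted service. Added example, not
from the article; the trusted-domain list and sample text are constructed."""
import re
from urllib.parse import urlparse

# Assumption: defender-maintained list of services the organisation uses.
TRUSTED_DOMAINS = {"zoom.us", "slack.com", "tiktok.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """'trusted' for the real service or its subdomains, 'lookalike' for hosts
    that borrow a brand name or sit within two edits of it, else 'unknown'."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name buried in another registrable domain, e.g. zoom.us.verify-login.example
        if brand in host:
            return "lookalike"
        # Typosquat such as s1ack.com
        if 0 < edit_distance(host, trusted) <= 2:
            return "lookalike"
    return "unknown"


def flag_links(text: str) -> list:
    """Return (url, verdict) for every http(s) link found in the text."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample message body (not a real phishing message).
SAMPLE = """\
Your recording is ready: https://us02web.zoom.us/rec/share/abc
Verify your account now: https://zoom.us.verify-login.example/signin
Workspace alert: https://s1ack.com/login
Release notes: https://docs.example.org/notes
"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE):
        print(f"{verdict:9s} {url}")
```

The first link is a genuine subdomain of the trusted service and passes; the second reuses the brand as a subdomain of an unrelated domain and the third is one character off, so both are flagged for review. An unknown domain is not automatically bad, which is why the verdict is kept separate from “lookalike”.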

Awareness of the various types of phishing and social engineering tactics can bring up a deep concern, but with knowledge comes power. Security awareness is the first step to creating a more secure environment for your organization.

TL;DR

  • Bad actors have watched and learned over time to identify the best ways to manipulate victims psychologically, and thanks to decades of experience, today’s attacks are more sophisticated than ever.
  • Phishing can be executed in several ways: through different channels, with various psychological tactics, and with multiple targets in mind.
  • Attackers use manipulative tactics to gain trust and drive urgency to perform phishing attacks.
  • Security awareness is the first step to creating a more secure environment for your organization.
