The Top Phishing and Social Engineering Techniques in Hacking

Today’s cyber attackers use a variety of tactics to trick employees into giving them access to sensitive data. These bad actors have watched and learned over time to identify the best ways to manipulate victims psychologically. Thanks to decades of experience, today’s attacks are advanced and tailored to the interests and concerns of people today. Phishing and social engineering are tactics that have been around for a while, but they have evolved. 

What Are Phishing and Social Engineering?

Social engineering is an overarching term for any technique an attacker uses to manipulate people and get access to something restricted (i.e., sensitive data, servers at an in-person office, user credentials for an employee, etc.) 

Phishing falls under the “social engineering” category because it’s a form of psychological manipulation that uses an email, text, phone call, or malicious website to obtain information remotely. Usually, the bad actor poses as a trusted and familiar entity, then tricks the user into giving sensitive data to them based on this trust. Since so many companies are remote, the virtual nature of phishing makes it an ideal social engineering tactic for attackers to use. 

Bolstering your organization’s knowledge is the best first step in combatting cyber threats. By spreading awareness, strengthening phishing reflexes, and encouraging understanding of the top phishing and social engineering techniques in hacking, teams can better protect themselves against cyber-risks.  

Types of Phishing Attacks

Phishing can be executed in several ways— through different channels, with various psychological tactics, and with multiple targets in mind. 

Spear phishing

Spear phishing means that the attacker is targeting a particular person/audience. The hacker takes the time to “get to know” the person: understanding which websites they regularly use, who inside their company might contact them most frequently, what types of projects they might be working on, etc. Then, they perform the attack by posing as a trusted website or a co-worker that the target knows. The attacker also takes steps to send a request that makes logical sense, based on the person’s job description and daily tasks, along with some contextual information to make the request more believable. 

“Whaling” is a type of spear-phishing that targets high-profile victims. Although more challenging, advanced attackers still attempt whaling because of the vast benefits they might reap from their efforts. After all, gaining access to a CEO’s user credentials could give a bad actor the “keys to the kingdom.”

Smishing/vishing

Smishing utilizes SMS (texts) rather than emails to perform a phishing attack. Often, smishing involves sending a link over a text message. When the victim clicks on this link, it directs them to a malicious website that can steal information from their phone within seconds. 

Similarly, vishing uses voice conversations over the phone to gain the victim’s trust, then convinces them to give the attacker some kind of sensitive information. Usually, smishing and vishing use personal details, as well as urgency to feign their legitimacy and increase the sense of pressure. Both techniques gain the victim’s trust and/or cause them to panic, making them more likely to share the requested sensitive data or click on the link without a second thought.

Business email compromise

Business email compromise (BEC) works best on companies that perform wire transfer payments regularly. Often, a hacker will use business email compromise to target organizations that do business with foreign entities. These third parties can be vendors, suppliers, or office locations in other countries. The attacker’s goal in most business email compromise attacks is to compromise a legitimate business email account, usually a manager’s user credentials, then use it to manipulate victims. They will often use this account to trick employees into conducting fund transfers straight into the attacker’s bank account. 

Phishing Techniques

To perform these types of phishing attacks, attackers use a few manipulative tactics. They put these tricks into play to gain trust and drive urgency. These tactics include:

CEO impersonation 

Attackers often impersonate a C-level executive to incite fear within the victim and cause them to react without strategically examining the email or text. After all, no one wants to get in trouble at their job by delaying a request from someone of importance. 

Pretexting 

Pretexting is the made-up scenario in which the attacker spins to convince the victim to give up information. Bad actors usually don’t just send a malicious email without context. They will write a message about why they are sending the email and how it is imperative that the victim clicks on the link or performs the action as soon as possible. Usually, pretexting has elements of truth and fiction, making the situation more believable. 

Wide net phishing with common services

Attackers use trusted platforms such as Zoom, Slack, or TikTok to perform large-scale phishing schemes. They create a spoofed login page to one of these trusted and recognizable websites, then trick users into logging in onto this fake login site with their actual credentials. 

Awareness of the various types of phishing and social engineering tactics can bring up a deep concern, but with knowledge comes power. Security awareness is the first step to creating a more secure environment for your organization.

Using emotions 

Hackers tune into current events to send timely, emotionally charged messages. For example, they might use messaging related to the pandemic, a major company’s massive layoff, or anything else that encourages fear. 

We’re all human, and humans have emotions.
Learn the Emotions of a Social Engineering Attack so they don’t get the best of you.

More Resources to Combat Social Engineering

• Tool: Phishing Simulations
• Tool: Awareness Videos
• Infographic: The Emotions of Social Engineering
• Webinar: How to Spot a Phish: Tips to Spoil Advanced Phishing Attempts