Types of Social Engineering

Phishing: A cybercriminal tricks a user into doing the 'wrong thing', such as clicking a bad link that downloads malware or takes the user to a malicious website. Phishing can be done via social media, text message, email, or by phone. Often mass malicious emails are sent to many people requesting sensitive information, purporting to be from an online shopping site, government department, or bank, with the goal of obtaining your login credentials.

Spear Phishing: A malicious email is sent to a specific person, organisation, or business. This more targeted version of phishing is intended to look like it comes from a trustworthy person. Spear phishing typically follows research on the target, and the goal is theft of sensitive data. These emails may appear to be sent from an email address the user knows, contain information the recipient would be aware of, or impersonate a trusted brand or person in the organisation. They often convey a sense of urgency in the subject line, motivate the user to act, and direct the user to click on links or download attachments.

Whaling: A highly targeted phishing attack that appears to be a legitimate email and is sent to a senior executive. These more sophisticated emails often contain personalised information, use business language fluently, encourage an action, or request additional details that help the criminal carry out further attacks.
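The phishing, spear phishing and whaling entries above all name the same observable indicators: a sender that imitates a known contact or brand, urgency wording in the subject line, a link whose visible text does not match where it really points, and an attachment the recipient is asked to open. The following added example (not part of the original page, and not NHS code) scores a raw email against those indicators using only Python's standard library. The contact directory, the urgency keyword list and the two sample messages are constructed for illustration; a real deployment would take the directory from the organisation's address book and tune the keywords and score threshold to its own mail.

```python
"""Heuristic scoring of an email for the phishing indicators described above.

Added example, not the page's own material. The contact directory, keyword
list and sample messages below are assumptions constructed for the demo.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed directory of people the recipient knows: display name -> real address.
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@example-trust.nhs.uk"}

# Assumed urgency phrases; tune these to the organisation's own mail.
URGENCY_WORDS = ("urgent", "immediately", "action required", "within 24 hours", "suspended")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str) -> str:
    """Return the first host name in a URL or bare domain string, lower-cased ('' if none)."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", s, re.I)
    return m.group(1).lower() if m else ""


def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the indicators found plus a score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Sender imitates a known contact: same display name, different address.
    known = KNOWN_CONTACTS.get(display_name)
    if known and known.lower() != sender.lower():
        findings.append("display name of a known contact with a different address")

    # 2. Urgency wording in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency wording in subject")

    # 3. Links whose visible text names one host but whose href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = _LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        if _host(text) and _host(text) != _host(href):
            findings.append(f"link text names {_host(text)} but points at {_host(href)}")

    # 4. An attachment the recipient is asked to open.
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("attachment present")

    return {"from": sender, "findings": findings, "score": len(findings)}


# Constructed sample in the spear-phishing style described above (not a real email).
PHISH_SAMPLE = b"""From: Jane Smith <jane.smith@mail-example-trust.com>
To: user@example-trust.nhs.uk
Subject: URGENT: action required on your payroll record
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details within 24 hours at
<a href="https://example-trust-login.example.net/verify">https://example-trust.nhs.uk/payroll</a>
and review the attached form.</p>
--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign sample from the genuine contact (not a real email).
BENIGN_SAMPLE = b"""From: Jane Smith <jane.smith@example-trust.nhs.uk>
To: user@example-trust.nhs.uk
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Hi, the minutes are on the intranet page as usual. Thanks, Jane
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(score_message(sample))
```

Run as a script it scores the constructed phishing sample 4 (all four indicators) and the benign sample 0. Each indicator is weak on its own; the point of the example is that the page's indicators combine into something a mail filter or a triage analyst can act on, with the threshold chosen per organisation.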

Smishing: Phishing that exploits SMS, or text messages. The malicious message arrives on your phone and is crafted to look as though it comes from a genuine source; such messages may mimic real NHS messages.

Vishing: A phone call in which the caller asks you for sensitive information, such as banking details, by telling you your account has been compromised, there is suspicious activity, or that you are in legal trouble.

Water-holing: These attacks take advantage of the trust that users have in websites they visit regularly. The attack often compromises a specific group of users by infecting one or more websites they are known to visit. The goal is usually to gain access to an organisation's computer network by infecting one or more users' computers with malware.