Social engineering is one of the most difficult cybersecurity threats to protect against. By definition, it targets human fallibility — flaws in human reasoning. Cybercriminals may work full-time figuring out how to trick people and sharing best practices, but employees at your organization have other jobs to do. There’s a knowledge imbalance between the digital con artists and their would-be victims. That’s why cons work.
One way to inoculate staff against falling prey to this kind of manipulation is through education and training. Security awareness training often avoids bogging employees down with security jargon, which sounds like a good idea. Nontechnical employees and executives normally shouldn’t have to become security experts. But in the realm of social engineering protection, knowing the jargon is one of the most powerful tools we have to educate staff.
The reason is that the definitions of these terms contain within them the methods. To know the words is to expect the attacks — or recognize them when they occur. It’s time to integrate the learning and memorization of social engineering jargon into every security training session. By learning these words cold, employees will also learn to avoid falling prey to social engineering attacks.
Social Engineering Vocab to Add to Your Next Security Training
Here is the basic vocabulary that everyone in your organization should know.
Phishing is an umbrella term for any fraudulent attempt to obtain sensitive information by posing as a trusted person or organization in an electronic communications medium, usually email.
When the attempt arrives by text message (SMS), it is called smishing. Smishing works because many users are more trusting of texts than of email, and because a phone's small screen and shortened links make a suspicious URL harder to inspect.
Vishing (voice phishing) is when an attacker uses a phone call to trick victims into giving up sensitive information such as passwords or one-time codes. Perpetrators typically place the calls over Voice over Internet Protocol (VoIP), which makes caller-ID spoofing easy, and misrepresent themselves as employees of a bank or other trusted organization.
The basic, bulk form of phishing spams large numbers of people with generic messages that link to many different fraudulent URLs, in the hope of tricking a small percentage of recipients into giving up sensitive information. Using many URLs gives the campaign resilience: if some are taken down, the others keep working.
Rather than spamming large numbers of generic messages, spear phishing campaigns send a small number of customized messages, containing recognizable or relevant content, to a small number of people. Customization requires some knowledge of the target, which attackers gather from social media, company websites and earlier data breaches. The most obvious version is an email to people in a company that appears to come from a colleague in the same company. The more specific and targeted the attack, the more effective it can be.
Sitting somewhere between generic bulk and specific spear attacks is the snowshoe attack, in which semitargeted emails are sent in batches small enough to stay below the volume thresholds that trigger spam filters, yet numerous enough to amount to mass emailing. Snowshoe campaigns spread the load across a large number of sender IP addresses and domains, with a low number of emails from each, so that no single source builds a bad reputation. Snowshoe describes a spamming technique and applies whether the payload is phishing or merely unwanted advertising.
Hailstorm attacks take the opposite approach. Instead of flying under the radar, they try to beat spam filters to the punch, blasting out a very large number of emails in a short burst and finishing the send before reputation-based filters have time to react and update their rules.
In clone phishing, a legitimate email that the target may already have received, from, say, a financial institution or government entity, is copied almost verbatim, complete with graphics, but with the links (or attachments) swapped for malicious ones.
Whaling attacks target top employees, such as CEOs, CFOs or CIOs. These targets are appealing to cybercriminals because more information about them is publicly available, and because they typically have broader access to sensitive information and the authority to approve payments.
Tabnabbing exploits the habit of keeping many browser tabs open. A page the user has left sitting in a background tab, often one that looked harmless when it was opened, waits until it detects that the user has been away for a while and then rewrites itself into a copy of a familiar login form, complete with the right page title and icon. Returning to the tab, the user assumes a legitimate session simply timed out and enters credentials to log back in; the attacker then uses those credentials to log into the real site.
A related pop-up trick relies on the same habit. Pop-up messages appear, and a user cannot easily tell which of a dozen open tabs produced one. A malicious page in one tab can therefore show a pop-up styled to look as if it came from another, for instance a bank's site, asking for, among other things, login credentials. Browsers isolate tabs from one another, so the malicious page generally cannot read what the user has open elsewhere and has to guess; that is also why the attack works in a less targeted form, since a generic "your session has expired, please sign in" pop-up will fool enough users to be worthwhile.
Reverse tabnabbing works in the other direction. When a page opens a link in a new tab (for example with target="_blank") without rel="noopener", the newly opened page receives a reference to the original tab (window.opener) and can navigate that original tab to a fraudulent copy of the site the user was on. The user switches back, finds what looks like a timed-out session, and types in a username and password, which are stolen. Current browsers open target="_blank" links with noopener behaviour by default, but older browsers, and pages that call window.open() without that flag, remain exposed.
Email spoofing is forging an email's headers, most often the From line, so that the message appears to come from a legitimate or friendly source. The technique is also used to evade spam filters and as part of identity theft schemes. Sender-authentication standards (SPF, DKIM and DMARC) let a receiving mail server reject many outright forgeries of a protected domain, but they do nothing against a look-alike domain or a forged display name over a throwaway address, so the From line still deserves a second look.
Website forgery is either a fake but legitimate-looking website, or a fraudulent replica of a real site, built to trick users into giving up sensitive information.
The next three terms are all forms of one broader trick: hiding a URL, or making users believe a fraudulent URL is legitimate.
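The header-level signs that a message's apparent sender has been forged can be checked mechanically. The following is an added example, not code from the original article: it parses a raw message with Python's standard library and reports the mismatches a mail gateway or analyst would look for (envelope sender versus From, Reply-To pointing elsewhere, an address smuggled into the display name, and non-passing SPF/DKIM/DMARC verdicts). Both sample messages, the domains in them and the Authentication-Results text are constructed for the example.

```python
"""Flag common signs of a spoofed sender in a raw email (Python stdlib only)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From header impersonates a
# bank, but the envelope sender and the receiving server's SPF verdict say otherwise.
SPOOFED = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-secure.example.net
To: victim@example.org
Subject: Urgent: verify your account

Please log in at the link below to confirm your identity.
"""

# Constructed clean message from the same bank, for comparison.
LEGITIMATE = b"""\
Return-Path: <bounce@examplebank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement

Your statement is available in online banking.
"""

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message):
    """Return a list of (indicator, detail) pairs; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Envelope sender (Return-Path) comes from a different domain than the visible From.
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append(("return-path-mismatch", f"{_domain(rp_addr)} != {from_dom}"))

    # 2. Reply-To silently redirects answers to another domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(("reply-to-mismatch", _domain(reply_addr)))

    # 3. The display name contains an address whose domain differs from the real one,
    #    e.g. From: "ceo@examplebank.com" <someone@freemail.example>
    m = ADDR_IN_TEXT.search(from_name)
    if m and _domain(m.group(0)) != from_dom:
        findings.append(("display-name-address", m.group(0)))

    # 4. The receiving server's Authentication-Results header: anything other than
    #    "pass" for SPF, DKIM or DMARC is worth surfacing.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        res = re.search(rf"\b{mech}=(\w+)", auth)
        if res and res.group(1).lower() != "pass":
            findings.append((f"{mech}-not-pass", res.group(1)))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoof_indicators(raw))
```

Note that the Authentication-Results header is only trustworthy when it was written by your own receiving server; an attacker can add a fake one, which is why gateways strip any copy that arrives from outside before adding their own.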
Users can't spot a suspicious URL they can't see. That's why phishers prefer HTML email, where the visible link text can say one thing (even a correctly spelled legitimate address) while the underlying hyperlink points somewhere else. Malicious URLs can also be hidden behind URL shorteners, which reveal nothing about the destination, or inside PDF attachments. Hovering over a link to reveal the real destination before clicking is the basic defence.
Cybercriminals have long registered domain names similar to those of major brands, in the hope that someone will mistype the intended address and land on theirs. This is usually called typosquatting; related labels include URL hijacking, fake URLs, cybersquatting and brandjacking. Such domains are also used in phishing emails, because victims may not notice a subtle misspelling and click with confidence.
Domain names can contain letters from many alphabets, and some letters in different alphabets look identical. A homograph attack exploits this to build a fraudulent domain that looks legitimate on screen. For example, substituting a lowercase Cyrillic "а" for the Latin "a" produces a name that reads as English but is, to the domain name system, an entirely different domain, because the non-ASCII name is converted to its Punycode form (a label beginning with xn--) before it is looked up. Financial institutions with the letter "a" in their names, such as Bank of America or PayPal, are frequent subjects of homograph attacks. Modern browsers display many mixed-script names in their Punycode form to blunt the trick, but their rules do not catch every case.
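The two link-level problems described on this page, hidden URLs in HTML email and target="_blank" links that leave window.opener available for reverse tabnabbing, can be caught by the same audit of a page's anchor tags. The following is an added example and not code from the original article: it walks the anchors in an HTML body with Python's standard library and flags link text that names one host while the href points at another, links that go through a URL shortener, and new-tab links without rel="noopener" or rel="noreferrer". The HTML sample, the hosts in it and the shortener list are constructed for the example.

```python
"""Audit <a> tags in an HTML body for hidden URLs and opener leaks (Python stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from any real message or site).
SAMPLE_HTML = """
<p>Your statement is ready at
<a href="http://203.0.113.5/login">https://www.examplebank.com/statements</a>.</p>
<p>See also <a href="https://bit.ly/3abcXYZ">our privacy policy</a> and
<a href="https://partner.example.net/offers" target="_blank">partner offers</a>.</p>
<p>Contact <a href="https://www.examplebank.com/help" target="_blank" rel="noopener noreferrer">support</a>.</p>
"""

# Assumed short list of shortener hosts; extend for production use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collect (attributes, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _host_in_text(text):
    """If the visible link text itself looks like a URL or bare domain, return its host."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return _host(candidate)


def audit_links(html):
    """Return (finding, link_text, href) triples in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, text in parser.links:
        href = attrs.get("href") or ""
        href_host = _host(href)
        # Hidden URL: the text names a host, but the link goes somewhere else.
        text_host = _host_in_text(text)
        if text_host and text_host != href_host:
            findings.append(("text-href-mismatch", text, href))
        # Shortener: the destination is unknowable without following the redirect.
        if href_host in SHORTENERS:
            findings.append(("shortener", text, href))
        # Reverse tabnabbing: a new-tab link without noopener/noreferrer hands the
        # opened page a window.opener it can use to navigate this tab.
        if (attrs.get("target") or "").lower() == "_blank":
            rel = (attrs.get("rel") or "").lower().split()
            if "noopener" not in rel and "noreferrer" not in rel:
                findings.append(("opener-leak", text, href))
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(*finding)
```

The mismatch check deliberately fires only when the visible text is itself a URL or domain; ordinary link text such as "click here" is not a mismatch, just a reason to hover before clicking.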
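Both of the look-alike tricks above, typosquatting and the homograph attack, can be checked against a list of the brand domains an organization cares about. The following is an added example, not code from the original article: it shows the Punycode name that DNS actually resolves for a Cyrillic-"а" PayPal look-alike, flags labels that mix scripts, and compares a candidate domain to the brand list after mapping confusable characters to the Latin letters they imitate and measuring edit distance for plain typos. The confusables table is a small hand-picked subset of the Unicode confusables data, the brand list is constructed, and the example uses only the Python standard library.

```python
"""Look-alike domain checks: Punycode form, mixed-script labels, typo distance (stdlib only)."""
import unicodedata

# Small subset of the Unicode confusables table (UTS #39): characters that render like a
# Latin letter, mapped to that letter. A real deployment would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",  # Cyrillic х у і ј ѕ
    "\u03bf": "o", "\u03b1": "a",                                                # Greek omicron, alpha
    "1": "l", "0": "o",                                                          # digit/letter swaps
}


def to_punycode(domain):
    """The ASCII name DNS actually resolves: non-ASCII labels become xn-- labels."""
    return domain.encode("idna").decode("ascii")


def _script(ch):
    # Unicode character names begin with the script, e.g. "CYRILLIC SMALL LETTER A".
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_labels(domain):
    """Labels whose letters come from more than one script: the classic homograph signal."""
    flagged = []
    for label in domain.split("."):
        scripts = {_script(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((label, sorted(scripts)))
    return flagged


def skeleton(domain):
    """Replace confusable characters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in domain.lower())


def edit_distance(a, b):
    """Levenshtein distance, the usual measure for typosquat candidates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands, max_distance=1):
    """Brands the candidate imitates, as (brand, reason) with reason 'confusable' or 'typo'."""
    skel = skeleton(domain)
    hits = []
    for brand in brands:
        if domain == brand:
            continue
        if skel == brand:
            hits.append((brand, "confusable"))
        elif edit_distance(skel, brand) <= max_distance:
            hits.append((brand, "typo"))
    return hits


if __name__ == "__main__":
    BRANDS = ["paypal.com", "examplebank.com"]  # constructed list of brand domains to protect
    for candidate in ["p\u0430ypal.com", "paypa1.com", "paypall.com", "paypal.com"]:
        print(candidate, to_punycode(candidate), mixed_script_labels(candidate),
              lookalike_of(candidate, BRANDS))
```

The Punycode form is the one to put in block lists, certificate-transparency searches and DNS logs, since that is the string every resolver and log sees; the mixed-script test is cheap enough to run on every URL in inbound mail.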
Know the Names, Prevent the Attacks
Because phishing and other social engineering attacks are so common, it's vital to stay a step ahead of scammers with advanced security tools and/or managed security services.
Training is the other necessary component. When training employees about cybersecurity, by all means try to avoid jargon and speak in plain language so everyone can understand. But when it comes to social engineering training, make sure every employee learns the names of specific attacks. Yes, raise awareness with phishing simulations and other smart exercises — but also teach the vocab. To know the names is to know the attacks, and to know the attacks is to recognize them when you’re the target.