Different Types of Attacks 1 Phishing Phishing is a way to obtain information such as usernames, passwords, and credit card details by masquerading as a trustworthy brand or person in an electronic communication. The most common example of phishing scams is those that target online banking customers, where users receive emails that appear to be from their bank asking them to click on a link to review recent transactions. The link takes users to a site that looks legitimate but is actually controlled by the attacker. The user then enters their name and password into the phishing website, which collects the user's login credentials and gives them access to your account. This allows attackers to drain your balances, utilize your services (loans/mortgages), purchase goods on your credit card, etc. 2 Vishing Vishing is a type of phone fraud that uses social engineering to obtain sensitive data from individual customers. Vishing schemes can take many forms, but most commonly, they appear as a customer service representative demanding verification of personal information through an automated recording or interactive voice response system. In another common scenario, individuals receive calls from falsely claiming to represent financial institutions, law enforcement agencies, court clerks, and other entities. The imposters play audio recordings asking for immediate action on a pressing matter such as the expiration of a password or placing funds at risk by sending a payment to a "new" country where money is held up in customs. Or they pose as government agents letting you know that tax auditors need your help immediately to correct an issue or that agencies need to know who your clients are. They then ask for personal information directly or guide the victim through an IVR system to enter their data. 3 Baiting Baiting attacks use a false promise to pique a victim’s curiosity. Then, they lure users into a trap that steals their personal information and infects their computers with malware. An attacker will send an email promising the victim some reward for completing a task, but instead of receiving what they expected, victims are handed over to attackers. The baiting attack deceives the customer into installing malicious software or submitting confidential information that can compromise their privacy or damage their machine(s). Baiting attacks depend on human psychology because many people are too curious not to click on something they aren’t supposed to. Once users have unknowingly downloaded potentially malicious content onto their devices, attackers take advantage of this opportunity and hijack systems. 4 Quid pro quo The perpetrator calls random employees in an organization, offering some service or benefit for them in exchange for information or access. It is done until one of the victims agrees to provide it - this victim becomes an insider threat to its security. An insider could reveal sensitive data through physical channels (phone calls), which might pose a significant threat to an organization's information security. After this data leaks, it should be easily detected, but if attackers used social engineering methods like pretexting and quid pro quo, their actions would be indistinguishable from legitimate requests. Attackers can quickly collect enough information about an organization's people, processes, and systems - gaining inside knowledge that will allow them much easier access into target network/systems. 5 Pretexting Pretexting is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task. The success rate of this attack heavily depends on the ability of the attacker to build trust. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim. More advanced attacks sometimes try to trick their targets into doing something that abuses an organization’s digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company’s physical security team into letting them into the building. Is this information useful to you? Feel free to like, share, and save if you find this post useful!