One of the most common social engineering attacks is phishing. Phishing is an attempt to obtain sensitive information through electronic communication. This is familiar to most people in the form of the stereotypical “Nigerian prince” email. The email promises money in exchange for help, but in order to receive the money, the user must provide account information.
Those types of clichés are so well-known that they (probably) never work anymore. Instead of targeting individual email accounts, phishing attempts are now targeting corporations. There is not only more at stake, but there is also the chance that a person dedicated to providing good customer service will be especially responsive to a scammer or be overwhelmed with work to the point that they respond quickly without thinking.
When scammers realized phishing really worked, they got more sophisticated. By doing a little bit of investigation, they are often able to determine the job title, business role and other details of an individual. With that information in hand, they can conduct targeted attacks, which are known as spear phishing. By providing a plausible-sounding story with enough details, the spear phisher can trick a person into responding with confidential information or details that will help them access private networks. Specific attacks might impersonate a known individual such as the CEO (easily determined from most company websites) and ask for specific vital information in a hurry. After all, who ignores an urgent request from the CEO?
Some attempts work the other way around, targeting the C-level executives at a company with spear phishing. This is known as whaling. Disguised with a sense of urgency and often including details of business transactions or alleged issues with the company (all based on publicly available information), the whaling attack attempts to convince the target to do something like click on a link. The supposed urgency or seriousness of the situation compels the individual to ignore normal security precautions and common sense.
While spam and junk email filters do a good job of removing the most obvious generalized phishing attacks, spear phishing and whaling attacks often come in as normal emails with none of the telltale signs of a clumsy cyberattack.
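Because a spear-phishing or whaling message can pass a generic spam filter, mail gateways and security teams often add their own checks for the specific tricks described above: a display name that matches an executive while the address does not, a Reply-To that points somewhere other than the visible sender, and urgency language in the subject or body. The following is an added example written for this article, not code from the article itself or from any product it mentions. The internal domain, the executive directory and the two sample messages are constructed for illustration; a real deployment would load the directory from the organization's identity provider and tune the phrase list.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory for the example: the organization's own domain and the
# executives a whaling or spear-phishing message is likely to impersonate.
# Both values are assumptions for this example, not from the article.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # constructed CEO entry
}

# Phrases that manufacture the urgency the article describes.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "before end of day")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze_message(raw: str) -> dict:
    """Score one RFC 5322 message for executive-impersonation indicators.

    Returns the individual findings plus a simple count-based score so a
    gateway rule or SOC script can route high-scoring mail for human review
    instead of delivering it straight to the target's inbox.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    findings = []

    # 1. Display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive display name with non-matching address")

    # 2. Replies would go to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to domain differs from sender domain")

    # 3. Urgency language used to short-circuit the recipient's normal checks.
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return {"from": from_addr, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real mail): one impersonation attempt and
# one legitimate note from the same executive.
SUSPECT = """\
From: Jane Doe <jane.doe@mail-relay-example.net>
Reply-To: ceo.office@another-example.org
To: finance@example.com
Subject: URGENT wire before end of day
Content-Type: text/plain

I am in a meeting and need this handled immediately.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review notes
Content-Type: text/plain

Attached are the notes from this morning's review.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, analyze_message(sample))
```

The score is deliberately a plain count of independent indicators: any one of them can occur in legitimate mail, but two or three together on a message addressed to finance or HR is exactly the pattern the article describes, and that is where a quarantine-and-review rule earns its keep. Training still matters, because a message that is clean on all three checks can remain a convincing forgery.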
The only real defense against these is security training and a healthy suspicion of all electronic communication. Several organizations have recently discovered the drastic consequences of falling for phishing or another social engineering attack.