Common Attacks and their effectiveness

Phishing

is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. 

Business Email Compromise (BEC)

A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

Spear phishing

A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.

Whaling

A form of spear phishing. Threat actors target company executives to gain access to sensitive data.

Vishing

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.

Smishing

The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Malware

is software designed to harm devices or networks.

Viruses

Malicious code written to interfere with computer operations and cause damage to data and software.

Worms

Malware that can duplicate and spread itself across systems on its own.

Ransomware

A malicious attack where threat actors encrypt an organization's data and demand payment to restore access. 

Spyware

Malware that’s used to gather and sell information without consent.

Social engineering

is a manipulation technique that exploits human error to gain private information, access, or valuables.

Social media phishing

A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.

Watering hole attack

A threat actor attacks a website frequently visited by a specific group of users.

USB baiting

A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network. 

Physical social engineering

A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.

Reasons why social engineering attacks are effective include

• Authority

• Intimidation

• Consensus/Social Proof

• Scarcity

• Familiarity

• Trust

• Urgency

Authority

Threat actors impersonate individuals with power. This is because people, in general, have been conditioned to respect and follow authority figures. 

Intimidation

Threat actors use bullying tactics. This includes persuading and intimidating victims into doing what they’re told. 

Consensus/Social proof

Because people sometimes do things that they believe many others are doing, threat actors use others’ trust to pretend they are legitimate.

Scarcity

A tactic used to imply that goods or services are in limited supply. 

Familiarity

Threat actors establish a fake emotional connection with users that can be exploited.  

Trust

Threat actors establish an emotional relationship with users that can be exploited over time. They use this relationship to develop trust and gain personal information.

Urgency

A threat actor persuades others to respond quickly and without questioning.