BSI flags persistent social engineering attack techniques

Social engineering techniques are becoming increasingly sophisticated, with phishing attempts the most prevalent type, followed by malware and web hack, according to analysis conducted by BSI.

Adam Hall, of BSI’s cyber, risk and advisory team, explains: “Social engineering has escalated over the last few months and continues to rise day by day.

“Our advice is to always think before you click, if it sounds too good to be true, it probably is. Be aware of current phishing campaigns and the tone of an email and be particularly aware when it requests username and passwords or when it uses impersonal phrases. Always check if the senders’ address and the URL link match the company- roll the mouse over the link to see what the website is. If you have any doubt about the legitimacy of an email or any of the above technique scenarios we have highlighted, do not give out any information or open the email. Contact the individual directly by phone (using the advertised company phone number) to check for authenticity and report it to your IT department or relevant authority.”

Understanding and being aware of the social engineering techniques attackers use is vital, the group says, in a timely recap of the seven most common techniques currently being deployed.


Seven deadly sins: Top threats (Source: BSI)

Phishing - this is the most prolific form of social engineering and is becoming increasingly sophisticated. It is a fraudulent attempt, whereby the attacker endeavors to steal personal or sensitive information by pertaining to be a well-known or trusted contact of the victim such as a colleague, bank, utility company or government department.

Spear phishing - this is where an attacker targets a specific individual of value within a business sector, company or department and will research the target extensively to maximize their chances of success. Research can include obtaining specific knowledge about the individual and its organisation through research, social media profiles or using other publicly available information.

Whaling attack - this is seen as a ‘big fish capture’ with the email designed to masquerade as a ‘critical’ business email containing highly confidential information. It is sent to upper management, claiming to be from a legitimate authority. This sophisticated phishing attack is used to steal confidential information, personal data, access credentials and specific high value economic or commercial information.

Smishing (SMS phishing) - potentially the most financially damaging attack type, this popular technique carried out on mobile phones, is where a scammer sends a text message purporting to be from reputable companies that encourages the victim to pay money out or click on suspicious links.

Voice phishing (vishing) - scammers use this phone social engineering technique to gain access to personal and financial information by pretending to be a co-worker, bank official, a person of authority or trusted individual. Typically asking to confirm identity information, this technique is used to steal credit card information and relates to identity theft.

Business Email Compromise (BEC) / Email Account Compromise (EAC) - attackers identify and research a target organisation, send spear phishing emails or calls to a victim and convince them to perform legitimate business transaction.

Baiting (or physical baiting) - this is a wide scale attack using online adverts, websites or even memory sticks left in visible places. The adverts can include offers too good to be true or have urgent warnings. Once the victim clicks through or opens the memory stick a pop up will appear tricking the user into giving personal information or giving a link to click that can result in a malware download.

    Share Story:

Recent Stories


Financial institutions were early adopters of cyber security and insurance. Are they still on top of the game?
Managing huge amounts of sensitive data online makes financial institutions a prime target for hackers. As such, the sector was an early cohort for insurers in creating cyber cover. Since then, the market has evolved almost beyond recognition. It continues to challenge itself to this day, complying with rigorous regulatory demands and implementing avant-garde enhancements to keep abreast of the ever-changing risks. Published June 2021

Manufacturing: An industry at risk amid great technological change
Of the many sectors of business, manufacturing companies are among the most at risk from cyber threats. How has the sector evolved to make it so vulnerable and what does the task of managing cyber exposure in a manufacturing company look like? CIR’s latest podcast with Tokio Marine HCC sought to answer all these questions and more. Published April 2021

Advertisement