Social engineering attacks are becoming more prevalent and sophisticated in their execution. Large, prominent companies are being targeted. Even with the most advanced technological protection, humans are always the weakest link.
In 2020 alone, some extremely high-profile companies have fallen victim to cyber-attacks that involve social engineering. In July, Twitter recorded a security breach whereby attackers gained access to their internal systems. The attackers proceeded to send tweets asking for Bitcoin donations from influential accounts such as Donald Trump and Kim Kardashian.
In November, the international web hosting and services provider GoDaddy was attacked using social engineering methods. Attackers were able to gain control over several domains relating to cryptocurrency.
Incidents of cyber-attacks have increased during the pandemic, but there’s something particularly alarming about social engineering. It’s sinister because it targets human fallibility – we’re all just too prone to slip-ups and mistakes.
Social engineering is not limited to cyber-attacks either, it could be used to gain entrance to a restricted building or even for theft of physical goods.
What is social engineering?
Social engineering uses the same principles as old-fashioned con artists. The attacker will try to convince the target into willingly handing over sensitive information or granting them access by using psychological tricks.
Phishing is a classic example of social engineering, it relies on fear, anxiety or curiosity; completely natural feelings for people to experience. Social engineering feels more malicious than a faceless hacker looking exploits in computer code, these attackers are looking for weaknesses in us. It feels like a personal attack on our very nature.
Humans are not perfect. We never will be. Social engineering relies of the fact that humans are emotional, susceptible to making mistakes, creatures of habit and, in most cases, naturally trusting of others.
Secure firewalls, password policies, security procedures, email protection and encryption cannot protect your business against social engineering attacks.
For a cybercriminal dealing with sophisticated technology, it’s easier to hack a person than it is to hack 256-bit encryption.
It must be much easier when you’ve been given the password, right?
Methods used in Social Engineering
Phishing emails aim to get you to click on a malicious link by telling you something like “your password has expired – please set up a new password here…” It will lead you to a login page or form where you’ll submit your personal details. These pages will be styled to look like official login pages for banks and online stores, but they’re really sending data to hackers instead.
Phishing is a lot more sophisticated than those old PayPal emails in broken English. In fact, there are at least six different types of phishing attack to look out for!
Spear Phishing was reportedly used against Twitter in their summer 2020 security breach. This is a personal attack targeting specific individuals within a company that includes digital surveillance. Attackers gain information by carefully monitoring information on LinkedIn and other social media to get a better picture of how your employees are operating.
There’s also whaling (pretending to be the CEO or other senior executive), smishing (phishing via SMS or text message) and vishing (phishing via VoIP services). As if phishing wasn’t enough to worry about!
Everyone’s got that one friend on Facebook who is always getting “hacked” which results in their account sending messages to all their friends saying “Hey, is this you in the photo?” accompanied by a dubious-looking link.
Or, getting those text messages claiming to be from HMRC saying you’ve got a tax refund waiting.
This is baiting. It’s incredibly similar to phishing, but relies on the curious side of human nature, rather than playing off fear and anxiety. People will be curious to know about photos from old friends or unexpected income from the taxman, so they’re more likely to click on the link and fall into the phisher’s net.
Baiting could also involve false competitions with prizes that don’t exist or fake employee consultation surveys created by imposters designed to harvest data.
This involves an attacker following a legitimate employee into a restricted area. For example, a friendly member of staff holding the door open for the person behind them, potentially causing a security breach.
Security experts have even been able to gain access to restricted buildings simply by putting their arm in a sling, relying on people’s natural instinct to hold doors open for them.
Scareware and False Threats
Have you ever been browsing the web when an intrusive pop-up tells you a virus has been detected on your computer with a handy button leading you to instructions on how to fix it?
These false alerts are placed on websites by scammers to try to get unsuspecting visitors to download a pretend “virus scanner” to scan their computer for viruses that probably don’t exist.
When someone clicks through and downloads it, the software is likely to be malicious, designed to infect the user’s computer, harvest data or invade the user’s privacy in another way.
Building Trust with Targets
Phishing and baiting are usually short-term attacks, but this is a long-term game for attackers – the long con.
Serious attackers will spend considerable time researching their targets, watching staff and even building a positive rapport with employees so they have they’ll have their guard down.
Social Media Research
It’s shocking how much a Company’s social media account can reveal… employees are too willing to share their routines online. An attacker could easily build a picture of your team’s daily routine based on individual social media habits.
At 9:30am there’s a team meeting on Zoom, a member of your team has posted an update on Instagram with the caption “Daily meeting time”
That may seem innocent enough, but that’s valuable information to someone planning a social engineering attack.
Distracting the target
It may seem like an old trick, but it works. There are so many distractions in our daily lives and social engineers just love to take advantage of that.
Social engineering works by catching the right person at the right time (or wrong time, depending on how you look at it). If someone is distracted, they’re easier to trick and manipulate.
For example, buzzing to enter a building whilst the security guard is having a break and receptionist is on the phone, so lets them in but there’s no one greet the visitor as they’re distracted by their phone call. Attackers will choose moments of distraction like this on purpose.
The Effects of Social Engineering Attacks
All forms of security breaches can damage an organisation’s reputation. Reports of hacks and data breaches in the media mean negative PR for your company. Customers and investors may ultimately lose trust and potentially harm your profits too.
Social Engineering attacks pose a significant risk to organisations of all sizes. If your organisation is targeted, the risks include
- Risk to company profits
- Risk to staff wellbeing
- Negative publicity
- Media scrutiny
- Lack of trust from consumers
- Loss of investments
- Possible police investigations
Individual employees involved in these types of attacks are often emotionally distressed as a result. Targets of social engineering are made to feel as if they have a weakness or failure to notice the threat. People will often blame themselves for enabling the exploit to take place.
It’s natural that people may feel guilty, ashamed, or even stupid for falling victim to such an attack. Remember – social engineering is an act of professional deception and not a reflection on the targeted individual.
Who Defends Against Social Engineering?
There’s no single individual or team responsible for protecting against social engineering attacks. It’s everyone’s responsibility to be aware of these attacks. You need to make it your business to stay up to date with the risks.
All staff have a responsibility to prevent cyber-attacks and remain hyper vigilant towards social engineering in its many forms.
Protect your business from Social Engineering Attacks
To protect your business from social engineering attacks, communication and training is key.
Regular training – staff, volunteers and contractors should have regular and ongoing training so they’re kept up to date with the latest corporate security risks, both online and offline.
Clear communication – clear communication from CISOs and IT departments to employees, presented in an engaging way so that staff pay close attention to these matters
Security audits – auditing your current systems, processes and procedures can highlight any potential weak areas that malicious hackers could exploit
Multifactor authentication – having an additional step besides passwords to access systems is a huge step towards better security. One-time-passwords and authentication apps provide a secure way for users to login without having to remember long and complex passwords.
Seek expert advice – We can mitigate or reduce cyber based attacks. Understanding the toolkit that cyber criminals have at their disposal is vastly important and can be used to assist in defence against certain attacks, including social engineering attacks against companies.
If you feel your organisation would benefit from a review of your cyber security strategy or you would like assistance on a particular project then do not hesitate to contact a member of our team.