AbleToTrain by Willing & Able

How can social engineering be used to endanger business email?

Social engineering is a term used to describe manipulating a target to trick it into revealing sensitive information or taking specific actions. The purpose of such techniques is to obtain information from the target that allows hackers to commit cyber attacks or other criminal acts such as credit card fraud. It is one of the most effective weapons available to hackers and cybercriminals and is the most common feature of the phishing attacks that prove costly to many businesses.

Here are some common examples of social engineering that hackers use to foster phishing attacks:

An email pretending to be sent by an email provider a few days before the planned release of a software update. The email would encourage a person to click on a link to validate their email account details. Once clicked, the link would direct the person to a bogus but authentic-looking website where the person would disclose confidential user account details, such as username and password;

An email which appears to come from the tax authorities shortly before the closure of the tax reporting period. The email encourages the recipient to click on a link to a site which is in fact designed to harvest the person's data; or

An email purporting to be from the recipient's HR department a few days before the announcement of corporate results and associated pay rises and bonus payments. The email contains an attachment called "bonus_pool_2020.xls", but this is actually a malicious file which, when opened, installs malware designed to compromise the person's email system and give the attacker full read/write access to the account. Once an employee's business email account has been compromised, it can be used to compromise other email accounts within the organisation. If the original victim was someone in a managerial position, most employees would not doubt the authenticity of an email sent by their boss (more precisely, sent via their boss's email account). That apparent authority lends the message credibility and makes further compromises easier.

Attackers can gain access to and control of key employees' email accounts to learn payment cycles, understand billing due dates, and redirect payments. Access to sensitive data, such as personal data or intellectual property, to enable fraud is also a common objective, but there are many other possibilities.

The risk is so high that some observers estimate that over 80% of all security incidents are due to this type of attack.

Looking to the future, many security professionals expect to see more social engineering-based attacks as technical controls evolve and become more effective, because attacks on people are easier to implement and more likely to succeed. I share that prediction.

Increasing the chances of a successful social engineering exploit

A successful social engineering attacker (or indeed any successful scammer) often tries to exploit small pieces of real information so that each communication is likely to resonate with the victim and make the message's pretext or assumptions realistic.

In the email examples above, the attacker would have known when the software update was due, when the tax return window closed, or when bonuses were to be paid or company results published. Each message to the victim could then be timed to match the actual event and look more authentic.

Today, real information about organisations and individuals is often available online, such as on company websites, investor information pages, and social media platforms. These sources make it easier for attackers to design more realistic messages and make each message more likely to look genuine to the recipient. Tools used daily online, such as LinkedIn, Facebook, and the Google search engine, provide social engineers looking for real information with a wealth of options for disguising attacks as realistic communication.

Social media platforms will tell you when someone's birthday is, when there is an important event in their life, or when their company makes a major change or implements a new tool or application.

Google Search, for example, has an entire subculture dedicated to using Google Advanced Operators. This is basically the use of advanced search syntax, freely available within the Google search engine, which helps to identify very specific information that is unlikely to be found with the common search strings used by most people. It is very useful for investigators, but equally useful for hackers.

Additionally, because it is easy to send out literally millions of emails at once, the attacker only needs a very small percentage of recipients to be tricked into thinking the message was genuine for the attack to be successful.

What can organisations do to reduce susceptibility to social engineering? Awareness and training, together with regular reinforcement of key messages, are vital. Initiatives that have been effective in some organisations include:

Raising awareness of good cyber security habits and behaviours – consider having regular cyber security weeks where there is a cross-organisation focus on the threat;

Providing real-life examples of social engineering attacks so employees can start to recognise the patterns – make the examples personal and role-focused where possible;

Implementing clear, well-documented policies and procedures which set out the expected behaviours and acceptable use of corporate IT assets – this is crucial with regard to the opening of links or attachments contained in emails;

Making staff aware of the risk that genuine information about them or their employer could be publicly available, and hence that cyber criminals may also have access to it – provide some real-life examples to illustrate the dangers.


Social engineering is the modern equivalent of the old-fashioned confidence trick, and despite powerful and often sophisticated technical controls, exploiting flaws in human behaviour remains the most successful form of cyberattack. It often gives criminals an easy way in.

Impacts range from business email breaches to wider damage and to regulatory and legal implications.

If employees know what to look for and can spot potential social engineering attacks, the attackers' chances of success are greatly reduced. Bringing the topic to life and making employees aware of the danger by providing real-world examples is a useful first step.

Contact one of the contributors listed below for more information on implementing systems and controls for resilience against cyber and business email breaches.