The pandemic and its resulting impacts on the economy and workplaces have truly changed the way that businesses operate. The extended global lockdown forced millions of companies into finally accepting the need for a digital ecosystem of services and software solutions that would enable them to move nearly every part of their business online. From general sales and advertising information to customer queries, customers' personal information and even more sensitive accounting and banking records, everything is stored in and accessed from the cloud these days, so much so that we produced nearly 2.5 quintillion bytes of data each day during the height of the lockdowns.
These trends have not reversed even after the end of the pandemic, with millions of people happily shifting their shopping online. Moreover, this doesn't even account for the hundreds of thousands of employees who are still working from home and will most likely continue to do so for the foreseeable future. In America alone, 58% of workers have some sort of partial remote work schedule that they adhere to, with nearly 85% admitting they wouldn't mind going for full-time remote employment. While these changes are certainly great for people looking to avoid daily commutes, they also open up thousands of new avenues that can be exploited by hackers who wish to bypass the security of your systems and access vital information about the business, which can then be held to ransom or even sold on the open market. This is a very profitable business for criminals, who manage to steal more than $6 trillion each year through their persistent hacking attempts.
While the threat of hacking is not a new one, in recent years cyber attacks have become both more commonplace and more sophisticated, and one of the most concerning developments has been the rise of social engineering attacks. Social engineering is the manipulation of human beings, using psychology to extract sensitive information or induce actions that jeopardise an organisation's security. This is different from conventional hacking attempts, which rely on software flaws and misconfigurations that can be exploited to gain access to secure systems and servers. Conventional hacking attempts are easier to prevent, since the data is already hosted in a secure location with very few points of failure for malicious actors to exploit. In contrast, your employees and their personal networks are far more vulnerable to social engineering, because these attacks rely on ordinary human error and carelessness to create new avenues of entry.
Despite such attacks costing businesses an average of $4 million per successful attempt, many businesses still overlook the critical aspect of training their employees to recognise and counter social engineering tactics. In this article, we will delve into learning what these tactics are and effective strategies for businesses to train their workforce in mitigating them.
Social engineering constitutes a form of cyber attack that exploits the human element of security. Instead of relying on technical vulnerabilities or exploits, social engineers employ psychological strategies to deceive individuals into divulging confidential data or performing actions that compromise their employer's security. Here are the most basic types of social engineering attacks and a few examples of how they are used against unsuspecting workers.
Pretexting: In a pretexting attack, the attacker creates a false scenario or pretext to manipulate individuals into revealing sensitive information. For instance, an attacker may pose as a trusted colleague or IT personnel and request login credentials or confidential data under the guise of a legitimate reason. By establishing a fabricated story or situation, the attacker gains the victim's trust and persuades them to disclose valuable information.
Example: An attacker contacts an employee pretending to be from the company's IT department, claiming there is a critical security update. The attacker convinces the employee to provide their login credentials to apply the update, thus compromising their account.
Phishing: Phishing attacks involve deceptive emails, messages, or websites designed to trick individuals into divulging sensitive information. Attackers often impersonate reputable organisations or individuals, such as banks, social media platforms, or government agencies, to deceive recipients. They typically employ urgent or enticing language to persuade victims to click on malicious links, provide personal data, or download malware-infected attachments.
Example: An employee receives an email appearing to be from their bank, urgently requesting them to verify their account details by clicking on a link. The link leads to a fraudulent website designed to capture the employee's login credentials.
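The phishing email in the example works because the link the employee sees and the link they are actually taken to are not the same thing. The following Python script is an added illustration (not code from the original article) of the kind of check a mail filter or awareness tool can run over an email body to surface that mismatch to the user before they click. The sample email, the trusted-domain allowlist and the edit-distance threshold are all constructed for this example; a production tool would use the Public Suffix List rather than the "last two labels" heuristic used here.

```python
"""Surface suspicious links in an email body.

Added example with constructed data.  Three deceptive patterns are flagged:
the visible text names one domain while the href goes to another, the href
points at a bare IP address, and the href domain is a near-duplicate of a
trusted one (examp1ebank.com for examplebank.com).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed allowlist of domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Constructed sample email body: one honest link followed by three deceptive ones.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="https://examplebank.com/verify">https://examplebank.com/verify</a>
<a href="http://examplebank.com.secure-login.example.net/verify">https://examplebank.com/verify</a>
<a href="http://192.0.2.10/login">Verify your account</a>
<a href="https://examp1ebank.com/login">examplebank.com</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive 'last two labels' heuristic; real tools use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """True if the domain is within max_edits of a trusted domain but is not one."""
    return domain not in trusted and any(edit_distance(domain, t) <= max_edits for t in trusted)


def text_host(text):
    """Host named by the visible link text, if the text looks like a URL or domain."""
    t = text.strip()
    if not t or any(c.isspace() for c in t) or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return {href: [reasons]} for every link that trips at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        dom = registered_domain(host)
        shown = text_host(text)
        reasons = []
        if is_ip_literal(host):
            reasons.append("link points at a bare IP address")
        if shown and registered_domain(shown) != dom:
            reasons.append(f"visible text names {registered_domain(shown)} but link goes to {dom}")
        if lookalike(dom, trusted):
            reasons.append(f"{dom} looks like a trusted domain")
        if any(host.startswith(t + ".") for t in trusted):
            reasons.append(f"trusted name used as a subdomain of {dom}")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL_HTML).items():
        print(href)
        for r in reasons:
            print("  -", r)
```

Run against the constructed email, the honest first link produces no finding and each of the other three is reported with a plain-language reason, which is exactly the kind of explanation an awareness tool should put in front of an employee rather than a bare "blocked" message.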
Baiting: Baiting attacks entice individuals with something appealing or valuable to manipulate them into compromising security. Attackers may leave physical devices, such as USB drives or DVDs, in public areas or near an organisation's premises. The devices are labelled with enticing descriptions or promises, luring unsuspecting individuals to connect them to their systems, unknowingly installing malware or granting unauthorised access.
Example: An attacker leaves a USB drive labelled "Employee Bonuses" in a company's parking lot. An employee, curious about the contents, plugs it into their computer, unknowingly infecting their system with malware.
Impersonation: Impersonation attacks involve the attacker posing as someone else to deceive individuals and gain unauthorised access. The attacker may impersonate executives, supervisors, or trusted personnel within an organisation to manipulate employees into disclosing sensitive information or performing actions that compromise security.
Example: An attacker poses as a senior executive and sends an email to an unaware employee requesting urgent access to sensitive company data. Believing it to be a legitimate request, the employee unknowingly shares confidential information with the attacker.
Tailgating: Tailgating, or piggybacking, takes advantage of people's natural inclination to be helpful or polite. In this attack, the attacker follows an authorised individual into a restricted area without proper authentication. By exploiting the individual's willingness to assist others, the attacker gains physical access to secure areas where they can carry out unauthorised activities or gather sensitive information.
Example: An attacker approaches an employee outside a secure entrance and requests assistance in entering the building, claiming to have forgotten their access card. The employee, unaware of the attacker's intentions, holds the door open, granting the attacker unauthorised entry.
Reverse Social Engineering: In reverse social engineering attacks, the attacker tricks individuals into believing they are initiating contact with the attacker. They create a scenario where they appear to seek assistance, technical support, or verification from the victim. By manipulating the victim into providing information or performing specific actions, the attacker gains unauthorised access or manipulates the victim into compromising security.
Example: An attacker posts a fake job listing online and waits for individuals to apply. Once an applicant expresses interest, the attacker contacts them, claiming to be from the company and requesting a "test" that involves sharing sensitive information or completing certain tasks, ultimately compromising the applicant's security.
Pharming: Pharming attacks redirect users to fraudulent websites without their knowledge. Attackers manipulate DNS settings or exploit vulnerabilities in routers, switches, or DNS servers to redirect legitimate website traffic to malicious sites. This enables them to collect sensitive information, such as login credentials, financial data, and other sensitive info from unsuspecting users.
Example: An attacker compromises a DNS server and redirects users who type in a legitimate banking website's URL to a fake website that looks identical. When users enter their login credentials, the attacker captures their information, potentially leading to identity theft or unauthorised access to their accounts.
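Pharming that compromises a DNS server upstream is invisible to the end user, but two of its endpoint-level cousins (a tampered hosts file and a silently replaced resolver) leave traces that a workstation can check for itself. The following Python script is an added example, not code from the original article, of such a check; the hosts file and resolv.conf contents, the watched domains and the expected resolver addresses are constructed for illustration.

```python
"""Detect two endpoint-level pharming symptoms from configuration text:
a hosts-file override for a sensitive domain, and a configured resolver
that is not one the organisation expects.  Added example with constructed
inputs; on a real host the same functions would be fed the contents of
/etc/hosts and /etc/resolv.conf (or the Windows hosts file)."""
import ipaddress

# Constructed: domains whose resolution we care about, and the resolvers we expect.
WATCHED_DOMAINS = {"examplebank.com", "www.examplebank.com"}
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.7 www.examplebank.com examplebank.com   # injected override
192.0.2.5   intranet.example.com
"""

SAMPLE_RESOLV_CONF = """# constructed resolv.conf
nameserver 10.0.0.53
nameserver 198.51.100.1
search example.com
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and junk lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; skip the line
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Watched domains that the hosts file pins to a fixed address."""
    return {name: ip for name, ip in parse_hosts(text).items() if name in watched}


def parse_resolvers(text):
    """Nameserver addresses declared in resolv.conf-style text."""
    resolvers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                resolvers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return resolvers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not on the expected list."""
    return sorted(r for r in parse_resolvers(text) if r not in expected)


def pharming_report(hosts_text, resolv_text):
    """Combine both checks into one report; an empty report means nothing was found."""
    report = {}
    overrides = hosts_overrides(hosts_text)
    if overrides:
        report["hosts_overrides"] = overrides
    rogue = unexpected_resolvers(resolv_text)
    if rogue:
        report["unexpected_resolvers"] = rogue
    return report


if __name__ == "__main__":
    for key, value in pharming_report(SAMPLE_HOSTS, SAMPLE_RESOLV_CONF).items():
        print(f"{key}: {value}")
```

A legitimate hosts file should never name a bank, so any watched-domain entry is worth an alert on its own; an unexpected resolver is a weaker signal (a user on a home network will usually have one) and is better fed into a monitoring pipeline than shown to the user directly.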
The prominence of such social engineering represents a growing threat to businesses of all sizes. While technical cybersecurity measures, such as firewalls and antivirus software, remain indispensable, training employees to recognise and counter social engineering attempts is equally vital. Employees who understand how social engineering differs from conventional hacking give the business the awareness it needs to take proactive measures. By addressing the human vulnerabilities targeted by social engineering and fostering a culture of security awareness, organisations can bolster their defences and mitigate the risks posed by these deceptive tactics.
Businesses can accomplish this by implementing a comprehensive training program, utilising real-world examples, conducting phishing simulations, fostering a culture of security, and regularly updating security policies. To learn about how to do all that and more, read up on our follow-up feature about the imperative of employee training against social engineering attacks.