Social Engineering
Social engineering is not a new phenomenon, but cyber criminals have succeeded in developing the practice of social engineering to become one of the most successful tools for navigating into business networks. Despite all of our efforts in protecting ourselves from social engineering attacks, it can be very difficult if you don't understand how it works - remember that it is much easier for a malicious actor to target people than to attack computers and firewalls.
What is social engineering?
Social engineering is the use of deception to get people to do something that they would not normally do, think of it as essentially a con job. This can be done over the phone, in person, or online.
Cyber criminals exploit human nature by using sophisticated social engineering techniques. They use these techniques to trick people into giving them information or doing something that they would not normally do.
One common social engineering technique which most people will be familiar with is phishing. Phishing is when a malicious attacker sends an email that looks like it is from a legitimate company or organisation, perhaps even internally. The email will usually ask the person to click on a link or open an attachment using some pretence. If the person does this, they will be typically taken to a fake website to harvest their credentials or their computer could be infected with malware.
Another common social engineering technique is known as pretexting. Pretexting is when a criminal creates a false story in order to get someone to give them information. For example, a criminal might call someone and pretend to be from their bank or their internal IT team. The attacker will then try to get the person to give them their account number or other personal information such as passwords.
Criminals also use social engineering techniques to steal people's identities. They can do this by collecting information about someone from various sources including social media and then using that information to impersonate the target. This method can be effective when followed by pretexting when the attacker assume the identity of someone with authority as the next stage in a well planned attack.
How can organisations protect themselves?
According to the FBI, cybercrime costs businesses an estimated $2.1 trillion globally each year. A large part of this cost is due to the fact that cyber criminals are becoming increasingly sophisticated in their methods. They are using ever more convincing social engineering methods to exploit human nature to trick people into giving them information or access to systems.
Think of social engineering as the art of manipulation. Cyber criminals use a range of well tested psychological techniques to convince people to give them information or access to systems. They exploit human nature by preying on our fears, desires, and trust.
A very common method for attackers is to work to exploit human nature by using scare tactics and urgency to reduce thinking time and induce panic and stop the victim from thinking too deeply about the message. They may send an email or text message that appears to be from a legitimate source, such as a hospital or government agency. The message will usually contain alarming information about a virus or other security threat with the aim of getting the victim to act immediately without thinking.
Why are so many people still vulnerable to social engineering?
Although cyber security has become more of a priority for individuals and organisations in recent years, social engineering attacks are still incredibly common. Why are so many people still vulnerable to these attacks?
Attackers take advantage of our natural tendencies to trust other people and to want to help others. For example, an attacker may pose as a technician in order to gain access to a victim's computer. Or, they may send an email that looks like it's from a friend or colleague, tricking the victim into clicking on a malicious link.
Another reason why social engineering attacks are still often successful is that many people don't know how to protect themselves. They may not be aware of the importance of keeping their passwords safe, or they may click on links without thinking twice about it.
Fortunately, there are a few simple things that people can do to protect themselves from social engineering attacks. One is to educate themselves about the basics of cyber security. This includes learning about common scams and how to spot them, there are many resources online to help with this. Additionally, people should be careful about who they give their personal information to and how much they post on social media and what links they click on.
If you think you've been the victim of a social engineering attack you must immediately report it to your Manager, IT department or designated security team in your business.
What do if you are targeted
If you think you might be a potential target of a cyber attack, there are several simple things you can do to protect yourself. First, be aware of the signs that you might be being targeted. These can include unexpected requests for personal information or passwords, strange emails or messages from unfamiliar people, and unusual activity on your social media accounts.
If you suspect you are being targeted, do not respond to any requests for personal information or passwords. Instead, contact your IT department or security team and let them know what is happening. They will be able to help determine if you are actually being targeted and take steps to protect your account.
You may also check your own personal accounts to see if they have been involved in a breach, you can do this at www.haveibeenpwned.com for free. This will tell you if any of your accounts and possibly passwords are out there for attackers to freely download. If you find your accounts have been compromised then you should at a minimum change your passwords and if possible enable multi factor authentication.
It is also important to use different passwords for different accounts. This will make it more difficult for cyber criminals to gain access to your accounts if they do manage to get your password.
Conclusion:
Individuals should take steps to learn for themselves and companies should invest in training employees on the dangers of social engineering and how to avoid being victimised. Companies also need to have systems in place to detect common attacks and to take steps to stop them. And finally, they need to be prepared and have solid and tested plans in place to respond to an attack quickly and efficiently to minimise the damage.
If you need help or advice related to this topic please get in touch with us here