Our news feeds and timelines seem to feature stories of businesses being taken down by a data breach or cyber-attack on a daily basis. But did you know that social engineering plays a crucial role in virtually every attack? And that your biggest vulnerabilities are often your employees?
Social engineering attacks skyrocketed by 500% in just one quarter of 2018. Many of these attacks rely heavily on tricking victims into clicking on infected links. Traditional cybersecurity solutions trust everything inside the network perimeter, which leaves the web browser a prime target too. These are just a few of the reasons why many businesses are adopting a zero-trust approach to protecting their network.
What is social engineering?
Unsurprisingly, Juniper Research predicts that the cost of global data breaches and cybercrime incidents will rise to $2.1 trillion in 2019. To put this figure into perspective, that’s an increase of almost four times the estimated cost in 2015. But this is just the tip of the proverbial iceberg, and social engineering attacks are a multi-faceted threat.
Cybercriminals have a long list of tricks up their sleeve for fooling users into divulging information. In simple terms, social engineering is a technique that plays on human weaknesses by turning our emotional reactions to the attacker's advantage.
Techniques include scaring a victim into clicking on a link to unlock their account, or playing on our desire to help others. But the end goal is always to lure users into a trap by convincing them to act first and think later.
Types of social engineering attacks
Sophisticated hackers have a wide variety of techniques that are aimed solely at manipulating users into clicking malicious links or downloading files that can infect an entire network. Most people reading this will have seen a fake email pretending to be from their bank or PayPal account. But an increasing number of users are being tricked into downloading malware through visually compelling fake update prompts.
Arkose Labs recently analyzed over 1.2 billion transactions across multiple industries and discovered that social engineering frauds were rife. The social media sites that we regularly use have also become lucrative targets for an attacker looking for quick monetization.
The report revealed that 53% of logins on social media sites are fraudulent. An incredible 25% of all new social media account applications are fraudulent too.
1. Phishing
Human weaknesses such as curiosity, naivety, fear, and greed are a few aspects of the human condition that attackers love to exploit.
By pretending to be a well-known company, bank, or online retailer such as Amazon, hackers will often try to scare users into clicking on a link. The threat of a financial penalty or blocking of your account due to suspicious activity is usually enough for fearful users to be tricked into clicking on the infected link or download.
Cybercriminals will always target our greatest fears around being hacked. Those are just a few reasons why many people are still falling for these realistic messages. But there are many ways to improve your knowledge and educate your staff to prevent phishing from affecting your business.
2. Spear phishing
Spear phishing is another attack method that typically uses email as the delivery method. In an attempt to gain trust, it will often be personalized and directed towards a specific individual, department, organization, or business.
The most common spear phishing attacks will begin with hackers monitoring the social media updates of a CEO on LinkedIn or Twitter. Information shared online enables attackers to know when a business leader is away on a business trip or at a conference with limited access to their email.
It then becomes relatively easy to locate the finance manager online, and the company's email domain can usually be found on the company website. Armed with all this information, an attacker can email the finance manager while pretending to be the CEO, asking for quick approval of an urgent invoice, or simply asking them to click on a link. The outcome can be lost money, the infection of a machine, or even the infection of the entire network.
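As an added example that is not part of the original article, here is a small Python check for the warning signs the CEO-impersonation scenario above leaves in an email: an executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To that diverts the conversation, and an urgent call to action. The company domain, the executive list and both sample messages are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the company's own domain and the executives
# whose names an attacker might borrow in a display name.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
# Words that signal the "act first, think later" pressure described in the article.
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|quick approval|wire|invoice)\b", re.I)

def analyse(raw_message: str) -> list:
    """Return the warning signs found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    # 1. Display name of a known executive, but the address is not theirs.
    key = display_name.strip().lower()
    if key in EXECUTIVES and address.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{display_name}' is an executive but sender is {address}")
    # 2. Sender domain is a near-miss of the company domain (e.g. one swapped character).
    if domain and domain != COMPANY_DOMAIN:
        if SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() > 0.8:
            findings.append(f"sender domain {domain} looks like {COMPANY_DOMAIN}")
    # 3. Replies are silently routed to a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != address.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {address}")
    # 4. Urgent call to action in the subject or body.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgent call to action in subject or body")
    return findings

# Constructed sample messages (not real mail): a CEO-impersonation attempt and a genuine one.
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe@examp1e-corp.test>
Reply-To: ceo-travel@webmail.test
To: finance@example-corp.test
Subject: Quick approval needed - urgent invoice

I'm at the conference with poor email access. Please approve the attached invoice today."""
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example-corp.test>
To: finance@example-corp.test
Subject: Board pack for next week

Attached is the draft agenda. No action needed before Monday."""
```

Run `analyse(SPOOFED_MESSAGE)` to see all four signs fire, while the genuine message from the real executive address produces none.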
3. Vishing
If clicking links and attachments in vague emails in 2019 strikes you as a foolish thing to do, don't get too smug just yet. By fusing old-fashioned technology such as the telephone with online phishing, attackers have created another threat: vishing, or voice phishing as it is better known.
Attackers often use a fake caller ID that gives the appearance that they are calling from a local area code or business that you know. By pretending to know more about you, attackers will often ask you a few questions to clear a security check. However, it’s merely a trick to fool you into sharing your credit card details, birthdates, mother’s maiden name or account sign-in details.
The methods vary from attack to attack, but once again, the goal is to trigger an emotional reaction in which you act first and think later.
4. Shoulder surfing
Shoulder surfing simply involves observing what potential victims are doing on their devices in a bid to steal their logins or the PIN they enter at an ATM.
The next time you find yourself in a crowded public place, take a look around. What do you see? Whether you are on public transport, at the mall, at a concert, or even in a restaurant, you will quickly observe that most people are face down in their smartphones. Welcome to the mobile-first digital world.
However, while we are communicating, sharing, or transferring money to a friend to pay our half of the bill, could someone be looking over our shoulder? Believe it or not, attackers have also been known to take shoulder surfing to extreme lengths by using binoculars or other vision-enhancing devices to steal your information from a safe distance.
Avoiding social engineering attacks requires you to be vigilant both online and offline. But in this case, you quite literally need eyes in the back of your head.
5. Tailgating
Another type of physical social engineering attack is tailgating. When a criminal lacks the credentials required to enter a restricted area, they will try to use the kindness of employees to gain physical access to their targeted site.
It is relatively easy for an attacker to impersonate a delivery person and walk in behind a staff member who has authorized access. The staff member might even hold the door open for them. Tailgating relies on the kindness of strangers and the human desire to help each other.
Despite the installation of expensive security solutions to curb tailgating, human error is a weakness that criminals will desperately attempt to exploit at every stage of their attack.
6. Baiting
If something is too good to be true, it usually is. But this is something that many users forget when their curious instincts unwittingly invite cybercriminals into their business or home. There are several forms of baiting attack that target our attraction to a bargain or our desire to get something for nothing.
Attack methods can involve enticing ads for free products or downloads, where clicking the link takes the user to a malicious website. Users can also be tricked into downloading a malware-infected application that goes on to infect the company network.
Infected flash drives can also be dropped in a variety of strategic areas such as the staff car park, reception, toilets, offices, or canteen, with an enticing label like "Salary Info" or "Strictly Confidential." All it takes is for one employee to plug it into their computer to infect a corporate network. This simple yet effective method has fooled the U.S. Department of Defense and even closed an entire hospital.
7. Pretexting
Another human weakness is trust, especially towards those in positions of authority. Pretexting involves an attacker impersonating someone in order to construct a lie that builds trust with the intended victim, putting them at ease so that they share information they normally would not.
The scam could be a criminal pretending to be a policeman, doctor, or the fraud department at their local bank. A carefully selected series of questions will quickly follow, designed to trick the victim into revealing information during a fake security check.
In a corporate environment, these techniques of manipulation will often begin by impersonating a client who invents a scenario that requires an employee to divulge sensitive information.
8. Contact spamming
Email hacking and contact spamming are another technique that exploits how much we trust our friends and colleagues. For the most part, we have learned to be a little more wary of every email suggesting that if we don't click on a link, our Microsoft, eBay, PayPal, or Amazon account will be closed. But if we receive an email from a friend, we are much more likely to click on a malware-infected link or download.
For this reason alone, cybercriminals will try to hack email accounts, and once they have gained access, they will begin to spam the contact list. Examples in Facebook Messenger saying "check out this video of you" are largely unconvincing. But personalized messages sent from a compromised corporate email account can be much harder to detect.
How to protect yourself from social engineering
Remember, every attacker is using social engineering techniques with the sole aim of getting you to act first and think later. Admirable human traits such as kindness, empathy, trust, and curiosity are all areas that criminals see as weaknesses that they can exploit.
However, by simply thinking logically, many of these cyber traps can be safely avoided. Here are a few warning signs to look out for that could keep your personal and business information secure.
- Think before you click every link and download
- Be wary of compelling stories with an urgent call to action
- Use multifactor authentication to protect your online accounts
- Remember, if it’s too good to be true, it probably is
- If you find a USB flash drive, don’t plug it in – report it
- Educate your employees on all of the above risks
Protecting yourself and your communications with a VPN
Advances in social engineering techniques are making it easier for attackers to identify you. Our reliance on public wi-fi also puts us all at an increased risk. If cybercriminals can link your online details to your passwords, they can also intercept your communications.
In a mobile-first digital world where connected living means we are always online, a secure VPN solution can deliver anonymity by masking your identity and location.
Social engineering prevention is made much easier by using a VPN that makes it difficult for attackers to know exactly who you are.
Staying protected and anonymous while online should give you peace of mind and enable you to browse the internet without degrading your experience. Social engineering now plays a part in virtually all cyber-attacks. Maybe it's time you turned the tables on your attackers and tricked them by hiding your exact location from them.