Roughly 98% of cyber-attacks rely on social engineering.
Whilst social engineering itself isn’t a cyber-attack, it helps cyber-criminals gain the trust of potential victims. This encourages them to lower their guard and take unsafe actions, such as clicking links or opening malicious attachments. Most data breach incidents target the human element to gain access to sensitive information.
One of the greatest dangers of social engineering is that only one user needs to be fooled to provide enough information to trigger an attack.
Over time, social engineering attacks have become more sophisticated. Cyber-criminals use fake websites and emails that look realistic enough to fool victims into giving out sensitive data that can then be used for identity theft.
There are now several ways cyber-criminals will try to use social engineering to fool your users.
Types of Social Engineering Attacks
Phishing
Phishing scams are the most common social engineering-based cyber-attacks. Typically, they take the form of an email that looks like it has come from a reputable source. This usually comes with a malicious link or attachment. Cyber-attackers can use phishing attacks to:
- Trick victims into giving away credit card information or other personal data.
- Obtain employee login details or other details that can be used in an advanced attack.
- Launch Advanced Persistent Threats or ransomware campaigns, which often start with a phishing attempt.
Watering Hole Attack
This is a very targeted type of social engineering attack. Attackers will set a trap by compromising a website that is likely to be visited by a particular group of people. This can include industry websites that are frequently visited by employees of a certain sector. The aim is to catch out any individual from the target group. Once that individual’s data or device has been compromised, the attackers can carry out further attacks.
Business Email Compromise
Business email compromise attacks are a form of fraud where the attacker poses as a high-level executive within the business and attempts to trick the recipient into sending them money.
This happened last year in Rio: our communications manager, Jade, received an email that appeared to be from Colm, the managing director. It was a very inconspicuous email, asking if Jade had time to run an errand for Colm, and, being new to the business, she immediately replied that she was. After waiting for a reply, she decided the best thing to do was to call Colm to find out what he needed, only to discover Colm didn’t need a favour at all. The attacker was posing as Colm, hoping to fool Jade into buying a large number of iTunes vouchers and sending them the details. She would then need to provide personal information in order to be reimbursed.
USB Baiting
While it sounds like something out of a Hollywood movie, it happens more often than you might realise. USB baiting involves cyber-criminals installing malware onto a USB stick and then leaving it somewhere strategic in the hope that someone will find it and plug it into a corporate environment, unwittingly releasing malicious code into the organisation.
How Can I Protect Myself and My Organisation?
Businesses can mitigate the risks of social engineering attacks in several ways.
- User Awareness Training
  - Consistent training is highly recommended. This can include simulated phishing attacks or scenario demonstrations such as USB baiting. It’s important for users to have a clear understanding of the scenarios they may face.
- Strong Password and Device Policies
  - Rules on the number and type of characters each password must include, on how often passwords must be changed, and a simple rule that passwords must never be shared with anyone will all help secure information assets.
  - Set out rules around what can be connected to user devices.
- Multi-Factor Authentication
  - MFA should always be used for high-risk network services such as VPNs, and for user email and cloud accounts. This reduces the risk of unauthorised access even if a password is compromised.
- Email Security with Anti-Phishing Defences
  - Multiple layers of email defences help to minimise the risk of phishing attacks. It’s also important that your users understand the need to report any suspicious emails they receive.
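As an added example (not part of the original article), the check below shows the kind of rule an anti-phishing layer can apply to catch the business email compromise attempt described above: an executive's name in the display name but a non-corporate sender address, a mismatched Reply-To, and an external sender asking for vouchers. The organisation domain, the executive list, the lure phrases and both sample emails are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organisation's mail domain, the executives most
# likely to be impersonated, and phrases typical of voucher/payment lures.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"colm": "colm@example.com"}
BEC_PHRASES = ("itunes", "voucher", "gift card", "wire transfer", "urgent favour")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. An executive's name as the display name, but not the corporate address.
    #    (Simple first-name match; a production rule would use a fuller name list.)
    first_name = display.split()[0].lower() if display else ""
    if first_name in EXECUTIVES and addr.lower() != EXECUTIVES[first_name]:
        findings.append(f"display-name impersonation of {display} from {addr}")

    # 2. Replies are steered to a different domain than the one that sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 3. External sender combined with the classic gift-card / payment lure.
    body = msg.get_payload(decode=True) or b""  # None for multipart messages
    text = (msg.get("Subject", "") + " " + body.decode(errors="replace")).lower()
    lures = [p for p in BEC_PHRASES if p in text]
    if sender_domain != ORG_DOMAIN and lures:
        findings.append("external sender with payment lure: " + ", ".join(lures))
    return findings


# Constructed sample messages modelled on the scenario in the article.
SUSPICIOUS = """From: Colm <colm.md@gmail-example.net>
Reply-To: ceo.office@another-example.org
To: jade@example.com
Subject: Quick favour

Jade, are you free to run an errand? I need some iTunes vouchers for clients.
"""

LEGIT = """From: Colm <colm@example.com>
To: jade@example.com
Subject: Team meeting

Moving Thursday's meeting to 10am.
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, bec_indicators(mail))
```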