Roughly 98% of cyber-attacks rely on social engineering.
Whilst social engineering itself isn’t a cyber-attack, it helps cyber-criminals gain the trust of potential victims, which encourages them to lower their guard and take unsafe action, such as clicking links or opening malicious attachments. Most data breach incidents will target the human element to gain access to sensitive information.
One of the greatest dangers of social engineering is that only one user needs to be fooled to provide enough information to trigger an attack that has the potential to bring down an entire organisation.
Over time, social engineering attacks have become more sophisticated, with fake websites and emails looking realistic enough to fool victims into giving out sensitive data that can be used for identity theft.
There are now several ways cyber-criminals will try to use social engineering to fool your users.
Types of Social Engineering Attacks
Phishing – Phishing scams are the most common social engineering-based cyber-attacks. Typically, they take the form of an email that looks like it has come from a reputable source, usually with a malicious link or attachment. Cyber-attackers can use phishing attacks to:
- Trick victims into giving away credit card information or other personal data.
- Obtain employee login details or other details that can be used in an advanced attack.
- Gain the initial foothold for a larger campaign; Advanced Persistent Threats and ransomware often start with phishing attempts.
Watering Hole Attack – This is a very targeted type of social engineering attack. Attackers will set a trap by compromising a website that is likely to be visited by a particular group of people, for example, industry websites that are frequently visited by employees of a certain sector. The aim is to catch out any individual from the target group. Once that individual’s data or device has been compromised, the attackers can carry out further attacks.
Business Email Compromise – Business email compromise attacks are a form of fraud, where the attacker poses as a high-level executive within the business and attempts to trick the recipient into sending them money.
This happened last year in Rio. Our communication manager Jade received an email that appeared to be from Colm, the managing director. It was a very inconspicuous email, asking if Jade had time to run an errand for Colm, and being new to the business she immediately replied that she did. After waiting for a reply, she decided the best thing to do was call Colm to find out what he needed, only to discover Colm didn’t need a favour at all. The attacker behind the email was posing as Colm, hoping to fool Jade into spending a substantial amount of money on iTunes vouchers, sending them the details and then providing personal data to be reimbursed.
USB Baiting – While it sounds like something out of a Hollywood movie, it happens more often than you might realise. USB baiting involves cyber-criminals installing malware onto a USB stick and then leaving it somewhere strategic in the hopes someone will find it and plug it into a corporate environment, unwittingly releasing malicious code into the organisation.
How Can I Protect Myself and My Organisation?
Businesses can mitigate the risks of social engineering attacks in several ways.
- User Awareness Training – Consistent training tailored for your organisation is highly recommended. This can include simulated phishing attacks or scenario demonstrations such as USB baiting. It’s important for users to have a clear understanding of the scenarios they may face.
- Strong Password and Device Policies – Guidelines such as the number and type of characters that each password must include, how often a password must be changed and a simple rule that passwords must never be shared with anyone, along with guidelines on what is and is not allowed to be plugged into user devices, will help secure information assets.
- Multi-Factor Authentication – MFA should always be required for high-risk network services such as VPNs, as well as for user email and cloud accounts. This will help to reduce the risk of unauthorised access to accounts and systems, even if passwords are compromised.
- Email Security with Anti-Phishing Defences – Multiple layers of email defences can help to minimise the risk of phishing attacks. It’s also important your users understand the need to report any suspicious emails they receive.
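One layer of the email defences mentioned above is a display-name impersonation check, which would have flagged the Jade/Colm email described earlier: an inbound message whose From name matches an executive but whose address sits outside the organisation's own domains. The code below is an added example, not part of the original post; the executive list, internal domains and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
import unicodedata

# Assumed for this example: executives whose names an impersonator might borrow
# (first-name tokens, normalised) and the domains the organisation sends from.
EXECUTIVE_NAMES = {"colm"}          # placeholder, not a real directory
INTERNAL_DOMAINS = {"example.com"}  # placeholder domain


def normalise(name: str) -> str:
    """Lower-case, strip accents and punctuation so 'Cólm.' still matches 'colm'."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_only.lower() if ch.isalnum() or ch.isspace()).strip()


def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation; empty list if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Executive's name in the display field, but the mail did not come from our domain.
    if any(tok in EXECUTIVE_NAMES for tok in normalise(display).split()) and domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{display}' matches an executive but sender domain is '{domain}'")
    # A Reply-To that diverts the conversation elsewhere is a classic BEC tell.
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")
    return findings


# Constructed sample messages for the demonstration (not real mail).
SPOOFED = """From: Colm <colm.director@freemail.example>
Reply-To: <urgent.reply@another.example>
To: jade@example.com
Subject: Quick favour

Do you have time to run an errand for me?
"""

LEGITIMATE = """From: Colm <colm@example.com>
To: jade@example.com
Subject: Quick favour

Do you have time to run an errand for me?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, check_message(sample) or "no findings")
```

In a mail gateway this check would quarantine or tag the message for the user, which also makes the "report suspicious emails" step above far easier.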