Michelle Edmondson

The Ultimate Confidence Trickster

SOCIAL ENGINEERING - WHAT IS IT, WHY DO WE FALL FOR IT AND HOW CAN YOU PROTECT YOUR ORGANISATION?



Think of it this way.


Social engineering is the conman of the cyberattack world.


In real terms, the phrase is used to describe the manipulation of individuals into divulging confidential information or performing actions that are not in their best interest.


Cybercriminals use various forms of social engineering to deceive people into giving up sensitive information, installing malware, or performing other actions that could compromise their security.


It is a non-technical strategy (non-technical because it does not rely on the exploitation of systems or software); instead it relies heavily on human interaction, basing its manipulative techniques on trust or fear. Through this, hackers gain legitimate access to data, funds, personal and confidential information, or whatever else they can use to exploit their victims.


What makes it so dangerous (and so easy for bad actors) is that social engineering does not have to target everyone in an organisation to be successful - it only takes one person to be duped to trigger a large-scale attack. For organisations such as universities, a social engineering attack on just one person could have terrible and widespread consequences.


And these attacks are definitely becoming more and more sophisticated...


The often-heard mantra ‘don’t click on suspicious links!’ is not enough anymore: social engineering comes in many forms and is becoming difficult to detect. In fact, a 2022 poll by Comcast found that 71% of people surveyed had heard of phishing, but only 39% said they would be able to explain what it is. That leaves a very high percentage of people who would either not be able to identify a phishing attack or not know how to avoid one.


These attacks do not necessarily happen through one email or bad link. Phishing, for example, might take time as the hacker develops a ‘relationship’ with the victim, to become trusted and to gain as much information as possible. In terms of using fear as a tactic, victims are often scared into running malware disguised as a practical or safe installation.

In order to protect your organisation, your staff and, for universities, your students from these malicious and often traumatising attacks (and to alleviate the load on your cybersecurity team and CISO!), awareness of the most prevalent forms of social engineering is crucial, as is an understanding of just how sophisticated these attacks are becoming.



Phishing


Phishing is a form of social engineering that involves sending fake emails, text messages, or other communications to trick people into revealing sensitive information. The statistics are astounding, with phishing making up over 90% of social engineering attacks. Phishing attacks are usually successful because they exploit common human traits such as trust, curiosity, and fear. People are more likely to click on a link or download a file if it appears to come from a trusted source or if it promises to solve a problem or fulfil a desire. As mentioned, there are various forms of phishing attack to be alert to...


Spear phishing is a more targeted form of phishing that involves personalized messages sent to specific individuals. According to a report by Proofpoint, 88% of organizations worldwide experienced spear-phishing attacks in 2019. Spear phishing is successful because it uses information that the attacker has researched to make the message appear legitimate. This type of attack is particularly effective because it appears to come from someone the recipient knows, which increases the likelihood of the recipient taking action.


Vishing is a type of social engineering attack in which an attacker uses voice or telephone communication to trick a victim into divulging sensitive information, such as credit card numbers, social security numbers, or login credentials. The term "vishing" is a combination of "voice" and "phishing," which is a similar type of attack that uses email or messaging communication. In a vishing attack, the attacker typically poses as a trusted entity, such as a bank representative or a government official, and creates a sense of urgency or fear to convince the victim to provide personal information. For example, the attacker may claim that there is suspicious activity on the victim's account and that they need to confirm their identity to prevent fraud. Vishing attacks can be particularly effective because they exploit the trust that people have in telephone communication and the perceived authority of the attacker's persona. They can be difficult to detect and trace because they often use sophisticated techniques, such as caller ID spoofing or voice manipulation.


Smishing (SMSishing) is when the attacker uses text messages, posing as someone in authority, to instruct the recipient to click on a link, send information or download malware.


Whaling is another form of spear phishing in which senior executives are targeted. These messages convey a sense of urgency, usually to transfer funds quickly.


Other Forms of Social Engineering


Baiting is a social engineering technique that involves offering something in exchange for sensitive information. For example, attackers might offer a free gift card in exchange for a user's login credentials. Baiting is successful because it preys on people's desire for free things or their eagerness to help others.


Pretexting is a social engineering technique that involves creating a false scenario to obtain sensitive information. For example, attackers might pretend to be a company's IT support and request login credentials. Pretexting is successful because it preys on people's desire to be helpful and their tendency to trust authority figures.


Scareware is a type of social engineering attack that uses fear and urgency to trick victims into downloading malicious software or purchasing unnecessary or fake software. Scareware often takes the form of pop-up messages or alerts that appear to be from legitimate security software and claim that the victim's computer is infected with a virus or other malware. The scareware message typically urges the victim to take immediate action to remove the supposed threat, which often involves downloading or purchasing the attacker's software.


Piggybacking, also known as tailgating, is a social engineering technique in which an attacker gains unauthorized access to a secure area by following closely behind a person who has legitimate access. The attacker may pose as a delivery person or repair technician and ask the person to hold the door open for them. Once inside, the attacker may be able to steal sensitive information or plant malware on the victim's computer or network.


Waterholing is a social engineering technique in which an attacker targets a specific group of individuals by infecting a website that the group is known to visit regularly. The attacker compromises the website with malware, which then infects the computers of visitors to the website. Waterholing attacks are effective because the attacker can compromise a large number of individuals with a single attack, and the victims may not be aware that their computers have been compromised.


Quid pro quo is a social engineering technique in which an attacker offers a victim something of value, such as a prize or a service, in exchange for information or access. For example, an attacker may pose as an IT support technician and offer to help a victim fix a computer problem in exchange for the victim's login credentials. The victim may be willing to provide the information in exchange for the promised benefit, without realizing that they are being tricked.




It is no longer a case of if it happens but when, and organisations need to take a proactive approach to staff security training rather than a reactive approach once an incident occurs.


