They say nothing is certain in life except death and taxes. Unfortunately, you could also add human error to that list.
As organisations adopt ever-more sophisticated technologies to prevent cyber-crime, criminals are learning that deceiving the people within the organisation is one of the most effective ways to bypass security controls.
In this blog we’ll explore the phenomenon known as Social Engineering, how it is being used to initiate a range of cyber-attacks, and what you can do to ensure confidential information isn’t revealed that undermines your organisation’s security.
What is social engineering? Why is it effective?
Social Engineering is the attempt by cyber-criminals to deceive your people into revealing confidential information that paves the way for them to initiate a cyber-attack against your organisation.
Network and application defences are now stronger than ever. Organisations are embracing new technologies and methodologies that make it significantly harder for cyber-criminals to breach their environments.
However, one of the side effects of improved defences is that criminals are hunting for new attack vectors. What they’ve discovered is that it is possible to deceive the people in an organisation into revealing confidential information, such as login credentials, that open the doors to your systems.
Wherever there are humans, there will be human error. It’s this simple fact that cyber-attackers are seeking to take advantage of. It’s the reason engaging in Social Engineering is proving to be so effective.
What does a social engineering attack look like?
Until relatively recently, deceiving people into revealing confidential information was pretty straightforward. The same email would be sent to many potential targets. The attackers would then sit back and wait for a handful of naive recipients to divulge the information that would open the way to launch an attack.
However, times have changed.
Many organisations have begun equipping their people with the skills to identify Social Engineering attempts. As a result, attackers have had to become significantly more sophisticated in order to successfully deceive people.
Nowadays, attackers carefully select their targets in advance. They strategise ways they can build trust with their target over time. This may involve conducting extensive open-source intelligence (OSINT) gathering, connecting with potential targets using social media and communicating with them multiple times to build trust, all before any attempt is made to obtain confidential information.
Types of social engineering attacks
Phishing
Attackers use emails to trick recipients into either clicking on malicious links or opening malicious attachments. Typically, clicking on the link will direct the target to a fake website set up by the attacker. Once on the fake website, the target will be required to submit confidential information, such as online banking details or login credentials to other corporate systems. An alternative attack vector is when the target clicks a malicious link or attachment that initiates the installation of malicious software, or malware, on the target’s device.
Spear phishing
Similar to phishing, but more targeted in nature. Spear phishing usually targets individuals within an organisation who have a high level of privileged access to its systems, for example the CEO or CFO. Once login credentials are obtained, the attacker can then gain wide access to systems, facilitating extensive data breaches.
Baiting
A tactic that takes advantage of people’s desire for rewards. People may be tempted to click on malicious links and enter confidential information if they believe they have won a prize.
Watering hole attacks
This sees a group of individuals, usually from the same organisation, targeted when they visit a particular website that has been infected with malware. All it takes is one device belonging to one individual from the group to become infected with the malware, and the attacker gains access to the organisation’s systems.
Vishing
This attack vector uses voicemail as a vehicle to deceive individuals into thinking there is an urgent requirement for them to take specific actions, such as logging into a site to update their credentials.
Smishing
Similar to phishing, however this method sees attackers use SMS messages as a way to infect mobile devices with malware. With many organisations now using mobile applications for work purposes, this can provide an ideal opportunity for an attacker to compromise their systems.
Pretexting
This highly targeted attack vector requires significant reconnaissance. It sees the attacker target a specific individual by impersonating a legitimate person or organisation with which the victim has had some genuine association. Because of that prior genuine association, and the fact that the attacker’s communications appear highly realistic, the victim is lulled into a false sense of trust and divulges confidential information.
Quid Pro Quo
Here, an attacker offers to provide a service for the target, such as IT services. In order for the victim to receive the promised services, they must access a fake website and enter certain confidential information. They may also be required to take certain actions, such as disabling anti-virus software.
Tailgating
It should be noted that not all Social Engineering is conducted virtually. It can also occur in the physical world. Tailgating sees an attacker gain access to an organisation’s premises by deception. They might enter behind an authorised individual, such as an employee. They may impersonate an individual with access rights, such as a cleaner or technician. Once inside, they can conduct reconnaissance, gain access to servers, or even plug USB sticks into computers.
Examples of social engineering attacks
One of the most common examples of a Social Engineering attack is Business Email Compromise (BEC) fraud. BEC involves an attacker attempting to deceive an organisation’s accounting personnel as a prelude to defrauding the organisation.
To successfully carry out a BEC fraud, an attacker will usually compromise the email account of a senior person within a target organisation, such as the CEO or CFO. Using information gleaned through Social Engineering techniques such as pretexting, the attacker accurately impersonates the owner of the compromised email account. This allows them to issue realistic instructions to the accounting team to pay large sums into the scammer’s bank account.
The recent case of Levitas Capital, an Australian hedge fund, demonstrates how effective Social Engineering attacks can be. The attack started with a phishing email containing a link to a fake Zoom meeting. Clicking the link installed malware, granting the attackers access to the corporate email system.
This allowed the attackers to obtain enough information about Levitas to issue realistic invoices. They were subsequently able to send emails approving the payment of the fake invoices by impersonating the fund’s founders.
You can prevent social engineering attacks
Train, train and train some more.
Ongoing training is the key to preventing Social Engineering attacks.
Preventing Social Engineering attacks depends upon people understanding that they are being targeted on a regular basis. Cyber-criminals are relentlessly seeking ways to deceive staff in organisations, using a wide range of tactics.
Everyone, from senior executives down, needs to learn to act with a high degree of caution anytime they are asked to click a link or open an attachment. Before they approve any payments or divulge any information, they need to slow down and verify that it is safe to do so.
Because attackers are trying to take advantage of human error, your people need to understand that they are on the front line in this fight. They must have the essential skills to effectively defend your organisation against increasingly sophisticated Social Engineering attacks.
How can phishing simulations help prevent social engineering attacks?
Phishing simulations, such as those developed by Phriendly Phishing, help your staff develop and maintain the skills they need to defend your organisation from a range of Social Engineering attacks.
After progressing through multiple stages of awareness training, your team will be sent random ‘fake’ Social Engineering tests. Starting with obvious attempts at Social Engineering, the tests progress to become increasingly sophisticated. At every stage an organisation can monitor the effectiveness of the ongoing training in order to provide additional assistance to those members of your team who require it.
It’s important to understand that Social Engineering awareness is not a one-time training activity. It requires ongoing commitment to ensure your team develops the habit of always being on the lookout for potential Social Engineering attacks.