
The Dangers of Social Engineering Attacks

Category: Web Security Readings - Last Updated: Fri, 10 Apr 2020 - by Zbigniew Banach

Social engineering, also called social hacking, includes all methods of breaching security by exploiting human nature rather than technology. Cybercriminals can use a wide array of social engineering tactics to obtain confidential information, gain access to physical and digital resources, install malware, or persuade their victims to perform dangerous actions. Let’s take a look at some common social engineering attacks and see what we can all do to stop them.


What is Social Hacking?

The idea behind the effectiveness of social engineering techniques is that people are the weakest link in any security system. Studies have shown that a third of all IT infrastructure incidents in companies are caused by phishing and other social engineering attacks. Up to 90% of businesses that have experienced data breaches on public cloud infrastructures say that some form of social engineering was involved in the breach. But why are these cyberattacks so successful?

Social hacking is social engineering applied to the field of cybersecurity. By using scams, confidence tricks, and personal information harvested from other sources, attackers can obtain vital sensitive information or manipulate the behavior of other people to suit their purpose. The truth is that it’s easier to hack people than machines. For example, why waste time and effort to steal, intercept or crack passwords when you can just call someone and ask for their login credentials? By skillfully manipulating people, attackers can bypass logical and physical security measures.

The Big One: Phishing

Phishing attacks are the bread and butter of cybercriminals, and in 2019 were involved in 32% of all data breaches. Phishing relies on sending victims fake information and hoping they take the bait (just as with fishing, hence the name). Bulk phishing emails are by far the most common delivery method but instant messages, social media posts, and other channels are also used. The most frequent goal of phishing attacks is to obtain sensitive data, for example login credentials or credit card information, but many other attack scenarios also exist, such as installing ransomware and other types of malware on the user’s machine or tricking victims into sending money. 

Bulk phishing emails can mimic common messages such as delivery notifications, invoice submissions, or “you’ve GOT to see this” content shared with friends. Advance-fee scams form a separate category, including the notorious 419 scams. Cybercriminals are also quick to follow trending topics in their campaigns, exploiting product launches, political and sporting events, natural disasters, or even the COVID-19 pandemic to lure users into clicking a malicious link. Perversely, some attacks prey on computer security fears to trick users into installing malicious software disguised as anti-virus software or some other security program.

While the majority of phishing messages are sent as bulk mailings to harvested, stolen or automatically generated addresses, personalized phishing attacks also exist. Spear phishing (again named after the fishing method) relies on personalized communication to increase the chances of success. Using email addresses and personal information harvested from company websites or social networking sites (such as Facebook or LinkedIn), attackers can craft authentic-looking messages addressed to a specific person. Apart from spreading malware via innocent-looking attachments or links, spear phishing is also used to elicit fraudulent payments. Well-prepared spear phishing messages can look extremely convincing not just to spam filters but also to the recipients, and these attacks can be much more effective (and harmful) than mass phishing.
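The red flags described above (a lookalike sender domain, a Reply-To that points somewhere other than the sender, link text that shows one site while the href goes to another, and manufactured urgency) can be checked mechanically before a message reaches a user. The following is an added example written for this article, not Netsparker code: a small Python checker that parses a raw email and reports those indicators. The sample message, the trusted-domain list, the confusable-character table and the urgency phrases are all constructed for illustration, and the registered-domain helper is a deliberate simplification (it keeps the last two labels, so it mishandles suffixes like co.uk).

```python
"""Flag common phishing indicators in a raw email message (added example, constructed data)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organization considers legitimate senders / its own brands.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
# Constructed: substitutions attackers use when registering lookalike domains.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
# Constructed: phrases that signal manufactured urgency.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (ignores multi-label suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Fold common character substitutions so 'examp1e-bank.com' folds to 'example-bank.com'."""
    folded = domain.lower()
    for bad, good in CONFUSABLE_PAIRS:
        folded = folded.replace(bad, good)
    return folded


def is_lookalike(domain):
    """True when the domain is not trusted itself but folds to a trusted domain."""
    return domain not in TRUSTED_DOMAINS and normalize(domain) in TRUSTED_DOMAINS


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_text(text):
    """Registered domain of link text that looks like a URL or hostname, else None."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return registered_domain(host) if host and "." in host and " " not in text else None


def analyze(raw_message):
    """Return a list of (indicator, detail) pairs found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    if is_lookalike(from_domain):
        findings.append(("lookalike-sender", from_domain))

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_addr:
        reply_domain = registered_domain(reply_addr.rsplit("@", 1)[-1])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registered_domain(href_host) if href_host else ""
        text_domain = domain_of_text(text)
        if text_domain and href_domain and text_domain != href_domain:
            findings.append(("link-text-mismatch", f"shows {text_domain}, goes to {href_domain}"))
        if href_domain and is_lookalike(href_domain):
            findings.append(("lookalike-link", href_domain))

    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in haystack]
    if len(hits) >= 2:  # one urgent word is normal business mail; several together is a lure
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample: a typical credential-phishing lure against a fictional bank.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-recovery.example.net
To: jane@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your account within 24 hours or it will be suspended.</p>
<p><a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_MESSAGE):
        print(f"{indicator}: {detail}")
```

Run stand-alone, the script reports all five indicators for the sample lure and nothing for an ordinary internal message. The point is not that such a script replaces a mail gateway, but that every red flag users are told to look for is also a concrete, checkable property of the message, so training and filtering can be aligned on the same list.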

Scams and Confidence Tricks

Famed hacker Kevin Mitnick claimed that he obtained all the credentials for his attacks purely through social engineering, without actually breaking into any computer systems. In a large company, employees don't know everyone, so a phone call from Frank in technical support performing some “routine” maintenance might be quite plausible. People also love to be helpful, and a well-spoken stranger's convincing plea for help with forgotten credentials will work more often than it should. Scammers can gather employee names, emails, and phone numbers based on publicly available information, data extracted in preparatory attacks (for example using LDAP injection), and other sources, such as discarded company documents (dumpster diving).

Social hacking extends traditional confidence tricks into the realm of cybersecurity. Scammers might impersonate a trusted person over the phone or in other communication to obtain sensitive data or persuade the victim to hand over money. If prepared beforehand to gain the victim's trust, this trick, called pretexting, can even be used in face-to-face meetings. As cybercrime moves with the times, there are also reports of criminals using AI-based voice synthesis to imitate the voices of company executives to authorize fraudulent payments.

Bypassing Physical Security

When thinking about cybersecurity, we tend to focus on the technical side: software, hardware, networking, web technologies, and so on. But once again, if an attacker can use social engineering tricks to bypass physical security and simply go into an office and gain physical access to a device, information security goes out of the window. The classic move here is tailgating, or “hold the door, please” – people want to be polite and helpful, even if it means letting an unknown colleague or technician into a protected area. An alternative take on this is “my smart card isn't working again, could you use yours?”

Once the bad guys are in the building, they can try to access local devices to perform their attack. However, they can also be more subtle and use physical baiting by leaving innocent-looking USB drives loaded with malware. Chances are that someone will plug one of the USB sticks into a company machine (or private computer) just to see who lost it. That's enough to infect the computer or maybe even the whole office network with malware, often ransomware.

How to Prevent Social Engineering Attacks

As the name implies, social hacking is all about exploiting human weaknesses rather than technical vulnerabilities, so education, not technology, is your main weapon. Security awareness training is vital for all staff in any organization. Regardless of position, everyone should be trained to recognize red flags in incoming messages and follow appropriate physical security procedures. Social hackers often combine information obtained through social engineering with data from other sources, so ensuring solid overall cybersecurity will make their job more difficult.

Here's a quick checklist to help you keep social attackers at bay:

  • Trust no one: Every single person in the organization should be trained to initially suspect every message and access attempt. This includes training staff to recognize phishing attempts, think or consult before acting on seemingly urgent messages, and strictly follow physical security protocols.
  • Check your security posture: Run regular internal and/or external audits to get a picture of your organization’s overall security posture, including cybersecurity, social engineering resilience, and physical security. Red teaming is the best way to get inside the mind of the attacker, and red team vs blue team exercises can give you a good idea of your weak points and defensive capabilities.
  • Eliminate vulnerabilities: Keep your systems secure to make it harder for cybercriminals to get useful information for a social engineering attack. If your business uses web applications, use a high quality web application vulnerability scanner to eliminate vulnerabilities that can lead to information exposure.
  • Harden accounts and keep a low profile: Enforce strong security for user accounts by defining suitable password policies and requiring multi-factor authentication, so that a phished or talked-out password alone is not enough to log in. Make sure that both personal and business accounts are secured, and avoid revealing internal company information (names, roles, tools, vendors, org charts) via social media and other public channels, since this is exactly the material spear phishers and pretexters build on.