Cybercrime is one of the biggest threats to businesses in 2019. Attacks continue to evolve, with new threats surfacing every year. Some of the most common (and often unexpected) attacks on businesses are socially engineered, rather than attacks which involve technical skills to carry out.
Social engineering is the art of gaining sensitive information by relying on human error rather than on vulnerabilities in software or operating systems. It exploits the way people make decisions and plays on their natural reactions to different situations.
Act first, think later?
Social engineering can involve research to gather background information such as points of entry and weak security protocols. It can also be as simple as misleading someone to divulge information or spoofing a company’s website to request personal information. Many people act first and think later, and this is where various social engineering techniques play on human behaviour.
Human behaviour comes up in every cyber security strategy, and people are often described as the weakest link when it comes to security. Or is it the awareness training that is the problem?
Some popular social engineering attack techniques to watch out for:
Baiting aims to lure a victim into doing something that will reveal sensitive information. An example would be a hacker placing a USB stick with a company logo or labelled ‘confidential’ in a public space, and then someone picking it up and using it. This is a commonly used technique to inject malware onto company networks. Online types of baiting involve ads which entice people to click on malicious sites or to download a malware-infected application.
Pretexting is the process of gaining information by impersonating co-workers, banks or someone in a position of authority. The hackers establish trust with the victim through carefully planned lies and then gain sensitive information from them. The hacker impersonates a chosen company or person and asks questions that confirm the victim’s identity, such as names, addresses, passwords, bank account details etc. These types of attacks are becoming increasingly sophisticated, especially due to the amount of information that people share online about themselves.
Phishing is one of the most popular social engineering attack types: email and text message campaigns that create a sense of fear or urgency in the victim. Phishing attacks get victims to reveal sensitive information, click on links, or open attachments in emails which contain malware. A lot of spoofing occurs, where messages are sent with near-identical branding but contain malicious links.
These spoofed messages are common for companies such as PayPal and eBay and state that accounts have been compromised or passwords need to be changed. Hovering over the link in emails (without clicking) and checking the email address of the sender is the best way to check that the email is valid.
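The two checks described above (where a link really points versus what it shows, and whether the sender address is what it claims to be) can be automated for a mailbox or a security team's triage queue. The script below is an added example, not code from the original post: it parses a constructed sample message whose brand, addresses and `.example` domains are placeholders, flags anchors whose visible text names a different site than their `href`, and flags a `Reply-To` domain that differs from the `From` domain. The two-label "registrable domain" approximation is an assumption made for brevity; a production tool would use a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; the sender, Reply-To and
# link domains are placeholders, not real infrastructure.
SAMPLE_EML = """\
From: "PayPal Service" <security@paypa1-support.example>
Reply-To: collect@mailbox.example
To: employee@company.example
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please confirm your details within 24 hours.</p>
<p><a href="http://paypal.com.verify-login.example/confirm">https://www.paypal.com/signin</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

# Matches a bare domain or a URL in anchor text and captures its host.
URL_OR_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if the anchor text looks like a URL or domain, else None."""
    match = URL_OR_DOMAIN.fullmatch(text.strip())
    return match.group(1).lower() if match else None


def check_links(html):
    """Flag anchors whose visible text names a different site than the href target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = (urlparse(href).hostname or "").lower()
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def check_headers(msg):
    """Flag a Reply-To whose domain differs from the From domain."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


def analyse(raw_eml):
    """Run both header and link checks over a raw RFC 5322 message string."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return check_headers(msg) + check_links(html)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("WARNING:", finding)
```

Run against the sample it reports two warnings: the first anchor displays `www.paypal.com` but resolves to a lookalike host, and the reply address goes to a domain unrelated to the sender. The second anchor, whose text is just "Help Center", produces nothing, which is the point of comparing only text that itself looks like an address: plain words cannot mislead a reader about a destination the way a pasted URL can.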
Spear phishing is a more targeted version of phishing, where an attacker chooses specific individuals or businesses to attack. They can tailor messages to appear to be from a colleague or manager, instructing them to carry out a task or download an attachment. These types of attacks deceive employees as they are often signed off in the same way as the real sender would, and this is where it is so important to have trained and intuitive staff that are able to recognise this kind of attack.
Scareware involves victims being bombarded with false alarms and threats. Users are led to believe that their system is infected with malware and are frightened into installing ‘protective’ software that is itself malware. Scareware is also known as fraudware or rogue scanner software. Instances of scareware include pop-up banners saying that your computer is at risk, or bogus warnings sent via spam email.
Many other forms of social engineering are being carried out by cyber criminals every year as they try and outwit businesses to gain access to valuable information. Find out in our next blog how your business can prepare for these types of attacks. Is training key? Or are people always going to be the weakest link?