Danger of Social Engineering Attacks
Social engineering, or social hacking, is an attack type in which cyber-attacks and data breaches are orchestrated by cybercriminals using a wide array of methods that exploit human nature and trust, rather than relying fully on technology. Having breached human trust and confidence, cybercriminals gain access to confidential information or to digital and physical business resources and infrastructure, or get the user (employee, client or customer) to download malware, send money or perform other dangerous actions.
In this article, the dangers of social engineering and methods of preventing it will be explored in depth.
Why is social engineering dangerous?
The core of social engineering is human trust and confidence. Attackers spend ample time and resources researching the victim. Key insights (potential entry points, weak protocols, etc.) are gathered, and a combination of words and actions along with technology (emails, voice calls, etc.) is leveraged to deceive the victim into trusting them before proceeding with the attack.
Social engineering is so dangerous because it relies on human error by legitimate users and not necessarily on a flaw in software or operating systems. So, to protect against it effectively, it is important to know how, and in what ways, human beings are manipulated by social engineers to accomplish their goals.
1. Phishing and Spear Phishing
90% of all cyber-attacks are initiated by phishing. Delivered through email (often bulk email campaigns), chat, digital ads, websites and social media, among others, the messages in phishing attacks impersonate real, legitimate systems and organizations such as banks, NGOs, major corporations, legitimate charities or even one's employer.
The messages are crafted to instill a sense of urgency or fear that coaxes the user into doing as the attacker pleases (giving access to confidential information, downloading malware, wiring money, etc.). For instance, the attacker could pose as the CEO of the company and send out emails to employees urging them to take some action that would divulge login credentials to the attacker.
While phishing is usually orchestrated as a bulk campaign, personalization and individual targeting are achieved through spear phishing. It is one of the key weapons in the arsenal of nearly 70% of hackers in the US, who are known to regularly use the method to initiate hacking. This is despite the larger amount of time and effort required to pull off spear phishing.
For instance, the attacker may pose as a banker and demand credit card details of the victim claiming that the card is about to be blocked or that the victim can avail additional benefits.
2. Baiting
As the name suggests, the victim's interest, curiosity or greed is piqued by offering them something they are looking for, enticing them to download malware onto their devices or divulge personal information.
This method is often used by social engineers on peer-to-peer sharing sites, movie or music download sites, or even physically, through a company-branded flash drive left on a desk. Baiting can also be delivered in the form of too-good-to-be-true online deals, spurious emails offering free coupons, etc.
3. Confidence Tricks and Pretexting
This type of social engineering is orchestrated by crafting clever and seemingly genuine communication (emails, phone calls or in person). Here, critical information is extracted from the victim by an attacker who impersonates a colleague or an authority figure with a right to know, and so develops trust.
For instance, the attacker could call the victim claiming to be X from the IT department and collect login information on the pretext of conducting an audit.
4. Piggybacking/ Tailgating
Here, physical access to business assets is obtained by the attacker or another unauthorized person by following an authorized person into a restricted area. For instance, the attacker could bypass physical security by asking an employee to hold the door because he or she has forgotten their ID. The victim could also be asked to lend their PC or laptop for a few minutes, during which the attacker could install malware.
Effective ways to prevent social engineering attacks
1. For employees and customers:
- Employees, irrespective of position and role, and customers need to be regularly and consistently educated about social engineering and its dangers.
- They must be made aware of the red flags to look for.
- They must be instructed to think before they click on or open emails and links, and to exercise extreme caution when accepting offers, however enticing.
2. From the organizational end:
- Multi-factor authentication must be enforced.
- All hardware and software must be kept updated.
- Automatic locking of all devices on campus must be enforced when idle for over 5 minutes.
- A no-sharing-of-devices rule must be imposed and implemented.
- With the help of an intelligent web vulnerability scanner, all systems, networks, devices and servers must be regularly scanned to identify vulnerabilities and security misconfigurations.
- The overall security posture must be fortified with the help of a comprehensive, managed security solution such as AppTrana, which includes an intuitive web application firewall and the expertise of certified security professionals.
The ease with which people can be tricked makes social engineering attacks the most dangerous. 63.8% of all businesses have been victims of one form or another of social engineering. So, every type of business, irrespective of size, nature or domain of operation, is at risk of social engineering attacks, highlighting that ongoing education and awareness are necessary to prevent them.