Social engineering attacks seek to exploit humans to gain access to data, information, networks and even money. There has been a rapid increase in social engineering attacks over the years because while technology has become harder to crack, the human vulnerability to manipulation has remained the same. And this is something criminals are taking advantage of.
According to a report by KnowBe4, 97% of malware now seeks to target users, rather than the technical elements of an organisation. So instead of trying to find and exploit a weak spot in an organisation's network or security infrastructure, cyber criminals know that the people in a business are often the gateway to getting what they want – and ultimately plan their attacks around this.
We spoke to PCS cyber security expert Steve Shields to get his thoughts on the increase in social engineering attacks and how businesses can support their users to avoid falling victim …
PCS Professional Services Director
WHY THE INCREASE IN SOCIAL ENGINEERING ATTACKS?
“Social engineering attacks have become more popular because it is easier to target humans who have little training, understanding or knowledge of cyber tactics than it is to target complex systems or software. It’s thought that only around 27% of businesses provide social engineering awareness training for their employees.
And since social engineering is a human-based attack – this is a major problem. It’s also one of the reasons criminals are now using this tactic as the basis of their attacks.
Proofpoint’s 2019 Human Factor report shows that cyber attackers exploit human flaws in around 99% of attacks using a variety of social engineering techniques. They are an easy way of increasing attack success rates without having to do a fat lot.”
SOCIAL MEDIA FOR CREDIBILITY
“With social engineering attacks, the need for the final click of an attack to be executed by a person has become more important. Adding credibility to an attack can influence whether this happens or not.
The more information criminals can gather about a specific employee or the business itself the more realistic their social engineering attacks become. This then makes it more likely to trick their target and achieve their goals. Just like a military campaign the reconnaissance information collected increases the chances of victory.
One way this has been done in recent years is by utilising social media. Social media platforms hold a wealth of data about individuals that, when collectively put together, draws a more detailed picture of potential targets for criminals to exploit.
Just like the more traditional criminal who carries a hammer, screwdriver and a glass cutter in his kit bag, social media is a tool in the cyber criminal’s kit bag. This information gathered by the criminals via these platforms makes it easier for them to execute sophisticated attacks that look extremely legitimate and therefore, more successful.”
THE SOCIAL MEDIA EXAMPLE
“One of my favourite sayings is – if it’s free, then you are the product. In this case, your data is the product. And what criminals can do with that data is alarming, often using the detail they come across on social media to manipulate you into giving up much more than you bargained for. Here’s how easy it can be …”
“A top executive was attending a trade show overseas. A social media group was created for all attendees to engage with each other, but the criminals also joined this group.
The criminals hijacked the executive’s email. They established who the executive’s PA was through the social media platform and sent them an email advising the executive had lost their credit cards and obtained a preloaded replacement card. The criminals asked the PA to load some money onto the card for a meeting with a possible new customer.
To add credibility, they mentioned the customer’s name and the time of the meeting as obtained from the social media group. But the PA was unaware this was the criminals’ card. In true social engineering style, they sent the email when they knew the executive was in another meeting and could not be questioned.”
“This is a classic case of how cyber criminals can use the smallest details they obtain from social media in order to get exactly what they want. It doesn’t cost them a lot of time, effort or money but can be extremely rewarding, particularly if this goes unnoticed, like it could in this case, for a number of months.”
“I don’t think Covid-19 has affected how the threat of social engineering attacks has evolved, but it has become a catalyst that has allowed these types of attacks to thrive during a very difficult time. This is evident in the huge 600% increase in phishing attacks, the main method of social engineering, and other coronavirus-related scams since the start of the Covid-19 pandemic.
However, as with most cybercrime, if Covid-19 hadn’t presented an opportunity to take advantage of victims, it would have been something else. Always remember, cyber criminals by default have no morals and are often ruthless in their approach.
What Covid-19 has influenced is the emotions of targets. Heightened anxiety, fear, worry and financial implications because of the pandemic have caused people to be more susceptible to social engineering attacks, clicking on something they normally wouldn’t.”
3 things you can do to avoid becoming a victim
1. Restrict Access on Social Media
“Social media will always be a tool for the criminals. By default, social media shares everything with everyone but there are settings that allow you to restrict who can see what. Review these settings and limit who has access to your personal data, details, and updates.
In a society that is measured by the number of friends you have, it’s also worth reviewing your friends or connections to ensure you don’t have the same friend more than once, and never accept requests from people you don’t know.
Do everything you can to make sure your personal information isn’t available, and ensure you’re not using easily guessed information as passwords, security question answers, or password reminders.”
2. Ensure Technology Is Robust & Up To Date
“Ensure you have technology in place that supports your business to detect, block and prevent malicious activity on your network and end devices as the first layer of protection for your business, network and users. This should filter out a good chunk of known malicious IP addresses before they ever reach your users.
Have trusted device software in place to protect your users when they are off the network, especially given the increase in remote working and users’ increased susceptibility to social engineering when not in the office.
For all software and technology, ensure it is always running on the latest version and that updates are performed regularly to avoid any vulnerabilities that cyber criminals could take advantage of.”
3. Educate Users
“Education is the key to helping prevent social engineering attacks. Provide a comprehensive security awareness training program that seeks to change staff behaviour whilst raising their knowledge and awareness of cyber threats and the techniques used to deploy them. This should be updated frequently and completed at regular intervals throughout the year.
Remember though, this is not just about helping staff to avoid clicking on links. Empower people to question things that look or feel suspicious and to question out-of-the-blue requests from their managers.
Better to question genuine messages than ignore malicious ones. After all – your users are your last defence.”
“The most worrying aspect of social engineering is that just one click can end up costing a business £1,000s, even £10,000s and more. However, there are steps your business can take to ensure it doesn’t fall victim. Get professional advice and make sure your staff are well aware of the increase in social engineering attacks, methods used and the damage they cause.”
Speak to PCS Experts Who Can Help!
Preventing social engineering attacks is more than just a one-step approach. It takes a variety of elements working together in order to ensure you are fully protected. Speak to the cyber security experts at PCS who can advise you on what will work best for your business. Call us on 0333 150 6780, email or fill out the contact form below and a member of the team will be in touch.