These days, “hacking” might as well be synonymous with “social engineering attacks”. When it comes to unsavory parties gaining access to your data and your business’s data, this is the way bad actors get in.
In recent years, we’ve seen gargantuan “hacks” involving billions of dollars in losses for companies as big as Twitter, but did you know that 98% of cyberattacks involve some level of social engineering?
In other words, if you or your employees get hacked, it is almost certain that social engineering was involved at some level. That also means that you or your employees could have prevented the hack.
For businesses and individuals in 2023, social engineering is unequivocally how hackers gain access to your data – putting your entire operation at risk.
So what is social engineering? How do hackers use it to gain access to your data? And what can you do about it? Let’s find out.
What Is A Social Engineering Attack?
At its core, a social engineering attack exploits human psychology rather than technical hacking techniques. It’s about manipulating individuals into breaking security procedures, often by creating a sense of trust by understanding how humans receive information.
In essence, a malevolent actor can use proven human psychology to “break in” to the average human’s thought process – and use sociologically normative behaviors linked to those thought processes to allow them access to data they should not have.
This manifests itself in many ways. The most common ways are ones you’re probably familiar with: an email from your “bank”, or a text message from “UPS” saying you need to come pick up a package or verify a delivery. In these cases, the bad actors are preying on both our tendency to trust institutions and our innate curiosity and need to verify information.
More complex heists can take the form of sweepstakes wins that you didn’t enter, sales with discounts that seem impossible (and always are), and even multiple-year relationships in a form of social engineering called catfishing! There’s even the old classic “Nigerian Prince” scam, where an exiled royal has received an inheritance – and needs your help to get it.
Unsurprisingly, you do not suddenly become a billionaire when you give these people access to your information.
How Attackers Pick Their Targets
Scammers and hackers in 2023 are a fairly sharp bunch that constantly evolve and find new ways to infiltrate systems. They’re always testing their strategies, 24/7, improving their ability to sneak in and get your stuff. Like rats, they are experts at finding a way into your home, and even if you snuff them out, they can quickly come back.
But here’s the thing – hackers and scammers are generally lazy. They want to do the least amount of work possible. That’s why they only use techniques that work – and these techniques rarely change (because human brains change very little from generation to generation). Hackers always follow the path of least resistance.
They’ll always try to identify the weakest link in the chain. Choose not to be that link by knowing who they’re looking for and why. Assume everyone who contacts you online is fake until proven real.
- Available Data: Attackers often start by scouring the internet for publicly available information, and they’ll usually use any piece of information they can to convince you to give them access to data. This could be from social media profiles, company websites, or even public records. For instance, an attacker might learn about an employee’s recent work trip from their LinkedIn post and use this information to craft a convincing phishing email. Usually, these operations are less sophisticated and involve sending blanket emails to many different contacts.
- Organizational Structure: In general, attackers are more likely to target those lower on the totem pole; new hires are always at-risk targets because of their general lack of familiarity with the organization’s IT and cybersecurity systems. According to a report by PurpleSec, 60% of IT professionals said recent hires are particularly vulnerable to social engineering tactics, so hackers always target these new lambs. However, that doesn’t mean the C-Suite isn’t susceptible, too – given their unrivaled access to company-wide data, they’re often the victims of targeted cyberattacks. In fact, 42% of businesses have seen cyberattacks against C-Suite-level individuals (and their families!).
- Wide Nets: Hackers always cast wide nets, and then narrow their focus once they’ve found a nice area where the fish are biting. In many cases, this means they will try to get you with the same attack several times, often with some small changes or updates. You see this in newsletters and email scams most frequently.
- Laser Targeting: That said, many social engineering attacks are extremely targeted. A lot of this depends on how much public information about the target is available (which is why C-Suite attacks are growing). Attacks like catfishing and spear phishing are predicated on acquiring robust knowledge about a person. In many cases, scammers target the same person over and over and over again, with different attacks, trying different codes and combinations to get the lock to open.
The Most Common Forms of Social Engineering Attacks
- Phishing: The most common social engineering attack – you definitely have seen this yourself, or you may know someone who has fallen victim to it. Phishing involves dispatching deceptive emails or messages to entice victims into divulging sensitive information or clicking on malicious links that usually look legit. For instance, an attacker might mimic a bank’s email, warning the recipient of a security breach and urging them to reset their password through a provided link, which leads to a fake website.
- Vishing: Here, attackers employ voice calls to deceive their victims – with the growth of low-cost, high-quality AI software, it’s just a matter of time before vishing becomes the most popular form of social engineering. In many cases, the attackers spoof caller IDs. An example could be a scammer pretending to be from the IRS, claiming the victim owes back taxes and threatening legal action unless payment is made immediately. It could be worse – the attacker could have more information on the victim and use it to make the call more convincing, pretending to be a family member or other loved one.
- Smishing: If you’re reading this, you’ve been smished before. You know this method – it’s the fake SMS messages that dupe people into clicking on malicious links or sharing personal data. A common smishing tactic is alerting the recipient of a “prize” they’ve won, with a link to claim it. Shipping information for a package you don’t remember is another. Never click links from numbers you don’t know.
- Pretexting: Attackers fabricate a scenario, like a survey or an IT issue, to extract information from their targets. This usually takes the form of messages or emails to your work email, from an email that looks like your IT provider. For instance, an attacker might pose as an IT specialist from your office, asking for your login credentials. Usually this is used in combination with other techniques.
- Baiting: This involves offering something enticing, like free software, to lure victims. However, the software is often malicious. A classic example is a pop-up ad promoting a free antivirus scan. When the user clicks on it, malware is installed on their device. This is a bit of a blast from the past in the era of Windows 365 and enterprise-level cloud security but is still a thing to be aware of.
- Tailgating: Becoming less common by the day but important to note is tailgating. This is some Ocean’s Eleven-level madness in which attackers gain physical access to restricted areas by closely following authorized personnel, often unbeknownst to them. It’s literally exactly what it sounds like, and yes, it does sound like something from a spy movie.
Real-World Examples of Social Engineering Attacks
Social engineering attacks have been crushing businesses of all sizes these days, even up to the big wig multinationals with billions of dollars on the balance sheet.
To illustrate how crucial it is to make sure you’re being mindful of who is contacting you on the internet, here are some of the biggest social engineering attacks, and the impacts they made.
- The $75 Million Whaling Attack: One of the most successful social engineering attacks targeted Belgian bank Crelan. Cybercriminals used a technique called “whaling” – a type of spear-phishing that targets high-level executives. Posing as legitimate entities, they managed to deceive the bank’s CEO and siphoned off a staggering $75 million.
- Twitter’s Vishing Scandal: In July 2020, Twitter was hit by an apocalyptic security breach when 130 accounts, including those of prominent personalities like Barack Obama, Joe Biden, and Kanye West, were compromised. The attackers used a “phone spear phishing” technique, known as vishing, to deceive Twitter employees into revealing account credentials. This incident not only tarnished Twitter’s reputation, but its stock plummeted 7% the next day before incurring further losses.
- Delivery Company Smishing Scam: September 2020 saw the rise of a widespread smishing (SMS phishing) attack that led to DHL hosting a permanent Fraud Awareness page on its website to discourage people from falling prey to it. Victims received fraudulent text messages, seemingly from renowned delivery companies like DHL, UPS, or FedEx, urging them to click a link and “claim ownership” of an undelivered package. You still see these scams running today – because they’re extremely effective. Again, never click links in texts from numbers you don’t know.
Strengthening Your Business’s Defenses
To bolster your defenses against social engineering attacks, consider the following enhanced measures:
- Employee Training: They’ll kick, they’ll scream, but in the end, you’ll save thousands, if not millions of dollars down the road by simply ensuring your team is educated and trained in basic cybersecurity. Create a robust cybersecurity plan for your team, and distill it into a discrete protocol that your team can follow. By doing this, you discourage the possibility of employees wandering off the path and ending up in the arms of a hacker.
- Robust Multi-Factor Authentication (MFA): MFA can practically kill any social engineering attempt, as it requires multiple points of failure for bad actors to gain access. Every social engineering strategy relies on piercing only one weak point, so adding multiple layers of protection is a massive boon to protection. If you and your business have an active and maintained MFA system for your employees, you’re golden. Even if an attacker obtains login credentials, they’ll need another form of verification to access the account, preventing any information from being accessed.
- Email Security Protocols: Implementing protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) can significantly reduce the risk of phishing emails reaching your employees. These are authentication tools rather than encryption: they let receiving mail servers verify that an inbound email really comes from the domain it claims to come from.
- Regular Updates and Patching: An extremely simple measure is to ensure that all software, including security tools, is regularly updated. Most updates are performance or security updates, so this closes potential vulnerabilities that attackers might exploit.
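As an added example (not code from the original article), here is a small checker that grades a domain’s published SPF and DMARC TXT records and flags the settings that let spoofed mail through, putting a weak configuration beside a hardened one. DNS lookups are left out so it runs offline; the domain names and record values below are constructed.

```python
import re
# Added example, not the article's code; the sample records at the bottom are constructed.
def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?') or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None}
    all_qual = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qual = m.group(1) or "+"  # a bare 'all' means pass
    return {"valid": True, "all": all_qual}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def grade_email_auth(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("SPF: no v=spf1 record published")
    elif spf["all"] in ("+", None):
        findings.append("SPF: no -all/~all terminator, so any host passes")
    elif spf["all"] == "?":
        findings.append("SPF: ?all is neutral and gives receivers no signal")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} leaves some spoofed mail unfiltered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# Constructed sample records: a weak configuration beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.mailer.example -all"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
```

Calling `grade_email_auth(WEAK_SPF, WEAK_DMARC)` lists three weaknesses, while the hardened pair returns no findings.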
Only You Can Prevent Cyber Attacks!
Considering that 98% of cyber-attacks involve social engineering, the cold reality is that you are in control of your company’s cybersecurity.
Sure, no one wants to do cybersecurity training. No one wants to set up an MFA. Nobody wants to update their computer. Too bad! You have to do it.
When it comes to protecting your company’s valuable innards from dangerous cyberthugs (and the millions of dollars in revenue that represents), you have to do what you have to do and make sure your employees are taking the steps to protect your company.
Take responsibility for your company’s cybersecurity. Lead the charge and establish clear, direct, simple cybersecurity protocols your employees can follow. You’ll thank yourself later.