June 25, 2019
It turns out you don’t always have to be good at manipulating code to hack into secure systems. Being good at manipulating people can deliver the same results.
This is known as social engineering – the process of influencing people or tricking them into divulging confidential information.
Social engineering is certainly the most successful tactic employed, used in 98% of cyber attacks.
While cyber security technologies continue to innovate, there remains a weak link in the cyber security chain: HUMAN BEHAVIOUR.
Of course, some do it more successfully than others. Emails from people claiming to be the widow/orphan of a Nigerian millionaire whose cash can only be accessed overseas are much easier to ignore than emails from your boss asking you to take urgent action.
What are the common types of social engineering?
Phishing is the most common method of social engineering. The victim receives an email asking them to visit a website, open an attachment, or reset their password. Confidential data will then be stolen and used to access the victim’s account, or malware downloaded to their machine, giving the attacker free rein to carry out ransomware attacks or other malicious actions.
Spear phishing emails
Spear phishing emails use the same techniques as phishing but in a more sophisticated, more targeted way. Attackers impersonate individuals or entities that are known to the victim. With the extent of information available on social media, it is easy enough for attackers to pinpoint likely things that will get the victim to take action.
If you post on Facebook about running a 5k in aid of Cancer Research, your attacker will know that posing as a cancer charity might get a reaction from you.
And for this reason, spear phishing attacks are often highly effective – well worth a hacker investing time in.
Whaling attacks take spear phishing to another level. They target C-suite executives with highly personalised emails attempting to gain access to sensitive information or persuade the victim to make money transfers. One example of this would be an attacker impersonating the CEO and convincing other members of staff to make a wire transfer.
Tailgating, also known as piggybacking, is the act of following a legitimate entrant into a secure place. An attacker could do this by asking you to hold the door so they can enter without a security pass, for example. Once inside, they have direct physical access to your systems.
Baiting is the act of reeling in a victim with something enticing. It could be an emailed file that looks like it contains something interesting – like employees’ pay records – or a link to download free music or films. Another example is people picking up USB drives that are purposefully left to be found, which then infect the careless user’s computer, spreading infection throughout the network.
Pretexting is where attackers come up with a convincing pretext for requesting secure information – for example, by establishing authority by impersonating someone who is known to the victim. Again, with the amount of information available on social media, this is relatively easy to do.
No one is immune to social engineering attacks. The thing we have in common – our humanity – is what makes us all vulnerable and what makes us all a target.
Most people have a default position of trust which, when combined with the level of detail attackers can glean from our online presence, gives cyber criminals the power they need to pull off these attacks.
Often, there is a sense of urgency attached to these scams that can disorientate victims, who will respond as requested and only afterwards consider whether they have been scammed.
The best defence? Security Awareness Training
The best protection against these cyber crimes is training and education.
Training employees to think before they click, to understand the risks and potential consequences and know how to spot phishing emails will help prevent these attacks from being successful.
Instituting policies regarding financial transfers, for example requiring multiple sign-offs and in-person confirmation rather than acting on instructions received by email, will also help avoid these risks.
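As an added example that is not part of the original post, the advice above to "know how to spot phishing emails" can be made mechanical for the CEO-impersonation case described under whaling. The short Python triage script below checks a message's headers for four tell-tales: an executive's display name paired with a non-corporate sender address, a sender domain that is a lookalike of the corporate domain, a Reply-To that points somewhere other than the sender's domain, and urgency language in the subject. The corporate domain, executive names and sample headers are constructed for illustration, not taken from the post.

```python
"""Flag inbound mail that shows the hallmarks of executive impersonation.

Added example, not part of the original post. The domain, names and
message headers below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed: the organisation's real domain and the people an attacker would impersonate.
CORPORATE_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe", "john smith"}  # display names, lower-cased

# Phrases that create the time pressure social-engineering emails rely on.
URGENCY_PATTERNS = re.compile(r"\b(urgent|immediately|asap|right away|today|wire transfer)\b", re.I)

# Single-character swaps that make a lookalike domain read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain):
    """Undo common homoglyph tricks so a lookalike collapses onto the real spelling."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Classic Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain is not ours but is within two edits of it after normalisation."""
    if domain == CORPORATE_DOMAIN:
        return False
    norm = normalise_domain(domain)
    return norm == CORPORATE_DOMAIN or edit_distance(norm, CORPORATE_DOMAIN) <= 2


def assess(headers):
    """Return the list of reasons a message looks like impersonation (empty list = nothing found)."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. A known executive's name on an address that is not ours.
    if name.strip().lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but sender domain is '{domain}'")
    # 2. A domain registered to look like ours.
    if is_lookalike(domain):
        reasons.append(f"sender domain '{domain}' is a lookalike of '{CORPORATE_DOMAIN}'")
    # 3. Replies silently redirected to a different mailbox.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from sender domain")
    # 4. Pressure to act before thinking.
    if URGENCY_PATTERNS.search(headers.get("Subject", "")):
        reasons.append("subject uses urgency language")
    return reasons


# Constructed sample headers, as a mail gateway or SOC script would see them.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example-corp.test>", "Subject": "Q3 board pack"},
    {"From": "Jane Doe <jane.doe.ceo@freemail.test>", "Subject": "URGENT wire transfer needed today"},
    {"From": "Accounts <ap@example-c0rp.test>", "Reply-To": "ap@mailbox.test", "Subject": "Invoice 4471"},
]


def triage(samples=SAMPLES):
    """Map each message's From header to the reasons it was flagged."""
    return {m["From"]: assess(m) for m in samples}


if __name__ == "__main__":
    for sender, reasons in triage().items():
        print(f"{'FLAG' if reasons else 'ok':4} {sender}")
        for r in reasons:
            print(f"       - {r}")
```

The first sample is genuine internal mail and produces no reasons; the second trips the executive-name and urgency checks; the third trips the lookalike-domain and Reply-To checks. A gateway rule built on this logic would quarantine or visibly label such mail rather than block it outright, since the display-name check alone will also catch an executive writing from a personal address.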
As our digital world continues to grow, there is more risk than ever – and with so much personal and sensitive information online, there are all the ingredients ready for cyber criminals to carry out successful attacks.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.