Attacks against enterprises and SMBs using social engineering are not only growing more frequent, but they're also increasingly more sophisticated. Enterprises must exercise due diligence in order to keep one step ahead of cybercriminals since they are coming up with even more clever ways to trick people into handing over valuable company data.
Social engineering is the term used for a broad range of malicious activities used by cybercriminals to trick users into making security mistakes or giving away sensitive information.
Any successful cyber-attack that employs social engineering preys on one basic human instinct: trust. According to the 2022 Verizon Data Breach Investigations Report, 82% of breaches involve the human element, whether that be through pretexting, phishing or use of stolen credentials.
All it takes is one email, phone call, or text message that appears to be coming from a recognized person or organization to fall through the cracks. After the deception works and the attack succeeds, the cybercriminals can expose sensitive information, use it to their benefit, or take control of corporate devices, systems and networks.
Suspicious links are so common online that most of us are uneasy about clicking on any links in almost any situation.
You may be thinking, “Surely this can’t still be happening.” Dilbert portrays it best:
Three billion fraudulent emails are sent out every day to try to compromise sensitive information. And, according to the 2021 edition of Terranova Security’s Phishing Benchmark Global Report, 19.8% of total participants click on the phishing email links.
It can be harder than you think. Try this quiz to see if you can tell what’s fake and what’s real.
Social engineering is so effective and dangerous because people make mistakes.
Successful social engineering scams rely on that knee-jerk human reaction to trust the sender and believe the message. Being busy, not paying close enough attention or complacency can lead to users being too trustful.
The best examples of social engineering are the ones that play all the right notes on a victim’s emotional scale. The social engineering attacks prey on human emotion whether that be fear, greed, curiosity or helpfulness.
Everyone within an organization must know what social engineering attacks look and/or sound like. Otherwise, the risk of data or system exposure through a malicious email link or attachment can increase significantly.
Let us take a closer look at the various forms that cybercriminals can use to package their social engineering attempts.
Phishing
Phishing encompasses a wide range of devious tactics, including deceptive emails, fake websites, and misleading text messages. They all have the same goal: to steal confidential data belonging to an individual or organization. Phishing attacks are typically successful when they appear to come from a well-known source, trusted acquaintance or organizational entities.
Pretexting
Pretexting is a social engineering technique where a false identity dupes a victim into giving up sensitive information. For instance, a cybercriminal may know that the targeted individual recently bought an item from Apple and pretends to be a company customer service representative to acquire credit card information or other confidential details.
Quid Pro Quo
Quid pro quo scams rely on an exchange of information to convince a victim to act. Often, they offer to provide a service in exchange for a benefit. A common tactic in this category is when a cybercriminal impersonates an IT support employee and call victims who recently opened a support ticket, promising to fix a virus-related issue if they are provided with login credentials.
Spear Phishing
Spear phishing is a cybercrime that deploys targeted attacks against individuals and businesses using relevant and well-crafted messages. Hackers will collect details about the targeted parties and, using email, use that information to appear familiar to the victim.. Though often used simply to steal user data, spear phishing can also be a means to install malware or ransomware onto someone’s device.
Vishing
Vishing uses phone calls or voicemail to convince victims that they need to act quickly. Typically, messages will dangle the threat of being subjected to legal action or a criminal attack, such as one urging the victim to reset their banking information because their account has been hacked.
Water-Holing
Water-holing targets a group of users and websites they frequent. The cybercriminal looks for a security vulnerability in one of these websites and then infects it with malware. Eventually, a member of the targeted group will be victimized by the malware. This specific social engineering technique is also very hard to detect.
Baiting
Baiting is both an online and physical social engineering attack that promises the victim something in exchange for an action. This can include plugging in a USB key or downloading an attachment to receive free movie downloads for life. The computer and the network can be targets of malicious software that captures login credentials or sends fake email messages.
Malware Removal
The promise of malware removal messages tricks victims into paying for a tool to remove viruses or other nefarious software from their devices. Depending on the scam, the criminal can steal the victim’s credit card information or install a different malware or ransomware program onto the computer or mobile device. Keep an eye out for malware emails – nearly 95% of payloads are delivered this way.
The reality is that people keep falling for these social engineering attacks. That why attackers keep doing them as they work! Their methods are constantly evolving so the ones we see today are sure to evolve. Hence the importance of continually educating your employees. Training and testing them should be a part of your cybersecurity plan.
Present partners with Terranova Security, a Gartner magic quadrant leader, to offer a high-quality customizable training program. Contact one of our cybersecurity experts to learn more!