In today’s increasingly connected business world, cybersecurity threats are getting smarter. Computer encryption has never been more sophisticated or complex, so many hackers are turning to the organic element of the computer network: the users. This approach is called social engineering, and it is a very real threat to all levels of business.
Fortunately, one of the best ways to avoid the dangers of social engineering is awareness, so read on to find out how you can help your company avoid falling prey to social engineering.
What Is Social Engineering?
Social engineering is the use of manipulation, deception, and coercion to gain access to information or resources that would otherwise be off-limits. It can be used to steal sensitive data, spread malware, or gain access to physical locations. Social engineering is a serious threat because it exploits the human weakness in any security system.
Social engineering is a serious threat to your company’s bottom line, and the amount of money that companies lose each year is only increasing. According to the FBI, between the years 2013 and 2016, businesses lost 1.6 billion dollars to social engineering scams; in 2021 alone, social engineering was responsible for 6.9 billion dollars of loss. The rise of remote work has made social engineering a greater threat, as there are now greater expectations of digital communication.
How Does Social Engineering Work?
Social engineering encompasses four main steps: preparation, infiltration, exploitation, and disengagement.
- Preparation: The hacker gathers information about their victims, including where they can access them, such as on social media, email, text messages, and texting apps, or even in person. The information gathered in this step includes personal information that might lead the victim to believe that the hacker is who they claim to be in the next step.
- Infiltration: The hacker approaches their victims, usually impersonating a trustworthy source and using the information gathered about the victim to validate themselves. It’s estimated that 91% of cyberattacks start with an email message. Compromising business email accounts is vastly profitable for these scammers; in 2021, this vector alone led to $2.4 billion in commercial losses. Phone calls are also common but are more likely to be used in an attack on an individual rather than as a person representing an institution.
Most of the time, the hacker will attempt to impersonate financial institutions to get account data. According to Webroot data, financial institutions represent the vast majority of impersonated companies, and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks, including phishing and pretexting, are responsible for 93% of successful data breaches.
- Exploitation: The hacker relies on persuasion and human nature to request information from their victims, such as account logins, payment methods, or contact information that they can use to commit their cyberattack. During this stage, the victim is unaware that they are being manipulated. Social engineering only works if the victim believes that the hacker is legitimately representing the institution they are impersonating. These hackers use sophisticated methods to convince the victim of their veracity.
- Disengagement: Once the hacker has the victim’s vital information, the communication stops immediately. The hacker commits a cyberattack using the information, leaving the victim to wonder what happened.
Examples of Social Engineering
Social engineering can be the precursor to attacks on companies of any size. Between 2013 and 2015, a hacker named Evaldas Rimasauskas and his team successfully cheated Google and Facebook out of over 100 million dollars. The team did this by setting up a fake company impersonating a computer manufacturer that worked with both large companies. They perpetuated the scam with phishing emails to specific employees, sending them invoices for goods and services that the manufacturer they were impersonating had legitimately provided. However, they directed the Google and Facebook employees to deposit money into fraudulent accounts.
The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $120 million. While Rimasauskas was eventually caught and is serving five years in jail for wire fraud, the losses were disruptive to the companies.
Some social engineering scams do not rely on specific employees receiving phishing emails; instead, they may rely on company-wide software insecurities. One such example relied on a security weakness in Microsoft 365. In April 2021, security researchers uncovered an email scam that tricked recipients into installing malware on their devices.
The victims of this scam only received one email; there was no ongoing scheme. Instead, the hackers impersonated the software the victims used every day. The email was blank with a subject line about a price revision; when opened, the email contained an attachment that looked like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” was actually a disguised .html file.
When victims opened the spreadsheet, they found themselves directed to a website that contained malware that triggered a popup notification. Users were told that they had been logged out of Microsoft 365 and that they needed to re-enter their login credentials. Because getting logged out of software accidentally is an easy enough mistake to make, many users fell for the scam. However, instead of logging into Microsoft 365, they were unwittingly handing over their login credentials to the hackers running the scam.
The Dangers of Social Engineering
There are numerous ways for social engineers to access your credentials and other sensitive data. It is estimated that social engineering is used in 95%-98% of targeted attacks on individuals and corporations. Three of the most common tacts are phishing, malware, and DDoS attacks.
The most pervasive way of implementing social engineering, hackers who use phishing create deceptive emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims. Despite how well-known phishing email techniques are, employees still click on those suspicious links at an alarming rate.
Webroot’s 2021 survey of over 4,000 office workers determined that nearly half (49%) admit to having clicked on a link from an unknown sender while at work. Further, nearly half (48%) of all respondents said their personal or financial data had been compromised by a phishing message, but more than a third (35%) of those didn't take the basic step of changing their passwords following a breach.
|Related Reading: Cybersecurity 101: Basics and Best Practices for Avoiding Phishing|
A category of attacks that includes ransomware, victims are sent an urgently worded message and tricked into installing malicious software or malware on their device or network. One popular tactic is telling the victim that malware has already been installed on their computer and that the sender will remove the software if they pay a fee.
Malware is annoying to deal with, but so long as you make regular backups and immediately isolate an infected machine from your network, these attacks are often less damaging to your bottom line than phishing.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A machine can become an unwitting accomplice to a DDoS attack if it’s been infected with malware, perhaps from an earlier phishing scam.
How To Protect Yourself From Social Engineering
There are many ways to protect yourself from social engineering. Awareness is key to preventing these attacks.
Be Aware of the Dangers
Simply knowing what social engineering is can help you protect yourself. It’s also worthwhile to know that certain people are more vulnerable within your company than others.
While anybody can be a target of a phishing scam, corporations say that 60% of targets are new hires rather than long-term current staff members. These employees may make better targets because they are unfamiliar with the outside contractors and financial institutions the company works with. Additionally, high-privilege accounts are a common target, and 43% of administrators within IT operations have reported being a target of social engineering attacks.
Keep Your Personal Information Private
Pay attention to what type of information different programs ask for. If you didn’t log out of a program and it asks you to re-enter your credentials, that could very well be a scam designed to capture your secure information. A good password management system and security suite can eliminate these problems before they begin.
Don’t Click on Suspicious Links or Attachments
Remember: If you don’t open the suspicious attachment, it can’t hurt you. Only open attachments from known sources, and inspect your files before opening them.
Don’t let your business fall victim to social engineering. Instead, take the time to educate your employees about what they can do to prevent social engineering, and take the time to learn about your organization’s vulnerabilities. A cybersecurity assessment takes only minutes to complete and will help uncover vulnerabilities you didn’t know about, as well as show you areas that could use additional support. If you take the time to invest in protecting your network, you will reduce the risk of a successful cyberattack.