In today’s increasingly connected business world, cybersecurity threats are getting smarter. Computer encryption has never been more sophisticated or complex, so many hackers are turning to the organic element of the computer network: the users. This approach is called social engineering, and it is a very real threat to all levels of business.
Fortunately, one of the best ways to avoid the dangers of social engineering is awareness, so read on to find out how you can help your company avoid falling prey to social engineering.
Social engineering is the use of manipulation, deception, and coercion to gain access to information or resources that would otherwise be off-limits. It can be used to steal sensitive data, spread malware, or gain access to physical locations. Social engineering is a serious threat because it exploits the human weakness in any security system.
Social engineering is a serious threat to your company’s bottom line, and the amount of money that companies lose each year is only increasing. According to the FBI, between the years 2013 and 2016, businesses lost 1.6 billion dollars to social engineering scams; in 2021 alone, social engineering was responsible for 6.9 billion dollars of loss. The rise of remote work has made social engineering a greater threat, as there are now greater expectations of digital communication.
Social engineering encompasses four main steps: preparation, infiltration, exploitation, and disengagement.
Social engineering can be the precursor to attacks on companies of any size. Between 2013 and 2015, a hacker named Evaldas Rimasauskas and his team cheated Google and Facebook out of over 100 million dollars. The team set up a fake company impersonating a computer manufacturer that worked with both large companies. They perpetrated the scam by sending phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided, but directing them to deposit the money into fraudulent accounts. Over those years the losses to the two tech giants exceeded $120 million. Rimasauskas was eventually caught and is serving five years in jail for wire fraud, but the losses were disruptive to the companies.
Some social engineering scams do not rely on specific employees receiving phishing emails; instead, they may rely on company-wide software insecurities. One such example relied on a security weakness in Microsoft 365. In April 2021, security researchers uncovered an email scam that tricked recipients into installing malware on their devices.
The victims of this scam only received one email; there was no ongoing scheme. Instead, the hackers impersonated the software the victims used every day. The email was blank with a subject line about a price revision; when opened, the email contained an attachment that looked like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” was actually a disguised .html file.
When victims opened the spreadsheet, they found themselves directed to a website that contained malware that triggered a popup notification. Users were told that they had been logged out of Microsoft 365 and that they needed to re-enter their login credentials. Because getting logged out of software accidentally is an easy enough mistake to make, many users fell for the scam. However, instead of logging into Microsoft 365, they were unwittingly handing over their login credentials to the hackers running the scam.
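A check a mail gateway or endpoint scanner could apply to catch the disguised attachment described above, written here as an added Python example (not from the article or any product it mentions); the file names, bytes and magic-byte table are constructed for this example. It also covers double extensions such as `invoice.xlsx.html`, a related disguise the article does not discuss.

```python
"""Flag attachments whose declared extension does not match their content.

A genuine .xlsx is a ZIP container and begins with the bytes b'PK\x03\x04';
an HTML lure begins with markup. Samples below are constructed, not real mail.
"""
from dataclasses import dataclass

# Expected leading bytes for document types common in business mail (assumed table).
MAGIC = {
    ".xlsx": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".zip":  (b"PK\x03\x04",),
    ".pdf":  (b"%PDF-",),
}
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<form")


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    name = filename.lower()
    parts = name.rsplit(".", 2)
    # "report.xlsx.html" shows as a spreadsheet in clients that hide the last extension.
    if len(parts) == 3 and "." + parts[1] in MAGIC and parts[2] in ("html", "htm", "hta"):
        return Verdict(filename, True, "double extension hides an HTML file")
    ext = "." + parts[-1] if "." in name else ""
    head = data[:512].lstrip().lower()
    # Markup at the start of a file that claims to be anything but HTML is the lure pattern.
    if any(head.startswith(m) for m in HTML_MARKERS) or b"<script" in head:
        if ext not in (".html", ".htm"):
            return Verdict(filename, True, f"HTML content behind a {ext or 'missing'} extension")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return Verdict(filename, True, f"content does not match the {ext} signature")
    return Verdict(filename, False, "extension matches content")


# Constructed samples: a lure like the one in the article, a real-looking sheet, a PDF.
SAMPLES = {
    "price_revision.xlsx": b"<html><body><form action='https://example.invalid/login'>",
    "q3_report.xlsx": b"PK\x03\x04" + b"\x00" * 20,
    "invoice.pdf": b"%PDF-1.7\n",
}


def scan_all(samples=SAMPLES):
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in scan_all().values():
        print(("SUSPICIOUS " if v.suspicious else "ok         ") + f"{v.filename}: {v.reason}")
```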
There are numerous ways for social engineers to access your credentials and other sensitive data. It is estimated that social engineering is used in 95%-98% of targeted attacks on individuals and corporations. Three of the most common tactics are phishing, malware, and DDoS attacks.
Phishing is the most pervasive way of implementing social engineering: hackers create deceptive emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims. Despite how well-known phishing email techniques are, employees still click on suspicious links at an alarming rate.
Webroot’s 2021 survey of over 4,000 office workers determined that nearly half (49%) admit to having clicked on a link from an unknown sender while at work. Further, nearly half (48%) of all respondents said their personal or financial data had been compromised by a phishing message, but more than a third (35%) of those didn't take the basic step of changing their passwords following a breach.
In this category of attacks, which includes ransomware, victims are sent an urgently worded message and tricked into installing malicious software, or malware, on their device or network. One popular tactic is telling the victim that malware has already been installed on their computer and that the sender will remove the software if they pay a fee.
Malware is annoying to deal with, but so long as you make regular backups and immediately isolate an infected machine from your network, these attacks are often less damaging to your bottom line than phishing.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A machine can become an unwitting accomplice to a DDoS attack if it’s been infected with malware, perhaps from an earlier phishing scam.
There are many ways to protect yourself from social engineering. Awareness is key to preventing these attacks.
Simply knowing what social engineering is can help you protect yourself. It’s also worthwhile to know that certain people are more vulnerable within your company than others.
While anybody can be a target of a phishing scam, corporations say that 60% of targets are new hires rather than long-term current staff members. These employees may make better targets because they are unfamiliar with the outside contractors and financial institutions the company works with. Additionally, high-privilege accounts are a common target, and 43% of administrators within IT operations have reported being a target of social engineering attacks.
Pay attention to what type of information different programs ask for. If you didn’t log out of a program and it asks you to re-enter your credentials, that could very well be a scam designed to capture your secure information. A good password management system and security suite can eliminate these problems before they begin.
Remember: If you don’t open the suspicious attachment, it can’t hurt you. Only open attachments from known sources, and inspect your files before opening them.
Don’t let your business fall victim to social engineering. Instead, take the time to educate your employees about what they can do to prevent social engineering, and take the time to learn about your organization’s vulnerabilities. A cybersecurity assessment takes only minutes to complete and will help uncover vulnerabilities you didn’t know about, as well as show you areas that could use additional support. If you take the time to invest in protecting your network, you will reduce the risk of a successful cyberattack.