A cyber criminal’s arsenal includes a powerful tool known as social engineering. Threat actors utilise psychological tricks to deceive unwary people into giving them their passwords, personal information, or money. Attacks involving social engineering are most frequently used to establish a foothold and move laterally through networks.
As part of this post, we discuss the dangers of social engineering and how to avoid them. This article covers common social engineering techniques used by cybercriminals, uncovers real-world social engineering-based attack paths, and explains how organizations can reduce the threat.
Techniques prevalent in social engineering attacks
There are several types of social engineering attacks. Cyber-attacks targeting enterprises most frequently include these types of threats:
Phishing
Phishing is a common social engineering technique. Cybercriminals send emails that seem to be from reputable businesses, like banks or online retailers.
Picture an email that appears to come from your e-commerce provider, arriving at 4 PM on a Friday just before you leave for the weekend, asking you to click a link to process a refund, to check some unusual activity, or to "please see the attachment". These are classic examples of common phishing lures.
There is a possibility that the email contains a link to what looks like a real website. The cybercriminals can then access the account when the user enters their login details.
An Example of a Real-World Attack
Cyber-attacks hit millions of Americans personally in May 2021, when ransomware attacked Colonial Pipeline. When the company’s network was compromised during that cyber-attack, all operations had to be halted. In Colonial Pipeline’s case, cybercriminals breached the network through phishing campaigns that led to the theft of an employee’s login credentials, enabling them to launch their ransomware attack internally.
Baiting
Baiting is another form of social engineering. Cybercriminals abandon USB drives or other storage devices in public areas, such as a parking lot. When the device is found and plugged into a computer, it triggers actions aimed at the organization's systems, infecting them with malware that may eventually give the attackers access and allow them to launch a destructive attack.
Real-World Attack Example
The Federal Bureau of Investigation (FBI) recently warned that cybercriminals are carrying out attacks known as "BadUSB" attacks. Malicious USB thumb drives, sent through the US Postal Service and United Parcel Service, impersonate the US Department of Health and Human Services and claim to be COVID-19 infection notifications.
Whaling / Business Email Compromise (BEC)
Whaling is the term for phishing attempts directed at high-profile personnel inside an organisation, such as the C-suite, VPs, etc. Business email compromise (BEC), in contrast, impersonates company executives in order to coerce a regular user into taking certain actions. Both whaling and BEC require planning and research into typical behavioural patterns, and both have the potential to produce outcomes of significantly greater value.
Vishing is social engineering carried out over the phone. The caller poses as an executive or official of the organisation (the BEC pattern applied by voice) and attempts to deceive the victim into disclosing personal information, including credit card or social security numbers.
Real-World Attack Example
A UK-based company’s CEO received a phone call from someone posing as the company’s CEO, asking the victim to transfer $243,000 to a supplier. Cybercriminals were able to mimic the chief executive’s voice by utilizing Artificial Intelligence. Taking this into consideration, it’s clear that vishing has evolved, and defenders need to consider more than just random scam calls.
Protection Against Social Engineering
Cyber security is always a delicate balance between people, processes, and technology. Social engineering is the art of psychological manipulation: it targets the people.
The people who enable social engineering attacks usually do so unknowingly and without any malice intended. Increasingly, they are lured into sharing confidential information or into clicking on links the attacker has prepared.
Therefore, organizations must start by fostering a security-aware culture and investing in end-user cyber awareness. Once a formal end-user awareness program is in place, the next focus is processes: employees must report social engineering attempts to the security team.
These attack methods, which frequently target email, identity, and endpoints, require technology that assists security teams in protecting against, detecting, and responding to them. In reality, a thorough cyber security programme that recognises the risk associated with social engineering allows for all of this to be accomplished.
Defense Begins with Awareness and Training
Employees must be trained to recognize suspicious emails and not to click on links or open attachments. When an employee receives an email that looks suspicious, they should report it to the security team immediately.
Threat actors may also call and impersonate a supplier, colleague, or manager, asking for personal or organizational information. Teaching employees how to identify a phishing attempt and how to report it can prevent a serious breach.
A similar attack has been executed using unidentified USB drives found in public places, in corporate parking lots, and elsewhere. It’s important to make sure employees understand not to plug in unknown devices, and instead to turn them over to the IT or Security teams. It is also possible to mitigate this kind of behaviour through device control.
These preventative steps lay the groundwork for resilience against phishing attempts. Organizations can go a step further by instilling a sense of accountability in staff members and empowering them to exercise their best judgement online. Help them understand and practise the phrase "If you see something, say something": they are the organization's eyes and ears on the ground and are equally crucial to securing the organisation and its mission.
Ensure that employees can report suspicious activities with confidence and transparency.
Companies should have policies and procedures in place to handle suspicious emails, phone calls, and other communications. A crucial aspect of corporate security is giving staff a straightforward procedure for reporting social engineering attempts so that they can be investigated and thwarted before any damage is done.
To avoid delays or reluctance to report suspicious activities, cybersecurity teams should provide clear and simple instructions, and the company should adopt a "Stop and Report if in doubt" policy that staff hear repeated frequently. Assure personnel that they will not suffer consequences for failing to act promptly or for reporting something they believe to be suspicious, even if it turns out to be harmless. Promoting a culture of digital empowerment is crucial.
Testing resilience against phishing is equally crucial, and phishing simulation exercises are the way to determine how well-prepared the business is. Phishing simulators are a useful tool for assessing an employee's resistance to phishing emails, but the exercise tells you nothing if the employee clicks the simulated link on purpose.
Simulation tests should only be run once the organization has reached a certain level of maturity in educating its workforce about cyber security, and they should never be used to humiliate employees who fail them. Training should follow the test in order to close the loop.
Leverage Technology To Counter Social Engineering
Organizations can assess a number of security measures from a technological standpoint to lessen the danger of social engineering-based assaults:
Multi-Factor Authentication (MFA): Implementing MFA lessens the potential of social engineering-based attacks, even though MFA bypass methods exist, such as persuading an employee to hand over their one-time password.
Additional Authentication: When a high-level executive is impersonated in business email compromise attacks (BEC), it is advisable to confirm the information using an offline technique, such as a voice call in response to an email indicating a time-sensitive situation, before taking any action. The executives must be open to double-checking and authentication in order for this strategy to be effective.
Conditional Access (CA): By implementing CA, organizations stop granting default access to all corporate resources without any prior condition checking; only trusted identities on healthy endpoints obtain temporary access to the corporate resources and services they need.
Identity Risk Assessment (AD Assessment): Being able to detect security misconfiguration in real-time, assess the risk level of identities, and take corrective action is essential because the user’s identity is frequently the focal point of an attack.
Identity Threat Detection and Response (ITDR): Organizations are searching for methods to identify and respond to identity-based attacks as they rise, and ITDR technology is crucial in this process.
Endpoint Detection and Response (EDR): The majority of cyberattacks take place on endpoints, and this remains true when social engineering is involved, so it is crucial to be able to recognise these threats and respond to them automatically or with a single click. EDR technology is also crucial in this situation.
Conclusion
Globally, social engineering poses a severe threat to both consumers and businesses. By increasing our awareness of these attacks, having robust procedures in place, and the right tools, as defenders, we have the opportunity to reduce the exposure and risk to these attacks significantly.