Hacking the human – the rise of social engineering and the threat to cyber security
‘Please verify your account information’, ‘send payment to X’, ‘your request for help’, ‘you are a winner’, ‘I need an update on X’, ‘urgent help needed’, ‘take this survey’, ‘donate now’ – these, among many others, are often the ‘bait’ that hackers use to acquire the information to infiltrate a computer system, gain control and generally wreak havoc.
Hackers are increasingly turning to social engineering to exploit systems and make money. Social engineering, also known as ‘hacking the human’, is the art of manipulating people so they give up confidential information such as passwords or bank information. Armed with this information, hackers can take over financial or other accounts, or access a computer to secretly install malicious software that will give them even more access to sensitive and financially lucrative information.
When the unscrupulous want to get information, social engineering can be the simplest way in. It is often easier to exploit a person’s natural inclination to trust than it is to find ways to hack software. Tricking someone into giving up their password through social engineering tactics (such as getting them to log into a phishing site that imitates an online portal) is less time-consuming and more reliable than trying to crack their password (unless the password is really weak).
What is social engineering?
Social engineering uses manipulation to exploit human error, with malicious actors posing as a legitimate person – often a friend, colleague or other ‘trusted’ party like a bank, popular company, school or institution – to trick victims into giving away private information. Unlike attacks that rely on technical weaknesses to gain access to devices or networks (brute force attacks, for example), social engineering techniques target people. The goal is to provoke security mistakes and the disclosure of sensitive information: the attacker first gains the victim’s trust, then uses whatever the victim has provided to the hacker’s advantage. The most successful attacks rely on an understanding of what happens when fear is used as a tool, or a false sense of urgency is introduced – as these are the times when rash decisions are made.
Attacks can come from anywhere, in combinations of traditional mail, email, links, phone calls, SMS messages, social media pages and more.
According to Verizon’s annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting are responsible for 93% of successful data breaches. And Webroot data indicates that financial institutions represent the vast majority of impersonated companies.
Over the years, social engineering attacks have grown increasingly sophisticated. Fake websites and emails are becoming more realistic, tricking victims into clicking on links, and social engineering has become one of the most common ways for malicious actors to get past an organisation’s initial defences and cause further harm and disruption.
Forbes notes that social engineering attacks are a component of practically every modern cyberattack today and cited examples including Samsung, Microsoft, The Ritz and Morgan Stanley as being among the high-profile companies breached by means of social engineering. The magazine said that billions had been lost through countless combinations of:
- credential stealing
- purchasing and exchanging cookies and credentials in public forums
- targeting privileged employees including support, executive and technical staff
- privilege escalation
- phishing in emails, links and pages
- impersonation, and
- fake messages and pop-ups.
Criminals are finding such success with social engineering that it is considered one of the biggest cyber threats for 2023. A survey of security professionals by CS Hub found 75% considered social engineering to be the ‘most dangerous’ threat. Claims data from Risk Placement Services found there were significantly more fraudulent payment and social engineering fraud claims (50%) than ransomware claims (16%) among SMEs between January and August 2022; the average wire fraud claim was between $200,000 and $300,000, the company noted. Global claims data from Corvus showed fraudulent funds transfer (in which hackers use social engineering to trick employees, vendors or individuals into transferring funds into the wrong account) accounted for 28% of cyber insurance claims in 2022.
A comprehensive security strategy is critical
Businesses need to have strategies in place to reduce the risk of an employee falling victim to this growing threat and unintentionally opening the door to the organisation’s computer system – leaving the business vulnerable to data breaches and fraud.
Cyber security experts (whose advice, when engaged by your business, can be invaluable) say strategies should include technical controls and monitoring such as:
- using multifactor authentication to prevent unauthorised access to accounts
- ensuring data is encrypted
- deploying email security with anti-phishing, sandbox and additional prevention capabilities
- mandating strong password management
- adopting a Zero Trust policy
- paying attention to data access design in everything from SharePoint to messaging systems
- setting spam filters to high
- installing anti-malware and antivirus software on devices to reduce the chance of them being infected
- setting the operating system to automatically update
- using anti-phishing tools on web browsers or security software
- having strict protocols in relation to financial matters such as paying invoices, providing account information etc., including verifying authenticity of requests, clear delegated authorities and authorisation procedures
- fostering an environment where cyber security is understood and prioritised, including in workplaces where remote working takes place (precautions that would typically be undertaken in a more formal office setting are not always observed when the workforce is remote)
- conducting regular security audits to identify any weak points in the business’ defence systems, and
- having policies and procedures in place so that if an attack does occur, it can be contained quickly and prevent damage.
Addressing the threat from within
While human vulnerability poses the greatest risk to a business succumbing to a socially engineered cyber incident, employees are also the first line of defence. Educating and training employees on how to identify and respond to social engineering threats is a wise investment.
Regular communication campaigns and ongoing training sessions can be used to provide information on:
- how to identify a social engineering scam – for example:
– phishing (sending emails or other messages purporting to be from a trusted source to induce an individual to reveal personal information, such as passwords and credit card numbers)
– spear phishing (more targeted phishing that often includes information known to be of interest to the target)
– vishing (voice phishing)
– smishing (text message phishing)
– pretexting (using a compelling story or pretext)
– baiting (using a false promise to pique the victim’s interest), and
– scareware (bombarding the victim with false alarms and fictitious threats)
- the latest tactics being used by hackers, including running simulations
- the threat posed by social media (risks from oversharing information on personal social channels), and
- security best practices such as (but not limited to):
– avoid clicking on email links and attachments from unknown senders
– never hand over personal information by phone, email or SMS
– don’t be afraid to communicate with someone on multiple platforms to verify their identity
– be sceptical about requests that convey a sense of urgency or use high-pressure tactics
– be suspicious of any unsolicited messages including those from contacts if you aren’t expecting an email with a link or attachment (email hijacking is rampant and once a hacker has control of an account, they prey on the trust of the person’s contacts), and
– research the facts and verify requests (using a search engine to find a company’s website or using a phone directory to find their contact number).
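The practices above can be partly automated as a first-pass check on incoming mail. The following is an added example, not code from the original article or from EBM, that scores a message against the warning signs the article describes: pressure and urgency language, requests for credentials or payment, a reply address on a different domain from the sender, and a link whose visible text names a different host than its real destination. The sample message, its domains and the cue lists are constructed for illustration and are assumptions, not data from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cues the article lists as social engineering 'bait': pressure and urgency,
# requests for credentials or payment, and links that do not go where they claim.
URGENCY_CUES = ("urgent", "verify your account", "immediately", "suspended", "you are a winner")
SENSITIVE_CUES = ("password", "account information", "send payment", "bank details")

def host_of(url):
    m = re.match(r"https?://([^/\s?#]+)", url.strip(), flags=re.I)
    return m.group(1).lower() if m else None

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None

def link_mismatches(html):
    """(shown host, real host) for anchors whose visible text names a host other than the href's."""
    pairs = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)
    return [(host_of(t), host_of(h)) for h, t in pairs
            if host_of(t) and host_of(h) and host_of(t) != host_of(h)]

def phishing_indicators(raw_message):
    """Warning signs found in one RFC 5322 message; a single-part HTML body is assumed."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    flags = []
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {domain_of(sender)}")
    for shown, real in link_mismatches(body):
        flags.append(f"link text shows {shown} but points to {real}")
    if any(c in text for c in URGENCY_CUES):
        flags.append("urgency or pressure language")
    if any(c in text for c in SENSITIVE_CUES):
        flags.append("asks for credentials, account details or payment")
    return flags

# Constructed sample (not a real message); the domains are placeholders.
SAMPLE = """From: Example Bank Support <alerts@examplebank.example>
Reply-To: helpdesk@examp1ebank-login.example
Subject: Urgent: verify your account information
Content-Type: text/html

<p>Your account has been suspended. Verify your account information immediately:</p>
<a href="https://examp1ebank-login.example/verify">https://examplebank.example/secure</a>
"""
```

Running `phishing_indicators(SAMPLE)` returns four flags for the constructed message; a message with none of these signs returns an empty list, which is a reason to look, not a reason to trust.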
Protect your business with cyber insurance
Embracing good cyber security measures and best practice employee training is essential – but it is not infallible. Cyber insurance can provide a financial safety net in the event that the business falls victim to a cyberattack. Talk to your EBM Account Manager about risk management and cyber cover.