Social Engineering
Orhan Sari
Social engineering attacks use many different tactics and can be initiated by a number of means that target humans. The techniques vary; here we discuss the five most common forms of social engineering attack.
1. What is a Social Engineering Attack?
A Social Engineering Attack is a method of obtaining confidential information by psychologically manipulating and/or deceiving people and artificial intelligence to pursue a certain course of action or way of thinking.
Think of it as a confidence trick: deception makes you give up private information, potentially for fraud or to gain access to systems, and/or changes your thinking and behaviour in ways that may or may not be in your best interests. Your personal data, your systems, and your thoughts and behaviours are the eventual targets of this type of attack.
Most cyber attacks are opportunistic, but social engineering attacks differ in that the attacker can wait for the right moment to strike, for example by watching for keywords relating to a major corporate takeover.
2. Psychology of Social Engineering Attacks
Social engineering attacks are built on studying patterns of behaviour and using those patterns against people. When we get a call from a trusted organisation such as our bank, internet provider or favourite e-commerce site, bringing news of a time-sensitive special offer or playing on a fear such as the Covid-19 pandemic, our first line of defence is already down.
As a result, we react in the way the attacker wants and are more ready to accept the message they want us to hear or read. This leads to vital, personal, and sensitive information being given away more easily and then used against us in cyber attacks such as phishing.
3. Types of Social Engineering Attacks
Through impersonation, social engineering attacks take place daily via different means such as email, phone and social media, as well as physically, such as illegal entry to buildings and retrieving sensitive documents from a company’s trash. The delivery of the message may differ, but they all aim to use human nature against you by provoking feelings of fear, intrigue, excitement or trust, leading to potentially damaging changes in behaviours and habits. Common types are as follows:
Quid Pro Quo
4. Techniques of Social Engineering Attacks
Phishing is a key example of the social engineering techniques strongly favoured by criminals. Attacks arrive through a variety of channels such as social media, email, and messaging services. The target is tricked into clicking a malicious link placed in a professional, genuine-looking copy of a popular website advertising a highly time-sensitive special offer, or in an email whose personalised, intriguing, scaremongering or fear-inducing subject line is designed to get attention. Through this deception and identity theft the criminal can quickly steal passwords and other prized sensitive, personal data needed to carry out further cyberattacks and scams.
Phishing has evolved over time into the bigger beast of Whaling, another popular social engineering method, which uses sophisticated techniques to compromise larger organisations such as multinational corporations and government bodies: the so-called big fish, hence the term whaling.
Another social engineering technique is the Watering Hole, where hackers insert pieces of code into the sites of companies and public bodies to trick visitors into revealing their personal data, which is then stolen and used illegally.
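The lures described in this section (a trusted sender impersonated in the display name, a fear-inducing or time-sensitive subject line, and a genuine-looking link whose visible text names a different host than its real destination) can be checked for mechanically before a message reaches a user. The following is an added defender-side example, not code from the original article or from any product it mentions; the brand list and the sample message are constructed for the demo.

```python
# Added example, not from the original article: defender-side triage for the
# phishing lures described above (a trusted sender impersonated in the display
# name, a fear-inducing or time-sensitive subject line, and a genuine-looking
# link whose visible text names a different host than its real destination).
# The brand list and the sample message are constructed for this demo.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
KNOWN_BRANDS = {"examplebank": "examplebank.com"}  # brand keyword -> legitimate domain
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_HOST = re.compile(r"[\w-]+\.[a-z]{2,}", re.I)

SAMPLE = """From: ExampleBank Security <alerts@examplebank-login.net>
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<p>Verify now at <a href="http://examplebank-login.net/verify">examplebank.com/verify</a></p>
"""

def host_of(value):
    """Lower-cased host of a URL, or of visible text that merely looks like one."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    found = []
    for brand, domain in KNOWN_BRANDS.items():
        # Display name invokes a trusted brand, but the address is not from its domain.
        if brand in display.lower() and sender != domain and not sender.endswith("." + domain):
            found.append(f"display name claims {brand} but sender domain is {sender}")
    if any(k in msg.get("Subject", "").lower() for k in URGENCY):
        found.append("urgency or fear language in subject")
    for href, text in LINK_RE.findall(msg.get_payload()):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any inline tags
        # Visible text looks like a host, but the real destination is elsewhere.
        if LOOKS_LIKE_HOST.search(text) and host_of(text) != host_of(href):
            found.append(f"link text shows {host_of(text)} but targets {host_of(href)}")
    return found

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE):
        print("-", indicator)
```

Run against the constructed sample it reports all three lures; a message whose display name, sender domain and link target all agree produces no indicators, so the heuristics flag the mismatch rather than the brand name itself.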
5. Real-Life Examples of Social Engineering Attacks
5.1. Twitter’s slack security
The recent Twitter hack is a classic example of a social engineering attack. The hacker(s) gained access to the company’s Slack channel and, through careful monitoring, obtained confidential information that let them reset passwords and send out tweets promoting their own cryptocurrency scam.
5.2. Premier League club’s near own goal
An English Premier League club nearly scored an own goal worth over a million pounds in a recent security breach. Cyber criminals gained access to a director’s email account with a view to hijacking a transfer and getting away with a million pounds. Luckily for the club, the attempted scam was thwarted only by the timely intervention of a bank that alerted the club. The club did indeed escape the phishing net.
5.3. Toyota parts with cash in scam
A major supplier of Toyota auto parts was the victim of a huge scam costing over 4 billion yen after attackers convinced an employee with access to financial transactions to alter the details of an electronic funds transfer.
Business Email Compromise (BEC) attacks like this successful one are becoming increasingly common and have cost businesses worldwide over $5.3 million in the last six years alone.
6. How to protect your organisation against social engineering attacks
A good way to think about how you can protect yourself and your business is to look at behaviour in public spaces such as malls and mass transit systems. In these environments you are particularly aware of what and who is around you, and less willing to trust strangers.
Take the same approach to the online world and be cautious of anyone who contacts you asking for confidential information and personal details such as your bank account or PIN codes. The awareness you have offline, you need online and in social media environments as well.
6.1. Employ Phishing Simulation Tools – Keepnet Anti-Phishing tools
One way to help stop the kinds of attacks and attempted scams that affected Twitter, the Premier League club and Toyota is to employ phishing simulation tools such as the Keepnet Anti-Phishing Tools.
This industry-leading phishing simulation lets you test the cyber awareness and resilience of your company by sending colleagues benign, simulated phishing emails, quantifying that human vulnerability safely and proactively. You can see how they react to these ‘attacks’ and what actions they take afterwards.
6.2. Train your users with improved social engineering awareness training
After you have employed a phishing simulation tool like Keepnet’s Anti-Phishing Tool, you will want to follow up on any actions by your colleagues that have highlighted weaknesses and thus increased the risk of a successful phishing attack and data breach.
The Keepnet Awareness Educator will allow you to build upon what you have discovered from the results of the phishing simulation campaigns. This platform can be added to your phishing simulator and will direct users to e-learning courses to improve their awareness of genuine phishing attacks. This will lead to an enhanced security posture and improved cyber hygiene.
Gamification is becoming increasingly popular in the fight against cyber crime, as it helps to increase employee engagement with crucial tools such as anti-phishing training.
The Ninjio Keepnet platform successfully uses gamification to deliver improved cyber awareness and further improve your company’s security.
Training videos with high-end Hollywood production values will improve your colleagues’ and teams’ awareness of cyber threats, so that they themselves become an extra layer of security defending their company or organisation. This decreases the risk of an attack leading to a major data breach.
6.3. Threat Intelligence or Threat Sharing
Rather than wait to become a victim of a phishing attack, you can take preemptive measures to improve your cyber security posture and hygiene. By adopting an early warning system such as Keepnet™’s Threat Sharing platform, you can introduce inbox-level incident reporting, investigation and response, react with maximum agility and so reduce response time. No longer will users have to directly experience a malicious attack themselves.
As soon as an incident occurs, the user reports it to their communities, with whom this intelligence is then shared through the Threat Sharing Community platform, triggering investigations.
Using such a threat sharing system strengthens and expands threat intelligence through the collective leverage of knowledge in a network of communities built upon trust, reputation, shared goals, and a willingness to protect their companies and the industries they work in.