Social engineering is the art of manipulating you into giving up personal or private information. It's also a very common type of cyberattack levied against small and medium-sized businesses (SMB’s), making it critical that you understand both what it is and how it’s being used to trick victims (your employees) into handing over confidential data that can disrupt your business.
How Cybercriminals Are Using Social Engineering
Typically, social engineering tactics utilize emails to accomplish their malicious goals, but text messages, social media postings and even voice mail methods are also now in the mix.
Regardless of the medium, the hallmark of a social engineering scam is that the communication invokes extreme emotion. It might be fear, or it might be excitement, but the common denominator is that the message is attempting to create an extreme sense of urgency.
The recipient is being urged to ACT NOW, or face some very dire consequences.
It’s basic psychology really…the point is to get the recipient to abandon reason, and instead react emotionally and quickly, without thinking through any unintended consequences or verifying the claim. And unfortunately, it often works.
You’ve no doubt seen old versions of this, where the appeal is from a Nigerian prince who can make you a millionaire, or a friendly individual who just wants to get together and chat and exchange photos. Hopefully we all instantly see those for what they are and just delete them. But like all cyber threats, social engineering has come a very, very long way.
The Dangers of Modern Social Engineering
Because business leaders are more aware of the cyber risks that exist, and because prevention methods are being more widely adopted by SMB’s (though still with a long way to go!), cybercriminals have been forced to adapt their methods in order to stay in business.
Unfortunately for us, they’re pretty adept at staying one step ahead too. Take as just one example, the adaptions that have been made to get around anti-virus software.
One thing that hackers can continue to count on and exploit – even when the cybersecurity community is blocking (or at least catching up to) them in other areas - is human nature. As a result, those special social engineering tactics that are used to take advantage of us human beings continue to prove successful. Which means they too will continue to evolve and improve.
Another reason they are so popular with cybercriminals is that when they work, the victim is actually doing the hard work for them. It’s one heck of a lot easier to be let in the front door (metaphorically speaking) of your business network than it is to break in using a crowbar (hacked password) and the cover of night.
What does social engineering look like today?
Below is a review of the most common categories with the world of social engineering. Remember as you review these that they are not limited to just email anymore – these types of attacks can target you via email, text, social media or as you’ll see below, telephone.
The lion’s share of data breaches are the result of successful phishing attacks, why is why this has become of the most popular forms of social engineering.
In short, phishing is when cybercriminals use emails (or texts or social media messages) that appear to be from legitimate sources (but are not). The intent behind the message – whatever form it takes – is to trick the recipient into providing confidential information, which is generally done by prompting him to click on a link or open an attachment.
That click will either result in downloading malware (more often than not, that malware is in the form of ransomware), or take you to a spoofed site where any personal or confidential data that you enter will be given directly to the cybercriminals behind it.
Today’s very sophisticated messages will usually appear to be coming from a credible source, like your bank, the credit card company, an online service provider, or even a well-known retailer. They can be very difficult to spot from a “look” perspective…but the results of not spotting one can be disastrous for your business.
How they can be spotted is again through recognizing that sense of urgency that gets created within the messaging. If the reader is being urged to act now or miss out of a once-in-a-lifetime opportunity, or face very serious consequences, that is a bright red flag that this is a scam.
Other things to remember are that if a message seems too good to be true, then it most definitely is. It should also be noted that legit organizations don’t email or call you to ask you for your password – they already have that information.
Spear phishing is phishing’s evil older (and wiser) cousin.
Spear phishing emails are targeted specifically at individuals within an organization whom the hacker believes could have valuable information. They are very often targeted at the CEO or CFO of a company, and/or they may appear to be FROM your company’s CFO or CEO. The spoofed email is often virtually undetectable as a fake.
For this reason, we always recommend that companies establish strong SOP’s around any requests for financial transactions. Have a policy that prohibits any financial transactions (wire transfers, etc.) from being made solely on the basis of an email. Instead require that they be verified – by phone – directly with the source of the request.
Vishing (voice phishing)
Vishing is basically the same as phishing, but via phone or even voice mail.
The hacker behind this scam will find out a little bit of information about the target and then call them and using that information, attempt to trick them into providing more information that gives the criminal enough to access his or her accounts.
They will often be disguised as Tech or Customer Support for a well-known service provider or organization. Their angle is to establish trust using the information that they DO have (your name or your birthdate), in the hopes that you will let down your guard and provide more personal details like your login credentials or SSN.
Here we can point out that Caller ID is very easy to spoof, so that is not a reliable way to verify who is actually calling you. And learning your birthday is also pretty easy, thanks to social media. When the big day comes around and 300 of your closest friends wish you a happy 43rd, then it’s not that hard to see how cybercriminals can glean that data point with a quick review of your social feeds.
With baiting, cybercriminals are dangling in front of you something that they think you really, really want, and won’t be able to resist clicking on.
This style of attack is often found on sharing sites where users who have a common interest will gather. For example, sites where peers can share music or discuss movies are popular targets for baiting.
It is applied more broadly on general sites or through email by offering those aforementioned “too-good-to-be-true” deals.
Why? Because people have FOMO and just can't resist trying to get something for nothing.
But instead of a dream vacation (or free computer, or first-look at the new celebrity scandal video), clicking on that link is actually going to turn into a nightmare.
How Can You Avoid Falling Victim to Social Engineering Attacks?
One of the best defenses against social engineering is education.
Educate your end-users on the topic. If you ask “what is social engineering?” and no one knows (or they kinda, sorta know, but not really), then the chances of one of your staff clicking on a bad link are probably pretty high.
Hold regular trainings to review the red flags of an attack, share specific examples, and if possible, work with your IT provider to run tests and learn who does (and doesn’t) fall for the tricks. Stay current on active scams that are circulating and proactively warn your users. (This blog is a GREAT way to stay informed...we regularly publish alerts and warnings. You can sign up here.)
Human nature being what it is, an uneducated end-user may very well unintentionally take down your network, all because she thought her bank account was about to be frozen, she was due a refund from PayPal or she really wanted to go to Maui for free.
Strong endpoint security is also a must. Make sure that you have anti-virus and anti-spam software installed (and that it’s up-to-date), firewalls, and administrative protocols dictating who has access to what. Following the principle of least privilege is always recommended. Good overall network security is a great counter to cyber-attacks, as it will keep out known virus signatures and block most of the malicious emails.
Be cautious about what you post on social media. We have written more extensively about this (you can read that article here), but suffice to say that there are consequences to sharing so much of your personal life on the web. Think carefully about any unintended impact of something before you post it.
Think before you click. If you take one thing from this article, let that be it.
THINK BEFORE YOU CLICK.
If you feel yourself responding emotionally to an email message, take a deep breath and think before reacting. If you are truly concerned that your Netflix account has been suspended, contact the company directly and verify the claim. Or at the very least, stop and do a search using (in a fresh browser window) the subject line of the email and see if it pops up as a known scam.
Always stay in control of where you land on the internet. Using the example cited above, if you think your Netflix account credentials have been suspended and need to be updated – because an email told you so – don’t click the link in said email.
Instead, if you want to check it out, navigate directly to the known/trusted site in a fresh browser window.
And finally…always back up your data.
In the same way that cybercriminals count on human nature to continue their scams, you should count on the fact that human error – one way or another – will one day result in data loss. Whether it’s the result of a bad click, damaged equipment or even intentional malice, having sound, modern data backups and a disaster recovery plan is your only absolute guarantee against social engineering (and disaster in general).
Last week we ran a series of posts dedicated to all of the various reasons that data backups are your company's best friend. Check them out here.
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get new useful tech news you can use!