Over time, as cybersecurity solutions have become more effective, low-effort, high-volume cyberattacks are no longer successful for bad actors. In 2021, Microsoft was able to block over 9.6 billion malware threats and more than 35.7 billion phishing emails.
This increase in effectiveness is in part due to the advancements in AI technology used within modern cybersecurity solutions. This allows them to stop zero-day exploits and reduce the chance of businesses falling victim to a variety of attacks.
However, as these low-effort attacks are no longer viable for cybercriminals, some have shifted their focus away from targeting technology to hacking humans. These are known as social engineering attacks.
In this blog, we will explore some key social engineering tactics, find out what is at risk if your business falls victim to one of these attacks, and what steps you can take to reduce your cyber risk.
What is Social Engineering?
Social engineering attacks are a broad category of cyberattacks that include some form of psychological manipulation to trick employees into sharing confidential or sensitive information. These attacks rely on human interaction and can be conducted via email, phone call, SMS, instant messaging or in-person communication.
Whilst a well-crafted social engineering attack does take time and expertise, such attacks are a common method for cybercriminals, as it is easier to exploit weaknesses in humans than in software. For example, it is much easier to trick an employee into sharing their password than to brute-force it. Did you know that an 8-character password has over six quadrillion possible combinations?
Social Engineering Tactics
The first stage of any social engineering attack is investigation. In order to craft an attack, the bad actor needs to have an understanding of the target organisation and employee. This stage is also known as open-source intelligence (OSINT) gathering, as the data is collected from publicly available sources. Some of these sources include public social media accounts, Google Maps images of office spaces, company websites and the EXIF metadata embedded in published images.
Once the bad actor has researched their target, the next stage begins: the hook. This is when the cybercriminal engages the target and starts manipulating them into forming a relationship or trusting them. A common method of developing this trust is reciprocity, whereby the bad actor gives the target some information or does a favour for them, knowing that in the future the victim will be more likely to reciprocate and share sensitive information.
Once the cybercriminal has been able to expand their foothold, they can execute the attack. This may include a phishing attack, credential theft, planting of malware or physically entering an office space. Depending on how effective the investigation and hook were, the target may not even realise they are under attack.
If this is the case, the final stage is to exit. This is where the cybercriminal removes traces of malware, covers their tracks and ends their relationship with the target individual.
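The investigation stage above names the EXIF metadata in published images as an OSINT source. As an added example (not from the original post), here is a small pure-Python check a defender can run over images before they are published, to see whether they still carry GPS coordinates. It parses the EXIF TIFF block directly, without third-party libraries, and uses a constructed JPEG stub (assumed sample input) to demonstrate a positive hit.

```python
import struct

def exif_payload(data: bytes):
    """Return the TIFF block inside the first APP1 'Exif' segment of a JPEG, or None."""
    i = 2 if data[:2] == b"\xff\xd8" else len(data)  # not a JPEG: skip the marker walk
    while i + 4 <= len(data) and data[i] == 0xFF and data[i + 1] != 0xDA:  # stop at SOS
        seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
        body = data[i + 4:i + 2 + seglen]
        if data[i + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        i += 2 + seglen
    return None

def read_ifd(tiff: bytes, off: int, e: str) -> dict:
    """Parse one TIFF IFD into {tag: raw value bytes}, following offsets for values > 4 bytes."""
    out = {}
    for k in range(struct.unpack(e + "H", tiff[off:off + 2])[0]):
        p = off + 2 + 12 * k
        tag, typ, cnt, val = struct.unpack(e + "HHI4s", tiff[p:p + 12])
        size = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}.get(typ, 1) * cnt
        out[tag] = val[:size] if size <= 4 else tiff[struct.unpack(e + "I", val)[0]:][:size]
    return out

def gps_coordinates(image: bytes):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF tags, else None."""
    tiff = exif_payload(image)
    if not tiff:
        return None
    e = "<" if tiff[:2] == b"II" else ">"                      # byte-order mark
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if 0x8825 not in ifd0:                                      # no GPSInfo sub-IFD
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)
    if not all(t in gps for t in (1, 2, 3, 4)):                 # ref + d/m/s for lat and lon
        return None
    def dms(raw):  # three RATIONALs (degrees, minutes, seconds) -> decimal degrees
        v = struct.unpack(e + "6I", raw)
        return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    lat = dms(gps[2]) * (-1 if gps[1][:1] == b"S" else 1)
    lon = dms(gps[4]) * (-1 if gps[3][:1] == b"W" else 1)
    return lat, lon

def sample_jpeg() -> bytes:
    """Constructed JPEG stub whose EXIF holds only a GPS IFD (51 deg 30' N, 0 deg 7' 30" W)."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0" * 4
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, struct.pack("<I", 80))
           + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, struct.pack("<I", 104)) + b"\0" * 4)
    tiff = b"II*\0\x08\0\0\0" + ifd0 + gps + struct.pack("<12I", 51, 1, 30, 1, 0, 1, 0, 1, 7, 1, 30, 1)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Run `gps_coordinates(open(path, "rb").read())` over a directory of outgoing images; any non-None result is a file that should be stripped of metadata before it goes on the website or social media.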
Real World Examples
To illustrate the potential fallout from a social engineering attack, and some of the common forms of attack, we have 3 recent examples.
How to Protect Your Business
It can be difficult to protect your business against complex social engineering attacks, especially as security solutions cannot supply 100% protection against many of the tactics used in these attacks.
With phishing emails being the most common form of social engineering attack, businesses should look for a holistic email security solution. This will block potential phishing emails, protect against malicious URLs, perform file analysis on attachments, and enable DMARC.
However, email security and phishing prevention will not stop vishing attacks, in-person attacks, or phishing attacks not carried out via corporate email. In order to safeguard against these attacks, businesses need to have a strong cybersecurity education and awareness training programme. This will ensure that employees are aware of common social engineering attack methods, and know how to detect and report them.
Finally, it goes without saying that all businesses should have multifactor authentication enabled. This simple control can stop 99.9% of account compromise attacks and does not take long to enable. With MFA, even if an employee shares their password with a bad actor, they will not be able to log in without the additional authentication method.