The biggest and least acknowledged threat to data security is social engineering: manipulating people, rather than breaking systems, to get at protected data. By exploiting human emotion (urgency, fear, helpfulness, deference to authority), cybercriminals have widened their access to sensitive data considerably. According to Microsoft, 12 people fall victim to cybercrime every second, and the 2017 Verizon Data Breach Investigations Report (DBIR) found that 43% of the breaches documented in 2016 involved social engineering.
The most common social engineering technique is still the unsolicited e-mail, but some attackers use considerably more sophisticated tactics. Criminals routinely contact an organization's staff by phone, social media and text message to talk employees into revealing details that give the attacker a way into the network. The tactics below are among the most common in use today, each illustrated with a short scenario:
It's lunchtime at the office and you're finally able to catch up on e-mail. You don't have much time because you have a meeting at 1 p.m. The usual messages are there: internal team members, solicitations, the documents you've been waiting on to move your new project forward. Then you see a notification from your bank with the subject line "Urgent Please Login to Account." You want to resolve the issue, so you click the link in the e-mail and land on what looks like your bank's login page.
Only it is a spoofed portal, and you have just handed your banking credentials to an unknown party. You are blissfully unaware, because after you enter your credentials a page appears that says "The Issue Has Been Resolved" next to your bank's logo, and you assume you were on the bank's legitimate site. This tactic is called phishing: the fraudulent use of e-mail to obtain credentials or other personal information. Typical warning signs of such a message are the urgent tone, a sender address that merely resembles the bank's, and a link whose visible text does not match where it actually points. The safe habit is never to log in through a link in an unexpected e-mail; open the bank's site from a bookmark or a typed address and check for the issue there.
You are walking to your car after a long day at the office and, as you approach the door, you notice a USB drive on the asphalt. You take it home and plug it into your computer; how else will you find out who it belongs to? Your computer is now infected with malware. This tactic is called baiting: the attacker leaves a physical device or offers a tempting download, and the moment a curious user opens it the payload runs and compromises the system. The only safe response to found media is to hand it to IT or security unopened. Note that a malicious device need not even carry files: some present themselves to the host as a keyboard and type commands the moment they are connected, so simply "having a look" is not a safe option either.
You are the CFO of the company. You receive an e-mail from your boss, the CEO, with the subject line "Wire Transfer $10,000 to X account." This isn't out of the norm; there are dozens of transfers in a given week and you don't want to keep the head of the organization waiting. You make the transfer. Only it turns out the CEO's address was spoofed, and the money went to an account the attacker controls. You have just lost the organization $10,000 in minutes. This is called CEO fraud (a form of business e-mail compromise): the attacker spoofs or closely imitates an executive's e-mail address to pressure employees into transferring money or disclosing confidential information or system access. The defence is procedural: any payment request that arrives by e-mail, however senior the apparent sender, is confirmed through a second channel such as a phone call to a number you already have, never by replying to the message.
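Both the bank phish and the spoofed CEO request above leave traces in the message itself: a display name that does not match the address, a sender domain one character off the real one, a Reply-To pointing elsewhere, and link text that names one site while the href goes to another. The following Python script, added here as an example and not taken from the article, checks an inbound message for exactly those signs. The organization domain, the executive list, the bank brand and the two sample messages are all constructed for the illustration; a real deployment would replace them and would use a proper public-suffix list rather than the last-two-labels approximation used here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"                          # assumed: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed: names an impostor would borrow
BRAND_DOMAINS = ["examplebank.com"]                      # assumed: brands our staff transact with


class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance, inlined so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain, target):
    """True for a domain within two edits of the target (0 for o, a dropped letter, ...)."""
    return domain != target and _edit_distance(domain, target) <= 2


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host):
    # Last two labels only: fine for the example, not a substitute for a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw_message):
    """Return human-readable findings for one message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain_of(addr)
    # CEO fraud: display name of one of our executives, but not their address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but sender address is {addr}")
    # Lookalike sender domains, of our own domain or of a brand our staff trust.
    for target in [ORG_DOMAIN, *BRAND_DOMAINS]:
        if _lookalike(from_dom, target):
            findings.append(f"sender domain {from_dom} looks like {target}")
    # Replies silently routed to a mailbox the attacker controls.
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} is outside the From domain {from_dom}")
    # Phishing: link text that names one site while the href goes to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _Links()
        parser.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8"))
        for text, href in parser.links:
            shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
            actual = _registrable(urlparse(href).hostname or "")
            if shown and _registrable(shown.group(1)) != actual:
                findings.append(f"link text shows {shown.group(1)} but goes to {actual}")
    return findings


# Constructed messages: the bank phish and the spoofed CEO request from the scenarios above.
PHISHING_SAMPLE = """\
From: "ExampleBank Alerts" <alerts@examp1ebank.com>
Subject: Urgent Please Login to Account
Content-Type: text/html

<p>Please <a href="http://examplebank.com.login-verify.net/portal">https://www.examplebank.com/login</a> now.</p>
"""
CEO_FRAUD_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@freemail-example.net
Subject: Wire Transfer $10,000 to X account
Content-Type: text/plain

I am in meetings all day. Please wire $10,000 now and reply here when done.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("ceo", CEO_FRAUD_SAMPLE)):
        print(label, analyze(sample))
```

This is deliberately a gateway-style heuristic, not a verdict: SPF, DKIM and DMARC checks on the real headers belong alongside it, and the out-of-band phone confirmation for payment requests is still required even when nothing is flagged.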
It's 1 p.m. at the office, you are developing a headache and that report is due by end of day. Ibuprofen isn't cutting it, so you go to a site that gives health information. A chat window prompts you for some personal details. Your head is still throbbing and you reluctantly enter them. The chat box closes; little did you know that the "representative" was an attacker who now holds your information. Strictly speaking, a stranger who talks you into volunteering data is practising pretexting; the term man-in-the-middle describes an attacker who inserts himself between two parties that believe they are talking to each other directly and intercepts or alters the traffic. That can happen over e-mail, in a chat, or on a network, the classic example being a rogue Wi-Fi access point that relays your connection while reading everything you send. Either way the lesson is the same: do not hand personal information to a party whose identity you have not verified, and treat untrusted networks as hostile.
A man in dress clothes is carrying two boxes stacked on top of each other. He walks towards the office door as you are leaving, your hands empty. Naturally, you hold the door open, and he responds with a smile and a nod. Nothing unusual, right? Wrong: the man you just let in has no badge of his own and is carrying credentials borrowed from an acquaintance. You have just granted him physical access to the building, where he will find an unattended computer, log in and collect valuable information. Tailgating (or piggybacking) is when an outsider follows an authorized person through a controlled entrance without presenting their own credentials, and from there gains access to information systems and confidential data. The polite reflex is exactly what the attacker relies on, which is why a badge check at the door has to apply to everyone, boxes or not.
Prevent Social Engineering with Behavioral Analytics and Training
Organizations can use behavioral analytics to recognize which employees pose the greatest risk to the business, whether as a malicious insider or as a careless user who is susceptible to the tactics above. Once identified, those users can be placed under tighter controls, given targeted training and, if needed, sanctioned.
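One concrete form of the analytics described above uses the results of simulated-phishing campaigns as the behavioral signal. The Python below, added as an example rather than anything from the article or from a particular product, reads a constructed event log (who was sent each simulated phish, who opened, clicked, entered credentials or reported it), scores each user, and triages them into users who are fine, users who need a targeted refresher, and users whose repeated or credential-leaking lapses warrant escalation. The weights, thresholds, user names and log lines are all assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed weights for what a user did with a simulated phish. Reporting it is rewarded.
WEIGHTS = {"delivered": 0, "opened": 1, "clicked": 5, "submitted_credentials": 15, "reported": -5}
FAILURES = {"clicked", "submitted_credentials"}

# Constructed log lines: timestamp, user, campaign, action.
EVENTS = """\
2017-03-01T12:03Z alice camp-1 delivered
2017-03-01T12:05Z alice camp-1 reported
2017-03-01T12:03Z bob   camp-1 delivered
2017-03-01T12:10Z bob   camp-1 clicked
2017-03-01T12:11Z bob   camp-1 submitted_credentials
2017-03-01T12:03Z carol camp-1 delivered
2017-03-01T12:20Z carol camp-1 clicked
2017-04-01T09:00Z alice camp-2 delivered
2017-04-01T09:00Z bob   camp-2 delivered
2017-04-01T09:15Z bob   camp-2 clicked
2017-04-01T09:00Z carol camp-2 delivered
2017-04-01T09:30Z carol camp-2 reported
"""


def parse_events(text):
    """Yield (timestamp, user, campaign, action) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, user, campaign, action = line.split()
            if action not in WEIGHTS:
                raise ValueError(f"unknown action {action!r} in line: {line}")
            yield ts, user, campaign, action


def summarize(events):
    """Per-user score plus the facts triage needs: failed campaigns, credential leaks, reports."""
    stats = defaultdict(lambda: {"score": 0, "failed": set(), "submitted": 0, "reported": 0})
    for _, user, campaign, action in events:
        s = stats[user]
        s["score"] += WEIGHTS[action]
        if action in FAILURES:
            s["failed"].add(campaign)
        if action == "submitted_credentials":
            s["submitted"] += 1
        if action == "reported":
            s["reported"] += 1
    return dict(stats)


def triage(stats):
    """Map each user to an action. The thresholds are assumed; tune them to your own numbers."""
    decisions = {}
    for user, s in stats.items():
        if s["submitted"] or len(s["failed"]) >= 2:
            decisions[user] = "escalate"   # leaked credentials or failed in several campaigns
        elif s["failed"]:
            decisions[user] = "train"      # a single lapse: targeted refresher
        else:
            decisions[user] = "ok"
    return decisions


def ranked(stats):
    """Users from most to least susceptible; ties broken by name for stable output."""
    return sorted(stats, key=lambda u: (-stats[u]["score"], u))


if __name__ == "__main__":
    stats = summarize(parse_events(EVENTS))
    decisions = triage(stats)
    for user in ranked(stats):
        print(f"{user:6} score={stats[user]['score']:3} -> {decisions[user]}")
```

Rewarding the report action matters: a user who clicked once and reported the next attempt is improving, and a scheme that only counts failures would hide that and mislabel exactly the people training is working on.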
These attacks exploit nothing more exotic than ordinary human psychology, so, as with any habit, the way to change behavior is through training. Organization-wide training, delivered through a Learning Management System (LMS) and reinforced regularly, helps thwart such attacks. The goal is a culture in which security protocols blend into day-to-day tasks rather than sitting apart from them. Attackers will keep evolving their tactics; steady training and measurement are what keep an organization ahead of them.