The biggest and most underacknowledged threat to data security is a phenomenon called “social engineering.” This use of human emotional manipulation has increased cybercriminals’ access to sensitive data. In fact, 12 people every second fall victim to cyber-crime, according to Microsoft. And in 2016, 43 percent of documented breaches involved social engineering attacks, as reported in the 2017 Verizon DBIR. Knowing the social engineering tactics that are most often deployed by criminals can help you mitigate this risk and secure your human attack surface.
While the most common social engineering techniques involve email solicitations, some attackers use more sophisticated tactics. Cybercriminals routinely contact members of an organization through phone, social media, and text messaging to deceive employees into revealing details that give the criminals access to secure networks. So what are the most common social engineering tactics? Here are the top five.
#1: Phishing
It’s lunchtime at the office, and you’re finally able to catch up on emails. You don’t have much time because you have a meeting at 1 p.m. The usual emails appear: internal team members, solicitations, the documents you’ve been waiting on to move your new project forward. You see a notification from your bank citing “Urgent: Please Login to Account.” You want to resolve the issue, so you click on the email and follow it into the banking portal.
Only this is a spoofed portal, and you’ve now given your banking credentials to an unknown source. You are blissfully unaware this happened, because after entering your credentials, a screen appears that states “The Issue Has Been Resolved,” with your banking logo next to it. You assume that this is your bank’s legitimate portal. This social engineering tactic of using fraudulent emails to gain access to personal information is called phishing.
#2: Baiting
You are walking to your car after a long day at the office. As you approach your car door, you notice a USB drive on the asphalt. You go home and plug it into your computer — how else will you know who the device belongs to? And your computer has now been infected with malware. This tactic is called baiting, and it offers either a physical or digital download, which then corrupts your IT system.
#3: CEO Fraud
You are the CFO of the company. You receive an email from your boss, the CEO, with the subject line “Wire Transfer $10,000 dollars to X account.” This isn’t entirely out of the norm — there are dozens of transfers in a given week, and you don’t want to upset the head of the organization. You make the transfer, only it turns out that the CEO’s email was spoofed and the money went to an unknown bank account. You’ve just lost the organization $10,000 in minutes. This is called CEO fraud: the imitation of the CEO’s email address to trick employees into transferring money, providing highly confidential information, or granting access to systems.
#4: Man-in-the-Middle Attacks
It’s 2 p.m. at the office; you start to develop a headache and that report is due by the end of the day. Ibuprofen isn’t cutting it, so you log into a site that gives health information. You’re prompted by a chat that asks for some personal information. Your head is still throbbing, and you reluctantly enter the information. The chat box closes — and little did you know that the representative was really a man-in-the-middle social engineering attacker. Man-in-the-middle attacks involve intercepting communication between two parties while each believes it is talking directly to the other. They aren’t limited to chat boxes: the same interception can be carried out over email or even Wi-Fi.
#5: Tailgating
There’s a man in dress clothes carrying two boxes stacked on one another. He’s walking toward the office building door while you’re exiting, and you are holding nothing. Naturally, you hold open the door, and he responds with a smile and a nod. Nothing unusual, right? Wrong — the man you opened the door for obtained credentials from a friend to access your organization’s systems, and you have just granted him physical access to the building where he will find a computer to log in and obtain valuable information. You’ve become a victim of tailgating — when an outsider poses as an insider, gaining access to information systems and confidential data.
How to Prevent Social Engineering Tactics from Doing Damage
There are a few approaches organizations can take to mitigate social engineering. First, behavioral analytics can help you recognize which employees pose the greatest risk to the business, whether as a malicious insider or as a careless user who is susceptible to these social engineering tactics. Once identified, they can be governed, trained, and if needed, sanctioned. Proactive monitoring of your cloud applications can also help you spot when a user may have been a victim of social engineering. If a specific sales rep only exports around 50 rows of data each week and suddenly exports 50,000 rows in one day, it could be an indication that their credentials were compromised. By layering application-level security on top of network or infrastructure-layer solutions or a DLP, you gain fuller insight into attacks like phishing and man-in-the-middle that those lower layers cannot see on their own.
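The export-volume check described above, written out as an added example (not code from the article or any vendor product): it builds a per-user weekly baseline from constructed export audit events, then flags any single-day export that exceeds ten times that baseline, while skipping users who have too little history to compare against. The event tuples, user names, cutoff date and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample export audit events (user, day, rows exported); not from the article.
EVENTS = [
    ("rep_alice", date(2017, 1, 3), 20),  ("rep_alice", date(2017, 1, 5), 30),
    ("rep_alice", date(2017, 1, 10), 25), ("rep_alice", date(2017, 1, 12), 25),
    ("rep_alice", date(2017, 1, 17), 50),
    ("rep_alice", date(2017, 1, 24), 50000),     # the one-day spike the article describes
    ("analyst_bob", date(2017, 1, 4), 5000), ("analyst_bob", date(2017, 1, 11), 4800),
    ("analyst_bob", date(2017, 1, 18), 5200),
    ("analyst_bob", date(2017, 1, 25), 5100),    # large, but normal for this user
    ("new_hire_carol", date(2017, 1, 24), 900),  # no history yet, so nothing to compare against
]
CUTOFF = date(2017, 1, 22)  # assumed: events before this date form the baseline, later ones are scored

def weekly_baseline(events, before):
    """Mean rows exported per ISO week for each user, using only events dated before `before`."""
    per_week = defaultdict(int)
    for user, day, rows in events:
        if day < before:
            per_week[(user, day.isocalendar()[:2])] += rows
    per_user = defaultdict(list)
    for (user, _week), rows in per_week.items():
        per_user[user].append(rows)
    return {user: sum(weeks) / len(weeks) for user, weeks in per_user.items()}

def detect_export_spikes(events, before, ratio=10.0, min_weeks=3):
    """Flag any single-day export on/after `before` exceeding `ratio` x the user's weekly baseline.
    Users with fewer than `min_weeks` weeks of history are skipped (no reliable baseline)."""
    baseline = weekly_baseline(events, before)
    history_weeks = defaultdict(set)
    for user, day, _rows in events:
        if day < before:
            history_weeks[user].add(day.isocalendar()[:2])
    alerts = []
    for user, day, rows in events:
        if day < before or len(history_weeks[user]) < min_weeks:
            continue
        if rows > ratio * baseline[user]:
            alerts.append({"user": user, "day": day.isoformat(), "rows": rows,
                           "weekly_baseline": baseline[user]})
    return alerts

if __name__ == "__main__":
    for alert in detect_export_spikes(EVENTS, before=CUTOFF):
        print(alert)
```

Only rep_alice is flagged: analyst_bob's 5,100-row export is within his own baseline, and new_hire_carol is skipped rather than alerted on a guess.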
And because these types of attacks tend to exploit natural human psychology, training is the best way to effect a change in a user’s behavior. Training can help users better spot potential external attacks and avoid them, rather than clicking or responding and opening the organization to a breach. Re-training and new approaches may also be necessary. By coupling your training strategy with the insights you derive from user activity monitoring on Salesforce and other cloud applications, organizations can move toward a culture where security protocols blend seamlessly with day-to-day tasks. And as cybercriminals continue to evolve their social engineering tactics, you can ensure your organization stays ahead of the curve.