Social engineering is the use of manipulative tactics by fraudsters to convince individuals or organizations to voluntarily give up valuable private information
Modern businesses must contend with a range of cybersecurity threats, from DDoS attacks and hacking attempts to viruses and ransomware. However, according to findings published in the 2019 Trustwave Global Security Report, social engineering is now by far the dominant method for cybercriminals looking to access your data.
Indeed, the report found that 46% of all breaches in corporate settings can be attributed to successful social engineering attacks, and this rises to 60% in cloud and point-of-sale environments. As a result, learning to prevent social engineering attacks needs to be a top priority for all businesses and individuals.
Put simply, social engineering is the use of manipulative tactics by fraudsters and other malicious parties, in order to convince individuals or organizations to voluntarily give up valuable private information such as usernames and passwords. In this article, we take a closer look at this phenomenon and explain why social engineering awareness training can be so valuable.
The rise of spear phishing
By now, many people are familiar with the dangers associated with phishing emails, but, as overall awareness about the methods used has grown, cybercriminals have become more sophisticated and methodical in their approach. A good example of this is the rise of a technique known as spear phishing, which targets specific individuals.
As a blog post for Digital Guardian points out, spear-phishing differs from more conventional phishing attempts, because attackers tailor their outreach to individual people, who they have specifically chosen to target. They achieve this by using personal information gained from social media platforms and other sources to reference names, job roles, physical locations, supposed mutual friends and other information that may help them to gain trust.
The attacker could pose as a friend, a work colleague, or a business partner and will send a seemingly innocent message, often with a link to a malicious page, or with a request for information that can subsequently be used for malicious purposes. By adopting this method, attackers can focus on high-value targets, such as people with elevated access, or people with a degree of financial authority, rather than adopting a more random, scatter-gun approach.
One of the most pressing dangers associated with spear phishing is its ability to get around phishing detection software and other protection methods that may work to screen more obvious phishing attempts. With this in mind, the main IT support services and training efforts that are effective involve teaching employees about the tricks used.
Compromised emails and websites
One of the social engineering methods people are perhaps less aware of is the rise in compromised email accounts and websites. This is a growing problem, due to the number of mass data breaches that have occurred, leading to login credentials being made available and even sold on the Dark Web to other cybercriminals.
With emails, the general pattern is for attackers to gain entry into an email account, and then send seemingly innocuous messages to people in that account's contacts list. In reality, the messages will usually either be phishing for personal information or directing the recipient to a link that infects their device with malware.
Download our Business Resource – Business case template
This tried-and-tested template will help you create and build the case for investment from senior management.
Access the Business case template
"If your friend sent you an email with the subject, 'Check out this site I found, it's totally cool,' you might not think twice before opening it," an article for Norton explains. "By taking over someone's email account, a fraudster can make those on the contact list believe they're receiving email from someone they know."
With websites, attackers typically gain the login credentials of a trustworthy site and then infect it with malware, or use it to request personal information from people, using web forms. When a link is included within an email or posted on social media, it looks completely harmless and may even be a website the victim has visited before.
The value of raising awareness
With the growing prevalence of cyber-attacks and data breaches of all kinds, it is vital for small and medium enterprises to invest in the right IT support services. In relation to social engineering, however, because it is a sophisticated form of attack, the best methods need to be based on increasing awareness and taking sensible proactive measures.
For example, your team can be made aware of the rise of spear phishing and told how attackers gain the kind of valuable information that makes it such a threat. Employees can then take steps to limit the amount of personal information that is publicly visible on social media platforms, and think twice about clicking on certain links.
Most good social engineering awareness training programmes will also highlight other best practices, such as two-factor authentication, typing URLs manually rather than clicking on email links, and only entering login credentials on trusted sites, which have the right encryption protocols, in order to minimize the damage that can be done.
The last word
Cyber attacks are nothing new, but criminals and other malicious parties are continuously adapting their methods, in order to circumvent protection software and catch individuals out. One of the most obvious examples of this has been the growth in attackers using methodical social engineering techniques, in place of a more scattergun approach.
This poses a threat to businesses and individuals because phishing attacks and malicious links can become much harder to identify. It is, therefore, imperative that you invest in training that increases the awareness of your teams.
Fifosys provides cybersecurity awareness training to SMEs in London and the South East of England. Additionally, it can help you to identify and fix any vulnerabilities in your networks and computer systems. This combination can then provide you and your employees with the best chance of protecting against social engineering attacks of all kinds.
Mitesh founded
Fifosys in 2001, which provides IT services in London, following completion of a master's in computer science. He has a reputation for straight-talking, delivering focused and effective directives to his clients. Mitesh has an in-depth understanding of both operational and transformational IT projects and provides the best in town cyber security training. He also acts as a mentor, guiding junior aspirants commencing their business career.