Social Engineering and how to minimise threats to you.

The biggest weakness in any cybersecurity strategy is humans and our inability to detect a potential attack. Social engineering takes advantage of a targeted emotion (typically fear and urgency, or even a sense of fun and sharing) to trick the target into performing an action, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials.

  • Social engineering is an illegal activity that accounts for 98% of cyber-attacks and is characterised by attackers coercing victims into divulging sensitive information by pretending to be a known person or legitimate entity.
  • Identity theft through phishing attacks is the most common form of social engineering.
  • Over 70% of data breaches start with phishing or social engineering attacks.
  • You can employ several prevention strategies to avoid social engineering, from setting up multifactor authentication for your accounts to training friends, family and employees to identify suspicious behaviour.

Facebook quizzes are an excellent example of social engineering. I’m sure many of you have seen popular quizzes that gather seemingly innocuous data such as the month and day you were born, the street you lived on, your pet’s name, and your favourite food or colour.

All this information can be correlated with your public profile data (phone number, friend list, email address, and other information) to create a clear picture of you. This process allows a potential attacker to custom-make attacks, take over accounts, and commit identity theft.

Moreover, some quizzes you find on social media platforms such as Facebook collect data usually linked to security questions for other online accounts, further increasing your security risks.

Other quiz posts you may come across as you traverse the internet may also lead you to malicious websites that can infect your device with malware, including spyware and credential-stealing Trojans.

In 2019, Facebook even sued two quiz developers for allegedly scraping the private data of over 63,000 users through browser plugins that promised, among other things, to unveil different personality traits. In another privacy snafu, the infamous Cambridge Analytica case, the information of millions of Facebook profiles was harvested through another personality quiz on the platform.

Some other examples of Social engineering techniques include:

  • Phishing: An attacker sends a fraudulent email that impersonates a trusted party, often a corporate executive, to trick users into sending money to an offshore bank account.
  • Vishing and smishing: Attackers use text messages and voice-changing software to send SMS messages or robo-call users. The messages usually promise gifts or services in exchange for payment. These types of scams are called vishing (voice phishing) and smishing (SMS phishing).
  • CEO (executive) fraud: Users often feel urgency when an executive requests action, so an attacker pretends to be the CEO or another executive to pressure the targeted employee into performing an action quickly.
  • Baiting: It’s common for attackers to promise prizes or money in exchange for a small payment. The offer is usually too good to be true, and the payment is usually for shipping or some other cost coverage.
  • Pretexting: Attackers may create a false pretext to gain sensitive information or access to a system. For example, an attacker might impersonate a bank teller and contact a target individual to claim that there’s been suspicious activity on their account and ask them to share sensitive information to confirm their account.
  • Tailgating or piggybacking: Corporations use access-card scanners to block unauthorised entry to their premises. An attacker uses tailgating or piggybacking to follow an authorised user through the door, so that the user’s own access card gives the attacker physical access to the premises.
  • Quid pro quo: Disgruntled employees could be tricked into providing sensitive information to an attacker in exchange for money or other promises.
  • Watering hole: This form of social engineering attack involves targeting certain groups by infecting websites that the group is likely to visit. For example, an attacker might infect a popular news site with malware with the intention that employees of a certain company will visit the site and inadvertently download the malware.
  • Responding to a question never asked: The targeted victim will receive an email “responding” to a question, but the response will ask for personal details, contain a link to a malicious website, or include a malware attachment.
  • Threaten loss of money or accounts, or threaten prosecution: Fear is a useful tool in social engineering, so an effective way to trick users is to tell them that they will suffer money loss or go to jail if they do not comply with the attacker’s request.

Social Engineering Prevention

Individuals and businesses are both targets for social engineering, so people must be aware of the signs and take the necessary steps to stop the attack. It’s the responsibility of an organisation to educate their employees, so follow these steps to empower your employees with the tools to identify an ongoing social engineering attack:

  • Be aware of the data being released: Whether it’s social media or email, employees should know if the data is sensitive and should be kept confidential.
  • Identify valuable information: Personally identifiable information (PII) should never be shared with a third party, but employees should know what data is considered PII.
  • Use policies to educate users: A policy in place gives users the information necessary to act on fraudulent requests and report ongoing social engineering attacks.
  • Enhance security with multifactor authentication: Adding extra layers to verify your identity makes online accounts much harder to compromise, even if a password is stolen.
  • Strengthen passwords and use a password manager: Using strong, unique passwords with diverse character types can make them harder to crack. A reliable password manager can also help manage your passwords safely.
  • Limit personal information online: Avoid sharing personal details, like schools you’ve attended, pets’ names, or other details that reflect the answers to security questions or access passwords.
  • Keep devices secure and close: Lock your computer and mobile devices, especially when in public places like airports or coffee shops. Keep your devices in your possession to prevent theft.
  • Keep anti-malware software up to date: Should malicious software be downloaded, up-to-date anti-malware will detect and stop it in most cases.
  • Be suspicious of requests for data: Any request for data should be received with caution. Ask questions and verify the sender’s identity before complying with the request.
  • Train employees: Employees can’t identify attacks if they do not have the education that helps them, so provide training that shows employees real-world examples of social engineering.

Social engineering is one of the most common and effective ways an attacker can gain access to sensitive information. Statistics show that social engineering combined with phishing is highly effective and costs organisations millions in damages.

A few statistics on social engineering include:

  • Social engineering is responsible for 98% of attacks.
  • In 2020, 75% of companies reported being victims of phishing.
  • The most common cyber incident in 2020 was phishing.
  • The average cost after a data breach is $150 per record.
  • Over 70% of data breaches begin with phishing or social engineering.
  • Google recorded over 2 million phishing websites in 2021.
  • Approximately 43% of phishing emails impersonate large organisations like Microsoft.
  • 60% of companies report data loss after a successful phishing attack, and 18% of targeted users fall victim to phishing.

A few rules to follow:

  • Research before responding: If the scam is common, you will find others talking about the social engineering method online.
  • Don’t interact with a web page from a link: If an email sender claims to be from an official business, don’t click the link and authenticate. Instead, type the official domain into the browser.
  • Be aware of strange behaviour from friends: Attackers use stolen email accounts to trick users, so be suspicious if a friend sends an email with a link to a website with little other communication.
  • Don’t download files: If an email requests to urgently download files, ignore the request or ask for assistance to ensure that the request is legitimate.
