Did you know that one of the weakest links in an organization's cyber security defense is its own workforce? Many business owners may rush to prioritize defense against cyber attacks that target technological vulnerabilities. However, gaining unauthorized access to otherwise secure business information is largely done by exploiting human weaknesses. In fact, the World Economic Forum reports that 95% of cybersecurity issues are traced to human error, according to their 2022 Global Risks Report.
Social engineering attacks are accomplished by manipulating and tricking someone into giving up secure information, resulting in access to critical business resources. Criminals find it easier to take advantage of human error, rather than attempting to attack software.
With even multi-billion dollar companies like Riot Games being the subject of social engineering attacks as recently as two weeks ago, you can expect your small business to become a target as well. In this blog, we'll break down common attack approaches and offer some insight on how to best protect your employees and business from falling victim to social engineering.
The measures that criminals take to set up a social engineering attack usually follow a standard cycle. Remember that at one point or another, a social engineering attack requires communication between the attacker and the victim. Being aware of these steps will help you remember what to watch out for if you become a target.
1.) Research
• An attacker will begin by identifying the victim and collecting background info on the target and/or their organization. They may investigate someone via a previous security breach or even through the individual's public profiles, such as those on social networking sites. The more info the attacker holds on the target, the higher the chance that they can motivate the victim to give up sensitive information.
2.) Build a Relationship
• The attacker then engages with the victim, ideally establishing trust by building a relationship. This can range from a few email interactions to many text message exchanges on social messaging platforms. This step is a crucial part of the psychological manipulation process, making it easier for the attacker to draw out sensitive info from the victim when the time comes.
3.) Threaten & Infiltrate
• Perceived trust met with a convincing story or motive on the attacker's behalf will inevitably weaken the target. The attacker can also deliberately take advantage of heightened negative emotions like fear, shame, or guilt. Alternatively, compelling promises of a reward can also be an approach to getting the victim's hopes up through excitement. Following the acquisition of enough information from the victim, the attack can be executed. This means they can likely gain access to critical data that could put a business in serious jeopardy.
4.) Exit
• In an effort to avoid raising further suspicion, the attacker will end communication with the victim and ideally get rid of all traces of involvement.
Chances are you've already dealt with attempts to access your personal information. If you experience a suspicious interaction, it's important to trust your instincts. Here's a list of the most common social engineering techniques:
Phishing & Spear Phishing Attacks
• Phishing is one of the most popular attack methods, which involves sending a fabricated message or email on behalf of a reputable source to the target. The message often prompts urgent action from the recipient, motivating them through fear, curiosity, or excitement. Usually this means accessing a link to a convincing fake website, where the user may be asked to input personal info like their login credentials. While email is one of the most common ways to deliver this type of attack, phishing can also occur through text message or over phone calls.
• Spear Phishing involves a much more targeted approach, in which the attacker collects information on a specific individual and fabricates a message that appears to be authentic. The attacker may even pretend to be an internal team member in an effort to further build credibility. While this type of attack takes significantly more time and effort to accomplish, it's typically harder to identify and can result in a higher success rate if executed carefully.
Baiting
• Baiting attacks take advantage of a target's natural curiosity by creating enticing links or ads to an external source where a reward is supposedly awaiting. Similar to phishing, these links lead to malicious websites where the user will be prompted to give up personal information, such as credit card info, in exchange for the promised reward. Users should be especially wary of sites that ask them to download files to their computer, as this often leads to installing malware on their system.
Contact Spamming
• Contact spamming attacks utilize hacked email or social media accounts to send malicious links by accessing the user's contacts list. This method is especially convincing at first glance, since the recipient will be receiving a message from what seems like a trusted source. Following the link leads to dangerous websites that could steal your personal information or install viruses on your device.
Pretexting
• Pretexting refers to creating a fake scenario to convince a target to give up personal information, such as credit card information, login credentials, or even social security numbers. Similar to other attack methods, pretexting usually involves impersonating a trusted authority to convince a target that they are legitimate.
Quid Pro Quo
• The Quid Pro Quo approach manipulates the target into believing they will receive a reward or compensation in exchange for giving up personal or business data. This attack can also be carried out by convincing users that their software is in need of an urgent upgrade due to a security issue. In reality, the attacker takes this as an opportunity to install malware onto the device.
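The disguised links that phishing, baiting and contact spamming rely on can be screened mechanically before a recipient ever clicks. As an added example (not code from the original post or from GAM Tech), this Python script flags three tell-tale signs on a constructed sample message: visible link text naming a different domain than the href, hosts that imitate a trusted domain, and links to bare IP addresses. The trusted-domain list, the sample email and the similarity threshold are all assumptions made for the illustration.

```python
"""Heuristic phishing-link checks for an HTML email body (defensive triage)."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list: registrable domains the organisation really uses.
TRUSTED_DOMAINS = {"example-bank.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOOKALIKE_RATIO = 0.9  # assumed threshold; one swapped character in a 16-char name scores ~0.94

# Constructed sample in the style the article describes: urgency, a disguised link, a typo-squat.
SAMPLE_EMAIL = """<p>Your account is locked. Verify within 24 hours:</p>
<a href="https://example-bank.com.secure-login.net/verify">https://example-bank.com/verify</a>
<p>Questions? See <a href="https://example-bank.com/contact">our contact page</a>.</p>
<a href="https://examp1e-bank.com/reset">Reset your password</a>
<a href="http://203.0.113.7/update">Install the security update</a>"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for the sample, wrong for .co.uk and friends."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def imitated_domain(host, trusted):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    rd = registrable_domain(host)
    if rd in trusted:
        return None
    for t in trusted:
        # Trusted name buried inside a stranger's domain, or a near-identical spelling.
        if t in host or SequenceMatcher(None, rd, t).ratio() >= LOOKALIKE_RATIO:
            return t
    return None


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) findings for every link that deserves a second look."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname
        if not host:  # mailto:, relative links and the like are out of scope here
            continue
        if IPV4_RE.match(host):
            findings.append((href, "link points at a bare IP address"))
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            findings.append((href, f"text shows {shown.group(0)} but link goes to {host}"))
        if (t := imitated_domain(host, trusted)):
            findings.append((href, f"domain imitates trusted {t}"))
    return findings
```

Running `analyze_links(SAMPLE_EMAIL)` flags the first, third and fourth links and leaves the genuine contact-page link alone; a mail gateway could quarantine or annotate messages on the same signals.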
Awareness
Use Multifactor Authentication
Strong Spam Filter
Secure Devices
Testing and Training
A good business plan should include an outline of the resources required to operate your organization. With cyber attacks on the rise, there's no doubt that cybersecurity measures should factor into your continuity planning.
GAM Tech's IT services offer a comprehensive set of security features to make sure your business is as protected as possible from cyber attacks. Cyber security training, multifactor authentication setup, and advanced email filtering are just a few examples of the services we offer in our IT packages.
To learn more, get in touch with us via our contact page!