Social Engineering: How Secure Organisations Are Compromised
Social Engineering is an issue not just for casual internet users but is a very successful methodology for malicious operators to bypass strong security protocols in businesses, even large global brands as demonstrated in the media. Companies with top down technical expertise may still have employees trained in simple security protocols but can still be “fooled” by bad actors. We have moved way past the days of an African Prince trying to solicit bank details and the techniques and outcomes of sophisticated social engineering schemes are delivering real world impact to very large multinational IT businesses.
What is Social Engineering?
Social engineering involves the use of psychological manipulation techniques to deceive individuals or organisations into divulging personal and or sensitive information or into taking actions that can compromise their security or data. Social engineers use a range of tactics to exploit human behaviour and the trust of their targets to trick them into providing access or to extract sensitive information and or resources. The goal of a social engineering attack is to gather information or access that can be used for fraudulent purposes, such as identity theft, financial fraud, or cyber espionage. Social engineering attacks can be difficult to detect, as they often rely on the victim’s willingness to provide information or access voluntarily.
Types of Social Engineering scams
There are several types of social engineering scams that scammers use to gain access to personal information. Some of the most common types include;
- Phishing scams involve creating fake emails, phone calls, or text messages that appear to be from trusted sources such as banks, social media sites, or online retailers. These messages contain downloadable attachments or links that direct to fake websites that mimic the real ones and trick victims into divulging sensitive information, such as their login credentials, financial and or account information.
- Spear Phishing is a more targeted version of phishing, in which the attacker researches the target to create a more personalised and convincing message. The goal is to increase the likelihood that the target will fall for the scam. This type of email scam is used to carry out targeted attacks against businesses.
- Pretexting (impersonating) involves creating a false scenario, identity or pretext to trick individuals into divulging sensitive or personal information or they may encourage performing certain actions. Two common examples might be; 1) a social engineer may call a company and pretend to be an IT support technician who needs the victim’s login credentials to fix a technical issue, or 2) a social engineer might pose as a bank employee and claim that there has been fraudulent activity on the victim’s account, asking for their personal information to “verify” their identity.
- Baiting is the activity or introducing a target to something of perceived value to have the victim perform an activity which results in a breach. The social engineer may leave an item such as a USB drive or a CD in a public place and wait for a victim to pick it up and connect it to their computer, infecting their system with malware or offering a free download or a prize, in exchange for personal information or access to a system.
- Tailgating involves following authorised individuals into a secure or restricted area without proper authorization. They may pretend to be an employee or simply ask to be let in based on a reasonable excuse. This attack targets individuals who can give scammers physical access to their target location and often work because of misguided common courtesy, like when a door is held open for an unfamiliar “co-worker.”
- Malware is a cyberattack involving malicious software, like ransomware or scareware. Victims are sent an urgently worded message and tricked into installing malware on their devices by hackers.
- Vishing involves cybercriminals leaving urgent voicemails to convince victims they must act now to protect themselves from arrest or another risk under the guise of being a financial organisation, a federal agency, or law enforcement. The use of this technique with SMS/text message is Smishing.
- Watering Hole Attack is an attack on an organisation’s frequently-visited website that is compromised and used as a nest to spread infection. If a company’s own website is on the list, the damage extends beyond the organisation, reaching existing and potential clients. Watering hole attacks can be difficult to prevent and require vigilance in maintaining end user’s system security and monitoring and responding quickly to strange occurrences on frequently-visited sites.
How data breaches impact businesses
There are a number of impacts on a business which has had a socially engineered data or access breach. All impacts revolve around some form of end financial impact whether that be direct cost of review, testing and clean up or the loss of revenue from loss of customer trust. Outlined below are some key considerations as to why defence against social engineering is a critical strategy for any business.
- Financial implications. Bad actors are always after something which is usually financial gain. A breach can cost a business anywhere from tens of thousands to millions of dollars in direct losses, without counting the costs associated with recovery. A data breach can be expensive for a business to remediate, as it would require hiring forensic experts, notifying affected customers, providing credit monitoring, and defending against potential lawsuits. There are also the losses to operational productivity and customer trust which is discussed below. A quid pro quo attack occurs when an attacker makes threats to leak or sell information or corrupt the data while making demands on the business, often paying a fee. In many situations a business does not have alternative options and will meet demands for the chance to recover their data.
- Productivity costs. A successful attack means significant time lost rectifying the impact of a breach and resolving the damage. This often craters the IT team’s productivity, general employee productivity, and ultimately the business’s profitability (time is money). Most successful attacks make it impossible to simply operate the business as usual, with some level of maintenance and cleanup required. Pretexting, phishing, baiting, where a specific employee is targeted in an attack, require a broad investigation and tend to destroy productivity.
- Operational disruption. Reduced productivity won’t just impact the IT team, it can trickle down the entire supply chain or service delivery operations, slowing every moving part of the business and causing logistical delays. The social engineering impact on business goes beyond work productivity alone. Operational disruption is common, made much significantly worse where systems and sites are corrupted. These attacks run far deeper than just social manipulation, involving malicious programs and viruses that infect company devices and websites to spread infection. Systems like the company websites, eCommerce or service platforms are taken offline just to keep the infection from spreading.
- Reputational damage. Cybersecurity attacks are extremely dangerous and put both business and customer information at risk. Organisations that are considered not adequately protected will lose customers through lack of trust. Prospective customers may be hesitant to do business with a company that has suffered a data breach, especially if personal information was compromised.
Legal and regulatory penalties. Depending on the nature and scope of the breach, a business may face legal and regulatory penalties for failing to protect sensitive customer data. For example, businesses that handle credit card data may be subject to fines from payment card industry compliance programs.
- Loss of competitive advantage. A data breach can also lead to the loss of competitive advantage if sensitive business information, such as trade secrets or intellectual property, is compromised. Competitors may be able to use this information to gain an advantage in the marketplace.
Best practices for online security and privacy
To protect against social engineering attacks, individuals and organisations should be vigilant about suspicious requests for information or access and or changed or unusual situations or experiences online and or offline. A simple rule is do not share personal or sensitive information unless you are 100% sure about the situation in which the information is required. It is important to follow best practices for online security and privacy, such as;
- being wary of unsolicited emails, messages or links and attachments,
- implementing and using password management software,
- enabling two-factor authentication,
- maintaining software and operating systems patches and updates,
- leveraging reputable antivirus and anti-malware software,
- regularly backup important data to a secure and or secondary location,
- scheduled regular audits of systems and security practices.
Employee education is a significant activity that can be employed to ensure employees are fully informed about what and what not to do when faced with unfamiliar or suspicious requests or messages. Organise training, meetings, guidelines, and protocols that can be followed to the letter. Set up monitoring of internal and external systems and websites and investigate any noticeable changes to patterns.
What should be done if a breach occurs
If a business has been impacted by a successful social engineering attack, it is important to take immediate action to mitigate the issue and prevent further damage. Below is a stepped list of recommended actions to follow:
- Containment. The first step is to contain the damage by identifying the extent of the breach and securing any affected systems or data. This may involve taking systems offline or restricting access to certain areas. If a business has fallen victim to a social engineering attack, the first step is to contain the damage by identifying affected systems and data.
- Investigation. The company should conduct an investigation to determine the cause and extent of the breach. This may involve reviewing logs, interviewing employees, and working with external experts. It is critical to be clear with the identification of what information was compromised.
- Notification. If customer data was compromised, the company should notify affected individuals as soon as possible. Notification should be clear, concise, and provide information about what steps the company is taking to mitigate the breach. It is also essential to notify any other affected parties, such as employees, about the breach. Transparency on the impact and remediation process can be a life preserver for an impacted business.
- Remediation. The company should take steps to remediate any vulnerabilities or weaknesses that were exploited in the attack. This may involve implementing new security controls, updating policies and procedures, or providing additional training to employees.
- Monitoring. The company should monitor its systems and data for any signs of continued or future attacks. This may involve implementing intrusion detection systems, conducting regular security assessments, and providing ongoing security awareness training to employees.
- Communication. The company should communicate openly and transparently with stakeholders, including customers, employees, and regulators. This can help to restore trust and confidence in the company’s ability to protect sensitive information.
- Follow Up. Finally, the business should review and update its security policies and procedures to prevent a similar attack from occurring in the future. It is crucial to implement proper security measures and educate employees on how to identify and prevent social engineering attacks.
Overall, a successful social engineering attack can have serious consequences for a company, but taking swift and effective action can help to mitigate the damage and prevent future attacks.
Social engineering is a serious threat that can cause immense damage to individuals and organisations. Bad actors use psychological manipulation to trick people into divulging personal information or taking actions that can compromise their security. To protect against social engineering breaches, it is important to follow best practices for online security and privacy, and use tools and software to detect and prevent these attacks. Working with a security expert to devise a robust security plan, regular review of practices and monitoring of systems and frequent activities and regular educational training for staff are effective ways to help prevent a breach. It is also critical to have a mitigation strategy and team or partner committed and ready to go into action should the worst case occur.