There are multiple types of cyberattacks – many of which are very sophisticated, often because of the technology they use. But more often, the kind of attack that leaves the biggest impact on its victims – emotionally and psychologically, is the one that is not necessarily driven by sophisticated technology, and often appears to be rather benevolent. These are the attacks that are driven by social engineering.
Social engineering can be devastating not only in terms of damage to finances and brand reputation, but also in terms of the sense of manipulation the organization experiences and the doubt it raises regarding its ability to detect and prevent such attempts.
So, what is social engineering and why can it be so distressing? Let’s take a look.
A quick primer to social engineering
‘Social engineering’ is a term that is used for a broad range of cybercriminal activities that are primarily endeavored through human interactions rather than technology alone.
Also known as “human hacking,” it involves the use of psychological manipulation. In these attacks the hacker exploits the human tendency for error and lures unsuspecting users into unintentionally exposing data, spreading malware, or giving access to restricted data, applications, and systems.
The perpetrator first investigates the intended victim, gathers background information, and takes certain convincing actions to gain the target’s trust. Once the attacker understands what lies behind a user’s decisions and behaviors, they can be very effective at deception, causing the target to break security practices and reveal sensitive information.
For example, instead of seeking out a vulnerability in the organization’s security perimeter, they will reach out to an employee under the guise of an IT support engineer. Then, equipped with knowledge about the organization’s processes and systems, the hacker will dupe the employee into divulging their password to an important system that contains sensitive data.
Another powerful weapon in the social engineer’s arsenal is the fact that targeted users are often unfamiliar with the social engineering repertoire – and therefore don’t know how to spot an attempt.
What you need to know about phishing and how to prevent it
One of the most prevalent types of social engineering attacks is phishing. In fact, the recent Verizon Business Data Breach Report has noted that it accounts for over 30% of breaches in small organizations.
Phishing primarily involves tricking users into taking one of two main actions. The first is to unwittingly submit credentials to hackers for accessing sensitive or proprietary data. The second is to install malicious software so the hacker can infiltrate the organization’s network.
This is often achieved by making the premise for the attack look like a legitimate event. For example, this could be a (fraudulently) urgent email from the organization’s bank, alerting to a supposed breach. To remedy the situation, the email’s author instructs the user to click on a link for verifying credentials, which sets the crime in motion.
So why should phishing be on everyone’s radar? Because cyber criminals know that quite often:
- Cyber protection is not always as robust as the organization would like it to be
- Resources for educating and training users on awareness and prevention can be limited
- There are always at least some employees who are less experienced in identifying phishing attempts
- There isn’t always the knowledge in-house on which actions need to be taken to defend against such attacks
Protecting your business against phishing
- Building awareness
To avoid falling victim to a phishing attack the first step is to raise awareness throughout the organization – regarding the type of attack, how it works, and how to prevent it.
It is also recommended to equip employees with the following set of questions that they should regularly ask themselves:
- Did the email or call come from a legitimate party who can prove their identity?
- Does the website have an irregular URL, poor image quality, typos, or other elements that typically hint to a fraudulent website?
- Is the attachment or embedded link legitimate?
They should know that whenever there is doubt, they should disengage. And whenever there is suspicious activity, the user should always notify the organization’s security team.
- Being proactive
Moreover, users must know that they should:
- Never click on suspicious links in emails
- Never let unauthorized personnel connect to the organization’s network
- Never leave devices unattended in public places
- Always keep software updated
It is recommended to create a cybersecurity awareness “cheat sheet” with the recommendations of the above two sections and circulating with all employees throughout the organization.
A focus on password protection
In addition to the above noted steps, robust password security is another important preventative measure. With 80% of cyber breaches being enabled by poorly protected passwords, one can certainly understand why.
- Two-factor authenticationBeyond picking a long, complex, and unpredictable password – a best practice for any organization is to implement two-factor authentication (2FA), which adds another layer of security. This means using any combination of at least two of the below noted security measures:
- Pin number
- A code that can be sent to a mobile device
- A fingerprint
- Password manager tools
- Length & uniqueness
Defending this vulnerable breach point requires a basic understanding of how quickly and easily weak passwords can be compromised. To illustrate, it takes:
- 10 seconds to breach a 5-character password
- 1,0000 seconds to breach a 6-character password
- 1 day to breach a 7-character password
- 3,000 years to breach a 10-character password
The longer the password is and the more unique characters it contains, the harder it will be for hackers to crack it.
Social engineering is prevalent and can be very damaging when successful. Furthermore, many organizations are not sufficiently equipped with knowledge and tools, and therefore are a prime target for cybercriminals who use this mechanism for their attacks.
Accordingly, it is critical for them to make sure that every employee is aware of what social engineering is, the methods that social engineers use, and how they can prevent the attack. The key is awareness and education, as well as robust security practices, especially when it comes to passwords.
To learn more about how to protect your organization against social engineering and specifically phishing attacks, we invite you to visit our website at www.cyrebro.io