Social engineering attacks are not only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. With hackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must use due diligence in an effort to stay two steps ahead of cyber criminals.
Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks, like preventing a phishing attack, can be challenging for enterprises.
We wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:
The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.
It was a 2-stage attack, trying to get me to reveal my credentials. They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier whaling attacks, those cases when an individual is subjected to spear phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned.
Social engineering attacks that target companies or individuals are most easily and successfully launched through email. Everyone depends on email for communication, even more than social media which might be monitored by just one or a few company staff. Email is also a tool used daily by older members of the workforce. Also, email can direct a threat to everyone in an organization, including the CEO and CFO. But malicious emails require two triggers to be effective. The first is a cleverly worded subject line that will engage the recipient's curiosity and engineer them to open the email.
Obviously, Edward Snowden was the poster boy for social engineering attacks. He either befriended folks or asked for their passwords and logins by telling them they were needed for his computer systems administrator role. Pretext, or creating a fake persona or using one's role in an improper way, is pretty popular for social engineering attacks.
Today, there are many ways an attacker will try and compromise a corporate network, but in the end, the individual is at the highest risk from an attack. Attackers will take whatever means necessary to break into a network and steal information, and the most popular, and most successful, is by way of social engineering. Social engineering is responsible for many of the recent major attacks, from Sony to The White House. There are essentially two very popular types of attacks: phishing and vishing (voice phishing).
Phishing attacks are the most prevalent way of obtaining information or access into a network. An individual will open a seemingly harmless email, either click a link that leads to a malicious site or download an attachment which contains malicious code, and compromise a system. Phishing has been increasingly successful because the attackers are creating more legitimate looking emails and the attacks are more sophisticated. Thanks to the prevalence of social media, an attacker can look up everything they need to know about a person and their interests, craft an email specially tailored to that person, and email something directly to them, which increases the chances of that person clicking.
Vishing is essentially phishing over the phone. An attacker will call someone, such as an IT help desk, and with a little bit of information about a person (such as a name and date of birth) either get login credentials or more information about the individual, such as a social security number.
Protecting a company from these attacks starts with education. Teaching people what to look for when getting an email or receiving a phone call from someone asking for information or to click on something is what's going to lessen the likelihood of a successful attack. Actually looking at the from address, hovering over links and verifying the URL, and never downloading attachments unless you absolutely know where the email comes from will drastically decrease the likelihood of a successful attack against a company. When an individual receives a phone call asking for information, it's important to establish the identity of the person without giving hints. Remember: people's information is easily found on the internet. Asking good security questions on the IT help desk level is a great way to help guard against these attacks. Something like: What high school did you go to, or what was the make of your first car, is a thousand times better than your birthday.
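As an added, defender-side illustration of the checks just listed (read the real From address rather than the display name, compare a link's visible text with where it actually points, and notice urgency language), the following Python script is not part of this article; it runs over a constructed sample email and assumes a hypothetical trusted domain, `example-corp.com`.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the article): the display name claims to be HR,
# but the sending domain is a lookalike and the first link's visible text
# differs from the host it really points to.
SAMPLE_EMAIL = """\
From: "Director of HR" <hr.director@examp1e-corp.com>
To: admin@example-corp.com
Subject: Urgent: confirm your SpiceWorks login within 24 hours
Content-Type: text/html

<p>Please confirm your credentials today:</p>
<a href="http://login.examp1e-corp.com/reset">https://example-corp.com/hr/reset</a>
<a href="https://example-corp.com/policies">HR policies</a>
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed legitimate company domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Return the lowercase host of a URL, or None if the text is not a URL."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.scheme and parsed.hostname else None


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (check, detail) findings for one raw email."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Look at the real From address, not the display name.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain not in trusted:
        findings.append(("sender", f"'{name}' sends from untrusted domain {sender_domain}"))

    # 2. Urgency language in the subject is the classic pressure tactic.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(("urgency", subject))

    # 3. "Hover over the link": compare the visible text with the real href host.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        actual, shown = host_of(href), host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != actual:
            findings.append(("link-mismatch", f"shows {shown} but goes to {actual}"))
        elif actual not in trusted:
            findings.append(("link-untrusted", actual))
    return findings
```

On the sample it reports the lookalike sender, the urgent subject, and the link whose visible text does not match its target; the second link, which really goes to the trusted domain, is left alone.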
"I just need." Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly but they just need one little thing. It could be as innocuous as asking for a username or someone's schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.
Commonly defined as the art of exploiting human psychology to gain access to buildings, systems, or data, social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. A recent Check Point sponsored survey revealed that 43 percent of the IT professionals surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at high risk for social engineering.
Companies should promote a people-centric security culture that provides ongoing training to consistently inform employees about the latest security threats. Fighting attacks against the human mind requires behavioral changes more than technology defenses.
Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result. Incorporating continuous training methodology can be the difference between a five-alarm data breach and a quiet night at the office.
Companies need to consider securing all threat vectors and putting in place dedicated solutions to address every need. In a case like social engineering where victims are subject to spear phishing attacks, phishing attacks, malicious emails, and compromised sites, it is good to have a spam firewall and web filter in place to mitigate those threats before they even reach the network.
Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, "No."
Knowing the history of these attacks is useful, but overall, it is not going to protect you. The attackers are always ahead of those of us who are defending our information. A social engineer will always find a new way to do what they do. Someone who wants to target your company is considered an unending well of creativity, and must be treated as such. Keep in mind, technology always changes, but the humans utilizing that technology do not change. You can protect yourself with all the technology you want, but just one human mistake can blow your company's doors wide open. Humans are the attack surface on which a social engineer strikes.
Major data breaches and hacking of major companies such as Target, Sony, or even the State Department generally have one thing in common, and that is that despite the sophistication of the malware used to gather information, that malware has to be downloaded into the computers of the targeted company or agency and that is done, most often, through social engineering tactics that trick employees into clicking on links or downloading attachments that unwittingly download the malware.
1. Phishing: This is one of the most common attacks that entices employees to divulge information. An email impersonates a company or a government organization to extract the login and password of the user for a sensitive account within the company, or hijacks a known email and sends links which, once clicked, will embed malware or a Trojan on the computer of the user. Hackers then take the reins from there.
Similar attacks by phone, with the caller claiming to be a trusted source or an authorized organization, also can lead to employees revealing information that may be detrimental to the bottom line of the company or its reputation.