You can build the tallest walls around your castle and equip it with the most advanced defense technology, but if an insider opens the gates to your enemies, all your efforts will be wasted.
This logic applies equally to cyber security: even when a business uses state-of-the-art antivirus and malware protection software and implements robust technical security measures, a single employee's mistake, such as disclosing their login details to an intruder or downloading a malware-infected attachment, can compromise valuable information assets, cause financial loss or disrupt business continuity.
This is why social engineering attacks are on the rise: instead of trying to find and exploit system vulnerabilities, which may require significant resources, cybercriminals increasingly exploit natural human tendencies such as greed, trust, fear and the urge to reciprocate a favour so that they can exfiltrate data more easily.
In this article, we will talk about:
- How do social engineering attacks work?
- What are the main types of social engineering attacks?
- Rise of social engineering attacks
- Why are social engineering attacks on the rise?
- How to prevent social engineering attacks
I. How do social engineering attacks work?
Social engineering attacks refer to the use of deceptive techniques by cybercriminals to persuade victims to take specific actions such as disclosing sensitive information, downloading malware-infected attachments, allowing intruders into secure areas, or clicking on a link that leads to a fake website, which is then used to steal sensitive data such as their login credentials.
By deceiving employees into taking these actions, malicious parties can infiltrate corporate networks, gain access to valuable information assets, steal credentials of high-level management or even transfer funds to themselves. A successful social engineering attack requires both technical skills such as crafting a phishing email and soft skills such as building trust with the target.
Overall, a social engineering attack consists of four phases:
Phase 1: Gathering of information about the victim
In this step, the cybercriminals collect information about the victims from different sources such as publicly available data on social networking sites, online directories, or open-source intelligence (OSINT) tools.
Phase 2: Building a relationship with the victim
In this phase, cybercriminals earn the victim’s trust by using the information gathered previously and then applying principles of psychological manipulation to influence the victim into taking a particular action such as disclosing sensitive information like login credentials.
For instance, people like to reciprocate a favour, they want to be useful to others, and they act without due diligence when they perceive an imminent threat. Understanding these basic principles of human instinct helps cybercriminals trick their victims with ease.
Phase 3: Exploiting the relationship
In this stage, cybercriminals deploy their technical skills to attain results. This may include crafting a spear-phishing email, cloning a legitimate website, or persuading the victim into opening a malware attachment.
Phase 4: Exit step
This step involves removing all evidence that may have been left behind after the attack so that the cybercriminals cannot be identified. Furthermore, concealing that an attack occurred at all is critically important for cybercriminals because it allows them to keep infiltrating the systems without getting caught.
II. What are the main types of social engineering attacks?
Phishing attacks are the most prevalent type of social engineering attacks. In December 2021, APWG observed 316,747 phishing attacks, the highest number since its reporting program began back in 2004. Furthermore, according to Verizon’s Data Breach Investigations Report, phishing attacks were used in 36% of all data breaches surveyed.
Phishing attacks entail the use of communication tools such as emails, phones, SMS, or social media to deceive users into divulging confidential information, clicking on malicious web links, or downloading malware-infected attachments.
Spear phishing is a sophisticated variant of phishing. Unlike traditional phishing attacks, where non-personalized bulk communications are sent to thousands of recipients, spear-phishing attacks are targeted at specific individuals within an organization. Worldwide, 36% of businesses faced at least 10 spear-phishing attacks in 2020.
Business email compromise (BEC)
BEC refers to a type of attack in which cyber attackers impersonate trusted senior executives via stolen credentials and then convince subordinates to transfer funds to accounts the attackers control. According to IBM's 2021 Cost of a Data Breach Report, BEC attacks were the most costly to businesses worldwide, at $5 million on average per attack.
III. The rise of social engineering attacks
As businesses implemented stronger technical security measures such as more effective antivirus programs, network filtering, and cloud adoption, finding and exploiting system vulnerabilities demanded more resources and became more costly for cybercriminals. Given that the primary motivation for cybercrime is high-margin profit, it is no surprise that cybercriminals increasingly use social engineering attacks to infiltrate IT networks more easily and more cost-effectively.
In fact, the Human Hacking Report by SlashNext shows that social engineering attacks increased by 270% in 2021. What is more interesting is that 98% of all cyberattacks involve social engineering to some degree. Another interesting trend when it comes to social engineering attacks is the growing use of more sophisticated and manual methods instead of generic and automated communications.
Traditionally, the use of automated means to send out generic phishing emails and SMS in bulk was the norm. However, cybercriminals now collect more information about their targets, identify the most vulnerable individuals within the target organization and personalize their tactics to deceive their targets more easily.
This is evidenced by the growing prevalence of spear-phishing attacks: in 2021, 65% of all phishing attacks worldwide were spear-phishing attacks, which entail in-depth research into the target organization and the victims in order to send more personalized and believable emails, SMS messages and calls, thus maximizing the success rate.
IV. Why are social engineering attacks on the rise?
While there are many factors contributing to the rise in social engineering attacks, three factors stand out:
Professionals spend more time on social media networks and are often open to connecting with people they do not know to gain more prominence on social media platforms such as LinkedIn. This makes most employees potential targets for social engineering attacks because cybercriminals can easily open an account on these networks without ID verification, connect with the targets, earn their trust and then execute the attack. In other words, social media provides another attack vector for cybercriminals to build relationships with victims and exploit their vulnerabilities.
Access to more data
Social media sites where people share everything about their lives are a goldmine for social engineers: This enables them to profile their targets, identify individuals most likely to fall victim, and craft a more personalized message to them to boost their chances of success. For example, cybercriminals can set up an unofficial assistance page for a particular bank’s customers on a social media site and then target people following this page.
For instance, the data of 1 billion LinkedIn users was compromised as a result of two data breaches and subsequently put up for sale on the dark web. Access to this rich source of personal information has likely fuelled the rise in spear-phishing attacks in 2021.
Social engineering requires fewer resources and technical knowledge
Compared to exploiting system vulnerabilities, which requires technical expertise and resources, social engineering is an easier route for cyber attackers because all they need is one employee negligent enough to fall prey.
Social engineering attacks are less likely to get detected
When cybercriminals infiltrate corporate networks using login credentials obtained through social engineering, the intrusion may go undetected for months, giving them time to compromise troves of data.
Another factor that helps cybercriminals evade email gateways, firewalls, and other detection technologies is that they host malicious URLs on legitimate infrastructure such as AWS and outlook.com. For instance, according to a report by SlashNext, 2.5 million of the 14 million malicious websites identified were hosted on reputable infrastructure services such as Azure.
V. How can organizations prevent social engineering attacks?
Defending against social engineering attacks and minimizing their adverse effects on a business requires a combination of strong security culture, staff training, and implementation of appropriate cyber security measures:
Provide training to your staff
All staff should be educated on how to recognize social engineering attacks such as phishing. For email phishing, for instance, employees can be trained on the red flags they need to watch out for, such as an incorrect sender domain or grammar mistakes.
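As an added example that is not part of the original article, the following Python routine checks the sender-side red flags just mentioned (a lookalike or misplaced sender domain, a display name that borrows a trusted brand, and a mismatched Reply-To) over constructed sample headers. The trusted domains, the homoglyph table and the message dictionary format are assumptions made for this example.

```python
from difflib import SequenceMatcher

TRUSTED_DOMAINS = ("example-corp.com", "example-bank.com")  # constructed: domains the organisation sends from
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}     # lookalike swaps (constructed, not exhaustive)

def domain_of(addr: str) -> str:  # domain part of an e-mail address
    return addr.rsplit("@", 1)[-1].strip("> ").lower()

def is_trusted(domain: str) -> bool:
    """True for a trusted domain or one of its genuine subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def normalise(domain: str) -> str:
    """Fold homoglyph swaps so 'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def lookalike_of(domain: str):
    """Trusted domain this one imitates, or None if it is genuine or unrelated."""
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        if (trusted in domain                       # trusted name buried in a longer hostname
                or normalise(domain) == trusted     # digit/letter swaps
                or SequenceMatcher(None, domain, trusted).ratio() >= 0.9):  # one-character typos
            return trusted
    return None

def red_flags(msg: dict) -> list:
    """Header-level red flags for one message given as a dict (constructed format)."""
    flags, sender = [], domain_of(msg["from_addr"])
    imitated = lookalike_of(sender)
    if imitated:
        flags.append(f"sender domain {sender} looks like {imitated}")
    name = msg.get("from_name", "").lower()
    if not is_trusted(sender):   # a brand name in the display name but a foreign address
        flags += [f"display name claims {t.split('.')[0]} but address is {sender}"
                  for t in TRUSTED_DOMAINS if t.split(".")[0] in name]
    reply = msg.get("reply_to")
    if reply and domain_of(reply) != sender:
        flags.append(f"reply-to domain {domain_of(reply)} differs from sender domain")
    return flags

# Constructed sample headers: a lookalike-domain lure, a genuine message, and a subdomain trick.
SAMPLE_MESSAGES = [
    {"from_name": "Example-Corp IT Support", "from_addr": "helpdesk@examp1e-c0rp.com",
     "reply_to": "recover@mailbox-free.example"},
    {"from_name": "Jane Doe", "from_addr": "jane.doe@example-corp.com"},
    {"from_name": "Payroll", "from_addr": "payroll@example-corp.com.evil.example"},
]
```

Running `red_flags` over each entry of `SAMPLE_MESSAGES` yields three flags for the first message, none for the genuine one, and a single subdomain-trick flag for the third.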
Establish reporting mechanisms and encourage employees to report suspicious calls, emails, and other similar activities
There should be a reporting mechanism in place so that employees can report any suspicious activity to the security team, making it easier to detect and prevent social engineering attacks.
Carrying out regular penetration testing is useful for discovering vulnerabilities in the human element of the IT infrastructure so that weaknesses can be identified and remedied.
Network access control (NAC)
Implementing network access control technology can provide two distinct benefits:
- Preventing unauthorized access to the network by applying multi-factor authentication: NAC systems enable businesses to restrict access to certain areas of the network to specific employees with the right credentials. NAC systems usually include multi-factor authentication functionality, which helps prevent intruders from gaining access to critical IT infrastructure. Obtaining account login credentials is one of the primary ways attackers infiltrate corporate networks. Multi-factor authentication makes it easier to recover such accounts and prevents unauthorized access.
- Post-admission controls can mitigate risks by restricting lateral movement across the network: NAC systems can be used to restrict access to different parts of the network, minimizing the harm an unauthorized attacker can cause. This control makes it less likely that an intruder obtains confidential data such as trade secrets and can reduce the number of individuals whose personal data are compromised. Therefore, the financial loss from a data breach would be less severe.
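The two enforcement points described in the list above, modelled in Python as an added illustration that is neither Portnox code nor part of the original article: a pre-admission check in which a correct password without MFA is refused, and a post-admission segment policy that records every refused attempt so repeated probing across segments can be flagged. The roles, segment names and session format are constructed for this example.

```python
from dataclasses import dataclass, field

# Post-admission policy: the segments each role may reach (constructed for this example).
SEGMENT_POLICY = {
    "finance": {"finance-vlan", "shared-services"},
    "engineering": {"dev-vlan", "shared-services"},
}

@dataclass
class Session:
    user: str
    role: str
    password_ok: bool
    mfa_ok: bool
    admitted: bool = False
    denials: list = field(default_factory=list)

def admit(s: Session) -> bool:
    """Pre-admission: a correct password alone (e.g. one handed over to a phisher) is not enough."""
    s.admitted = s.password_ok and s.mfa_ok
    return s.admitted

def authorize(s: Session, segment: str) -> bool:
    """Post-admission: allow only the role's segments and record every refused attempt."""
    ok = s.admitted and segment in SEGMENT_POLICY.get(s.role, set())
    if not ok:
        s.denials.append(segment)
    return ok

def lateral_movement_suspected(s: Session, threshold: int = 2) -> bool:
    """Repeated denials from one session are worth raising to the security team."""
    return len(s.denials) >= threshold

def walkthrough() -> dict:
    """Constructed scenario: a phished password used without MFA, then a genuine user probing other segments."""
    intruder = Session("jane.doe", "finance", password_ok=True, mfa_ok=False)
    insider = Session("jane.doe", "finance", password_ok=True, mfa_ok=True)
    admit(intruder)
    admit(insider)
    return {
        "intruder_admitted": intruder.admitted,
        "intruder_finance": authorize(intruder, "finance-vlan"),
        "insider_finance": authorize(insider, "finance-vlan"),
        "insider_dev": authorize(insider, "dev-vlan"),
        "insider_hr": authorize(insider, "hr-vlan"),
        "alert": lateral_movement_suspected(insider),
    }
```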