People have a natural inclination to open and respond to emails, and therein lies the reason for the tremendous success of social engineering attacks. Virtually all criminal-minded individuals using email as their primary entry point to a computer network, include social engineering as one of their main assault methods. Social engineering routinely causes all kinds of havoc with security systems, including business email compromise fraud (BEC), advanced persistent threat (APT) actors, and financially-driven cybercrime.
There is a constant game being played between perpetrators and victims. Companies invest in educating their employees to the dangers of social engineering crimes, and that makes employees better equipped to identify potential threats in their inbox. On the other hand, cybercriminals recognize that workers are being trained and are not as naive, so they take steps to make their attacks more sophisticated. Criminals realize they have to stay one step ahead of employees, or their attacks will not bear fruit.
Current Social Engineering Approaches
Given the fact that most employees have become aware of the dangers posed by unknown email senders, cybercriminals have evolved their attacks to allay the suspicions and fears of employees. Here are some of the most popular approaches to social engineering:
- Criminals frequently make use of themes in their emails which are known to be socially relevant, currently topical, or timely in nature.
- They also incorporate phone technology into their attacks, especially since virtually everyone on the planet currently owns one.
- When they hit on a successful strategy, e.g. using a trusted company’s services, they immediately exploit and expand that usage.
- Criminals have access to conversation threads which take place between co-workers, and they make use of this knowledge to exploit them.
- They try to establish prolonged and continuing conversations with employees, so as to build trust and confidence, before making a move to exploit them somehow.
Successful 2021 Social Engineering Attacks
2021 was a good year for Cybercriminals perpetrating social engineering attacks. In November, an attacker called Robinhood, an investing app which is commission-free. He got his customer service call escalated to a higher level, and eventually was able to access some of the customer support systems for the trading platform. Five million emails of customers were breached, and two million more investor names were exposed. As you might expect, the COVID-19 pandemic provided easy pickings for Cybercriminals.
All kinds of calls were made to people with the criminal posing as a government official, requesting people to submit data about their vaccination status. Using Deepfake technology, a Cyberattacker was able to convince a bank employee that he was making a legal and legitimate transfer of $35 million to a business client – instead that money went to the Attacker. The phone conversation was supported by phishing emails previously sent by the perpetrator to help with the use. The transfer went through, and the bank lost the $35 million.
Why Is Social Engineering So Effective?
Despite the best efforts of companies to educate their workers, the fact remains that humans are almost always the weakest link in any network chain. It is very often far easier to dupe them and exploit them than it is to circumvent the sophisticated security systems in place at other endpoints of a network. Many cybercriminals have grown so sophisticated themselves that they’re now setup to emulate legitimate businesses, and that provides them with a stable platform from which to operate and to carry out their attacks.
This has also allowed them to scale their operations, so as to reap in even greater profits than before. In short, it is becoming even more lucrative for Cyberattackers to carry out their attacks than it was in the past. Having been reinforced in their belief that humans are the most easily exploitable part of any infrastructure, criminals have made it a point to continue preying on the emotions, instincts, and behaviors of human employees. And that means that social engineering will not go away anytime soon – in fact, for the foreseeable future, you can count on social engineering to remain as one of the most effective tools in the arsenal of Cybercriminals.
What To Know About Social Engineering Attacks
Social engineering can take a great many forms, because there are all kinds of ways that employees can be duped into providing something an attacker needs. Of all the possible forms social engineering may take, the three listed below are by far the most common:
Baiting and scareware – baiting promises the victim something that increases their curiosity, and convinces them to supply personal data, or into doing something that permits the entry of malware into the company network. One popular use is to convince the victim that their system is infected, and that they have to install some software (which actually carries malware) in order to clean it.
Pretexting – this involves using a fake identity for the purpose of securing sensitive information. All kinds of data can be acquired using this approach, because it’s fairly easy to convince an employee that they’re actually talking to a company manager.
Phishing and spear phishing – still the all-time champion among social engineering tactics, phishing persuades an email recipient to click on an attachment that quickly downloads malware into the network. Spear phishing is a bit more exclusive, targeting specific employees with a message that has been customized just for them. When the employee responds or performs some kind of action, that allows the attacker into the system, where all kinds of damage can be done.
Outlook for the future
Social engineering is here to stay, just like human employees are here to stay. The only way to prevent or minimize damage done to a company network is to constantly train employees and increase their awareness of the risks posed by social engineering, and the ways that attackers operate. With increased awareness and constant training, there is hope that severe social engineering attacks in the future can be avoided.