The weakest link in the security chain is not our processes or our technology: it is us. On one hand, there is human error. A large share of security incidents (40%, by conservative estimates) are triggered by human behavior, such as clicking on a phishing link. On the other hand, there is the role of social engineering in provoking that error in the first place.
Social engineering is a term for a broad range of malicious activities carried out through human interaction. It uses psychological manipulation to exploit our emotional vulnerabilities and trick users into making security mistakes or giving away sensitive information. These attacks often involve time-sensitive opportunities and urgent requests, designed to create a sense of panic so that the victim acts before thinking.
The most common social engineering tactic: Phishing
The dominant form of social engineering attack is phishing. Phishing is a form of fraud in which an attacker impersonates a person or organization the target knows and sends a message crafted to harvest credentials, get the recipient to open a malicious link or attachment, or authorize a payment, typically for financial gain. The most famous example of email-borne fraud is the “419” scam, also known as the “Nigerian Prince” scam, which purports to be a message from a Nigerian prince requesting your help to move a large sum of money out of the country. Strictly speaking it is advance-fee fraud rather than phishing, since it asks for money up front rather than for credentials or access, but it relies on the same manipulation. It is one of the oldest scams around, dating back to the 1800s when it was known as “The Spanish Prisoner.”
While the modern version, the “419” scam, first hit email accounts in the 1990s, phishing has expanded over the decades to include methods such as spam phishing, a generalized attack sent to large numbers of users. This “spray-and-pray” approach leans on quantity over quality, as it only needs to trick a small fraction of the people who receive the message.
In contrast, spear phishing messages are targeted, personalized attacks aimed at a specific individual. They are typically designed to appear to come from someone the user already trusts, with the goal of getting the target to click a malicious link or open a malicious attachment. Once that happens, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their device or network, or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.
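The two indicators described above, a sender that is made to look like someone the target trusts and a message that manufactures urgency, are exactly what a mail-triage rule can look for. The following is an added example, not code from the original article or from Arctic Wolf: it parses raw messages with Python's standard library and reports spoofed display names, mismatched Reply-To domains, look-alike sender domains and urgency phrases. The trusted-domain list, the phrase list and the three sample messages are all constructed for illustration.

```python
"""
Added example (not from the original article): triage raw email messages
for common spear-phishing indicators.  TRUSTED_DOMAINS, URGENCY_PHRASES and
the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains this organisation legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Time-pressure phrases typical of the "act now" lure.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "act now")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None.

    A real subdomain of a trusted domain (mail.examplebank.com) is not flagged;
    a typo-squat (examp1ebank.com) or a domain that merely embeds the trusted
    brand label (mail-examplebank.com) is.
    """
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS, key=len, reverse=True):
        if domain.endswith("." + trusted):
            return None
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None


def body_text(msg) -> str:
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return msg.get_payload()


def analyze(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. Display name carries an address whose domain differs from the real sender.
    m = re.search(r"@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name claims {m.group(1).lower()} but sender is {from_dom}")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")

    # 3. Sender or reply-to domain imitates a trusted one (order preserved, deduplicated).
    for dom in dict.fromkeys([from_dom, reply_dom]):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{dom} looks like trusted domain {target}")

    # 4. Urgency language in subject or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample 1: display-name spoofing from a free-mail account.
DISPLAY_NAME_SPOOF = """\
From: "ceo@example.com" <ceo.example.corp@gmail.com>
To: finance@example.com
Subject: Urgent - need this done immediately

Are you at your desk? I need gift cards purchased within 24 hours.
"""

# Constructed sample 2: typo-squatted sender plus a redirected Reply-To.
LOOKALIKE_DOMAIN = """\
From: Jane Doe <jane.doe@examp1ebank.com>
Reply-To: payments@mail-examplebank.com
To: finance@example.com
Subject: Updated vendor bank details

Please change the beneficiary on the attached invoice; the account will be suspended otherwise.
"""

# Constructed sample 3: benign internal message.
BENIGN = """\
From: Jane Doe <jane.doe@examplebank.com>
To: finance@example.com
Subject: Lunch on Thursday

Still on for Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("spoof", DISPLAY_NAME_SPOOF), ("lookalike", LOOKALIKE_DOMAIN), ("benign", BENIGN)):
        print(name, analyze(raw) or "no findings")
```

Heuristics like these are a triage aid, not a verdict: a legitimate vendor can set a different Reply-To, and an attacker who has compromised a real mailbox trips none of the sender checks. Pair them with authentication results (SPF, DKIM, DMARC) from the receiving gateway rather than using them alone.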
Whale-phishing or whaling
Whaling is a form of spear phishing aimed at high-profile, high-value targets like celebrities, company executives, board members and government officials.
Angler phishing is a newer term for attacks that the target unwittingly initiates. The attack begins with a customer complaining on social media about the service of a company or financial institution. Cybercriminals trawl the accounts of major companies looking for such complaints and, once they find one, reply to that customer with a phishing message from a bogus corporate social media account.
Vishing, or voice phishing, uses the telephone or VoIP (voice over internet protocol) technology. This type of attack is growing rapidly, with reported cases rising 550% over the preceding 12 months. In March 2022, the number of vishing attacks experienced by organizations reached its highest level ever reported, passing the previous record set in September 2021.
Vishing tactics are most commonly used against the elderly. Attackers may, for instance, claim to be a family member who needs an immediate money transfer to get themselves out of trouble, or a charity seeking donations after a natural disaster.
Baiting and scareware
Beyond the numerous categories and subcategories of phishing, there are other forms of social engineering, such as ad-based and physical attacks. Take, for example, baiting, in which a false promise such as an online ad for a free game or deeply discounted software is used to trick the victim into revealing sensitive personal and financial information or into infecting their system with malware or ransomware. The physical version of the same lure is a malware-laden USB drive left where a curious employee will find it and plug it in.
Scareware attacks, meanwhile, use pop-up ads to frighten a user into thinking their system is infected with a computer virus, and that they need to purchase the offered antivirus software to protect themselves. Instead, the software itself is malicious, infecting the user’s system with the very viruses they were trying to prevent.
Tailgating and shoulder surfing
Physical social engineering attacks include tailgating, in which an attacker follows an authorized person through a controlled door, or talks their way past reception, to gain unauthorized access to secure spaces on company premises. Organizations should be particularly alert to recently terminated employees returning to the office with a key card that has not yet been deactivated, for example.
Similarly, shoulder surfing (reading someone's screen or watching them type in a public space) and plain eavesdropping are remarkably simple ways to pick up passwords and other sensitive information.
Ultimately, as technologies evolve, so do the methods cybercriminals use to steal money, damage data and harm reputations. Companies can have all the tools in the world at their disposal, but if the root cause is human action that is neither protected nor controlled, they remain vulnerable to a breach. It is therefore critically important for businesses to take a multi-layered approach to their cybersecurity strategy, incorporating staff training, a positive security culture, regular penetration testing that uses social engineering techniques, and technical controls that limit the damage a single click or phone call can do.
Ian McShane is Vice President of Strategy at Arctic Wolf.