
    Recognizing And Avoiding Social Engineering Attacks

    Managing the risk of social engineering

    Posted on 05-31-2018
    A successful New Jersey business recently retained a cyber expert to evaluate the effectiveness of its network’s cybersecurity. The expert upgraded the company’s systems and educated its employees on how to recognize, prevent and respond to a cyber-attack. The expert then tested the defenses and was unable, despite multiple attempts, to hack into the company’s network. Satisfied that the network was reasonably secure, he decided to try one last trick.
     
    Posing as a friendly client who had an upcoming meeting, he called a receptionist and was given a Wi-Fi password, which gave him access to the company’s network and sensitive information.

    The good news for the company is that the breach was not real. The bad news is that, despite spending thousands of dollars to bolster its network security, the company’s network was compromised with a simple phone call. This is social engineering at its best.

    What is Social Engineering?

    Social engineering is a broad term describing the practice of using social interaction and deception to obtain or compromise financial or computer information. It can be a cheap, easy and low-tech way for hackers and cyber criminals to gain access to a company’s protected information. In fact, the majority of existing malware is designed to trick a user through some type of social engineering scheme rather than to exploit a technical flaw in a system or program.
     
    This is a wise strategy for hackers since it is estimated that computer users account for more than 90% of cybersecurity incidents.
     
    Social engineering relies on psychology and human nature to manipulate its victims. Famed hacker and social engineer Kevin Mitnick, who is a prominent cybersecurity consultant, observed that people “may know that they shouldn’t give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of an apparent authority figure – all these are triggers, which can be used by a social engineer to convince a person to override established security procedures.”
     
    The social engineer targets companies and individuals by posing as a legitimate contact such as a client, employee, creditor or vendor in order to further the deception and gain access to company information. They can be friendly, helpful and unassuming or, in the case of an IRS scam, serious and threatening.
     
    Social engineers also target people’s natural curiosity by sending e-mails or social media posts containing intriguing or attention-grabbing headlines, or files and articles embedded with malicious links or software. One cyber expert was able to gain access to his client’s login credentials by placing Trojan-infected USB drives throughout the company’s parking lot. He correctly assumed that at least one employee would plug a drive into their computer to see what was on it.
     
    This is what social engineering is designed to do – exploit human nature to manipulate victims into giving information or access to computer networks.
     
    Social engineering comes in many forms. It can involve direct communication such as phone scams or physical interaction such as “shoulder surfing” or “tailgating” (e.g., a fake delivery person following an employee into a secure area). Social engineers can also monitor social media and other sources to secure personal information to be used in a broader, more significant cyber-attack.
     
    One of the most popular and successful forms of social engineering is phishing, which involves sending e-mail or social media messages to trick a person into providing personal information or to infect a computer system with malware or ransomware. Hackers pose as a trustworthy or recognized entity or may send an e-mail from a hacked account belonging to a friend, business associate or co-worker. More sophisticated hackers use e-mail or websites which appear legitimate and may include detailed business or personal information which makes an attack more difficult to detect. Employees at all levels of an organization are vulnerable to such attacks.
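The paragraph above names the two things a phishing message usually gets subtly wrong: the sender’s domain only resembles a trusted one, and the display name claims a party the address does not belong to. The following screen, added here as an illustration and not code from the article or its author, checks an incoming message for those indicators plus a mismatched Reply-To. The trusted-domain list, the confusable-character map and the three sample messages are all constructed for the example.

```python
"""Defender-side screen for the sender-spoofing indicators described above.

Added example, not the article's code. TRUSTED_DOMAINS, CONFUSABLES and
SAMPLE_MESSAGES are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed: domains this (hypothetical) company genuinely corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com"}

# Constructed: single-character swaps commonly used to make a domain look like another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Collapse look-alike spellings so 'examp1e-bank.com' compares as 'example-bank.com'."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()  # folds full-width letters etc.
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    raw = domain.lower().strip()
    if raw in TRUSTED_DOMAINS:
        return None  # exact match with a domain we trust
    norm = normalize_domain(raw)
    if norm in TRUSTED_DOMAINS:
        return norm  # differs only by confusable characters
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, trusted) <= 2:  # one or two typos away
            return trusted
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings for a raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    findings = []

    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain '{domain}' resembles trusted domain '{target}'")

    # Display name invokes a trusted party while the address comes from elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and domain.lower() != trusted:
            findings.append(f"display name mentions '{brand}' but address is @{domain}")

    # Replies silently redirected to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_to.rpartition("@")[2]
    if reply_to and reply_domain.lower() != domain.lower():
        findings.append(f"Reply-To goes to @{reply_domain}, not the sender's domain")
    return findings


# Constructed sample messages: one legitimate, one look-alike domain, one Reply-To redirect.
SAMPLE_MESSAGES = {
    "legitimate": (
        "From: Accounts <billing@acme-supplier.com>\nSubject: Invoice 1042\n\n"
        "Please find the invoice attached.\n"
    ),
    "lookalike": (
        "From: Example Bank Support <alerts@examp1e-bank.com>\n"
        "Subject: Verify your account\n\nYour account is locked. Click below.\n"
    ),
    "reply_to": (
        "From: Jane Doe <jane@acme-supplier.com>\nReply-To: jane.doe@mail-relay.example\n"
        "Subject: Updated banking details\n\nPlease wire to the new account.\n"
    ),
}


def scan_all() -> dict:
    """Screen every sample message; returns {name: [findings]}."""
    return {name: phishing_indicators(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {'clean' if not findings else '; '.join(findings)}")
```

The edit-distance threshold is deliberately loose, so a genuinely new supplier whose domain happens to sit two edits from a trusted one will be flagged for a human look; for a mail-flow screen that is the cheaper error, and it is exactly the situation where the article’s advice (verify out of band before acting) applies.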

    The Cost of Social Engineering

    The business cost of social engineering and cyber-attacks is eye-opening. A study conducted in 2015 estimated that the cost for an average company to contain malware is $1.9 million and that large companies, with more than 10,000 employees, spend an average of $3.7 million a year to address and respond to phishing attacks. Another study estimated that the average organizational cost of a data breach is $7.01 million.
     
    The total cost of cyber-attacks on global business was estimated to exceed $300 billion last year.
     
    Potential costs to companies include expenses for investigation, regulatory compliance, legal and public relations, and lost business and revenue. In the case of the theft of customer financial data, a company may also be responsible for costs associated with customer notification and protection, and for potential fines and penalties for regulatory violations. Long-term costs for a company could include increased insurance premiums and the loss of the company’s reputation and goodwill.
     
    These risks apply to companies of all sizes. IBM recently estimated that small and mid-sized businesses account for 60% of all cyber-attacks. Such companies, which are generally less sophisticated and less prepared to deal with cyber-attacks, may make more attractive targets for hackers and cyber criminals.

    Managing the Risk of Social Engineering

    Companies can take certain steps to help mitigate the risk of social engineering. There are many factors that play into evaluating a company’s specific risk but some of the general steps are as follows:
     
    • Establish and maintain an effective cybersecurity program with clear rules/procedures
    • Constantly update and monitor computer systems and network
    • Educate and train employees and management on how to identify, avoid and respond to social engineering and cyber-attacks
    • Create a phishing incident and data breach response plan and rehearse responses to various attacks (“fire drills”)
    • Consider purchasing cyber liability insurance to cover the potential costs associated with a socially engineered cyber-attack
    • Consider retaining an expert to evaluate and test network security and evaluate a company’s policies and ability to prevent and respond to social engineering and cyber-attacks

    Training

    Businesses can protect themselves by conducting regular, interactive cybersecurity training for both employees and management. Training should include a discussion of the common cybersecurity threats and attacks currently taking place. It is also beneficial to explain your business’s security principles, policies, resources and expectations of employees. Finally, your company’s protocols for reporting possible cyber incidents, including breaches, need to be explained to your employees.
     
    The last thing that you as a business owner want is to have an employee not report a possible cyber breach for fear of being admonished or disciplined. Cybersecurity training should be designed around the concept that everyone has a role to play in maintaining a cyber-secure work environment.
     
    Regular cybersecurity training is one of the easiest things a business can do to protect itself from cyber-attack. Oftentimes, cybersecurity training is mandated by insurance carriers that underwrite cyber insurance policies. With the proper behavioral changes, businesses can greatly reduce the likelihood that their company will experience a cyber breach. It all starts with educating your employees and developing a culture of cybersecurity.

    Author Bio

    Andrew J. Gibbs is a Partner with Lindabury, McCormick, Estabrook & Cooper, P.C. He concentrates his practice in the areas of commercial litigation and insurance litigation and coverage.
    Visit www.lindabury.com
    Connect Andrew J. Gibbs
    Follow @LindaburyLaw

    ePub Issues

    This article was published in the following issue:
    June 2018 HR Legal & Compliance

    Copyright © 1999-2025 by HR.com - Maximizing Human Potential. All rights reserved.