Work smarter, not harder. Even hackers nowadays rely on this long-lived saying when it comes to, for example, gathering confidential information or gaining unauthorized access to a device.
In fact, malicious actors are well aware that it’s much easier to manipulate and persuade people into giving out confidential information than to spend far more time trying to reach the same goal with sophisticated hacking techniques.
We’re talking about the social engineering phenomenon: as the name may suggest, this ever-growing form of cyber-attack focuses on the weak link of every security chain – humans.
Although a clear definition is difficult to establish, experts agree on dividing this field into 6 types:
- Reverse social engineering is a means to build trust between the victim and the attacker.
- Impersonation is a highly rewarding technique where the attacker pretends to be someone else, someone trusted such as a relative of the victim or an authority.
- Intimidation aims to make the victim more likely to follow the steps indicated by the attacker through fear.
- Incentive is a manipulation strategy which relies on the victim’s motivation such as the lure of gain.
- Responsibility is intended to make the victim believe that he or she must comply with certain laws, regulations, or social rules.
- Distraction is used to misdirect the victim’s attention, while carrying out an attack without being detected. Attacks – especially against companies – often rely on this technique: attackers identify the opportune time when the employees are focused on a specific event such as an important transaction to perform their attack.
Thus, the manipulation methods used to carry out social engineering attacks are numerous and can have deleterious effects, especially for businesses. Moreover, companies have been targeted even more since the beginning of the pandemic and the growing use of remote working. As a matter of fact, cybercriminals stole $6.9 billion in 2021, using social engineering to break into remote workplaces.
One of the most common and successful social engineering attacks is known as spear phishing – a targeted phishing campaign. To better understand how it works and what the consequences can be, one can take a closer look at the case of the Ukrainian company Kyivoblenergo. In 2015, the employees of this Ukrainian electricity supplier received an email that seemed to be an official communication from the Minister of Ukraine Energy. This mix of impersonation and responsibility strategies led the employees to readily open the Word document attached to the email, which allowed the hidden malware to spread across the whole company, causing a power outage for more than 225,000 customers all over Ukraine, lasting for three hours.
However, it’s not just the businesses that can be gravely impacted by this relatively new frontier in the realm of cyber-attacks.
Since we’re living in an era where basically all of our day-to-day activities – including transactions, business meetings and many more – are somehow carried out or shared online, individuals are indeed among the most vulnerable targets of social engineering.
Probably all of us have at least once received a suspicious email requesting personal information or attempting to induce us to click on a malicious link.
Fortunately, the majority of scam emails being massively sent to users automatically end up in our spam folder. However, that’s not always the case. Indeed, users must be prepared to recognize and properly react to such fraudulent attempts since it’s not a matter of if but when it’s going to happen.
Some popular tips and tricks to avoid falling victim to phishing include never giving out private information – especially passwords or banking data – to sources whose legitimacy we’re unsure of and avoiding clicking on links from unknown or suspicious websites.
Nevertheless, cybercriminals are continuously refining their techniques and it’s becoming increasingly harder to spot and dodge potential scams. In fact, hackers have started to personalize attacks by relying more and more on personal information found on social media, which further helps to deceive the victim.
It’s therefore essential in this day and age for both businesses and individuals to be aware of the current cyber-threats and attack techniques relying on social engineering.
Companies should focus on employee training, such as periodic courses together with simulation exercises, which could help spread awareness of the phenomenon among all strata of the organization’s hierarchy.
Individuals, on their side, should stay vigilant and should be selective and cautious when it comes to sharing information on their social media profiles.
Undoubtedly, a proactive approach is the first step to tackle social engineering in all of its forms.
Link to the Italian version here: https://www.ilconfrontoquotidiano.com/post/social-engineering-sfruttare-la-psicologia-nella-nuova-era-degli-attacchi-informatici
Authors: Asia Giusti & Charlotte Arnaud