Social Engineering Attack Prevention Series: Understanding The Art of Malicious Deception
The information we share online, with whom we share it, and where we share it pose a significant and critical threat to businesses, critical infrastructure organizations, hospitals, and financial institutions around the world. As we begin 2023, the importance of social engineering prevention cannot be overstated. While the pandemic ushered in the challenge of separating our personal and professional lives, threat actors took full advantage of the increased attack surface by designing sophisticated tactics to weaponize our lax digital habits against us. In support of zvelo’s mission to make the internet safer and more secure, this blog series aims to provide a social engineering prevention toolkit, offering an in-depth look at social engineering: what it is, the signs of an attack, how attackers collect and weaponize your digital information, guidelines and strategies for attack prevention, and what to do if you fall victim. The series kicks off with the basics of social engineering: what it is, how to recognize the red flags of an attack, and how our personal cyber hygiene is being weaponized to perpetrate large-scale organizational attacks.
The Growing Threat of Social Engineering
While most of us have grown accustomed to ignoring emails from Nigerian Princes, many of the scams circulating today are not so easily recognizable. Attackers use sophisticated tactics to harvest publicly available data provided by the victims themselves through online posts and activity, and use what they gather to launch deeply personalized attacks through legitimate application features, which makes them incredibly difficult to detect and prevent with technology alone. From romance scams, to investment scams, to charity and disaster fraud, and more, nearly 6 million people in the US reported losing more than $5.8 billion to fraud in 2021. Worse, organizations around the world have incurred losses into the trillions, and by 2025 total global cybercrime damages are anticipated to hit $10.5 trillion USD.
What is Social Engineering?
Social engineering attacks are a type of cybercrime designed to exploit human weakness by using psychological manipulation to trick individuals into divulging sensitive information or performing actions that may be against their own interests. Financially motivated, the goal of these attacks is usually to gain access to confidential information or systems that the threat actors can then leverage for fraudulent or malicious purposes. The most common attack tactics include phishing, spear phishing, whaling, smishing, vishing, pretexting, baiting, and business email compromise, among others, and attacks can take place through channels like email, mobile devices, social media, or in-person interactions. Regardless of whether an attacker is after an individual as the target, or looking to gain access to a larger network, the red flags of a social engineering attack are the same.
What are the Red Flags of a Social Engineering Attack?
Preventing social engineering attacks requires becoming familiar with the tactics and red flags to help you avoid becoming a victim. Most commonly, attackers use tactics that build trust and rapport with a target, use authority or legitimacy to coerce a response, or exploit human emotions such as fear, greed, or curiosity. While we explore this topic in greater detail in Part 3 of the series, below are some of the top red flags that can tip you off:
- A request to ‘verify’ your information along with a link to a form hosted on a deceptive phishing page to capture your account credentials.
- An unexpected attachment that could be an invoice, a resume, or other document that contains a malicious link.
- An unusual request that seems out of the ordinary like transferring a large sum of money — especially common when the attacker is impersonating a CFO or CEO.
- An urgent request that may be related to, for example, an unauthorized payment notification or suggestion that your device has been infected with malware, prompting you to call a fake support number.
- An offer that sounds too good to be true such as an offer to win money or prizes in exchange for entering personal or company information.
- A social media connection request from someone you don’t know — an obvious red flag on some platforms, but not on others like LinkedIn where that behavior is typical. LinkedIn removed more than 87 million spam and scam attempts in the first half of 2022.
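The first five red flags above are the kind of indicators a mail-security or SOC team can encode as reviewable checks. The following scorer is an added example written for this post, not zvelo's code or a product feature: it assumes the organization's own mail domain is `example.com` (an assumption), runs over three constructed sample messages (not real mail), and uses arbitrary keyword lists and a two-flag quarantine threshold that a real deployment would tune against its own traffic. The point it makes that the list alone does not is that single indicators (urgency, a link, an attachment) are common in legitimate mail, so the useful signal is several independent flags landing on one message.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Added example for this post (not zvelo's code): a red-flag scorer that turns
# the indicators listed above into simple, reviewable checks.

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended|act now)\b", re.I)
VERIFY = re.compile(r"\b(verify|confirm|update) your (account|information|password|details)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer)\b.*?\$\s?\d", re.I | re.S)
PRIZE = re.compile(r"\b(you have won|you've won|prize|lottery|free gift)\b", re.I)
SUPPORT = re.compile(r"\b(call|phone)\b.*?\b(support|helpdesk)\b.*?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}", re.I | re.S)
EXEC_TITLE = re.compile(r"\b(ceo|cfo|coo|chief|president)\b", re.I)
# Executable-type attachments, including the "Invoice.pdf.exe" double-extension trick.
RISKY_ATTACHMENT = re.compile(r"(\.\w{2,4})?\.(exe|scr|js|vbs|hta|iso|lnk)$", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)        # (anchor text, href) pairs
    attachments: list = field(default_factory=list)  # file names only


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'portal.example.com' (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL or URL-like anchor text; '' if the text is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text
    host = urlparse(text).hostname or ""
    return host.lower() if "." in host else ""


def red_flags(mail: Email) -> list:
    flags = []
    text = f"{mail.subject}\n{mail.body}"
    sender_domain = mail.from_addr.rsplit("@", 1)[-1].lower()

    # Display name claims an executive role but the address is not the org's own domain.
    if EXEC_TITLE.search(mail.display_name) and registrable_domain(sender_domain) != ORG_DOMAIN:
        flags.append("executive-impersonation")
    # "Verify your account" plus a link is the classic credential-harvesting pattern.
    if VERIFY.search(text) and mail.links:
        flags.append("credential-verify-request")
    # Anchor text that names one domain while the href points at another.
    for anchor, href in mail.links:
        shown, actual = host_of(anchor), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            flags.append("link-text-mismatch")
            break
    if URGENCY.search(text):
        flags.append("urgency")
    if MONEY.search(text):
        flags.append("money-transfer-request")
    if PRIZE.search(text):
        flags.append("too-good-to-be-true")
    if SUPPORT.search(text):
        flags.append("fake-support-number")
    if any(RISKY_ATTACHMENT.search(name) for name in mail.attachments):
        flags.append("risky-attachment")
    return flags


def verdict(mail: Email, threshold: int = 2) -> str:
    """Two or more independent flags: hold for review; one: warn the user; none: deliver."""
    n = len(red_flags(mail))
    return "quarantine" if n >= threshold else "warn" if n == 1 else "deliver"


# Constructed sample messages (not real mail).
SAMPLES = {
    "bec": Email("Jane Doe, CFO", "jane.doe@examp1e-corp.net", "Quick favour",
                 "I need you to wire $48,500 to the new vendor immediately. "
                 "I'm in meetings all day, so just confirm by email.",
                 attachments=["Vendor_Invoice.pdf.exe"]),
    "credential": Email("IT Helpdesk", "noreply@mail-service.test", "Action required",
                        "Your mailbox is over quota. Please verify your account within 24 hours "
                        "or it will be suspended.",
                        links=[("https://portal.example.com/login",
                                "https://portal.example.com.login-page.test/auth")]),
    "benign": Email("Bob Smith", "bob.smith@example.com", "Q3 slides",
                    "Attaching the Q3 slides we discussed. Does Thursday still work?",
                    attachments=["q3_slides.pdf"]),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(f"{name:>10}: {verdict(mail):<10} {red_flags(mail)}")
```

Run as a script, the "bec" sample trips four flags (executive impersonation, urgency, a money-transfer request, a double-extension attachment) and the "credential" sample three (verify-your-account wording, a link whose visible domain differs from its real one, urgency), while the benign internal mail with a PDF trips none. The domain comparison deliberately uses the registrable domain rather than a substring check, because `portal.example.com.login-page.test` contains `portal.example.com` and would pass a naive `in` test.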
Although today’s technology solutions can provide a certain level of protection against cyber attacks, research has shown that up to 80% or more of data breaches are caused by human error, and the most common social engineering attack type — phishing — was responsible for 90% of data breaches in 2021 according to Cisco. Raising awareness around the red flags of social engineering attacks and the need to develop better personal cyber hygiene is critical to both personal and organizational security.
How Does My Personal Cyber Hygiene Create an Organizational Risk?
Threat actors build digital profiles of potential targets quickly and efficiently by employing social media scraping tools and data mining algorithms to collect and analyze large amounts of publicly available information. Every piece of information that you have shared online, including seemingly innocuous things another person has shared about you (tagging you in a post, sharing a group photo, etc.), could be gathered and subsequently used to tailor a social engineering attack. And while a portion of cybercriminals may be interested in gaining access to your personal bank account, credit card information, or social security number to use for identity theft, it’s often the case that the end goal is larger and you’re just the key that opens that door.
How might your personal data be used as part of a larger scheme?
- Password cracking: Using the same password for multiple accounts can pave the way for an attacker who has recovered it from one account to gain access to others, including those belonging to the organization.
- Identity theft: An attacker uses personal information, such as an individual’s name, address, and date of birth, to create a fake identity and use it to gain access to the organization’s systems or financial accounts.
- Pretexting: Your personal data can be used to create a believable pretext to persuade you or someone else to divulge sensitive information or carry out actions that compromise the organization’s security.
- Spear phishing: An attacker could use personal information, such as an individual’s name, job title, or email address, to craft a targeted phishing email that appears to come from a legitimate source. The email could contain a malicious link or attachment that, when clicked on, allows the attacker to gain access to an organization’s systems.
- Business email compromise (BEC): An attacker uses personal details to impersonate a high-level executive or other trusted individual within the organization so as to induce employees to transfer money or reveal confidential information.
When it comes to social engineering prevention, awareness is a key defense. Know what it is, how to spot the red flags of an attack, and understand the linkage between your personal cyber hygiene and organizational risk.
In Part 2 of this social engineering attack prevention series, we explore the attackers’ playbook, delving into the tactics and tools they use to profile their targets.