Cybercriminals never stop trying to gain unauthorized access to data that they can sell on the Dark Web. Personally identifiable information such as names, addresses, dates of birth, and social security numbers are only the tip of the proverbial iceberg. Understanding the way that cybercriminals leverage human emotion to successfully steal data and the types of processes and technologies that organizations can use to prevent data breaches arising from these attacks is the only way to maintain financial stability in an increasingly digital world.
What is social engineering?
Social engineering is the process cybercriminals use to emotionally manipulate people into providing personal information. While imagining cyber attackers as socially awkward men in dark rooms wearing black hoodies may be a popular culture stereotype, the reality is that many of them are highly skilled at understanding end users’ psychological weaknesses. A successful social engineering attack needs to combine elements of both psychology and humanity.
How malicious actors leverage emotion for success
The most effective tool used in a social engineering attack is the end user’s emotions, which is why training modules often fail. By evoking a strong emotion, such as fear, cybercriminals overwhelm the end user and send them into a “fight or flight” mode. Once in a state of emotional and informational overload, the end user is psychologically overwhelmed and responds without thinking.
All social engineering attacks have a similar pattern:
- Grab a person’s attention
- Provide information that overwhelms the person
- Appeal to a user’s primary emotions, most often fear
- Offer directions that help prevent an outcome
Almost every successful social engineering attack uses these four elements. For example, consider the following “email”:
I need to talk about that upcoming presentation right away. Please text me at 555-555-5555.
If “Jane” is like most people, she sees only a “snippet” of each email in her inbox view. Most likely, seeing her boss’s name at the bottom of the email and the words “I need to talk” will create an immediacy that leaves her sending off the information requested. Problematically, the immediacy and the request overload her senses, which makes her less likely to go through the processes outlined in the social engineering training she passed.
What is phishing?
Security professionals define phishing as a fraudulent attempt, generally via email, to steal information by posing as someone who seems reputable. Mostly gone are the days when a foreign prince promised wealth if the reader let him wire money to an account. Modern phishing attacks occur across all digital platforms and hide malware in fake websites.
Email phishing is when a cybercriminal sends an email that either scares the recipient or sounds too good to be true.
One way that malicious actors attempt to exfiltrate information is by sending an email implying that an account password needs a reset. The cyber attacker creates a fake website, embeds the link within the email’s text to hide it, and requests that the user click on the link to reset the password. When victims click that link, worried that the account has already been breached, the attacker either gains the password via the “change password” portal, installs malware on the computer, or both.
Social media phishing
Social media phishing works just like email phishing, except that instead of an email, the cybercriminal sends a private message to a social media account. The private message appears to be from someone the user knows but is really a duplicate or fake account created solely as a device for obtaining information.
SMiShing is the term used for getting phished by text (or SMS). Increasingly, hackers leverage texts as a way to get information. Texts, unlike emails or social media messages, are more difficult for end users to verify, especially since many people link their mobile phone numbers to their most important accounts.
For example, someone who agrees to text notifications about their data plan may receive a text that their data is reaching a monthly limit. The text provides a link and suggests that the user check the account. Clicking that link in the text poses the same problem as clicking both email and social media message links.
How to prevent a social engineering attack
Understanding how to prevent a social engineering attack means looking for clues to verify who sent the message. With email and social media, this may be easier than with a SMiShing attack, but the same principles still apply.
Verify the sender
Most companies have an email formula. For example:
Even corporate “no reply” emails usually use a similar corporate formula. To protect against a social engineering attack, people should always check whether a message is real. If the attack is done via social media, users should go to their friends list and start a new conversation there to verify. If a text looks suspicious, it’s easiest to either ignore it or to find an office or customer service number before taking any action.
Review the sent-to address
Most people receive emails from vendors or retailers every day that filter into their spam folders. While this acts as an initial filter, rogue messages often get through to an inbox. As part of protecting themselves from a social engineering attack, users should review the “addressee” or “To:” line.
Many people assume that the hyperlinked name in the “To:” line is their email address. However, when an email looks suspicious, users should hover over the blue highlighted addressee name and then delete the email if they don’t see their own address.
Validate the email introduction
Most phishing emails use a “vague” introduction such as “Dear User” or “Hello Friend.” However, the rise of marketing automation tools has changed how businesses communicate with their customers. Marketing emails from companies will almost inevitably use a first or last name because they collected that information as part of the ordering or gated website content process. An email without a name should trigger an automatic “delete.”
Never click a link
Embedded links in emails, or links provided via text and social media, are the primary threat vector. As people become increasingly aware of social engineering attacks, cybercriminals have made their messages look more legitimate. Blue hyperlinks, or automatically clickable in-text links, hide the real URL.
Never clicking on embedded URLs would be the best “best practice.” However, it’s not necessarily reasonable. To verify the URL, users can:
- Hover their cursor over the link and see if the address shows up.
- Right-click the link, select “copy this link,” and paste it into a document to read the full address.
A valid link starts with “www.company.com,” and should be safe as long as there are no spelling errors in the link. A link that starts with “www.c0mpany.com,” where the link substitutes a zero for the first “o” is not safe.
Additionally, if the copied link pastes as a shortened “tiny URL” that looks like this: https://bitly.com/123ncug or https://tinyurl.com/123xyr, then the link is still hiding its final destination and should never be followed.
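As an added example (not part of the original post), the following Python applies the checks from “Verify the sender,” “Review the sent-to address,” and “Never click a link” in code: it reads the real address behind a display name, and it classifies a link as trusted, a lookalike (the “c0mpany.com” zero-for-o swap), or a shortener that hides its destination. The trusted domain “company.com” and the shortener list are assumed values for this illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: the organization's real domain and the shorteners
# named in the text above. A deployment would use its own lists.
TRUSTED_DOMAIN = "company.com"
SHORTENERS = {"bitly.com", "bit.ly", "tinyurl.com"}

# Digit-for-letter swaps that commonly produce a lookalike domain
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def address_domain(header_value: str) -> str:
    """Return the real domain from a header like 'Jane <jane@company.com>'.
    The display name is ignored; only the part after '@' counts."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_address(header_value: str) -> str:
    """Classify a From:/To: header as 'ok', 'lookalike' or 'external'."""
    domain = address_domain(header_value)
    if domain == TRUSTED_DOMAIN:
        return "ok"
    if domain.translate(LOOKALIKE_MAP) == TRUSTED_DOMAIN:
        return "lookalike"
    return "external"


def check_link(url: str) -> str:
    """Classify a pasted URL: 'ok', 'lookalike', 'shortener' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        return "shortener"  # final destination is hidden; do not follow
    # The trusted domain itself, or a real subdomain of it, is fine;
    # "company.com.evil.example" does not end with ".company.com".
    if bare == TRUSTED_DOMAIN or bare.endswith("." + TRUSTED_DOMAIN):
        return "ok"
    if bare.translate(LOOKALIKE_MAP) == TRUSTED_DOMAIN:
        return "lookalike"  # e.g. c0mpany.com
    return "unknown"
```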
SecurityScorecard enables organizations to mitigate social engineering attack risk
SecurityScorecard’s security ratings platform tracks risk across ten risk factor groups, including social engineering. Our social engineering risk factor scans for employees using corporate account information for social networks, service accounts, personal finance accounts, and marketing lists to ensure that none of the resources were exploited.
Consistently working with employees on how to protect themselves from social engineering attacks is the first line of defense. However, for true defense-in-depth security, organizations need a way to locate potentially compromised corporate credentials. SecurityScorecard’s easy-to-read A-F rating scale provides at-a-glance visibility into social engineering risk by giving organizations the ability to dig down into the individual risk factors for weak controls.