The rapid adoption of remote work alongside the migration of data to the cloud has made cyber security an increasingly important priority for organizations and consumers alike. 2021 broke the record for most data breaches in a year, and there is good reason to believe 2022 will continue that trend.
When most people think of breaches they imagine hackers brute-forcing their way through a system, but that is not representative of a typical data breach. Most security incidents are a result of hackers exploiting human weaknesses to gain access to systems containing sensitive data.
One of the most common ways hackers infiltrate secure systems is through social engineering. According to Verizon's Data Breach Investigations Report, 93% of successful breaches are conducted using social engineering attacks! This post will explain what social engineering is, give a few examples of common social engineering techniques, and provide 5 ways to prevent social engineering attacks.
Social engineering is when hackers use psychological manipulation to trick people into giving up confidential information or login credentials. The most common way they do this is known as phishing. In a phishing attack, a hacker pretends to be someone else (often someone the victim trusts) and persuades the victim to give up private data. People typically disclose this information either by willingly sending it directly to the hacker or by clicking on a link that steals their information.
Depending on the situation, many people will be completely unaware that they are allowing unauthorized access to private resources until it’s too late. Effective phishing attempts make it difficult for a victim to realize they are being phished, especially when the sender appears to be someone they trust. This type of social engineering attack is particularly effective because it is much easier to trick someone into letting you into a system than brute-forcing your way in. Cracking someone’s password can take lots of time and resources, but social engineering attacks can be conducted quickly and cheaply. With the rise in phishing and social engineering attacks, it’s important to be able to recognize some common forms of social engineering attacks in 2022.
An extremely dangerous form of social engineering is when hackers pretend to be a bank, credit card company, or other financial institution. They will often strike around times when money is a common issue, such as holidays or tax season, and convince the victim they need their login information to resolve a financial issue. These attacks are some of the most devastating, since a hacker can drain someone’s bank account or max out their cards if the victim discloses too much personal or financial information.
Pretending to be someone the victim trusts is one of the most common forms of social engineering attack. Hackers will typically scour the internet for someone’s personal information in order to convincingly come across as someone the victim knows. They often pretend to be in distress to create a sense of urgency. If the hacker has already breached someone’s email address, phone number, or social networking sites, the message might actually come from their real accounts. A hacker may also pretend to be someone’s co-worker and request logins or sensitive data for work-related purposes. This is one of the most effective ways to socially engineer someone, since people are naturally more trusting of people they know (or think they know).
Everyone’s heard jokes about the Nigerian Prince scam, but fake offers and giveaways are no laughing matter. These types of attacks happen when social engineers convince people to click on links or send them personal information by signing up for a fake offer. These offers usually seem too good to be true, and in this case they are! An increasingly popular social engineering attack in 2022 is scamming for cryptocurrency. Hackers will offer to make people money by giving away cryptocurrency if the victim discloses their wallet information. They may even send links to fake cryptocurrency wallets that contain malicious software. Spoiler alert: the victims never get their money back.
Fake website pages often go hand-in-hand with fraudulent offers, but they can be a part of any kind of social engineering attempt. Social engineers will create fake website landing pages that resemble a company's real website. These malicious websites are often e-commerce or banking websites where people enter financial credentials. People who click on links to fake websites will willingly fill out forms with their usernames and passwords, only for the hackers to instantly gain access to their real logins.
Now that you know some of the most common forms of social engineering attacks, here are some best practices to protect yourself and your organization.
If you get a message from a friend, family member, or co-worker that seems like it may be a social engineering attempt, contact them via some other medium or in person if possible to double check that they were the ones who sent the message. Do not respond to the suspicious messages directly in case the hackers have gained control of their accounts.
If you get a message from your bank or some other corporation, contact them separately to make sure they actually sent you a message. No financial institution will ask you to submit sensitive information via email or social media. In general, reject requests to send information over non-secure channels. This also applies if you get a text message from your phone company containing a link. If you ever have reason to believe any message you receive may contain a phishing attempt, make sure to do your own research to verify it is from a legitimate company.
Although social media phishing is on the rise, email still remains by far the largest medium for hackers to trick people into disclosing valuable information. A spam filter is a great way to stop risky emails from reaching your inbox in the first place.
Spam filters will automatically detect common signs of fraudulent emails such as misspelled words, extravagant offers, or sketchy links. Another indicator that an email is a phishing attack is if it asks you to install software. Almost all companies use anti-virus software and firewalls on top of email filters on work devices, but you should use them on personal devices as well. Most spam filters also have settings that allow you to adjust how strictly they filter emails. For maximum security, set your spam filter to a ‘high’ setting to keep your inbox secure.
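The link-based indicators just listed (a visible URL that points somewhere else, a lookalike of a real company's domain as in the fake-website section above, and a link that downloads an installer) can be checked mechanically. The following is an added example, not code from the original post or from any spam filter product; the email body, the bank name and every domain in it are constructed placeholders, and the trusted-domain allow-list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email body; the bank and domains are placeholders, not real sites.
SAMPLE_HTML = """<p>Your account is locked. Sign in at
<a href="http://examplebank-secure-login.xyz/verify">https://www.examplebank.com/login</a>
before midnight, then <a href="http://cdn.example.net/update.exe">install the security update</a>.</p>"""

TRUSTED = {"examplebank.com"}               # assumed allow-list of the real brand domains
INSTALLER = (".exe", ".msi", ".scr", ".js")  # file types a legitimate email never asks you to run


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url):
    # Reduce a URL to its last two labels, e.g. www.examplebank.com -> examplebank.com
    host = urlparse(url).netloc.lower().split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_indicators(html):
    # Returns (indicator, detail) tuples; an empty list means no link-based red flags were found.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(href)
        if text.startswith(("http://", "https://")) and registered_domain(text) != target:
            findings.append(("link text points elsewhere", f"{registered_domain(text)} -> {target}"))
        if target not in TRUSTED and any(t.split(".")[0] in target for t in TRUSTED):
            findings.append(("lookalike domain", target))
        if urlparse(href).path.lower().endswith(INSTALLER):
            findings.append(("asks to install software", href))
    return findings
```

Running `find_indicators(SAMPLE_HTML)` flags all three patterns in the constructed message, while a link whose visible text and destination both sit on the trusted domain produces no findings.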
As more and more of our lives are shared online via social media, it’s becoming increasingly important to know what information is publicly available to malicious parties looking to optimize their phishing scams. Although many phishing attacks are conducted on a massive scale, spear-phishing refers to the practice of using personal information to target specific individuals. Spear phishers can be very convincing when pretending to be someone and are experts at taking advantage of people who don't take steps to protect themselves.
One of the best ways to prevent spear-phishing is to monitor your digital footprint. Oversharing private information online allows social engineers to learn more about you in order to impersonate your friends, family, or co-workers. You should also make sure your social circles are not posting your personal information online without asking you first. Monitoring your digital footprint isn’t just important for stopping breaches, it’s crucial if you want to maintain your privacy and protect against identity theft.
Using multi-factor authentication for logins is a great way to ensure your accounts are not accessed even if you share your credentials or click on a phishing link. Multi-factor authentication offers a backup layer of protection to make sure that security breaches don’t cause significant damage.
Consider using an authenticator app such as Duo, Google Authenticator, or Authy instead of a mobile number. SIM hijacking, a process where hackers gain control of a mobile number to pass text-based 2FA, is becoming increasingly common. Physical authentication keys are an even better way to protect your accounts from unauthorized logins.
The final tip for preventing social engineering attacks is to always remain vigilant. Treat every email you get with suspicion and report any sketchy emails to your IT team if relevant. If someone sends you an offer that is too good to be true, they are trying to take advantage of you. If you receive an email that may contain a fake link to a company's website, manually type out the domain to verify it is a legitimate site. Don't assume that any unsolicited message from tech support is real. Even a seemingly innocuous phone call might actually be voice phishing. While there are tons of little steps you can take to stop social engineering, staying alert and emphasizing security at all times is the best way to stay safe.
Social engineering schemes are becoming more and more sophisticated. The days of typo-riddled emails offering millions of dollars are behind us. Hackers are using more personal data to personalize phishing communications with an unprecedented level of detail. With this rise in social engineering, it is more important than ever to remain cautious and follow online security best practices at all times.
All companies should conduct frequent security awareness training that includes anti-phishing techniques. Hackers will target the weakest link in a security chain, so it's essential that all employees get properly trained. If your organization is looking for security awareness training that's relevant to modern work, check out Haekka! Haekka was built from the ground up with a focus on protecting companies from rapidly evolving cyber threats. Haekka is integrated into Slack to make securing your workforce as simple as possible. If you want to check out Haekka for yourself, schedule a demo with one of our founders today!