There’s never been a better time to talk about social engineering.
With most people stuck at home and threats to cybersecurity continuously growing, understanding social engineering and how it works can go a long way to mitigating the spread of attacks – and don’t be fooled into believing that it’s only the vulnerable or the less tech-savvy that get caught up in social engineering scams. Every business has at least one story of the time they nearly exposed their most sensitive information to a hacker or a scammer, and the public can receive dozens of emails a day from scammers trying to trick them into revealing their information.
One particular story comes to us from an anonymous company well-known for their technological capabilities; they deal in advertising and digital marketing, and so can be considered a little bit more expert at telling apart the obvious scams from run-of-the-mill emails.
However, one day the company’s accounts administrator received an email purporting to be from her CEO. The email read:
‘Dear Annabelle, please pay the amount of EUR1,043 to the following account.’
How many emails have you received from your boss that read exactly the same? It’s not something that immediately sends an alarm bell ringing, and Annabelle wasn’t in the habit of questioning her boss’ decisions.
The thing that prevented her from authorising the payment was minuscule: her boss, a close friend of hers, never called her Annabelle in formal emails.
He called her Anna.
This tiny fragment of doubt prompted her to reach out and connect with him over the phone, where she found out that he’d never sent that email at all, and had never heard of the account that the payment was being authorised to. If it hadn’t been for Annabelle’s instincts, the company would have had to deal not only with the immediate loss of money, but with the loss of security that comes with a breach like that.
This story has a happy ending, with the scam stopped in its tracks. However, there are many more stories just like this that end with the scammer getting exactly what they wanted: access, money, and more.
In 2021, cybersecurity risks didn’t just double; they went up by 600% due to COVID-19, and they’re going to keep rising.
It’s time to start talking about the dangers of social engineering.
What is social engineering?
Social engineering falls under the umbrella of cybersecurity threats, but it actually doesn’t require a lot of technical knowledge at all! It refers to the exploitation of human psychology in order to gain access to secure data, buildings, or systems – or, in other words, people pretending to be someone they’re not in order to get access to your data, whether it’s through an email claiming to be from the postal service or a call from Mater Dei to set up an important appointment.
A key component of social engineering is that the attackers pose as people who are either in a position of authority or in a position that you don’t really know much about, such as a security specialist or a receptionist at an important bank. If you don’t really know how certain things work, it’s easy to get caught up in social engineering schemes, even if the evidence, in hindsight, looks really unbelievable.
Why does social engineering work?
You might be thinking that nobody would fall for something as obvious as an email without a logo, but consider getting a phone call from the hospital. If it comes from a number that looks roughly the same, and the person sounds official enough, you’d believe it – the same applies to businesses and banks and, as in the case of the anonymous company above, even to small and medium enterprises with lower stakes to go after.
After all, if you get an email from your boss on Monday to authorise a payment, and you normally have similar emails in your inbox, it isn’t a stretch to believe the one email that didn’t originate from him.
As a recent Cybint report discovered, 95% of cybersecurity breaches are caused by human error. Most of those probably involved social engineering.
What about cybersecurity measures?
In theory, cybersecurity measures are there to stop the risk of a breach or attack; in practice, those measures are really only effective at deflecting the more obvious attacks. This isn’t to say that they’re not important! Cybersecurity measures such as AIRO software are crucial to protecting your organisation and enabling your people to learn better online safety.
However, not much is said about social engineering. Maybe it’s considered embarrassing, maybe it’s because of a lack of understanding, but social engineering tends to get swept underneath the surface when it comes to talking about safety.
What are the social engineering techniques?
We’ve mentioned a few already, but here are some more to be on the lookout for:
- First name addresses in emails. This can be gleaned from a company website, taken from the Facebook page, or even found through a personal Instagram, but it’s the easiest way to build a connection with someone you don’t know.
- Company emails with a non-standard logo or email signature.
- On that note, domain names that end differently – .com instead of .com.mt, for example.
- A phone number from a completely different area code.
- Abrasive or sharp responses to simple questions.
- Nonspecific details – for example, ‘you owe X amount of money for customs’, but not listing the item that you’re paying customs on.
While these all seem very suspicious on paper, if someone emails or calls you out of the blue and your mind is already occupied with something else, these small signs can quickly get ignored or pushed aside. Social engineering works by attacking when people are most vulnerable or least attuned to what’s going on around them, building on confusion and self-doubt to access what they want.
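Several of the signs in the list above can be checked mechanically before a human ever reads the message. The following Python script is an added example, not code from the original post or from any product it mentions: it scores constructed sample emails for a lookalike sender domain (.com standing in for .com.mt), an executive’s display name on an external address (the CEO story above), and a payment request that carries no invoice, order or parcel reference. The trusted domain `example.com.mt`, the executive `Jane Borg` and the three sample messages are all assumptions made up for the example.

```python
"""Heuristic red-flag scorer for inbound email.

Added example (not from the original post). The trusted domain, the
executive list and the sample messages are assumptions for illustration.
"""
import re
from email.utils import parseaddr

# Assumed: the organisation's own mail domain. Anything else is external.
TRUSTED_DOMAINS = {"example.com.mt"}

# Assumed: executives worth impersonating, with the address each really uses.
EXECUTIVES = {"jane borg": "jane.borg@example.com.mt"}

# Words that suggest the message is asking for money.
PAYMENT_WORDS = re.compile(
    r"\b(pay|payment|transfer|invoice|customs|gift cards?)\b", re.I)
# A concrete reference (invoice/order/parcel number containing a digit)
# that a genuine payment request normally carries.
SPECIFIC_REFERENCE = re.compile(
    r"\b(invoice|order|parcel|ref(?:erence)?)\s*(?:no\.?|number|#)?\s*"
    r"[A-Z0-9-]*\d[A-Z0-9-]*\b", re.I)


def sender_parts(from_header):
    """Return (display name, address, domain) parsed from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def is_lookalike_domain(domain):
    """A domain that reuses a trusted domain's first label but ends
    differently (example.com in place of example.com.mt) is a lookalike."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    first = domain.split(".")[0]
    return any(first == trusted.split(".")[0] for trusted in TRUSTED_DOMAINS)


def red_flags(message):
    """Return the sorted list of red flags raised by one message
    (a dict with 'from', 'subject' and 'body' keys)."""
    flags = set()
    name, addr, domain = sender_parts(message["from"])
    if is_lookalike_domain(domain):
        flags.add("lookalike-domain")
    real_address = EXECUTIVES.get(name.lower())
    if real_address is not None and addr != real_address:
        flags.add("executive-name-external-address")
    text = f"{message['subject']}\n{message['body']}"
    if PAYMENT_WORDS.search(text) and not SPECIFIC_REFERENCE.search(text):
        flags.add("payment-request-without-specifics")
    return sorted(flags)


# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "Jane Borg <jane.borg@example.com>",
     "subject": "Urgent payment",
     "body": "Dear Annabelle, please pay the amount of EUR1,043 "
             "to the following account."},
    {"from": "Jane Borg <jane.borg@example.com.mt>",
     "subject": "Supplier invoice",
     "body": "Anna, please pay invoice INV-20481 from our usual supplier."},
    {"from": "Parcel Notice <notice@parcel-fees-example.net>",
     "subject": "Customs fee outstanding",
     "body": "You owe EUR 2.50 in customs. Pay now to release your parcel."},
]


def triage(messages=SAMPLES):
    """Map each message's subject to its red flags; an empty list means
    nothing fired and the message still deserves the usual human check."""
    return {m["subject"]: red_flags(m) for m in messages}


if __name__ == "__main__":
    for subject, flags in triage().items():
        print(f"{subject!r}: {', '.join(flags) or 'no red flags'}")
```

The first sample (the CEO-style request) trips all three checks; the genuine invoice from the real executive address trips none; the customs text trips only the missing-specifics check. The point of a filter like this is to raise the small doubt that made Annabelle pick up the phone, not to replace that call: a message with no flags still goes through the normal approval process.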
For example, in a widely reported news story, scammers posed as a known mystery shopping company and lured victims into spending their own money in an elaborate gift card scam. By convincing their victims to deposit a cheque into their own account – usually to the tune of 2000 – and instructing them to purchase gift cards and send images of the purchase to a ‘verified’ email address, the scammers could empty out the card balances before the victim realised the initial cheque was fake.
That one is an elaborate scam, but there are even easier ones, such as the Royal Mail postal scam that sends a text message with a link instructing recipients to pay. It’s something so common right now that nobody would think twice about paying the customs fee on a parcel – only to be very surprised when the parcel doesn’t show up. A similar scam is going around in Malta using Maltapost links.
How do you prevent social engineering attacks?
Fostering a conversation around social engineering attacks and removing the stigma will go a long way towards making people aware of how subtle and insidious social engineering attackers are.
Teach people to be on the lookout for the three main techniques of social engineering:
- Pretending they belong. One of the simplest and most successful ways that social engineering attackers can gain access is just by pretending to be someone they’re not, as we’ve pointed out in the story above. Pretending to be the CEO or another C-level executive could work, but it’s far better to pretend to be a nameless security specialist or developer who has forgotten their log-in. A new log-in would be provided easily, especially if the social engineer is targeting a big corporation.
- Offering a reward too good to be true. We’ve all laughed about those ‘Nigerian prince’ emails, but they’re still very effective today, and it’s all because it’s human nature to want something better, whether that’s lottery winnings or a better job.
- Authority breeds obedience. This goes hand in hand with impersonating a CEO: if you’ve got the email signature and a considerable amount of knowledge about the company’s internal processes, you can get any employee to do whatever you want – and it doesn’t take much Googling to understand how most companies work!
Top five tips against social engineering
In this case specifically, knowledge is most definitely power, and understanding how to mitigate the worst social engineering attacks will help you and your company stay safe, especially now that cybersecurity threats are on the rise. As with most cybersecurity threats, actually preventing them is pretty simple:
- Train your employees in cybersecurity. They don’t need to be experts but you should absolutely have a programme in place that addresses all the threats they could potentially find themselves dealing with. Ideally, this programme should be updated regularly with new information as it becomes available. It’s not as easy as just relying on Google’s email scanners to safeguard your business anymore!
- Talk about the latest online fraud techniques openly. This is especially important for the people in your organisation with a key position ripe for exploitation, such as accounts manager or accountant, though don’t leave out the most vulnerable and eager-to-please low-level staff; they can be an easy target for a social engineer who knows what to look for.
- Review existing processes and procedures for financial transfers and keep them updated. This isn’t just good cybersecurity practice – it’s good financial practice too, and helps keep your company safe in more than one way.
- For those working from home, provide a way for them to access their network securely and check in on them often. This helps by limiting the capabilities of email hacking; if you’re communicating regularly with your employees, they’ll know what to look out for.
- Test out and strengthen areas of vulnerability. Understanding where your weaknesses are will help you understand what to look for in the case of a real threat – and it’s important to know where all your efforts in strengthening your company should lie.
Cybersecurity is no joke. With so many threats getting more sophisticated by the day, the easiest way to prevent your business from getting targeted is to make sure that your employees know what to look out for, and there’s no better way to do that than to run a simulated test. We can help you phish your employees to test their cybersecurity awareness, and provide training modules to help them learn better cybersecurity practices depending on what you require. If you’re interested, just fill out the form at the end of this post.
If all this seems like too much, or you don’t want to take the risk, that’s no problem: today, there are companies who work to provide the cybersecurity services you need without the extra hassle of you putting together a new policy! If you’re not sure you can keep up with all the cybersecurity risks, we definitely recommend you reach out for help. There’s no shame in staying safe online.
Human error is the leading cause of cybersecurity threats to corporations. See how well-prepared your employees are and run a simulated phishing attack to make sure your employees know exactly how to spot a scam.
Here’s how it works:
- Available for up to 100 users.
- Customisable language selection, landing page, and test templates.
- Identifiable red flags and explanations.
- PDF emailed within 24 hours with your phish-prone percentage.
- Rank your organisation against others in your industry.