Cyberattacks are becoming more advanced and complex. Scripts designed to track your online activities can now be used to build a very detailed profile that can later be exploited to steal your details. Technologies like machine learning are being used to make scanning attack surfaces and penetrating systems more effective.
Despite the evolving nature of cyberattacks, however, some of the oldest tricks in the book are still in use today. Social engineering is one of them. In simple terms, social engineering exploits human nature to gain access to systems or personal details, and it is still considered one of the most effective tactics.
What Is Social Engineering?
As mentioned before, social engineering is all about exploiting human nature or psychology for malicious intent. An attacker can call the target directly, pretend to be a customer service officer for a legitimate service, and then probe the victim for crucial information. Social engineering can also come in the form of subtle coercion that leads to the victim transferring money or completing other actions.
Social engineering is more than just pretending to be someone else for malicious purposes. Attackers that employ social engineering effectively are very smart, capable of adapting to responses from the victim, and even quick in changing the script or approach when needed. An attacker that employs social engineering is prepared to do whatever it takes to achieve their objective.
Social engineering isn’t just used to target individuals either. There have been cases where businesses – and even large corporations – were the victims of social engineering attacks. Attackers targeted key decision-makers within the organisation, with the aim of moving the entire corporation into committing to an action.
Social Engineering Examples to Learn From
Barbara Corcoran, a judge on the well-known US television series Shark Tank, was a recent victim of a social engineering attack. An attacker used social engineering to build up a detailed picture of the victim’s assistant. The attacker then impersonated the assistant and sent a legitimate-looking email to Barbara’s bookkeeper, asking for a payment to be made.
The bookkeeper fell for the attack and transferred US$400,000. It was later uncovered that the whole thing was a scam and that the real assistant never sent the request. We’re not talking about a careless individual here; the people involved were all well aware of this type of attack and how to defend against it. Still, Barbara Corcoran lost US$400,000.
Another notable case happened a year prior to the above incident and was even more significant. It was a social engineering attack that targeted Toyota Boshoku Corporation, a major supplier of car parts. This attack combined social engineering with a business email hack, allowing the attacker to communicate through legitimate means.
The attacker directed a finance executive to alter the destination for a wire transfer. Keep in mind that this wire transfer was meant to be processed anyway, so you get a good idea of just how deep social engineering can go to obtain information. This was one of the biggest cyberattack cases in history, with the company losing $37 million in the false transfer.
Social engineering is often used in conjunction with other attack types. In the case of Ethereum Classic, social engineering was used to gain access to a domain used by Ethereum Classic. Attackers were then able to redirect the domain name to their own server, set up a form for collecting users’ wallet keys, and steal large sums of Ethereum cryptocurrency from multiple wallets.
The target for this social engineering attack was the domain registrar. Attackers were able to convince the domain registrar that they were the legitimate owner of the domain wanting to make a regular change to nameserver configurations. It shows how attackers can be very sophisticated in using different attack vectors for maximum impact.
A Closer Look at Social Engineering Attacks
Now that we have answered the question, “what is a social engineering attack?” it is time to take a closer look at some of the attack types that incorporate this tactic, starting with classic manipulation. An attacker can choose to manipulate the victim into revealing more information or performing an act using a small amount of preliminary information.
Unfortunately, preliminary information is easy to find. Social media sites have millions of posts that attackers can simply scrape and process into insights. The same set of insights can also be acquired through online aggregators, which collect information and build profiles of internet users. Even your IP address reveals a lot about you as an internet user.
Impersonation is another classic tactic used in social engineering. For instance, it is easy to buy a T-shirt with a Microsoft logo on it. With the T-shirt and some basic information about a target, attackers can do a video call pretending to be a Microsoft support executive and then gain access to the victim’s computer through legitimate means, such as remote desktop.
In one of our articles, we also revealed that establishing authority is a common tactic used in social engineering. By using the identity of a law enforcement officer or another authoritative figure, attackers can get more compliance from the victim. We’ve discussed how acting as the assistant of a known client can have dire consequences.
Other attack types leverage scarcity and fear of missing out to push people into acting quickly. “We need to verify your identity now, or we will have to void your account” is a common line used to make victims think that they have to act immediately. Pressuring victims to act quickly is a classic tactic because it stops them from thinking things through before revealing more information.
Regardless of the attack types, it is clear that social engineering can be very dangerous. You need to know how to prevent social engineering attacks as well as attacks that combine social engineering, phishing, and other methods.
How to Prevent Social Engineering
It is nearly impossible to detect social engineering attempts accurately without sufficient understanding and awareness of information security. You must be aware of the information you disclose, the activities that you are engaged in, and the communications you have with other parties in order to avoid falling victim to social engineering attempts.
A good way to start protecting yourself against social engineering attacks is by providing everyone in the organisation with IT security training. The best IT support in London can help increase information security awareness. This alone will significantly reduce the risk of falling victim to social engineering attacks.
At the same time, proper procedures for handling sensitive information and doing certain things must also be put in place. If you are not sure about which business processes to protect, start with processes that – when misused – lead to unwanted expenses or financial loss. You can then review the rest of your business processes and improve them further.
You also have the option to, once again, enlist the help of IT support in London to review the safety of your systems. You want to make sure that emails coming from illegitimate sources are filtered and that no fake phone calls can ever reach members of the business. Similar to increasing awareness, this also reduces the attack surface of your business significantly.
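One concrete piece of the email-filtering step above is a triage check on inbound mail that looks for the impersonation patterns described earlier on this page (a display name that matches a known colleague but comes from an outside address, as in the Corcoran case, and lookalike sender domains). The following Python is an added example written for this article; it is not the original author’s code nor any product’s filter. The company domain, the directory of known people, and the four sample messages are all constructed for the example, and the Authentication-Results header is assumed to have been added by your own mail gateway.

```python
"""Flag inbound mail that impersonates a known colleague or the company domain.

Added example, not part of the original article. The directory and domain
below are constructed; a real deployment would pull them from the mail
gateway or the organisation's directory service.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example.co.uk"  # assumed company domain (constructed)
KNOWN_PEOPLE = {                  # assumed directory: display name -> real address
    "barbara assistant": "assistant@example.co.uk",
    "finance director": "finance@example.co.uk",
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    raw_domain = addr.rpartition("@")[2].lower()
    # NFKC folds many Unicode lookalike letters (e.g. fullwidth forms) onto ASCII,
    # so a homoglyph domain ends up close to, or equal to, the real one.
    domain = unicodedata.normalize("NFKC", raw_domain)
    findings = []

    # 1. Display name of a known colleague, but the address is not theirs.
    key = name.strip().lower()
    if key in KNOWN_PEOPLE and addr.lower() != KNOWN_PEOPLE[key]:
        findings.append("display-name impersonation")

    # 2. Sender domain is a near miss of the company domain (typo or homoglyph).
    if raw_domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != raw_domain:
        findings.append("reply-to domain differs from sender")

    # 4. Gateway-added authentication results show SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("sender authentication failed")

    return findings


# Constructed sample messages (headers only need to be plausible for the checks).
MSG_LEGIT = (
    "From: Finance Director <finance@example.co.uk>\n"
    "To: bookkeeper@example.co.uk\n"
    "Subject: Q3 supplier payments\n"
    "Authentication-Results: mx.example.co.uk; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Attached is the approved payment run.\n"
)
MSG_IMPERSONATION = (
    "From: Barbara Assistant <b.assistant@webmail.example>\n"
    "To: bookkeeper@example.co.uk\n"
    "Subject: Urgent: payment needed today\n"
    "Authentication-Results: mx.example.co.uk; spf=pass; dmarc=none\n"
    "\n"
    "Please wire the invoice amount this afternoon.\n"
)
MSG_LOOKALIKE = (
    "From: Finance Director <finance@examp1e.co.uk>\n"
    "To: bookkeeper@example.co.uk\n"
    "Subject: Change of bank details\n"
    "Authentication-Results: mx.example.co.uk; spf=pass; dmarc=pass\n"
    "\n"
    "Our supplier has new account details, see below.\n"
)
MSG_REPLYTO = (
    "From: Supplier Ltd <accounts@supplier.example>\n"
    "Reply-To: accounts@freemail.example\n"
    "To: bookkeeper@example.co.uk\n"
    "Subject: Overdue invoice\n"
    "Authentication-Results: mx.example.co.uk; spf=fail; dmarc=none\n"
    "\n"
    "Reply to confirm the new remittance account.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", MSG_LEGIT), ("impersonation", MSG_IMPERSONATION),
                       ("lookalike", MSG_LOOKALIKE), ("reply-to", MSG_REPLYTO)]:
        print(f"{label:14s} -> {analyse_message(raw) or 'no findings'}")
```

Note that the lookalike message passes SPF and DMARC, because the attacker controls that domain and can set up its records correctly; that is why a gateway check should not rely on authentication results alone and why a separate lookalike comparison is worth having. Any message that produces findings should be held for a human to confirm through a channel other than email, which is the procedural control the next paragraphs describe.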
As an added step, run a series of checks. Social engineering penetration testing lets you run realistic attack simulations. Testing is a great way to check whether the security measures you have put in place are enough to prevent social engineering attacks and whether they stop this type of attack from harming your business directly.
Last but certainly not least, refine the security measures you put in place regularly. Attackers will always find new ways to use social engineering to steal information (or more), and it is up to you to keep up with those new methods. Enlisting the help of the best IT support in London allows you to worry less about refining your security measures and more about running your business.
Getting to the Bottom
What should you do when you fall victim to a social engineering attack? The first thing you want to do is make sure that the attack poses no further risk. If you shared confidential information about your bank account, for example, you need to change your account password and block further unauthorised access to it.
The same is true for when attackers are able to gain access to your email, social media accounts, or even messaging apps. Blocking access is a must because it prevents attackers from causing more harm. Once you have completed this step, you can start checking for other possible security holes and close them immediately.
The next step is doing a thorough review of how the attack happened. As soon as you realise that someone is making an unauthorised transfer, you need to trace the source of the attack. A phone conversation or a random email may be the cause of the leak. After finding the source, collect and document all information you can find about the attacker and the attack itself.
Continue by consulting security experts and IT support in London. Trained IT support specialists can help you decipher the attack step by step and then pinpoint where things went wrong. This is a crucial step that helps you stop future attacks from harming you again. At the same time, a thorough review also strengthens your IT security.
Lastly, deal with the aftermath of the attack. Report the attack to authorities, get in touch with stakeholders who are affected by the attack, and take the necessary steps to correct the issues.
With the details that we covered in this article, social engineering attacks can be prevented. You have the knowledge and the skills to stop future attacks from affecting your business; you can implement the same knowledge and skills to protect yourself personally, too. Attackers will still try this attack type, but when they do, you know exactly what to do.
Call totality services if you’d like to know more about these kinds of cyberattacks.