A 2015 PwC study found that more than half of global organizations offer some type of cybersecurity awareness training for their employees. Such training is vital because well-informed employees are among a company’s most effective security controls. The more they understand why good security hygiene matters and how to spot potential threats, the less likely the company is to experience a data breach or other attack.
Yet, even when insiders have cybersecurity education, they continue to make mistakes that create serious security incidents. In fact, that PwC study found that half of data breaches in 2015 were caused by human error.
Why is there such a wide disconnect between training and mistakes? It all boils down to social engineering. Cyber criminals have become increasingly skilled at manipulating human behaviors, and, thanks in large part to social media, we have made the cyber criminals’ job much easier. So much so that 60 percent of organizations were the victims of a socially engineered attack, according to a survey conducted by security company Agari. We can expect this number to get higher, as the study found that social engineering attacks are increasing faster than other types of threats against businesses.
Why Social Engineering Works
Social engineering is all about manipulation: conning the end user into mistaking something fake for something real. The cyber criminal’s goal is to get the victim to download malware or reveal sensitive information such as username/password combinations or financial account numbers. We fall for social engineering tactics because humans are, for the most part, trusting. We want to believe that people are good and that the information we receive is sincere. Because so much information about individuals and organizations is readily available, however, cyber criminals can tailor scams to a particular audience, tricking it into believing that what it is seeing is real.
Social Engineering Tactics
Most of us are familiar with the most popular version of social engineering: phishing. Generic phishing emails are comparatively easy to spot because, in most cases, they are riddled with errors or the end user has no connection with the “company” or “product” named in the email. Spearphishing takes phishing emails up a notch. These email scams are deliberately tailored to specific individuals. Sometimes they spoof a familiar email address, or use a lookalike domain, so the message appears to come from a friend or co-worker. Sometimes the spearphishing attack is dressed up as a business transaction, complete with an attachment that looks legitimate.
Another common social engineering technique is to impersonate IT staff, telling the employee there is a problem with a computer and that the employee needs to share a password to get it fixed. The unsuspecting employee complies, handing the cyber criminal easy access to the network and its databases. This is known as pretexting: fabricating an identity or a plausible scenario in order to steal information.
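As an added illustration (not code from the original article or its author), the following Python script applies the “is this really from a colleague?” check to raw message headers. It flags a display name that matches a known colleague but resolves to an outside address, a lookalike or punycode From domain, and a Reply-To that points somewhere other than the From domain. The trusted-domain list, the colleague directory, the sample headers and all function names are constructed for the example.

```python
"""Header checks for the sender-spoofing patterns described above.

Added example, not code from the original article. TRUSTED_DOMAINS,
KNOWN_COLLEAGUES, SAMPLES and every function name are constructed
for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Hypothetical internal domains that colleagues legitimately send from.
TRUSTED_DOMAINS = {"example.com"}

# Hypothetical directory: display name -> the one address it should map to.
KNOWN_COLLEAGUES = {"jane doe": "jane.doe@example.com"}

# Digit-for-letter swaps attackers use when registering lookalike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Fold case and common confusables so examp1e.com and exarnple.com
    both collapse onto example.com."""
    folded = domain.lower().translate(_CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def is_trusted(domain: str) -> bool:
    """Exact match or subdomain of a trusted domain."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_like_trusted(domain: str) -> bool:
    """An untrusted domain that normalizes onto a trusted one is a lookalike."""
    if is_trusted(domain):
        return False
    targets = {normalize_domain(t) for t in TRUSTED_DOMAINS}
    return normalize_domain(domain) in targets


def check_headers(raw: str) -> List[str]:
    """Return findings for one message header block (RFC 5322 text)."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. Familiar name, unfamiliar address: the co-worker impersonation case.
    expected = KNOWN_COLLEAGUES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-spoof")

    # 2. Lookalike of an internal domain (examp1e.com, exarnple.com, ...).
    if domain and looks_like_trusted(domain):
        findings.append("lookalike-domain")

    # 3. Internationalized (punycode) label, often used to hide homoglyphs.
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode-domain")

    # 4. Replies silently routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample headers (no real senders or domains).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n",
    "spoofed_name": "From: Jane Doe <jane.doe@webmail.test>\n"
                    "Reply-To: jane.doe@webmail.test\nSubject: Urgent wire\n",
    "lookalike": "From: IT Helpdesk <helpdesk@examp1e.com>\n"
                 "Subject: Password reset required\n",
    "punycode": "From: Accounts Payable <ap@xn--exmple-cua.com>\n"
                "Reply-To: payments@attacker.test\nSubject: Invoice\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {check_headers(raw) or 'clean'}")
```

These are header heuristics only: they complement, rather than replace, SPF, DKIM and DMARC enforcement at the mail gateway, and a finding is a reason to verify the request out of band (a known phone number, a walk to the colleague’s desk), not proof of an attack.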
Social Media Risks
Social networking sites are fertile ground for social engineering attacks. First, the information we share on social media is mined to build targeted attacks. Users readily post details such as hometowns, schools attended, birth dates, mothers’ maiden names, and job history, which attackers turn into convincing spearphishing lures and into answers for account-recovery security questions.
Second, consider the videos and articles that cycle through a social site’s feed. Many are legitimate and are chosen to match the user’s habits. But attackers study what those recommendation algorithms favor and craft similar, malicious pages and posts so that they surface in the same feeds.
Finally, social media sites themselves make it very easy for cyber criminals to take advantage of end users. “As much as they aim to mitigate security threats and terrorist propaganda on their platforms, they aren’t close to 100 percent effective,” Nick Hayes writes in a Dark Reading article. “For example, Facebook reported that for 2015, up to 2 percent of its monthly average users—31 million accounts—are false; Twitter estimates 5 percent; and LinkedIn openly admitted, ‘We don’t have a reliable system for identifying and counting duplicate or fraudulent accounts.’”
Stop Falling for Scams
Because cyber criminals rely on human behavior, manipulation, and trust to get end users to make mistakes, social engineering is an extremely effective threat vector and difficult to defend against. However, there are a few basic steps that reduce the odds of becoming a victim:
- Verify everything. Don’t click on links, open attachments, or share sensitive information without confirming the request through a channel you already trust, such as a known phone number or an in-person check, rather than the contact details in the message itself.
- Think before clicking. Urgency is a manipulation lever; the more pressure an email applies to act right now, the more reason to slow down and verify.
- Understand an organization’s policy for contacting customers. Many banks and vendors state that they will never ask for a password, PIN, or full account number by email or phone, and will raise account concerns by postal letter or through the account’s own portal rather than by an unsolicited message.
- Use the most restrictive privacy settings on social media sites, and limit the amount of personal detail shared there.
- Provide a baseline for employee behaviors with tools provided by Threat Sketch Risk Assessment.
“Social engineering is hard to prevent,” says Curtis Peterson, Digital Marketing Manager for SmartFile, in Digital Guardian. “That’s the tough part.” With improved employee security awareness training and a better understanding of how criminals use behavior tactics to their advantage, companies can better address the risks involved with social engineering.
About the Author: Sue Poremba. Sue is a Central PA-based writer who has covered cybersecurity since 2008.