We have all heard of social distancing, but what about social engineering? Unlike the former, social engineering is here to stay, and it creates a dangerous environment for potential victims. In the context of cybersecurity, social engineering is a tactic used to trick victims into handing over critical information that can compromise them or their company. Rather than breaking into systems, attackers get into people's heads through words and manipulation, for example by triggering fear and panic.
For example, if someone says, "Hey, give me your bank account information!", it will simply not work. Of course you would never give your bank account information to a stranger asking for money, right? But what if the request were framed differently? What if, on a busy day, you get a call from someone claiming to be a person of authority at your bank, declaring that someone has made unauthorized purchases using your account? If they are convincing enough, for example by telling you that they can cancel the purchase if you act fast, you might absentmindedly trust the person on the other end of the line and give them whatever information they need to "cancel" this (non-existent) purchase. The situation has the same two elements as before: 1) you do not know the person on the other end of the call, and 2) they are asking for your bank account information (the exact information you use to make purchases!). So why do people hand this information over? Because of the perceived threat and the time pressure.
By the time you realize it is a scam, it is too late. This time you make the call, telling your bank that you accidentally gave someone your account information, and this is where they tell you the truth: you have been the victim of a phishing scam (by phone, this is often called vishing) and they cannot cover your losses. You are devastated and angry at yourself for not coming to your senses quickly enough to stop the conversation. But this is exactly why social engineering is so widely used by scammers: it works, and it is the victim who is hit the hardest.
This is why social engineering works. Attackers exploit perceived trust, comfort, and familiarity. People tend to be more relaxed around those they know, and attackers take advantage of this by pretending to be someone the victim personally knows, or by building rapport before the attack.
Preventative measures
Now that we know what social engineering is and how useful it is to attackers, the question is: how can it be avoided? GlobalSign helps individual users and companies avoid these ploys by providing identity solutions and online security. As one of the pioneers of online security solutions, GlobalSign has established itself as one of the most reliable and globally trusted providers of identity services today. Since social engineering relies on a human element, self-awareness combined with our security solutions greatly reduces a user's chances of falling victim.
Online security solutions from GlobalSign also keep businesses moving in the right direction: they not only reduce the risks associated with social engineering techniques such as phishing scams and malware attacks, but also increase credibility among clients.
The unsuspecting victim: vector for attacks
Social engineering needs only one element: an unsuspecting, vulnerable victim. It happens everywhere, through both digital and physical channels. The perpetrator could be a disgruntled coworker who wants to get back at the company (an insider threat), or an outsider pretending to be an employee.
According to a 2020 Ponemon study, reported insider threat incidents rose by 47% over the preceding two years, and the average global cost of an insider incident rose by 31% over the same period. As this Security Magazine article puts it, "The threat from malicious insider activity is an increasing concern, especially for financial institutions, and will continue to be so in 2021."
Other tactics are used in the physical workplace, such as tailgating: following an authorized person through a secured door. The perpetrator might strike up a conversation with a real employee over lunch, for example, pretend to work for the same company, and earn the employee's trust so they can slip into the office. They might claim to have lost their ID badge and ask an employee to let them in, or turn up with their hands full and ask someone to hold the door. Once inside, they look for an unattended, unlocked computer to copy files from or to use as a foothold into the network.
Perpetrators are sneaky. Even shoulder surfing is a thing: the attacker simply looks over your shoulder to capture sensitive data such as emails, passwords, and bank account information. It can happen anywhere: in coffee shops, on trains, and on other public transport.
Other social engineering techniques
Social engineers adopt different postures, such as posing as a person of authority or faking trustworthiness. When someone claims to hold a higher rank, people tend to let their guard down. Attackers also use intimidation to coerce people into following instructions. Time pressure and a sense of urgency are also common elements. Most Business Email Compromise (BEC) scams use this tactic: an employee receives an urgent wire-transfer request from their "CEO" (in fact an impersonator) and is pressured into bypassing the usual approval procedures.
They press victims to act from the moment they start reading the phishing email or pick up the call. The victim must not hang up or verify; they must act this very moment. If the victim tries to stall, they are threatened with a serious risk or negative consequence.
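As an added illustration (not GlobalSign's code, and not part of the original article), here is a small Python heuristic that screens incoming mail for the BEC pattern just described: an executive's display name on an outside address, a Reply-To that redirects answers elsewhere, a look-alike sender domain, and urgency, "don't verify" and payment language in the text. The executive roster, the internal domain, the keyword lists and both sample messages are constructed assumptions for the example; a real deployment would pull the roster from its directory and tune the lists to its own language.

```python
"""Heuristic screen for executive-impersonation (BEC) email.

Added example, not code from the original article. The roster, internal
domain, keyword lists and both sample messages are constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # assumed: the company's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed roster: display name -> real address

# Assumed phrase lists; tune these to the wording your organisation actually sees.
URGENCY = re.compile(r"\b(urgent|immediately|right now|asap|within the hour|today)\b", re.I)
BYPASS = re.compile(r"\b(do not call|don'?t call|can'?t talk|in a meeting|"
                    r"keep this (between us|confidential)|no need to (verify|check))\b", re.I)
PAYMENT = re.compile(r"\b(wire|wire transfer|gift cards?|invoice|bank details|payment)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: bytes) -> dict:
    """Return {'score': n, 'reasons': [...]}; each matched heuristic adds one point."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []

    # 1. A known executive's display name, but the address is not their real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        reasons.append("display-name spoof: %r sent from %s" % (name, addr))

    # 2. Reply-To quietly redirects the conversation to another mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        reasons.append("reply-to mismatch: %s" % reply_to)

    # 3. Sender domain is one character away from the real company domain.
    if domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 1:
        reasons.append("look-alike domain: %s" % domain)

    # 4-6. Pressure tactics in the subject and body.
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if BYPASS.search(text):
        reasons.append("discourages verification")
    if PAYMENT.search(text):
        reasons.append("payment request")

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
BEC_SAMPLE = b"""\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-provider.example
To: accounts@example.com
Subject: URGENT wire transfer needed today
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't talk. Please process a wire transfer of
$48,000 to the vendor below immediately. Don't call, just confirm by email.
"""

BENIGN_SAMPLE = b"""\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Please add the Q3 numbers to the shared folder before Friday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(label, result["score"], result["reasons"])
```

Run against the two constructed messages, the impersonation attempt trips all six heuristics while the genuine note from the same executive scores zero. The score is triage input for a mail gateway or a reviewer, not a verdict: a clean score does not prove a message is genuine, and the control that actually stops the wire is still the one this article keeps returning to, confirming the request with the real sender through a channel the attacker does not control.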
It is all in the head: best practices
It all boils down to one thing: it is an illusion. Attackers get into your head and try to stop you from thinking critically, because nobody would let their guard down and freely give away information that could compromise themselves or their company unless they were distracted by something. On the one hand this is very dangerous; on the other, it means social engineering can be avoided if we stay vigilant no matter the circumstances.
While that is easier said than done, there are various ways to confirm whether something might be a social engineering attempt. Here are some preventive measures that minimize your risk of falling for one.
For individual users:
- Do not give away personal information, and always verify the requester through a channel you control (for example, hang up and call your bank back on the number printed on your card, not a number given to you on the call)
- Reject unsolicited requests for help or offers of help
- Turn up your spam filters
- Use multi-factor authentication (MFA) wherever possible, and keep your devices secured and up to date
- Use hard-to-guess, unique passwords (a password manager makes this practical)
- Always be vigilant and mindful, and take in the whole situation before engaging
For companies:
- Train your employees
- Adopt a Zero Trust Architecture, which refers to "security concepts and threat model that no longer assumes that actors, systems or services operating from within the security perimeter should be automatically trusted, and instead must verify anything and everything trying to connect to its systems before granting access."
- Establish security protocols and procedures for managing confidential data, and track the security program
- Support the front line, the "human firewall", and help them understand why following those protocols and procedures matters
- Routinely perform unannounced tests of security practices, such as simulated phishing emails
- Ensure offices and storage areas have physical security measures in place, such as locks
- Ensure all devices and computers encrypt data at rest, and that data in transit is protected with TLS (SSL is obsolete and should be disabled)
- Ensuring email communications employ
- Ensure email verification employs S/MIME: digitally signed mail lets the recipient check that a message really came from the claimed sender, which is exactly the check that defeats a spoofed "CEO" request
- Know the risks