By: Marc Larson
Despite spending millions of dollars on state-of-the-art perimeter and end-point security controls, determined actors are still finding their way inside company networks every day by exploiting the human factor. While bad actors have many techniques for attacks at their disposal, social engineering is still one of the most effective means of compromise. In fact, recent security studies suggest that just one percent of employees are responsible for 75 percent of enterprise security risks. This includes users sharing plain-text passwords via email, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors.
What Is Social Engineering?
Social engineering refers to the practice of using non-technical methods to trick people into doing something they wouldn’t normally do otherwise. Threat actors form relationships with targeted victims to get access to information or personal details that can be used to breach corporate networks, facilities, or accounts. In other instances, the intent is to defraud the victim under a pretext such as needing money for a travel emergency or urgent surgery. All of these schemes prey on most people’s natural inclination to trust. It is often easier to fool someone into giving away their password to a corporate network than it is to break into that network by technical means.
By now many people are familiar with social engineering (even if they don’t know the term), thanks to the infamous emails about a “Nigerian prince needing help moving a large sum of money,” also known as 419 scams. However, they are most likely unaware that this obvious tactic, although still around, has been replaced by more subtle forms of deception. In many social engineering attacks now, scammers use personal details gleaned from social media or purchased on the Dark Web from a previous breach to create highly convincing and customized messages that appear to come from “trusted” sources.
These messages can be in the form of emails, texts, or social media messages, and can appear to be from a family member, colleague, vendor, or friend. Or, the message may come from someone who wants to “friend” you on a dating or social networking site. Typically, the “trusted” person will ask you to open an attachment, fill out a form, click on a link, or wire funds to an account. The message will be personalized with details to gain your trust, tricking you into believing it is legitimate. When you receive something like this in email form, it is called spear phishing.
Why Is Cyber Security Training Important?
The fact that so many people are still falling victim to these attacks highlights a major problem within many companies: training. According to a 2014 report by Enterprise Management Associates (EMA), more than 55 percent of a company’s personnel, excluding security and information technology staff, have not received security awareness training from their organizations. Additionally, about a third (33 percent) reported using the same password for work and personal devices, and just over a third (35 percent) said they had clicked on an email link from an unknown sender.
Spammers and con artists want you to act first and think later. If the message conveys a sense of urgency, asks for money or favors, or uses high-pressure tactics, slow down and be skeptical; never let their urgency influence your careful review. When in doubt, it’s always best to contact the person who sent the message, if you actually know them, through a channel you already trust. Or, if the message is from a stranger, ignore it and delete the message, or check it out on a search engine (do a quick search for commonly used phrases indicating scams) before responding.
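As an added example (not code from the original post), a small triage check in Python that scores a message against the red flags described above: an unknown sender, a familiar name on an unfamiliar address, urgency, requests for money, and asks to open an attachment, click a link, or fill out a form. The contact list, phrase patterns, and sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed red-flag patterns mirroring the post's advice (urgency, money, open/click/fill asks).
URGENCY = re.compile(r"\b(urgent|immediately|right away|within 24 hours|act now)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|gift cards?|payment|funds)\b", re.I)
ACTION = re.compile(r"\b(open the attachment|click (?:the|this) link|fill out (?:the|this) form)\b", re.I)

@dataclass
class Message:
    sender: str        # address from the From: header
    display_name: str  # name the mail client shows
    body: str

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def triage(msg: Message, known_contacts: dict) -> Verdict:
    """Score one message; known_contacts maps display name -> expected address."""
    v = Verdict()
    expected = known_contacts.get(msg.display_name)
    if expected is None:
        v.reasons.append("unknown sender")
        v.score += 1
    elif expected.lower() != msg.sender.lower():
        # A familiar name on an unfamiliar address is the spear-phishing pretext itself.
        v.reasons.append("display name does not match known address")
        v.score += 3
    for label, pattern, weight in (("urgency", URGENCY, 2),
                                   ("money request", MONEY, 2),
                                   ("asks to open/click/fill", ACTION, 1)):
        if pattern.search(msg.body):
            v.reasons.append(label)
            v.score += weight
    return v

def is_suspicious(msg: Message, known_contacts: dict, threshold: int = 3) -> bool:
    return triage(msg, known_contacts).score >= threshold

# Constructed sample data for the example: one known contact and three messages.
KNOWN_CONTACTS = {"Dana Kim": "dana.kim@example.com"}
SAMPLES = [
    Message("dana.kim@example.com", "Dana Kim", "Here are the notes from today's meeting."),
    Message("dana.kim@examp1e-mail.com", "Dana Kim", "Urgent: please wire the funds right away."),
    Message("prizes@unknown.example", "Prize Desk", "Click this link to claim your payment immediately!"),
]
```

Run `is_suspicious(m, KNOWN_CONTACTS)` over `SAMPLES`: the genuine note scores 0, while the look-alike address and the stranger's prize message both cross the threshold.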
View our infographic for common social engineering tactics and recommendations on how to avoid falling victim to social engineering attacks!
Contact us for more information on our Anti-Phishing Solutions or Cyber Security Training for employees.