
Why Social Engineering Succeeds

I would never fall for that… Until you do

Every day we read about new cyber crimes, from Bitcoin heists — where individuals are tricked into sending their digital currency to bogus digital wallets — all the way to mass-theft capers where hackers gain access to big-company data and illegally download hundreds of thousands of sensitive personally identifiable records in one swoop.

Even when a company has deployed robust cybersecurity solutions, the perpetrators can often breach digital defenses because they pose as a legitimate user and convince someone to let them “walk” right in.

This is known as “social engineering,” and it relies heavily on human interaction. Specifically, it involves manipulating people into breaking normal security procedures and best practices so the perpetrator can gain unauthorized access to systems or networks for their financial gain.

The details of scams vary from incident to incident. However, they share one characteristic at the core: social engineers find ways to wrap a lie inside many truths. A well-prepared attacker will create a situation — an email that appears to come from a trusted customer, a friend, or even a simple request for information — that makes the target believe the attacker is worthy of their trust.

Once they have a foot in the digital door, an attacker may try to bypass cloud security services and other defenses by attempting to get the targeted insider to react — like clicking on an innocent-looking yet malicious hyperlink in an email, paying a bogus invoice, or making a legitimate-looking bank transfer to a not-so-innocent offshore account. It is all about context and a social engineer’s ability to manipulate someone’s natural human instincts.

Everyone is a Potential Target

Everyone is a potential target and should be aware of the two most critical stages of a social engineering attack. The first involves research. Effective attackers spend considerable resources researching their targets. This enables them to carefully craft lies that appear plausible and actionable.

The second is pretext development, where the criminal sending the phishing or other bogus request fabricates a situation that gains the target’s trust and tries to establish a need for the target to act quickly. Often this happens with an action statement designed to exploit that trust and sidestep security controls. A common example is an email that appears to have been sent by a major bank, warning the target that a data breach has exposed their password. The target is directed to click on a link as soon as possible to reset the password. If the target clicks the link, however, they land on a fake website that appears to belong to the bank but is actually a realistic-looking replica run by the criminal. That website is designed to collect usernames and passwords, which are then used to log in to the target’s real banking site and drain the account.
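The bank-breach pretext above has three detectable tells: a sender domain that is not the bank's, urgency language, and a link whose visible text names the bank while its real destination does not. The following added example (not from the original article; the email, domains and allowlist are constructed placeholders, and the registrable-domain check is a crude two-label approximation) shows how a mail filter could score those signals:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample of the pretext described above: a fake bank breach
# notice with a "reset now" link. Every domain here is an invented placeholder.
SAMPLE_EMAIL = {
    "from": "Example Bank Security <alerts@examp1e-bank-secure.com>",
    "body": ("<p>A data breach has exposed your password. Reset it within 24 hours.</p>"
             '<a href="http://examplebank.com.account-reset.example.net/login">'
             "https://www.examplebank.com/reset</a>"),
}
TRUSTED_DOMAINS = {"examplebank.com"}  # assumed allowlist of the bank's real domains
URGENCY = re.compile(r"\b(within \d+ hours|immediately|as soon as possible|urgent)\b", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # hostname of a URL; bare hosts are accepted too
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def registrable(host):  # last two labels as a rough registrable domain (no public-suffix list)
    return ".".join(host.split(".")[-2:])

def phishing_signals(email, trusted=TRUSTED_DOMAINS):
    """Return the pretext signals found: untrusted sender, urgency, deceptive links."""
    signals = []
    sender_host = email["from"].rsplit("@", 1)[-1].rstrip(">").lower()
    if registrable(sender_host) not in trusted:
        signals.append(f"sender domain {sender_host} is not a trusted domain")
    if URGENCY.search(email["body"]):
        signals.append("urgency language")
    parser = LinkExtractor()
    parser.feed(email["body"])
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and registrable(shown) != registrable(real):
            signals.append(f"link text shows {shown} but points to {real}")
    return signals
```

A real filter would use a public-suffix list and sender authentication results (SPF/DKIM/DMARC) rather than the two-label shortcut here; the point is that each tell in the pretext can be checked mechanically before a user ever has to decide.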

Threats are real, but businesses can take simple steps to safeguard their data, and the effort does not have to break the budget. Using good spam filters and security software that blocks sophisticated social engineering attempts is a great way to start. Training end users with a security awareness program that helps employees recognize sophisticated social engineering attacks is also effective. As part of the program, build a healthy sense of skepticism so that employees are ready to ask questions and avoid acting even when the appeal or pretext is convincing. This is the “trust-but-verify” approach. If an employee receives a request, they should verify that it came from a legitimate source before interacting with it, and they should avoid using the initial form of communication to respond. Instead, use an “out-of-band,” or separate, method, such as calling the source on a verified phone number rather than a number appearing in the suspect email or website.

If there is any notion that a breach has occurred, employees should be ready to contact IT support and take appropriate actions that are outlined in a previously developed plan. Do not wait for a breach to occur to develop a plan because by then, it will be too late.

Unfortunately, many threats exist, and cybercriminals are constantly developing new ways to breach your data. But when employees get into the habit of thinking about how they use technology, their usage of it will be much safer.


Carl Mazzanti
