Why Social Engineering Succeeds

Carl Mazzanti is the president of eMazzanti Technologies in Hoboken.

I would never fall for that…Until you do Every day we read about new cyber crimes, from Bitcoin heists — where individuals are tricked into downloading their digital currency to bogus digital wallets — all the way to mass-theft capers where hackers gain access to big-company data and illegally download hundreds of thousands of pieces of sensitive personally identifiable information in one swoop. Even when a company has deployed robust Cyber Security solutions, the perpetrators can often breach digital defenses because they pose as a legitimate user and convince someone to let them “walk” right in

This is known as “social engineering,” and it relies heavily on human interaction. Specifically, it involves manipulating people into breaking normal security procedures and best practices so the perpetrator can gain unauthorized access to systems or networks for their financial gain.

The details of scams vary from incident to incident. However, they share a characteristic at the core: social engineers who find ways to wrap a lie inside many truths. A well-prepared attacker will create a situation — an email that appears to come from a trusted customer, a friend, or even a simple request for information — which makes the target believe the attacker is worthy of their trust.

Once they have a foot in the digital door, an attacker may try to bypass cloud security services and other defenses by attempting to get the targeted insider to react — like clicking on an innocent-looking yet malicious hyperlink in an email, paying a bogus invoice, or making a legitimate-looking bank transfer to a not-so-innocent offshore account. It is all about context and a social engineer’s ability to manipulate someone’s natural human instincts.

Everyone is a Potential Target

Everyone is a potential target and should be aware of the two most critical stages of a social engineering attack. The first involves research. Effective attackers spend considerable resources researching their targets. This enables them to carefully craft lies that appear plausible and actionable.

The second is Pretext Development, where the criminal sending the phishing or other bogus request fabricates a situation that gains trust from the target and attempts to establish a need for the target to act quickly. Often this happens with an action statement designed to breach trust and avoid security controls. A common example may involve an email that appears to have been sent by a major bank, warning the target that a data breach has exposed their password. The target will be directed to click on a link as soon as possible to reset the password. However, if the target clicks on the link, they will be directed to a fake website that appears to belong to the bank but is actually a realistic-looking replica run by the criminal. And this website will be designed to collect usernames and passwords that will be used to drain the target’s real banking site.

Threats are real, but businesses can take simple steps to safeguard their data. And the effort does not have to break the budget. Utilizing good spam filters and security software that helps block sophisticated social engineering attempts is a great way to start. Training end users with programs savvy organizations created to help their employees recognize sophisticated social engineering attacks is also efficient. As part of the program, create a healthy sense of skepticism so that employees are ready to ask questions and avoid acting even if the appeal or pretext is convincing. This is the “trust-but-verify” approach. If an employee receives a request, verify if it came from a legitimate source before interacting with it and avoid using the initial form of communication to respond. Instead, use an “out-of-band,” or separate method, like calling the source on a verified phone number instead of a number appearing in the suspect email or website.

If there is any notion that a breach has occurred, employees should be ready to contact IT support and take appropriate actions that are outlined in a previously developed plan. Do not wait for a breach to occur to develop a plan because by then, it will be too late.

Unfortunately, many threats exist, and cybercriminals are constantly developing new ways to breach your data. But when employees get into the habit of thinking about how they use technology, their usage of it will be much safer.