
How to Identify and Protect against Social Engineering Attacks

Businesses of all sizes recognize the danger of cyberattacks and security breaches, often dedicating significant portions of their budgets to protective measures like hardware firewalls, antivirus software, and continuous monitoring tools. However, many overlook a key vulnerability: their employees.

Employees, often unaware, can be prime targets for attackers using social engineering tactics. An Accenture study found that the average annual cost of phishing and social engineering attacks to a company was $1.4 million in 2018. It’s crucial, particularly for small and medium-sized businesses (SMBs), to take the threat of social engineering seriously. As remote and dispersed workforces become more common, cybercriminals are likely to exploit these situations further.


What is a Social Engineering Attack?


Social engineering attacks focus on manipulating people rather than targeting devices or software. They exploit trust, habit, curiosity, and fear to get a person to hand over credentials, approve a payment, or run something, instead of breaching a company’s defenses by technical means. While these attacks can occur in person or over the phone, email, text messages, and social media are increasingly used to carry them out. Some of the most notorious hacks in recent years, including those at Sony Pictures, Target, and the Democratic National Committee in 2016, began with social engineering.


The 4 Most Common Types of Social Engineering Attacks


Here are some of the most prevalent forms of social engineering attacks and tips on how to prevent them:


Phishing

Phishing is the most widespread type of social engineering attack. Scammers send emails (and increasingly text messages, often called “smishing”) designed to trick recipients into revealing sensitive information. These messages often appear to be from a trusted source, such as an IT staff member or a known vendor, and the sender name or address is usually spoofed or a close lookalike. They typically create a sense of urgency, warning that “something is wrong with an account” or that an “invoice needs immediate payment.” Victims are directed to click a link that leads to a lookalike login page where they enter credentials or payment details, or to download a file that contains malware.

A more targeted variant of phishing is known as “spear phishing”: instead of a broad mass mailing, the attacker researches and addresses a specific individual. When the target is a senior executive or someone else with significant authority, the attack is often called “whaling.” A well-known example is the 2016 spear phishing attack on John Podesta, chair of Hillary Clinton’s presidential campaign. He received a fraudulent email that appeared to be from Google’s security team, warning that someone had his password, and was led to a fake Google login page where he entered his credentials. The Russian hacking group behind the attack (APT28, also known as Fancy Bear) later released his emails via WikiLeaks.

Baiting

Baiting exploits natural curiosity and the desire for insider information. Attackers might leave a USB drive labeled with enticing information (like “board meeting minutes” or “employee salaries”) in a conspicuous place. When someone picks up the drive and plugs it into their computer, malware on the device gives the attacker a foothold on the company’s network. Modern operating systems no longer run programs from removable media automatically, so these drives usually rely on the victim opening a booby-trapped document on them, or are disguised devices that present themselves to the computer as a keyboard and type commands. With remote work on the rise, digital baiting is becoming more common, luring victims into downloading “free” software, documents, or media files that contain malware.

Tailgating

Tailgating is an old but effective method where an attacker gains physical access to restricted areas by following someone else through a door that is held open or has not yet closed. Posing as an employee, contractor, or delivery person, they may then install malicious software on unattended devices, plug in a rogue network device, or plant USB drives for baiting attacks.

Pretexting

Pretexting is the use of an invented scenario (the “pretext”) to obtain information or action. Rather than a single urgent message, the attacker builds a relationship with the victim over time by impersonating someone they know or would naturally defer to, such as a colleague, an auditor, or an executive. Through emails, texts, or phone calls, the attacker gains the victim’s trust and eventually requests sensitive information or a transaction under the guise of needing it for their job. A widely reported example from 2019 involved a criminal who combined pretexting with an AI-generated voice to impersonate the chief executive of a German parent company over the phone. This convinced the CEO of its UK subsidiary to transfer about $243,000 to a fraudulent account, believing the request was legitimate.


How Can I Prevent Social Engineering Attacks?


No software can stop an employee from mistakenly giving information to someone they think they trust. The first line of defense against social engineering attacks is educating your workforce about these threats and the damage they can cause. Regular training on both common and emerging cyber threats is essential to keep employees vigilant.

Here are a few immediate steps to help prevent social engineering attacks:

  • Hover over hyperlinks before clicking to see where they really lead. Read the domain name right to left: “accounts.google.com.security-check.example.net” belongs to example.net, not Google, and shortened links hide the destination entirely.
  • Verify requests for sensitive information or payments by contacting the person directly using contact details you already have, not those supplied in the message.
  • Be cautious of unexpected or unusually urgent requests for sensitive information and report them to your IT or security department.
  • Enable multi-factor authentication on email and other business accounts; stolen credentials alone are then not enough to log in, and phishing-resistant methods such as hardware security keys cannot be captured by a fake login page.
  • Use end-to-end encryption tools to secure your communications, even with existing email accounts like Gmail or Microsoft 365. Encryption protects message contents in transit, but it does not tell you that a request is genuine, so it complements rather than replaces the checks above.
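To make the “hover over hyperlinks” advice concrete, here is an added example (not code from the original page) that does in software what a careful reader does with the mouse: it extracts every link from an HTML email body and compares the text the recipient sees with the address the browser would actually open. It also flags the usual tricks a Podesta-style lure relies on: a link shortener, a trusted brand name buried inside an untrusted hostname, a user@host URL, a bare IP address, and punycode. The trusted-domain and shortener lists and the two sample messages are constructed for this example and would be tuned for your own environment.

```python
"""Flag deceptive links in an HTML email body (added example, not the page's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: registrable domains this organisation treats as
# legitimate login/billing hosts ("google.com" covers "accounts.google.com"),
# and shorteners that hide a link's real destination.
TRUSTED_DOMAINS = {"google.com", "example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or None
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for this demo; a real gateway
    would use the Public Suffix List so that suffixes like co.uk work."""
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        return host
    return ".".join(host.split(".")[-2:])


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(text, href):
    """Return the reasons a link looks deceptive (empty list if none)."""
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        # mailto: is routine in business mail; javascript:, data: etc. are not.
        return [] if parsed.scheme == "mailto" else ["unexpected scheme %r" % parsed.scheme]
    host = (parsed.hostname or "").lower()
    dom = registrable_domain(host)
    reasons = []
    # 1. The text shows one site but the href goes to another (what hovering reveals).
    m = URL_LIKE.match(text)
    if m and registrable_domain(m.group(1)) != dom:
        reasons.append("text shows %s but link goes to %s" % (m.group(1), host))
    # 2. A shortener hides the destination entirely.
    if dom in SHORTENERS:
        reasons.append("shortener %s hides the destination" % dom)
    # 3. A trusted brand appears inside an untrusted hostname
    #    (accounts.google.com.security-check.example.net belongs to example.net).
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and not under_domain(host, trusted):
            reasons.append("%s appears inside untrusted host %s" % (trusted, host))
    # 4. user@host trick: the part before '@' is not where the browser connects.
    if parsed.username:
        reasons.append("userinfo %r in URL; real host is %s" % (parsed.username, host))
    # 5. A bare IP or punycode host has no place on a legitimate login link.
    if IPV4.match(host):
        reasons.append("bare IP address host %s" % host)
    if "xn--" in host:
        reasons.append("punycode host %s may render as a lookalike" % host)
    return reasons


def scan_html(body):
    parser = LinkExtractor()
    parser.feed(body)
    return [(text, href, check_link(text, href)) for text, href in parser.links]


def suspicious_links(body):
    return [entry for entry in scan_html(body) if entry[2]]


# Constructed sample messages (not real mail). The first imitates a
# "someone has your password" lure; the second is an ordinary invoice notice.
PHISHING_BODY = """
<p>Hi, someone just used your password to try to sign in to your account.</p>
<p><a href="https://bit.ly/3xAMPLE">Change password</a></p>
<p>Or sign in at
<a href="https://accounts.google.com.security-check.example.net/login">https://accounts.google.com/signin</a></p>
<p><a href="http://accounts.google.com@198.51.100.7/review">Review recent activity</a></p>
<p><a href="https://support.google.com/accounts">Help</a></p>
"""
LEGIT_BODY = """<p>Your invoice is ready:
<a href="https://example.com/invoice/1042">https://example.com/invoice/1042</a></p>
<p>Questions? <a href="mailto:billing@example.com">Email billing</a></p>"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(PHISHING_BODY):
        print("%-40s -> %s" % (text, href))
        for reason in reasons:
            print("    ", reason)
```

Run as a script it lists the three deceptive links in the constructed lure and stays silent on the invoice message. The same checks can be bolted onto a mail gateway or a reporting button; the point is that the visible text of a link is under the attacker’s control, and only the destination host decides where the credentials go.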

Using real-world examples can be an effective way to illustrate the dangers of social engineering. While many are aware of major hacks and data breaches, they may not realize that these incidents often begin with something as simple as a phishing email or a convincing phone call.

We at GIGAMiT understand the significant risks that social engineering attacks pose to your organization and are committed to providing best-practice recommendations for robust security management. Navigating the complex landscape of cybersecurity, especially in today’s environment, can be challenging, but GIGAMiT is here to support your organization every step of the way.
