Social Engineering, as it relates to information security, refers to the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Over the years, the Social Engineering tactics used by cybercriminals have evolved, leading to record-high losses for those who fall victim.
How Social Engineering Works
Though Social Engineering is ever-evolving, some of the most common techniques include:
Baiting involves attackers physically depositing flash drives with labels that might spark curiosity. These are typically left on the premises of a target company in hopes that an employee will plug the drive into a workstation, potentially impacting the network.
Scareware techniques involve bombarding a target with false information and fictitious threats. Scareware actually covers a broad scope of cyberattacks, including, but not limited to, deception technology, rogue security software, and fraudware. These types of attacks usually come in the form of a pop-up claiming something like, “You have been infected with dangerous malware, Click Now!”
Pretexting is used by attackers who spend time establishing trust with victims by pretending to be coworkers, bank officials, police, or other authorities. The pretexter invents a scenario and asks questions to “verify” the victim’s identity, leading the victim to divulge personal information that can be used for identity theft and to hack personal accounts.
Phishing is considered one of the most popular types of Social Engineering tactics. Phishing scams focus on sending messages to victims that create a sense of urgency, curiosity, or fear. These communications typically appear to come from a reputable source, and often use flattery or pressure in order to cloud judgment and increase urgency.
How Social Engineering Affects You
In the past, Social Engineering schemes have had major impacts on businesses. Recently, Phishing tactics were employed by a group of Lithuanian hackers, resulting in massive losses for both Facebook and Google. For over two years, the group simply redirected payments between the companies and legitimate suppliers to fraudulent accounts. This resulted in a loss of $100,000,000, and is considered the largest Social Engineering attack to date.
According to the 2021 Verizon Data Breach Report, small businesses with under 1,000 employees fell victim to 1,037 incidents with 263 confirmed data disclosures. For large businesses, there were 819 incidents with 307 confirmed data disclosures. For both types of businesses, roughly 90% of attacks were for financial gain. Of the 507 breaches, the human element played a role in 85% of incidents. Phishing was present in 36% of these breaches, up 25% from last year.
How Can You Protect Your Business?
Of all of the attacks in 2021, 80% were detected by third parties. If these companies had not been working with outsourced specialists, they may never have known that a breach had even occurred. So, how can you protect your business from Social Engineering attacks? To stay ahead of the ever-changing nature of these scams, you must be proactive instead of reactive. The mantra of “never open an email or download a file from a suspicious person” goes out the window when skilled scammers are at work.
Social Engineering communications have become so realistic that most people will not know they have done something wrong until it is too late. Staying up-to-date on your Malware and Antivirus Protection, and operating with Multi-Factor Authentication, or MFA, is essential for all types of modern businesses. At HazeyTech, we will work to ensure you are taking the proper precautions, in 2022 and beyond.