Cyber security threats of all kinds are on the rise, but as individuals and businesses become more aware of the various dangers, those with malicious intent are coming up with increasingly sophisticated methods. One of the biggest examples of this in recent times has been the growth of social engineering.
Research from Beazley [1] found that social engineering accounted for just one percent of data breach incidents in 2016, but this figure rose to nine percent the following year. Meanwhile, an article published by Security Now [2] states that phishing and social engineering attacks will have risen again over the course of 2019.
In this blog post, we take a closer look at the rise of social engineering attacks and explain why it is so important to be vigilant, seek out IT support services, and provide the right training for your employees.
As an article for Imperva [3] explains, social engineering refers to a range of cyber threats which use "psychological manipulation to trick users into making security mistakes or giving away sensitive information." Effectively, it involves those with malicious intent capitalising on people's emotional responses, good nature and desire to help.
Social engineering differs from brute force hacking attempts primarily through the involvement of human interaction. Whereas a hacker might look to exploit a vulnerability in a computer network or a software application, a social engineer will instead try to trick another person into volunteering personal details, login credentials and other valuable information.
For this reason, one of the main ways businesses can mitigate risk is through the provision of social engineering awareness training for staff members, so that they become aware of what to look out for.
Social engineering can take many forms, especially as attackers become more resourceful, but some of the most important types to focus on during social engineering awareness training are outlined below.
Phishing involves attempting to obtain private information via email. The most common example of phishing is when an attacker either creates a fake email address or compromises an existing, genuine address. Using this fake or compromised address, the attacker will typically ask a user to confirm their login details for a service they use. The email will also include a link to a fake website. The attacker's goal is for the user to click through and enter their login details on that site, at which point the attacker has obtained them.
A more sophisticated form of phishing attack is known as spear phishing. Rather than sending phishing emails to thousands of random people, the social engineer will instead target specific individuals [4]. They are then able to tailor their message to that person, referring to personal information they have obtained, and perhaps even posing as a friend or co-worker. This increases the chances of the attack being successful.
Another sophisticated form of social engineering centres around compromised websites. As the aforementioned Security Now article explains, this is one of the key battlegrounds today, because it circumvents many anti-phishing security solutions. Here, the social engineer actually manages to compromise a trusted or benign website.
Given that we know that website login details are being sold on the Dark Web, social engineers can gain access to the source code and plant malware, such as a key-logger, and gain information that way. It is then relatively easy for the fraudster to direct people to the website, as it is seemingly trustworthy and the victim may even be a regular user of that site.
Finally, a social engineering attack that is gaining popularity involves placing bait in real-world environments and preying on people's natural tendencies, such as curiosity or concern. As an article for Norton [5] points out, a common example of this involves leaving a labelled USB stick in a real-world environment, such as a workplace.
The USB stick will contain malware, but it will be labelled in a way that will entice people to pick it up and use it. For example, a fraudster may label it "employee bonuses" and then leave it in the toilets of an office building. An employee may then get curious, use it on their computer, and infect the computer with the malware.
Social engineering attacks are increasing year-on-year and now represent one of the main cyber security threats for SMEs. As a result, it is important to equip your employees with sufficient knowledge to mitigate the risk, and to enlist the help of a managed service provider offering the relevant IT support services.
Fifosys provide cyber security awareness training to SMEs in London and the South East of England. Additionally, we can help you to identify and fix any vulnerabilities in your networks and computer systems. This combination can then provide you and your employees with the best chance of protecting against social engineering attacks of all kinds.
Sources
[1] Beazley: Social Engineering Claims On The Rise
[2] Security Now: Phishing & Social Engineering Attacks Will Rise In 2019
[3] Imperva: What Is Social Engineering?
[4] Spear Phishing: The Rise Of Social Engineering And 10 Ways To Protect Your Business From Attack
[5] Norton: What Is Social Engineering? Tips To Help Avoid Becoming A Victim