What is Social Engineering?
Social engineering is the psychological manipulation of individuals into performing certain harmful activities or disclosing sensitive/private information.
In one of the latest incidents, a group of farm workers and unemployed youth from an Indian village managed to trick sports bettors in Russia into betting on a fake IPL (a professional Twenty20 cricket league) cricket tournament. The scammers broadcast fake cricket matches live on a YouTube channel for over two weeks and took bets on a Telegram channel they created. Sound effects downloaded from the Internet and an impressionist able to imitate a famous commentator made the mock tournament seem authentic to the distant Russian audience.
It may be a funny story, but the harsh reality is that everyone is in danger. Individuals and businesses are battling social engineering, struggling to find a way out of this growing threat. Are you one of them? If so, keep reading to find out what social engineering is, how it works, how to spot social engineering attacks, and how to better protect your company’s lifeline: data.
What are the origins of social engineering?
The term “social engineer” was first introduced by the Dutch industrialist JC Van Marken in 1894. He believed that just as specialists with technical expertise could solve problems in machines and processes (technical problems), social engineers could solve human-related problems, that is, social problems. His ideas came from improving the lives of his employees: his factories had schools, libraries, social clubs and so on, which employees and their families could use. He also offered insurance funds to his employees, and one of his policies was that his workers must save money for unforeseen difficulties in the future. Van Marken used social engineering as a tool to change the attitudes and behaviour of his employees.
Unfortunately, unlike Van Marken, some people want to use these techniques for their own benefit. Social engineering is a highly effective cybercrime technique and one of the most prevalent cyberthreats businesses today need to be aware of. Social engineering is the weapon of choice for cybercriminals because it is inexpensive and much easier to execute. It is estimated that more than 90% of cyberattacks rely on some form of social engineering.
What are other examples of social engineering in the past?
You may have heard of many of these infamous scams before, but seeing how varied they can be, we can truly understand the threat that social engineering presents to us in person or on the web.
The Nigerian scam, also known as the advance-fee scam or 419 scam, is one of the best examples of social engineering. The scammer pretends to be a government or bank official, or a businessman who needs access to an overseas bank account to transfer money trapped in a frozen Nigerian account, in exchange for a commission. Sometimes the commission offered can go up to several million dollars to lure the victim. The scammer then convinces the victim to send a small amount of money for certain costs associated with the transaction, such as taxes and legal fees. Once the victim sends the money, the scammer disappears. In some cases, the scammer asks the victim to send more money for unexpected charges like increased taxes or bribes to officials.
In February 2022, a man disguised as a Walmart employee managed to steal several televisions from a Walmart in Memphis without being noticed.
Have you ever come across an offer that seemed too good to be true? In 2010 Anthony Lee, a lorry driver from Yorkshire, attempted to sell one of London’s iconic landmarks, the Ritz Hotel. Anthony offered to sell the luxury hotel for 350 million pounds, which is far below its real value. Amazingly, he managed to trick unsuspecting buyers into depositing £1 million before being jailed for the outrageous scam.
Today, social engineering has reached a new level of sophistication. Over the years, social engineering attacks have evolved into one of the greatest cyber threats to individuals and organizations.
How has technology changed social engineering attacks?
Social engineering in cybersecurity and information security is the process of manipulating human psychology or behavior, tricking unsuspecting victims into performing certain actions or revealing sensitive information. Once the victim performs the desired action, it creates security holes for threat actors to slip through. They also use shared information to gain access to an organization’s network and data without being detected. According to the World Economic Forum’s (WEF) Global Cybersecurity Outlook 2022 report, social engineering emerged as the second biggest concern for global cyber leaders, with ransomware being their top concern.
The global pandemic has provided the perfect conditions for an increase in social engineering attacks. The world has moved from face-to-face communication to using digital mediums, such as email, video calls, text messages, and instant messaging to interact, which are goldmines for cybercriminals. It’s no surprise that social engineering threats have increased by 270% in 2021.
Today, with organizations transitioning to a hybrid work environment, on-premises vulnerabilities are returning. Less physical presence in the workplace means fewer “eyes” and less physical security for people. IT admins have become too used to servers being “secured” by obscurity, and assume they can leave root passwords unchanged since no one has been in the building. Additionally, as the global workforce has been working from home for almost two years now, most employees do not recognize everyone, or even the individuals in their own departments. Opportunity-seeking threat actors could use “classic” social engineering to break into buildings during smoke breaks or force their way into an office building. This makes it extremely easy to plug USB drives containing malware into computers or other equipment.
What weakness does social engineering exploit?
Cybercriminals have found simple methods to exploit weak spots in humans rather than finding vulnerabilities in a company’s IT infrastructure. Instead of hacking into an organization’s networks and systems, social engineering attacks aim to exploit human nature or qualities such as trust, greed, obedience, kindness, curiosity, etc. Why attack infrastructure directly when you can just use people to walk through or around it?
Social engineering attackers or social engineers patiently hope that at least one individual, say, in an organization of 100 employees or 1,000 employees, makes a mistake. One false move – clicking on a malicious link or downloading a malware-infected attachment – is enough for an attacker to breach an organization’s security perimeter to steal data or deploy malware. They rely on genuine communication with employees to convince them to disclose valuable information or act as the perpetrator intended. The techniques used in social engineering can be simple yet very persuasive. Threat actors can impersonate someone employees trust or entice them with something they want in exchange for something the scammers need. In 2020, cybercriminals used AI to clone the voice of the manager of a company, which was used to convince the manager of a bank in the United Arab Emirates to transfer $35 million.
What are the different types of social engineering attacks?
Humans are bound to make mistakes, which also makes social engineering very successful. Over the years, social engineers have developed new and complex techniques to exploit human error. Many of these methods have proven successful, as the statistics above show. Below are some common types of social engineering attacks that every business and individual should be wary of.
Phishing is the most widespread and common type of social engineering attack. This method attempts to exploit human error by using malicious emails, attachments, and links to harvest credentials, distribute malware, or perform various insidious actions. Malicious emails may appear to come from a company’s IT department, asking its employees to change their passwords immediately. Such emails may appear legitimate and may be more difficult to detect. In a recent cybersecurity incident, threat actors successfully hacked the email of an employee belonging to Kaiser Permanente, the largest nonprofit health plan provider in the United States. The event led to the disclosure of sensitive health information of around 70,000 patients. Here is an example of a phishing email:
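The indicators just described (a sender posing as the IT department, a password-reset lure with a deadline, a link the recipient is pushed to click) can be checked mechanically before a message reaches an inbox. The following Python script is an added example, not the article's own sample email or code. It builds two constructed messages inline, one phishing-style and one benign, and reports the heuristic indicators it finds: a sender domain outside an assumed internal domain list, urgency wording, link text that displays one host while pointing at another, and link targets outside the internal domains. The internal domain `example-corp.com`, the lookalike domains and the message contents are all assumptions made for the illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains the organisation actually owns (placeholder value).
INTERNAL_DOMAINS = {"example-corp.com"}

# Pressure phrases typical of credential-harvesting lures.
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify now", "within 24 hours")

# Constructed phishing-style message: lookalike sender domain ("examp1e" with a digit 1),
# urgency in the subject, and a link whose visible text differs from its real target.
SAMPLE_PHISH = """From: "IT Support" <helpdesk@examp1e-corp.com>
To: jane@example-corp.com
Subject: URGENT: Your password expires today
Content-Type: text/html

<html><body>
<p>Your password expires in 2 hours. Click
<a href="http://login.examp1e-corp.com.evil-example.net/reset">https://sso.example-corp.com/reset</a> now.</p>
</body></html>
"""

# Constructed benign message from the real internal domain for comparison.
SAMPLE_BENIGN = """From: "IT Support" <helpdesk@example-corp.com>
To: jane@example-corp.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<html><body><p>See <a href="https://intranet.example-corp.com/notice">the notice</a> for details.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def analyze(raw_message):
    """Score a raw RFC 5322 message; returns the indicator list and a count used as the score."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender domain: anything outside the organisation's own domains is suspicious.
    sender = str(msg.get("From", ""))
    match = re.search(r"@([\w.-]+)", sender)
    sender_domain = match.group(1).lower() if match else ""
    if not is_internal(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not an internal domain")

    # 2. Urgency language in subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    lowered = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links: visible URL text that disagrees with the real href, and external targets.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = host_of(href)
        if re.match(r"^(https?://|www\.)", shown) and host_of(shown) != href_host:
            findings.append(f"link text shows {host_of(shown)!r} but points to {href_host!r}")
        if not is_internal(href_host):
            findings.append(f"link target {href_host!r} is outside internal domains")

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = analyze(sample)
        print(f"{name}: score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Heuristics like these are a triage aid, not a verdict: a legitimate notice that happens to say "expires" will score, and a careful attacker can avoid every keyword. The link-text mismatch and the sender-domain check are the signals worth surfacing to the user who is about to click, because they are exactly what the "IT department asks you to reset your password" lure relies on going unnoticed.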