According to recent studies, cybercriminals use social engineering techniques to drive 98% of cyberattacks, making this a significant talking point for businesses and users.
If your organization is a Managed Service Provider (MSP), read on to find out how social engineering works and what you can do to help your customers protect their business from attack.
Social engineering statistics
- 98% of cyber-attacks are based on social engineering.
- 43% of IT professionals said social engineering schemes had targeted them in the past year.
- 21% of current or former employees use social engineering for financial advantage, revenge, curiosity, or fun.
- 43% of phishing/social engineering attacks targeted small businesses.
Source: PurpleSec, 2021 Cyber Security Statistics
Definition of social engineering
Social engineering is the practice of tricking an individual, in person, over the phone, or online, into doing something that makes them vulnerable to further attack.
In the digital world, it is easier to deceive people than it is face to face, which makes online social engineering both common and dangerous.
Social engineering techniques
Social engineering takes advantage of people’s emotions to get them to do something so that a criminal can gain physical access to private offices and buildings and online access to a company’s systems.
These criminals use a handful of standard social engineering techniques to trick people into revealing information that lets them launch further attacks, harvest credentials, and steal data or money.
Create fear. You receive an email from someone claiming to be from the Internal Revenue Service (IRS), saying you will be arrested immediately unless you provide your credit card number to pay back taxes.
Exploit greed. You receive a message via Facebook Messenger saying you have won a free laptop; to redeem it, you must click a malicious link and provide more personal information.
Take advantage of your curiosity. You receive a text message claiming to be from FedEx, stating that they cannot deliver your package because your address is incorrect.
The message offers a link to provide your address and other personal information. The link may go to a malicious site that automatically infects the user’s device with malware.
Ask for help. You receive a text message from what appears to be a colleague (actually a cybercriminal posing as that colleague) saying they are in a foreign country, have been robbed, and need money to get back home.
The message prompts you to click the link to transfer funds or pay by credit card.
Appeal to empathy or sympathy. You are entering your office building with your access code, and a nervous, well-dressed woman follows you, saying she has lost her access code and is late for an important meeting; she takes advantage of your friendliness to get you to let her into the building.
Types of social engineering attacks
“Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.” – CSO online.
Social engineering attacks are the first step attackers use to collect private information that can be used for a later attack, such as a phishing attack.
For example, suppose the attacker can lure an employee into providing password information. In that case, the attacker will use that information to gain access to the employee’s device and launch other attacks through the corporate network. Social engineering attacks can take various forms.
Phishing attacks lure people with attractive, heavily discounted, or even free products or services and entice a person to respond by clicking a malicious link or offering personal information, such as a credit card number.
Scareware is a type of social engineering attack that “scares” the user into taking an action that leads to an attack. For example, you are working on your computer, and an ad from what appears to be a legitimate malware vendor appears, telling you that your computer is infected and that you need to download a free trial to remove the malware. Once you click on the link to download the free trial version, you will indeed be infected with malware.
Physical breach attacks
A physical breach is an in-person attack in which the criminal poses as a person of authority or a person in danger to convince someone to carry out an order or provide assistance.
For example, an attacker may pose as a police officer and order a receptionist at the front desk to give him access to an office building under the pretext that a crime is being committed.
Cybercriminals use pretext attacks to establish a trusted connection with an intended target to obtain personal or sensitive information or to entice the target to perform a critical task.
First, the attacker probes the target to gather personal but public information, such as who the target works for, who his colleagues are, who he banks with, and who his circle of friends is.
The attacker then creates a persona online, posing as a trusted person or company, and entices the user to act.
For example, Katherine works in finance at ABC Company, and the company’s president sends her an email with an urgent request to transfer funds to one of the company’s partners. Believing this email to be benign,
Examples of social engineering attacks in real life
Below are several examples of some of the costliest social engineering attacks in recent years.
Google and Facebook were victims of the most significant social engineering attack. A Lithuanian attacker and his team set up a fake company, posing as a computer manufacturer that worked with both companies.
The team also set up fake company bank accounts and billed the companies for products and services that the authentic manufacturer had actually supplied, but directed the payments to the phony bank accounts. Between 2013 and 2015, the attackers cheated the two tech giants out of more than $100 million.
In 2020, Shark Tank TV host and judge Barbara Corcoran was the victim of a social engineering attack, costing her nearly $400,000. The attacker created an email address that appeared to belong to Corcoran’s assistant.
The email contained a fake invoice from FFH Concept GmbH, a legitimate German company, for $388,700.11 for real estate renovations.
This request seemed legitimate to the accountant because Corcoran invests in real estate, and she wired the money to the bank account listed in the email.
The scam was only discovered when the accountant copied Corcoran’s assistant on her reply to the original email.
In 2019, Toyota Boshoku Corporation, a major supplier of Toyota auto parts, reported that attackers had used email to convince an employee with financial authority to change the account information for an electronic funds transfer. The company lost $37 million.
In 2018, Cabarrus County, North Carolina, received an email that appeared to come from one of its vendors, requesting that payments be sent to a new bank account.
The email was malicious: the attackers were posing as the vendor. Cabarrus County paid $1.7 million according to the instructions in the email, after which the money was diverted to other accounts.
How to spot a social engineering attack
The best way to detect a social engineering attack is through training and coaching users to “think before they link.” Users must be trained to:
- Understand that there is no such thing as a “free lunch.”
- Never open an unexpected email from someone you do not know.
- Verify any request to transfer funds through a separate channel; for example, call the requester, or email them separately at the address you already have on file.
- Investigate any email requesting personal or sensitive information through other online channels, such as a web search.
- Never install pirated software or any software you don’t know about.
How to prevent social engineering attacks?
In addition to employee training and education, businesses need multi-layered protection to stop social engineering attacks. This includes a combination of:
- Antimalware software (including early-launch antimalware) that protects systems, applications, and data from malicious code and blocks access to malicious sites.
- Firewalls to prevent unauthorized access to corporate systems.
- Email filters that scan messages for spam and phishing content and isolate them in a separate folder; users should set their spam filters to a high level and check the spam folder regularly for legitimate emails.
- Multi-factor authentication, which requires users to provide at least two proofs that they are who they say they are.
- Timely software patches so that the operating system and applications are always up to date.
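As an added illustration of the "spot" and "prevent" lists above (example code written for this page, not a product or script from the article), the Python below triages inbound messages for the cues the article's cases share: a display name that matches a known contact but arrives from a different or lookalike address, a request to change bank details, a request for credentials, and time pressure. The contact directory, domains, and sample messages are constructed and hypothetical; "hold" means route the message for out-of-band verification before anyone acts on it.

```python
import re

# Constructed directory of known contacts (display name -> trusted address); hypothetical values.
KNOWN_CONTACTS = {
    "Pat Lee": "pat.lee@abc-company.example",
    "Acme Supplies": "billing@acme-supplies.example",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}
# Cues for the pretexts the article describes: pressure, payment redirection, credential harvesting.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer funds|invoice|payment)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new bank account|updated? (bank|account|payment) details)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|credit card|verify your account|login)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a domain within two edits of a trusted one is treated as a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(display_name: str, address: str, body: str) -> dict:
    # Score one message; any single strong cue (3 points) is enough to hold it for verification.
    score, reasons = 0, []
    domain = address.rsplit("@", 1)[-1].lower()
    known = KNOWN_CONTACTS.get(display_name)
    if known and known.lower() != address.lower():
        score += 3; reasons.append("display name is a known contact but the address differs")
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        score += 3; reasons.append(f"lookalike domain: {domain}")
    if BANK_CHANGE.search(body):
        score += 3; reasons.append("asks to change bank or payment details")
    if CREDENTIAL.search(body):
        score += 3; reasons.append("asks for credentials or card details")
    if PAYMENT.search(body):
        score += 1; reasons.append("mentions a payment")
    if URGENCY.search(body):
        score += 1; reasons.append("applies time pressure")
    return {"score": score, "reasons": reasons, "action": "hold" if score >= 3 else "deliver"}

# Constructed samples modelled on the article's cases: lookalike executive, vendor changing bank
# details, and an ordinary colleague email that should pass.
SAMPLES = [
    ("Pat Lee", "pat.lee@abc-cornpany.example", "Urgent: wire funds to our partner today, I am in a meeting."),
    ("Acme Supplies", "billing@acme-supplies.example", "Please note our new bank account details for invoice 4471."),
    ("Pat Lee", "pat.lee@abc-company.example", "Can you send me the Q3 expense summary when you have a minute?"),
]

def triage_samples() -> list:
    return [triage(*sample)["action"] for sample in SAMPLES]
```

Urgency and a payment mention together score only 2, so a routine reminder is delivered while any bank-detail change or credential request is always held, matching the article's advice to verify every fund transfer request through a separate channel.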