Defending against hacking attacks is more important than ever in today's environment. With the average cost of a data breach running into the millions, it's something no firm can afford to cut corners on.
Often, however, the stereotype of the hacker using complex code to find weaknesses in firewalls and other defenses isn't accurate. In many cases, the most useful skill a criminal can have to gain access to a network is psychology - understanding how your employees' minds work and how to exploit this.
This is called social engineering and it's a major cause of data breaches. Research by SlashNext Threat Labs suggested that social engineering threats rose by 270% in 2021, while Verizon's 2020 Data Breach Investigations Report found it to be a factor in nearly a quarter of incidents.
Social engineering attackers have a number of advantages. Firstly, these methods often don't require much technical knowledge. What's more, they're hard to stop. Traditional antimalware tools look for malicious attachments and links, so a message that simply asks someone for a password or a payment contains nothing for them to flag, and it only takes one employee who happens to be a bit rushed or careless that day for the attack to succeed.
Ensuring your workforce is aware of cybercriminals' most common techniques is necessary for any successful security team. Here are a few common tactics.
1. Phishing (and all its variants)
Phishing is a catch-all term for a variety of social engineering tactics designed to trick recipients into handing over sensitive information, whether these are login credentials, financial details or other confidential data.
Hackers use messages, typically delivered via email, that aim to direct users to fake websites or online forms where they enter the data, and often include warnings or other efforts to instill a sense of urgency in order to overcome any doubts users may have. For example, they may ask a user to log in to an online portal to confirm an order, with the link pointing to a page the attacker controls rather than the real site. However, there are many variations on this, so employees need to be aware of what to look for.
Spear phishing
A standard phishing attack is often fairly impersonal, with hackers accepting the likelihood of low response rates in exchange for volume. By contrast, a spear phishing attack is much more targeted, and will often be aimed at a single individual. As the name implies, it's the difference between throwing out a net to catch fish and picking out an individual target to aim for.
This goes much further than an email addressing the recipient by name. Spear phishers may have detailed information about a person's role, interests or other personal details they can use to make their messages more convincing.
Whaling
Whaling is similar to spear phishing but involves hunting much bigger and more valuable targets. This involves messages tailored specifically to senior executives and other individuals who may have privileged access. As such, it's vital these personnel get a particular focus when security teams are running social engineering training to spot the telltale signs.
Vishing
Phishing that takes place over the phone is known as voice phishing or vishing. With so much effort focused on email as the primary channel, it's easy to forget that more traditional forms of communication can still pose risks - and with tools such as VoIP making it easy to spoof caller ID, these calls can be pulled off with no technical skills. The simplest defense is to end the call and ring the organization back on a number you already hold, rather than one the caller gives you.
Smishing
Short for SMS phishing, the use of text messages as a delivery channel has boomed in recent years, taking advantage of the fact people tend to act quickly on this channel - with 98% of people reading a text within three minutes. They're often targeted at consumers, with fake 'missed delivery' alerts especially prevalent, but business users can also fall victim.
2. Business Email Compromise
There are many other email-based attacks that may technically fall under the banner of phishing but have enough distinctive features to be treated as their own threats. One of the most dangerous of these is business email compromise (BEC). This works by hackers spoofing a familiar address or display name, registering a lookalike domain, or taking over a genuine mailbox, so that the message appears to come from a trusted source, often one inside the company such as a senior executive or the finance team. This can lull people into a false sense of security and make them believe the request contained within, typically a payment or a change of bank details, is legitimate. Any such request should be confirmed through a channel other than the email itself.
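The signals described in the phishing and business email compromise sections above (a trusted display name on an outside address, a lookalike sender domain, a Reply-To that diverts responses elsewhere, and urgency language in the body) can be checked mechanically before a message reaches an inbox. The following Python script is an added example written for this page, not code from the article or from any vendor it mentions. The organization's domain (example.com), the protected display names, the urgency word list and the two sample messages are all assumptions constructed for the demonstration; the edit-distance threshold is a heuristic and will produce some false positives on legitimate domains.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organisation's own
# domain and the display names of staff whose identity attackers tend to spoof.
TRUSTED_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "finance team"}
# Pressure phrases typical of the urgency tactic the article describes.
URGENCY = re.compile(r"\b(urgent|immediately|within the hour|wire|gift cards?|act now)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain within two edits of the trusted one (examp1e.com,
    exarnple.com) or one that reuses its first label in another registered
    domain (example.com.evil.net, example-com.net). Heuristic, not exact."""
    d = domain.lower()
    if d == TRUSTED_DOMAIN:
        return False
    if edit_distance(d, TRUSTED_DOMAIN) <= 2:
        return True
    stem = TRUSTED_DOMAIN.split(".")[0]
    return stem in d.replace("-", ".").split(".")


def analyse(raw: str) -> list[str]:
    """Run the four checks over one RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A protected display name paired with an address outside the organisation.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != TRUSTED_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")
    # 2. The sender domain is a near-miss for the real one.
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike domain: {from_domain}")
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")
    # 4. Urgency language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic) for trying the checks.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Hi, I need you to wire $48,000 to the attached account immediately.
Please act now, I'm in a meeting and can't take calls.
"""

CLEAN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 forecast
Content-Type: text/plain; charset="utf-8"

Attached is the forecast we discussed. No rush, next week is fine.
"""

if __name__ == "__main__":
    for label, sample in (("BEC sample", BEC_SAMPLE), ("clean sample", CLEAN_SAMPLE)):
        print(label, "->", analyse(sample) or ["no findings"])
```

Running the script flags all four signals on the constructed BEC message and nothing on the clean one. In production the same checks belong in the mail gateway rather than on the endpoint, and the display-name and lookalike rules should be fed from the directory and the list of domains the organization actually owns rather than from hard-coded constants.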
3. Pretexting
Pretexting doesn't rely on instilling a sense of urgency or fear in users but instead looks to build trust. The attacker may, for example, claim to be from an authority or a trusted IT provider, or even allege a personal connection, to create a scenario in which sharing key information seems reasonable. It can work because if users have only been trained to look out for the more common signs of phishing, they may let their guard down with these types of communication.
4. In-person social engineering
Not all social engineering attempts take place via digital channels. Some of the most effective tactics can involve a face-to-face conversation, which takes advantage of the fact that people may be even less likely to refuse a reasonable-seeming request in person. For example, a common technique is 'tailgating', where an individual attempts to follow an authorized employee into a secure area.
This may be viewed as a physical security matter rather than a technology issue, but if intruders are able to access unsecured workstations or USB ports through these methods, it will quickly become the IT team's problem, so awareness of these risks must be part of any cybersecurity training.
Further reading:
- 2021 Data Protection Report
- Blockchain as a Force for Good
- Malware B-Z: Inside the Threat From Blackhole to ZeroAccess