Today we are unveiling a new blog series titled “Social Engineering Knowhow.”
Over the coming month, this series of articles will explain social engineering and spread awareness of it, because it is a concern for SMEs, SOHOs and enterprises as much as for individuals, families, government and educational institutions.
Instance 1
In 2019, the CEO of a British energy firm received a call from the CEO of his parent company asking for an urgent transfer of €220,000. The deepfaked voice had been crafted in minute detail to deceive the person on the other end and even reproduced the German accent of the parent company’s CEO. Convinced by the voice, the British CEO transferred the requested amount to a Hungarian account belonging to the cyber crooks.
Instance 2
Before the 2016 US Presidential election, Hillary Clinton’s campaign chair, John Podesta, received a spoofed email in his Gmail account. The legitimate-looking email, sent by a Russian-sponsored hacker group, asked him to reset his password. John Podesta gave away his password on the fake page, thinking it was the genuine Gmail login page.
Instance 3
In 2015, Patricia Reilly, an employee of Pebbles Media, received a series of emails purportedly from the Managing Director asking for quick fund transfers. Following the instructions, Ms. Reilly transferred sums totalling £193,250 across multiple transactions. Unfortunately, the emails she received were from cyber thugs. The company recovered a portion of the money from the bank and sued Ms. Reilly for the rest.
Instance 4
In 2011, cyber thugs emailed an MS Excel spreadsheet to two employees of RSA, the American computer and network security company. Once the file was opened, the macro inside the spreadsheet installed a backdoor on their systems. The total cost of the breach was later measured at a massive $66 million.
All four of these real-life attacks, spread over a decade, have one thing in common: the cybercriminals used convincing social engineering tricks, in different forms, to dupe their victims. And most of the time, such nefariously brilliant tricks involve multiple stages.
The stages are: preparing the ground by gathering information on the victim, selecting the mode of attack, engaging the target, expanding the foothold, executing malware, and covering tracks by removing any digital footprint from the victims’ devices.
A real-life social engineering attack is complex and sophisticated, and it manipulates the weakest link in the chain: humans. Notably, every social engineering method focuses on exploiting human psychology to achieve its goal.
The Deep Inside
According to several psychologists, the threat actor banks on four key human emotions, fear, greed, desire and curiosity, to hunt victims. With social engineering tricks, the adversaries trigger raw human emotion, backed by the best available technology, so that the victim’s capacity for logical thought shuts down.
To understand what goes on in the victim’s mind, we have to look deep inside the human brain. With each social engineering trick, the threat actors manage to trigger the amygdala, an almond-shaped cluster of neurons inside the brain’s medial temporal lobe.
The amygdala is responsible for our perception of extreme emotions such as anger, fear, greed, and many more.
When the victim encounters a finely crafted social engineering trick, the amygdala takes over; most of the time it overrides the regions of the brain responsible for rational thought, leaving us to make decisions based on emotion alone.
Types of Social Engineering
Social engineering is a vast pool of trickery methods, each designed with human emotion in mind. The most popular techniques, used to engineer cyber-attacks both massive and small, are Phishing, Vishing, Smishing, Spear phishing, Pharming, Baiting, Pretexting and Scareware.
Social Engineering 101
We will discuss each type of attack with examples in upcoming blogs. For now, here is a handful of takeaways to keep SOHOs and SMEs safe from social engineering attacks.
- In nine out of ten social engineering attacks, employees without proper cybersecurity awareness end up as the victims. Hence every SME or SOHO should factor in the severity of the threat and educate its employees to be wary of such attacks.
- Embracing multi-layered security is the right approach to mitigating such attacks, and K7 Business Security offers you just that. Multi-layered security consists of nested levels of security measures which effectively detect and quarantine the infected part of a network or machine to keep the rest of the system safe.
- Make sure your security software comes with a dedicated firewall and gateway security. The K7 Business Security suite comes with a smart firewall that is capable of detecting and hunting down incoming threats.
- Phishing is the most common form of social engineering used to dupe targets. Securing business email accounts is therefore another must-have. Make sure your security software offers real-time phishing protection to filter out most such mendacious emails.
- Impersonating popular websites is one of the most common ways of launching social engineering attacks. To protect against them, your business should also adopt a solution that detects spoofed versions of popular websites.
- Encourage your employees to use multi-factor authentication whenever available.
- Double-check the authenticity of any finance-related phone calls, emails, and messages before taking any action.
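To make the points about phishing emails and spoofed websites concrete, here is an added example (not K7’s code, nor part of the original post) of the kind of lookalike-domain check a mail or web filter performs on the sender address and every link before a finance-related email is trusted. The trusted-domain list, the confusable-character tables, the sample messages and the function names are all constructed for this example; a production filter would use the Public Suffix List for the registrable domain and a far larger confusables table.

```python
"""Lookalike-domain check for inbound email (constructed example, not K7 code)."""
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains a small business actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "k7computing.com", "gmail.com"}

# Characters and pairs that visually imitate a letter, folded before comparison.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "|": "l"}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label: str) -> str:
    """Fold look-alike characters so 'paypa1' -> 'paypal' and 'rnicrosoft' -> 'microsoft'."""
    out = label.lower()
    for seq, rep in CONFUSABLE_PAIRS.items():
        out = out.replace(seq, rep)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), used to catch single typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    labels = host.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # naive: assumes a single-label suffix like .com
    if registrable in TRUSTED_DOMAINS:
        return "trusted", registrable
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # 1. Brand used as a subdomain of an unrelated domain: paypal.com.verify.example
        if brand in labels[:-2]:
            return "lookalike", f"{brand} appears as a subdomain of {registrable}"
        # 2. Homoglyph or wrong-TLD copy: paypa1.com, rnicrosoft.com, paypal.co
        if normalize(reg_label) == normalize(brand):
            return "lookalike", f"{registrable} imitates {trusted}"
        # 3. One-character typo of a longer brand: paypai.com, microsofft.com
        if len(brand) >= 6 and edit_distance(normalize(reg_label), brand) == 1:
            return "lookalike", f"{registrable} is one edit away from {trusted}"
        # 4. Brand embedded in a longer label: secure-paypal-login.example
        if brand in reg_label:
            return "lookalike", f"{registrable} embeds the brand name from {trusted}"
    return "unknown", registrable


def scan_message(sender: str, body: str) -> list[tuple[str, str, str, str]]:
    """Check the sender's domain and every link in the body; return one finding per host."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].strip(">")
    verdict, reason = classify_host(sender_domain)
    findings.append(("sender", sender_domain, verdict, reason))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, reason = classify_host(host)
        findings.append(("link", host, verdict, reason))
    return findings


def lookalikes(findings: list[tuple[str, str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Keep only the findings that warrant holding the message for verification."""
    return [f for f in findings if f[2] == "lookalike"]


# Constructed sample messages: one genuine statement notice, two impersonation attempts.
SAMPLE_MESSAGES = [
    ("security@paypal.com", "Your statement is ready at https://www.paypal.com/myaccount"),
    ("support@paypa1.com", "Verify now: https://paypal.com.account-verify.example/login"),
    ("it-helpdesk@rnicrosoft.com", "Reset here: https://login.microsoft.com.example/reset"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        for kind, host, verdict, reason in scan_message(sender, body):
            print(f"{sender:28} {kind:6} {host:36} {verdict:9} {reason}")
```

Both the sender domain and every link are checked because the two are routinely mismatched in a phishing email: a spoofed display name over a lookalike sender, or a genuine-looking sender with a link pointing at a cloned site. A "lookalike" verdict is exactly the signal that should trigger the last takeaway above, verifying the request through a known phone number or an address typed by hand rather than by replying or clicking.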
In the next article, we will look at phishing and how to avoid becoming a victim.