Defending against social engineering attacks

A guide to protecting your business

Over time, as cybersecurity solutions have become more effective, low-effort, high-volume cyberattacks are no longer successful for bad actors. In 2021, Microsoft was able to block over 9.6 billion malware threats and more than 35.7 billion phishing emails.

This increase in effectiveness is in part due to the advancements in AI technology used within modern cybersecurity solutions. This allows them to stop zero-day exploits and reduce the chance of businesses falling victim to a variety of attacks.

However, as these low-effort attacks are no longer viable for cybercriminals, some have shifted their focus away from targeting technology to hacking humans. These are known as social engineering attacks.

In this blog, we will explore some key social engineering tactics, find out what is at risk if your business falls victim to one of these attacks, and what steps you can take to reduce your cyber risk.

What is Social Engineering?

Social engineering attacks are a broad category of cyberattacks that include some form of psychological manipulation to trick employees into sharing confidential or sensitive information. These attacks rely on human interaction and can be conducted via email, phone call, SMS, instant messaging or in-person communication.

Whilst a well-crafted social engineering attack does take time and expertise, they are a common method for cybercriminals, as it is easier to exploit vulnerabilities within humans than in software. For example, it is much easier to trick an employee into sharing their password, rather than brute forcing a password. Did you know that an 8-character password has over six quadrillion possible combinations?

Social Engineering Tactics

The first stage of any social engineering attack is investigation. In order to craft an attack, the bad actor needs to have an understanding of the target organisation and employee. This stage is also known as open-source intelligence (OSINT) gathering, as the collection of data is gathered from publicly available sources. Some of these sources include public social media accounts, Google Maps images of office spaces, company websites and viewing EXIF data from images.

Once the bad actor has researched their target, the next stage begins, the hook. This is when the cybercriminal engages the target and starts manipulating them into forming a relationship or trusting them. A common method to develop this trust is reciprocity, whereby the bad actor gives the target some information or does a favour for them, knowing that in the future the victim will be more likely to reciprocate and share sensitive information.

Once the cybercriminal has been able to expand their foothold, they can execute the attack. This may include a phishing attack, credential theft, planting of malware or physically entering an office space. Depending on how effective the investigation and hook were, the target may not even realise they are under attack.

If this is the case, the final stage is to exit. This is where the cybercriminal removes traces of malware, covers their tracks and ends their relationship with the target individual.

Real World Examples

To illustrate the potential fallout from a social engineering attack, and some of the common forms of attack, we have 3 recent examples.

DoL Brand Impersonation

In late 2021, email security provider INKY detected several phishing emails that were impersonating the United States Department of Labor (DoL). The phishing emails targeted stakeholders, asking them to submit a bid for a government project.

In order to ‘submit the bid’ they had to open the attached PDF and click the ‘BID’ button. This took the victim to a malicious website, with the same HTML and CSS as the real DoL website. From here, they were prompted to log in with their Microsoft 365 credentials, and upon submission, the hacker was able to harvest all the credentials, without the victim even knowing.

Source: INKY

AI-Based Vishing Targeting UK Energy Firm

In 2019, the CEO of an unnamed UK-based energy firm was contacted by who they thought was their boss, demanding a €220,000 bank transfer to a Hungarian supplier. The call did not raise suspicion for the CEO, as the person on the other end of the phone had the same accent and intonation as his German boss. However, this was not the case, as it is believed that the voice on the other end of the phone was an AI-based voice generation software.

The attack was successful, and the money was transferred to a fraudulent account. This is a prime example of a novel social engineering attack, as it was only successful as the attacker had previously researched the victim, and crafted the attack to manipulate the CEO.

Business Email Compromise Costing Facebook and Google $100 Million

A few years ago, a Lithuanian man crafted the largest social engineering attack of all time. He created a fraudulent company, pretending to be a computer manufacturer working with Google and Facebook. He then targeted specific individuals within those two companies, invoicing them for goods and services that a real manufacturer had provided.

Over 2 years, the man was able to fraudulently obtain over $100 million from Facebook and Google and was only caught 2 years after the attack.

How to Protect Your Business

It can be difficult to protect your business against complex social engineering attacks, especially as security solutions cannot supply 100% protection against many of the tactics used in these attacks.

With phishing emails being the most common form of social engineering attack, businesses should look for a holistic email security solution. This will block potential phishing emails, protect against malicious URLs, perform file analysis on attachments, and enable DMARC.

However, email security and phishing prevention will not stop vishing attacks, in-person attacks, or phishing attacks not carried out via corporate email. In order to safeguard against these attacks, businesses need to have a strong cybersecurity education and awareness training program. This will ensure that employees are aware of common social engineer attack methods, and how to detect and report them.

Finally, it goes without saying that all businesses should have multifactor authentication enabled. This simple control can stop 99.9% of account compromise attacks and does not take long to enable. With MFA, even if an employee shares their password with a bad actor, they will not be able to log in without the additional authentication method.

What solutions can we provide for you?

For businesses without security expertise, social engineering attacks can be difficult to protect against. Especially if your business does not already have a comprehensive cybersecurity awareness training program.

If you are concerned about your organisation’s security posture, contact Dunedin IT today and we can help ensure you’re doing everything you can to reduce your overall cyber risk.