If you’re a systems administrator, you may think your daily task list involves installing security tools, configuring them to protect against the latest threats, patching servers and endpoints, and reimaging systems when they get a virus. It’s not a simple job, but it’s straightforward.
If you’re doing all that, however, you’re still only doing half your job.
Some of the most effective cyber attacks aren’t targeted at hardware or software – they’re targeted at people. Social engineering attacks often involve no more than a telephone or email address.
And because humans are more capable of making mistakes than software such as antivirus programs, these kinds of attacks are common. We’ll show you how you can protect against them in the future.
What is a Social Engineering Attack?
Social engineering is a form of manipulation in which attackers imitate a trusted source to convince people to perform certain tasks, such as granting access to a computer or account, or disclosing confidential information such as passwords.
It works like this: First, an attacker will call or email a support desk and impersonate their target. They’ll say that they’ve forgotten their password, and they’ll usually concoct a believable story around this.
They’ll convince a customer service representative to change the target’s registered email address to an address belonging to the attacker, and then have a password reset token sent to that address. With that, the attacker will have complete access to the target’s account.
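The takeover sequence above leaves a recognisable trail in account logs: a support-initiated change of the registered e-mail address followed shortly by a password reset sent to the new address. The following detection logic is an added example, not from the original article; the log format, field names and sample events are constructed for it.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (the key=value format and field names are assumptions
# for this example, not a real product's log): bob's registered address is changed
# by the help desk and a reset link goes to the new address minutes later.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z user=alice event=email_changed new=alice@corp.example actor=alice channel=self_service
2024-03-01T10:15:03Z user=bob event=email_changed new=inbox-7f3a@attacker.example actor=helpdesk-ticket-4471 channel=support
2024-03-01T10:17:40Z user=bob event=password_reset_sent to=inbox-7f3a@attacker.example
2024-03-01T10:18:55Z user=bob event=login ip=198.51.100.23
2024-03-01T11:02:00Z user=carol event=email_changed new=carol.new@corp.example actor=helpdesk-ticket-4480 channel=support
2024-03-01T16:30:00Z user=carol event=password_reset_sent to=carol.new@corp.example
"""

def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    event.update(f.split("=", 1) for f in fields)
    return event

def find_takeovers(log: str, window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Return users whose support-initiated e-mail change was followed, within
    `window`, by a password reset sent to the new address."""
    pending = {}   # user -> (time the address was changed, new address)
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["event"] == "email_changed" and ev.get("channel") == "support":
            pending[user] = (ev["ts"], ev["new"])
        elif ev["event"] == "password_reset_sent" and user in pending:
            changed_at, new_addr = pending.pop(user)
            if ev["to"] == new_addr and ev["ts"] - changed_at <= window:
                flagged.append(user)
    return flagged

if __name__ == "__main__":
    print(find_takeovers(SAMPLE_LOG))  # ['bob']
```

Carol's change is also support-initiated, but her reset arrives hours later, so the default 30-minute window treats it as routine; widening the window trades that quiet for more alerts.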
How Common are Social Engineering Attacks?
Social engineering attacks work well and require no special skills. The technology known as VoIP (Voice over Internet Protocol) spoofing allows the attacker to make their call appear to come from the target’s phone – this technology is widely available and also requires no expertise.
As such, it’s no surprise that the prevalence of these attacks is very high and increasing all the time. In 2017, 76 percent of information security professionals were targeted by social engineering attacks via phone or email, with email being the primary vector. In 2018, that figure jumped to 83 percent.
Famous Examples of Social Engineering
The rise in social engineering and email phishing attacks has led to a rise in high-profile incidents, with victims including:
- Asset Managers
The world’s largest asset manager fell victim to an attack by an environmental activist that fooled both The Financial Times and Consumer News and Business Channel (CNBC).
Hackers sent out an extremely convincing fake press release saying that the firm was pivoting to an environmentalist portfolio, causing a brief furor.
- Cryptocurrency Users
Users of the cryptocurrency Ethereum received phishing attacks disguised as fake error messages. These took the form of an email that prompted users to install a patch.
Instead, the enclosed link led them to a compromised version of the wallet software that let attackers harvest their digital funds.
- Intelligence Agencies
Back in 2015, a teenage hacker was able to call Verizon, find personal information belonging to John Brennan – then-director of the CIA – and steal access to his AOL email address. This address happened to contain sensitive information, including details from the director’s application for a security clearance.
The hacker was even able to briefly speak with director Brennan on the phone. It took over two years before the attacker was found and arrested.
These incidents show how easy it is to wreak havoc using the simplest tools imaginable. Hackers can steal money, fool the media, and trick secrets out of the most powerful individuals on Earth using little more than a phone and an email address.
How to Recognize Social Engineering Attacks
Be very wary of any unsolicited advice or help, particularly if it requires action from you, such as clicking on a link or downloading a file. Any request for passwords or personal information is very likely a social engineering attack.
Take caution if you receive a call from anyone claiming to be tech support, or if you get an unscheduled ‘inspection’. Tech support staff are busy enough that they’re unlikely to go looking for new problems, and inspection visits are likely attempts to install software such as keyloggers on your computers.
Stay away from anything that creates a false sense of urgency; attackers use this to stop you from using your better judgment. Be equally wary of sob stories and other forms of psychological manipulation.
Always cross-reference and double-check. If you receive a suspicious email, phone call or anything else asking you to disclose information or perform a task, verify that it is legitimate before taking action.
How to Protect Against Social Engineering Attacks
There are two ways to defend against social engineering attacks.
1. First of all, there’s technology. A solution known as DMARC (Domain-based Message Authentication, Reporting & Conformance) is designed to detect and quarantine emails that are spoofed, meaning that the address the recipient sees isn’t the address that actually sent the email. Although this technology protects a brand’s customers by ensuring that its emails can’t be used to do harm, adoption rates are very low – under 50 percent across all industries.
2. Secondly, there’s policy – in this case, we mean security awareness training. Security administrators train their workers by testing them against examples of faked emails. The goal is to make employees able to tell the difference between a fake and a genuine email.
Security awareness training is more than moderately effective – open rates of phishing emails decrease by 75 percent after security awareness training – but attackers still only need to fool one person to cause a breach.
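To make the DMARC point in item 1 concrete, here is a simplified evaluation of a DMARC policy against a message whose visible From: domain is not the domain that actually sent it. This is an added example, not code from the article or from any DMARC implementation; it assumes the DMARC TXT record and the SPF/DKIM results are supplied directly (no DNS lookups), honours only the p=, aspf= and adkim= tags, and approximates the organizational domain as the last two labels.

```python
from dataclasses import dataclass
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification (assumed here): the last two labels are the organizational domain.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict alignment ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str             # domain in the visible From: header
    spf_domain: Optional[str]    # domain that passed SPF (MAIL FROM), or None
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified, or None

def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass' or the sender's requested policy (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"      # at least one authenticated identifier aligns: deliver
    return tags["p"]       # spoofed From: -> whatever the brand's policy asks for

# Constructed samples: the attacker's server passes SPF for its own domain but
# forges the brand in From: and cannot DKIM-sign as the brand.
SPOOFED = AuthResults("brand.example", "attacker.example", None)
LEGIT = AuthResults("brand.example", "mail.brand.example", "brand.example")

if __name__ == "__main__":
    print(dmarc_disposition("v=DMARC1; p=none", SPOOFED))        # none: monitor only
    print(dmarc_disposition("v=DMARC1; p=quarantine", SPOOFED))  # quarantine
```

A brand that publishes p=none has DMARC "deployed" yet the spoofed message is still delivered; only p=quarantine or p=reject turns the alignment failure into protection for recipients.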
How to Remove Social Engineering
Since social engineering isn’t a physical piece of hardware or software but a technique, you cannot actually remove it. Your best bet is to try to avoid falling victim in the first place by being aware of possible scams and attacks and always double-checking.
If you have fallen victim to a social engineering attack, the best course of action is to install a powerful antivirus on your computer to remove any threats that attackers may have left there, such as malware. These malicious files may be lurking in the background waiting to log your keystrokes and steal your personal information.
We also recommend changing all of your passwords – using a decent antivirus with a password manager is a great way to do this.
The Last Word
At the end of the day, awareness, the right training and a prompt response are the best defense against phishing and social engineering attacks.
While a determined attacker has a very good chance of fooling employees with fake emails or spoofed phone calls, good administrators will still be able to detect account takeovers when they occur. And although it may be easy for attackers to steal user accounts, it’s still possible to limit the extent of the damage they can cause.