If you’re a systems administrator, you may think of security as the task of installing security tools, configuring them against the latest threats, patching servers and endpoints, and re-imaging systems when they pick up malware. It’s not a simple job, but its parameters are at least straightforward.
If you’re doing all that, however, you’re still doing only half your job. Some of the most effective cyberattacks you’ll ever encounter aren’t targeted at hardware or software – they’re targeted at people. Social engineering attacks often involve no more than a telephone or an email account.
A typical account-takeover attack goes like this: First, the attacker calls or emails a support desk and impersonates their target. They say they’ve forgotten their password, usually wrapped in a believable story. With that story they convince a customer service representative to change the target’s registered email address to one the attacker controls, and then ask for a password reset token to be sent to the new address. With that, the attacker owns the target’s account. The weak link is a support process that lets an agent change the recovery address on the strength of a story alone, with no confirmation through the address already on file and no delay before a reset can follow.
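The flow above, as an added example that is not part of the original article: a toy account-recovery service with the weak support-desk process beside a hardened one in which an email change must be confirmed from the old mailbox and resets are held for a cooling-off period after any confirmed change. The class and field names, the 24-hour hold, the in-memory account and the addresses are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for illustration: no password resets for a day after a contact change.
RESET_HOLD_SECONDS = 24 * 3600


@dataclass
class Account:
    username: str
    email: str
    pending_email: Optional[str] = None  # new address awaiting confirmation
    pending_token: Optional[str] = None  # token mailed to the OLD address
    contact_changed_at: float = 0.0      # epoch seconds of the last confirmed change


class WeakSupportDesk:
    """The process the attack relies on: an agent, convinced by a story,
    swaps the email on file and a reset token goes straight to the new address."""

    def __init__(self, account: Account):
        self.account = account

    def change_email(self, new_email: str) -> Tuple[str, Optional[str]]:
        self.account.email = new_email        # no confirmation, no cooling-off
        return ("changed", new_email)

    def send_reset(self, now: float) -> Tuple[str, Optional[str]]:
        return ("reset", self.account.email)  # (message kind, destination)


class HardenedSupportDesk:
    """Same calls, but a change must be confirmed from the old mailbox and
    resets are held for a cooling-off period after any confirmed change."""

    def __init__(self, account: Account):
        self.account = account

    def change_email(self, new_email: str) -> Tuple[str, Optional[str]]:
        acct = self.account
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        # Confirmation goes to the address already on file, which the caller
        # cannot read unless they already control the victim's mailbox.
        return ("confirm_change", acct.email)

    def confirm_email_change(self, token: str, now: float) -> bool:
        acct = self.account
        if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
            return False
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        acct.contact_changed_at = now
        return True

    def send_reset(self, now: float) -> Tuple[str, Optional[str]]:
        if now - self.account.contact_changed_at < RESET_HOLD_SECONDS:
            # Hold it: the agent must fall back to a stronger identity check
            # rather than mailing a token to a freshly changed address.
            return ("held", None)
        return ("reset", self.account.email)


def run_attack(desk_cls) -> Tuple[str, Optional[str]]:
    """Replay the call described above against either desk: the caller has
    the email changed, then asks for a reset. Returns (kind, destination)
    of the reset message, i.e. who ends up holding the token."""
    victim = Account(username="target", email="target@mail.example")  # constructed
    desk = desk_cls(victim)
    now = time.time()
    desk.change_email("attacker@evil.example")
    if isinstance(desk, HardenedSupportDesk):
        # The confirmation token went to target@mail.example; a guess fails
        # and the address on file stays unchanged.
        desk.confirm_email_change(secrets.token_urlsafe(16), now)
    return desk.send_reset(now)


if __name__ == "__main__":
    print("weak desk     ->", run_attack(WeakSupportDesk))
    print("hardened desk ->", run_attack(HardenedSupportDesk))
```

Against the weak desk the reset token lands in the attacker’s mailbox; against the hardened desk it still goes to the victim’s original address, and even a legitimately confirmed change leaves resets held until the cooling-off period has passed.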
What’s your exposure to social engineering attacks?
Social engineering attacks work reliably and require no special programming skills. Caller ID spoofing, readily available through VoIP services and equally undemanding, lets the attacker make a call appear to come from the target’s own phone number. So it’s no surprise that the prevalence of these attacks is high and increasing. In 2017, 76% of information security professionals detected social engineering attacks via phone or email, with email being the primary vector. In 2018, that figure jumped to 83%.
This rise in social engineering and email phishing attacks has led to a corresponding rise in high-profile incidents, with victims including:
- Financial firms: The world’s largest asset manager was the victim of an attack by an environmental activist that fooled both The Financial Times and CNBC. The activist sent out an extremely convincing fake press release saying that the firm was pivoting to an environmentalist portfolio, causing a brief furor.
- Cryptocurrency users: Users of digital wallets for the cryptocurrency Ethereum received phishing emails disguised as error messages prompting them to install a patch. The enclosed link instead led to a malicious copy of the wallet software that let the attackers drain their funds.
- Intelligence agencies: Back in 2015, a teenaged hacker was able to call Verizon, obtain personal information belonging to John Brennan, then-director of the CIA, and gain access to his personal AOL email account. That account held sensitive information, including details from the director’s application for a security clearance. The hacker was even able to briefly speak with Director Brennan on the phone. It took over two years before the attacker was sentenced.
These incidents show how easy it is to wreak havoc using the simplest tools imaginable. Hackers can steal money, fool the media, and trick secrets out of the most powerful individuals on Earth using little more than a phone and an email address.
Defending yourself against social engineering attacks
There are two preventive measures against social engineering attacks, and a third line of defence for when prevention fails.
First of all, there’s technology. DMARC (Domain-based Message Authentication, Reporting & Conformance) lets a domain owner publish a policy telling receiving mail servers what to do with messages whose visible From: address claims the domain but is not backed by an aligned SPF or DKIM pass: deliver and report, quarantine, or reject. That is what catches spoofed mail, where the address the recipient sees isn’t the one that actually sent the message. The protection has two limits a practitioner should keep in mind: it covers only domains that publish an enforcing policy, and it does nothing against lookalike domains or mail sent from a genuinely compromised account. Although DMARC protects a brand’s customers by ensuring its domain can’t be used against them, adoption remains low, under 50% across all industries.
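The receiving side of DMARC, as an added example that is not from the original article: a minimal evaluator in the spirit of RFC 7489 that takes the domain in the visible From: header, the SPF and DKIM results with the domains they authenticated, and the domain’s published DMARC record, and returns the disposition a receiving mail server would apply. Two simplifications are assumptions: the organizational domain is taken as the last two labels (real receivers consult the Public Suffix List), and pct= sampling is not applied. The records and domains used are constructed sample data, not any real domain’s.

```python
from typing import Dict, Optional

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict and validate the policy tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a valid DMARC record: %r" % txt)
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= value in %r" % txt)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels stand in for the PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain of the From: domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, record: str,
                      spf_result: str = "none", spf_domain: Optional[str] = None,
                      dkim_result: str = "none", dkim_domain: Optional[str] = None) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is the
    d= of a signature that verified. Either one passing AND aligning is enough."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Mail whose From: is a subdomain falls under sp= when the record carries one.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy  # 'none' means deliver and only report it to rua=


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@bank.example"  # constructed
    # The classic spoof: the attacker's own bounce domain passes SPF, but it is
    # not aligned with the From: domain the recipient sees, so the policy applies.
    print(dmarc_disposition("bank.example", rec, spf_result="pass", spf_domain="attacker.example"))
```

The spoof case is the one worth internalising: SPF alone passes, because the attacker’s own sending domain is legitimately authorised to send its own bounces; it is the alignment requirement that turns that into a reject.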
In addition to technology, there’s policy, in this case security awareness training. Here, security administrators train their staff by testing them against sample phishing emails, with the goal of making employees able to tell a fake from the genuine article. Security awareness training is reasonably effective, open rates of phishing emails fall by 75% after it, but an attacker still needs to fool only one person to cause a breach.
At the end of the day, harm reduction and prompt incident response are going to do the most good against phishing and social engineering attacks. A determined attacker has a very good chance of fooling an employee with a fake email or a spoofed phone call, but good administrators can still detect account takeovers when they occur, for instance by watching for a recovery-address change followed closely by a password reset and a login from an unfamiliar location. Although it may be easy for attackers to steal user accounts, it’s still possible to limit the damage they can do with one, by requiring fresh authentication for sensitive actions and keeping each account’s privileges to the minimum its owner needs.
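The detection described above, as an added example that is not part of the original article: a small routine run over constructed sample audit-log lines that flags a user when a support-desk email change is followed, within a short window, by a password reset and a login from an IP address never seen for that user before the change. The JSON log format, the event and field names, the one-hour window and all users and addresses are assumptions, not any product’s schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(hours=1)  # assumption: how long after a change the sequence counts

# Constructed sample log. alice matches the takeover pattern; bob's change is
# legitimate (his later login comes from an IP already on file); carol's
# reset is never followed by an unfamiliar login.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "event": "login", "user": "alice", "ip": "203.0.113.10"}
{"ts": "2024-05-01T08:05:00Z", "event": "login", "user": "bob", "ip": "203.0.113.50"}
{"ts": "2024-05-01T09:30:00Z", "event": "support_email_change", "user": "alice", "actor": "agent42", "new_email": "alice.recovery@mail.example"}
{"ts": "2024-05-01T09:33:00Z", "event": "password_reset", "user": "alice"}
{"ts": "2024-05-01T09:35:00Z", "event": "login", "user": "alice", "ip": "198.51.100.77"}
{"ts": "2024-05-01T10:00:00Z", "event": "support_email_change", "user": "bob", "actor": "agent42", "new_email": "bob@corp.example"}
{"ts": "2024-05-01T10:10:00Z", "event": "password_reset", "user": "bob"}
{"ts": "2024-05-01T10:20:00Z", "event": "login", "user": "bob", "ip": "203.0.113.50"}
{"ts": "2024-05-01T11:00:00Z", "event": "support_email_change", "user": "carol", "actor": "agent7", "new_email": "carol@mail.example"}
{"ts": "2024-05-01T11:05:00Z", "event": "password_reset", "user": "carol"}
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_takeovers(log_text: str) -> List[Dict]:
    """Single pass over time-ordered JSON lines; returns one alert per user
    whose change -> reset -> new-IP login sequence completed inside WINDOW."""
    known_ips = defaultdict(set)   # user -> IPs seen in logins so far
    pending: Dict[str, Dict] = {}  # user -> open window since a support change
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, kind = parse_ts(ev["ts"]), ev["user"], ev["event"]
        state = pending.get(user)
        if state and ts - state["changed_at"] > WINDOW:
            pending.pop(user)  # sequence did not complete in time; drop it
            state = None
        if kind == "support_email_change":
            pending[user] = {"changed_at": ts, "actor": ev["actor"],
                             "new_email": ev["new_email"], "reset": False}
        elif kind == "password_reset" and state:
            state["reset"] = True
        elif kind == "login":
            ip = ev["ip"]
            if state and state["reset"] and ip not in known_ips[user]:
                alerts.append({
                    "user": user,
                    "actor": state["actor"],          # the agent who made the change
                    "new_email": state["new_email"],  # address that received the token
                    "login_ip": ip,
                    "changed_at": state["changed_at"].isoformat(),
                    "login_at": ts.isoformat(),
                })
                pending.pop(user)
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE_LOG):
        print(json.dumps(alert))
```

The alert carries the agent who made the change and the address that received the token, which is exactly what the responder needs: revoke the new sessions, restore the old recovery address, and review that agent’s other recent changes for the same pattern.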