Up to 90% of all cyberattacks use social engineering as a tactic.
- Social engineering’s role as an enabler, foundation, or forerunner of more sophisticated hacks is largely underestimated.
- Up to 90% of all cyberattacks are social engineering-based, according to hackers.
- Social engineering works because it takes advantage of people’s inclinations to obey, fear, or trust authority figures. Social engineering was the root cause of two of the largest cyberattacks in 2023.
Social engineering remains one of the most difficult problems for companies to solve, if the recent hacks of MGM and Caesars are any guide. It is important to safeguard IT infrastructure with the most current tools available in order to counter the tactics, techniques, and procedures (TTPs) newly adopted by cybercriminals.
People are still cyber security’s weakest (or most vulnerable) link. In its 2023 Data Breach Investigations Report, Verizon stated that human error was to blame for 74% of all incidents. Verizon reviewed 16,312 security incidents, of which 5,199 led to data breaches. Social engineering was the cause of 10% of security incidents and 17% of data breaches.
The problem is primarily psychological rather than technological, as one might expect. So let’s review once more the fundamentals of what social engineering is, given humans’ persistent inability to resist it.
What Is Social Engineering?
Social engineering is the practice of exploiting someone’s trust through deception and psychological manipulation in order to trick them into opening a harmful attachment or link (phishing) or divulging login credentials. To put it another way, the effectiveness of social engineering primarily hinges on how weak the “Human Firewall” is.
Since the invention of computers, social engineering attacks have been the most successful attack type, and this trend doesn’t appear to be changing anytime soon, according to Roger Grimes, data-driven defense advocate at KnowBe4. Social engineering attacks can bypass the majority of technological protections, are compatible with all systems and languages, and typically let the attacker breach the perimeter as if the technical defense never existed.
Types of social engineering attacks:
Why Is the Success Rate of Social Engineering So High?
According to Grimes, social engineering’s role as an enabler, foundation, or forerunner of more sophisticated hacks is largely underestimated. 50% to 90% of attacks use social engineering, while not a single corporation invests even 5% in countering it. The success of hackers and their software creations can be attributed to this basic imbalance, according to Grimes.
Social engineering works because it takes advantage of human characteristics, or weaknesses, such as trust, fear, deference to authority, FOMO (fear of missing out), and reciprocity.
Social engineering takes “almost no technical skills- practically anyone can initiate a social engineering attack,” according to Cary co-founder Dror Liwer. The “reward is relatively large, as it’s a con game and the stakes can be very high,” he continued.
For example, in September, Scattered Spider gained access to MGM by impersonating an employee they had found on LinkedIn and phishing a customer support representative for login credentials over the phone.
The disastrous consequences amounted to losses of $100 million, as disclosed in an 8-K filing to the Securities and Exchange Commission (SEC). That figure does not include a ransom, because MGM chose not to pay the threat actors.
Across a number of its facilities, the attack also disrupted the operation of thousands of rooms, ATMs, gambling machines, restaurants, websites, and more. Additionally, it compromised customers’ personally identifiable information collected before March 2019, including names, contact information, gender, date of birth, and driver’s license numbers.
But social engineering has drawbacks for the attacker as well. Being a highly targeted attack, it requires a high level of customization and focused intelligence; unlike a “spray and pray” bulk phishing campaign, both need time and work, according to Liwer. Even if the success rate is not high, the payout is comparatively higher than typical.
Hidden Purpose of Social Engineering Attacks
Threat actors use social engineering to compromise business and individual systems primarily, and most significantly, for financial gain. Caesars, for example, which suffered its own breach after MGM in September 2023, paid about half of the $30 million ransom that was demanded of it.
“Although precise figures are unavailable, it is believed that financial incentives play a role in more than 90% of cyberattacks. Nothing compares,” remarked Grimes.
Even if not every cyberattack is as profitable as the one on Caesars, most cybercriminals can still make good money from a take of a few thousand dollars. Grimes went on to say that hacktivism, nation-state attacks, insider attacks, gaming, corporate espionage, hobbyism, and adware are some further reasons why people engage in social engineering.
List Of Tools Used in Social Engineering
Social engineering is not limited by the constraints of technical-driven attacks and can be quite dynamic. Threat actors with strong interpersonal skills can use this to their advantage to socially engineer their way into places they have no business being.
The chief tools are phishing kits, delivered by email, and the human mind itself. According to Grimes, phishing kits give an attacker the ability to launch a phishing campaign, disseminate malware, infect machines, and oversee the whole process.
Beyond that, threat actors use specific technologies to expand their search and gather as much information as they can about their likely targets. Email is typically the primary point of entry, but before an attack the attacker would typically conduct extensive research using publicly accessible information from social network websites, government registrations, news sources, and other sources, according to Liwer.
Everyone who works for the company, from regular employees to senior C-suite executives, is in danger. “We have witnessed social engineering attacks on everyone,” according to Liwer, “from lower level employees receiving an email from ‘their HR department’ requesting them to confirm the details of their bank accounts for payroll purposes, to CFOs being duped into diverting funds.”
Grimes went on to say that an infiltration at any level, even the top, might result in the company’s collapse.
Steps to Counter the Threat of Social Engineering
Experts agree that eliminating social engineering is unlikely, since the highly subjective human mind serves as the first line of defense against it. Users can, however, teach themselves to spot the signs of this widespread attack technique.
Users need to be alert at all times to the warning signals, which include appeals to fear, curiosity, anger, or any other emotion. Instilling a sense of urgency is likewise a warning sign. A classic example of a social engineering phishing attempt is an email that asks recipients to promptly renew their antivirus subscription in order to avoid becoming the target of a cyberattack.
Natural disasters, economic hardship, sporting events, holidays, and political and healthcare crises are just a few of the situations that attackers can use to trick their targets into doing something they shouldn’t.
Unsolicited communication is another crucial component of social engineering. This includes any kind of email, phone call, SMS, or other correspondence that asks for financial or personal information.
Grimes emphasized that most institutions fail to provide sufficient education. “To defeat it, employ the most effective defense-in-depth mix of technical defenses, policy, and education,” Grimes stated, adding that, of the three mitigations, most businesses do not adequately train their staff on identifying, mitigating, and properly reporting social engineering.
Most businesses provide their staff with a yearly social engineering awareness training. That is far from sufficient. To help educate their staff, we advise firms to conduct simulated phishing tests and training on a monthly basis.
Liwer stressed the importance of establishing trust by having correspondents confirm that they are who they say they are. “Verifying requests through a trusted method should be part of any organization’s DNA, as the majority of social engineering attacks have financial motivations,” Liwer stated.
Call your trusted HR contact to find out whether an information request from HR is legitimate. If a vendor wants you to change their payment account details, give the vendor a call and find out why. Social engineering is a con game, the oldest game there is. It has always existed; only the medium differs. The sole way to avert a scam is to trust but verify.
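The warning signs described earlier (urgency, emotional appeals, unsolicited requests for financial or personal information) and the trusted-channel verification just described can be combined into a simple triage check that a help desk or mail-security team could run over reported messages. The Python below is an added example written for this page; it is not code from the article or from the vendors quoted in it. The trusted directory, the phrase lists, the scores and threshold, and the two sample messages are all constructed for illustration; the key design point is that call-back details are always taken from the directory, never from the message being checked.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed trusted directory (hypothetical): the ONLY source of contact details
# used for call-back verification. In a real deployment this would be populated
# from the HR system or vendor master data, never from an incoming message.
TRUSTED_DIRECTORY = {
    "hr": {"domain": "example.com", "phone": "+1-555-0100"},
    "acme supplies": {"domain": "acme-supplies.example", "phone": "+1-555-0199"},
}

# Crude substring indicators of the warning signs described in the article.
# Fixed phrase lists are deliberately simple; a production filter would use
# tokenisation and tuned rules rather than these constructed examples.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "right away", "suspended")
SENSITIVE_REQUESTS = ("bank account", "routing number", "password", "verify your account",
                      "payment details", "wire transfer")
EMOTION_HOOKS = ("cyberattack", "legal action", "you have won", "final notice")


@dataclass
class Message:
    claimed_sender: str            # who the message claims to be from, e.g. "HR"
    from_domain: str               # domain of the actual sender address
    reply_to_domain: str           # domain that replies would go to
    callback_phone: Optional[str]  # number the message asks you to call, if any
    body: str


@dataclass
class Assessment:
    score: int
    reasons: List[str]

    def is_suspicious(self, threshold: int = 3) -> bool:
        # Threshold is an assumption chosen for this example.
        return self.score >= threshold


def assess(msg: Message) -> Assessment:
    """Score a message against the article's warning signs plus a directory check."""
    text = msg.body.lower()
    score, reasons = 0, []

    if any(p in text for p in URGENCY_PHRASES):
        score += 1
        reasons.append("instils urgency")
    if any(p in text for p in SENSITIVE_REQUESTS):
        score += 2
        reasons.append("requests financial or credential information")
    if any(p in text for p in EMOTION_HOOKS):
        score += 1
        reasons.append("appeals to fear, greed or another emotion")

    # Trusted-channel check: the message's own contact details are compared against
    # the directory; any mismatch means verification must go through the directory.
    trusted = TRUSTED_DIRECTORY.get(msg.claimed_sender.lower())
    if trusted is None:
        score += 1
        reasons.append("claimed sender is not in the trusted directory")
    else:
        if msg.from_domain != trusted["domain"] or msg.reply_to_domain != trusted["domain"]:
            score += 2
            reasons.append("sender or reply-to domain does not match the directory")
        if msg.callback_phone and msg.callback_phone != trusted["phone"]:
            score += 2
            reasons.append("call-back number differs from the directory entry")
    return Assessment(score, reasons)


def verification_contact(claimed_sender: str) -> Optional[str]:
    """Return the directory phone number to call back; never use one taken from the message."""
    entry = TRUSTED_DIRECTORY.get(claimed_sender.lower())
    return None if entry is None else entry["phone"]


# Constructed sample messages modelled on the article's "HR asks for bank details" scenario.
PHISH = Message(
    claimed_sender="HR",
    from_domain="example-payroll.net",
    reply_to_domain="example-payroll.net",
    callback_phone="+1-555-0123",
    body="Please confirm your bank account details immediately for payroll purposes, "
         "or your pay will be suspended.",
)
BENIGN = Message(
    claimed_sender="HR",
    from_domain="example.com",
    reply_to_domain="example.com",
    callback_phone=None,
    body="Reminder: the quarterly all-hands meeting is on Thursday at 10am.",
)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        a = assess(m)
        print(f"{name}: score={a.score} suspicious={a.is_suspicious()} reasons={a.reasons}")
    print("verify HR requests by calling:", verification_contact("HR"))
```

Run as a script, the constructed phishing message scores 7 (urgency, a bank-details request, a sender domain that does not match the directory, and a call-back number that differs from the directory entry) while the benign reminder scores 0. The scoring is only a triage aid; the mitigation the article describes is the last step, calling the directory number rather than the one in the message.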
Organizations can implement a number of technical solutions in addition to education, such as multi-factor authentication, email filters, firewalls, and antivirus software.