Suppose that one day you receive a call from the IT department in your organisation. The IT officer informs you that there has been a security breach in the organisation's network and urgently requests your password in order to reset the system. Without verifying the caller's identity, the typical employee would reveal his or her username and password without hesitation.
Unbeknownst to the employee, the caller could very well be a hacker using social engineering techniques to gain access to the organisation's database. With nothing more than the name and corporate phone number of any low-ranking employee, hackers can carry out social engineering and steal confidential information. Websites such as LinkedIn make this information readily available, which in turn makes social engineering easier.
At its heart, social engineering is the act of psychologically manipulating people with the aim of making them reveal sensitive information. Social engineering has its early roots in conning, otherwise known as the confidence trick: an attempt to deceive a person after gaining their trust. Though technology plays a significant role as a medium for social engineering, social engineering is essentially psychological hacking. It taps into the human psyche by manipulating powerful emotions such as fear, compassion or greed.
Social engineering tactics commonly involve leveraging human trust, just as in the scenario illustrated above. By using certain titbits of information, the attacker can trick a victim into thinking that the attacker is a trusted party. Once the victim lets down his or her guard, the attacker swindles the victim out of confidential information, or even money.
Hackers who employ social engineering techniques target human nature and human vulnerabilities to illicitly obtain confidential information such as bank details or undisclosed corporate data, rather than targeting technical vulnerabilities. This is because it is easier to deceive a human than to design complex software to extract useful information such as passwords. Jean-Philippe Taggart, Senior Security Researcher at Malwarebytes, put this point well: "Attacking the human element has always been a favourite. Why use some hard technical flaw to acquire a password when you can simply ask the user for it?"
In recent times, we have witnessed a social engineering pandemic in which billions of dollars are stolen every year. Though this seedy form of online manipulation has been around for a considerable time, it has never reached the endemic proportions we see today.
If we fail to warn people adequately about the perils and potential of social engineering, this pandemic will only worsen. All active online users therefore need an adequate understanding of social engineering and the various forms it can take in order to keep their information and money secure. This is how you learn the art of being cyber secure: knowing instinctively who and what to trust, and not falling into the social engineer's trap.
Formerly, social engineering occurred mainly against individuals. However, corporations are becoming popular targets because they usually consist of many people and therefore, possess potential loopholes for malicious social engineers to exploit.
As email has become the common means of communication among employees in an organisation, compromising the email account of a high-ranking person can have disastrous consequences. The hacker assumes the identity of the superior and is thus able to issue instructions to subordinates. The possibilities that can follow from social engineering are immeasurable. Below are some social engineering attacks that corporations can face:
1. Through a high-ranking employee's email account, hackers may request either wage or tax statement information or the company's list of Personally Identifiable Information (PII). Hackers usually target employees who work in human resources or the audit department.
2. Hackers may imitate third-party vendors or suppliers through email, fax or phone calls, duping a company's employees into wiring an invoice payment to a bogus vendor account.
3. Hackers may hijack a senior executive's email account and use it to request the company's finance department to wire transfer funds to the hackers' bank account.
4. Hackers may hack into an employee's email account and use it to send payment invoices to the company's customers. These customers could be tricked into making payment to the hackers' bank account instead of the legitimate one.
5. Posing as an attorney through an email or phone call, hackers may claim to be handling a time-sensitive or confidential issue. They may then pressure the employee to transfer funds into the hackers' bank account.
With such severe information asymmetry between the hackers and victims, how do we guard ourselves against something that appears so genuine and yet, is so insidious? All hope is not lost for there are a series of simple guidelines we can follow to safeguard our data and systems.
1. Verify the identity of the person you are communicating with, and make sure that the message is bona fide.
2. Never provide data or information, whether confidential or not, through email, chat messenger or phone to unknown or suspicious sources.
3. If you receive an email with a link to an unknown site, verify with the sender that they actually sent it before opening it. Examine the URL before opening it. Before opening links, whether from emails or on websites, keep an eye out for misspellings and suspicious sub-domains.
4. When clicking on links sent via email or on websites, always keep an eye out for automatic downloads and requests to enable macros. These may be malware trying to install itself on your system. All such activity should be reported immediately to your IT security department.
5. Utilise spam filters, and keep them updated.
6. Secure your computing devices. Install anti-virus software, advanced end-point protection such as anti-exploit systems, next-generation firewalls with auto-updating threat intelligence, and email filters, and keep them up-to-date. Use an anti-phishing tool offered by your company for security breach notifications.
7. Finally, instilling awareness of these social engineering tactics and threats in employees is paramount to preventing them from succeeding. Conduct regular cyber security awareness training for employees. While the training material can be simple and easy to understand, it is important to remind employees about cyber security conscientiously so that it becomes instinctive for everyone. Advise employees to watch videos about advanced hacking and to become familiar with the techniques used. Enterprises should also deliver a more vivid form of cyber security awareness through show-and-tell demonstrations, which many security regulators now mandate.
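Guideline 3 asks employees to examine a URL for misspellings and suspicious sub-domains before clicking. The script below, written for this article as an added example (it is not the author's code and not a product of any vendor named here), shows what that inspection looks like when automated: it pulls the links out of an email body, compares each link's registrable domain against a constructed allowlist of the organisation's real domains, and flags the warning signs described above, namely a trusted name used as a sub-domain of some other domain, a one- or two-character misspelling of a trusted domain, a bare IP address in place of a domain name, credentials placed before an `@` to disguise the real host, and plain HTTP. The allowlist, the sample email and the "last two labels" rule for the registrable domain are all assumptions made for the example; a production checker should consult the Public Suffix List instead of that rule.

```python
"""Added example: inspect the links in an email for the warning signs
that the awareness guidelines above describe. The allowlist and the
sample email are constructed for this example."""
import re
from urllib.parse import urlparse

# Assumption for the example: the domains the organisation really uses.
TRUSTED_DOMAINS = frozenset({"example-corp.com", "bank-example.com"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: a "password reset" lure of the kind described in the article.
SAMPLE_EMAIL = """\
From: IT Support <it-support@example-corp.com.secure-login.example>
Subject: URGENT: security breach, reset your password now

Please reset at https://portal.example-corp.com/login or, if that fails,
use http://example-corp.com.secure-login.example/reset immediately.
Verify your banking details at https://examp1e-corp.com/verify.
Invoice portal: https://bank-example.com@203.0.113.7/pay
"""


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification for the example:
    real code should use the Public Suffix List (e.g. for co.uk names)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> dict:
    """Classify one URL as trusted, suspicious or unknown, with reasons."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if "@" in parsed.netloc:
        # Browsers use the part after '@' as the host; the part before is bait.
        reasons.append("user-info before '@' hides the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a domain name")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # e.g. example-corp.com.secure-login.example is owned by secure-login.example
            if host.startswith(trusted + "."):
                reasons.append(f"trusted name '{trusted}' used as a sub-domain of '{reg}'")
            if edit_distance(reg, trusted) <= 2:
                reasons.append(f"'{reg}' looks like a misspelling of '{trusted}'")
    if reasons:
        verdict = "suspicious"
    elif reg in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def inspect_email(text: str) -> list:
    """Extract every http(s) link from an email body and inspect it in order."""
    urls = [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]
    return [inspect_url(u) for u in urls]


if __name__ == "__main__":
    for finding in inspect_email(SAMPLE_EMAIL):
        print(f"{finding['verdict']:10} {finding['url']}")
        for reason in finding["reasons"]:
            print(f"           - {reason}")
```

Run against the constructed email, only the first link is reported as trusted; the other three are flagged for the reasons listed. The same `inspect_email` function can be pointed at any email body, and the "unknown" verdict is deliberate: a link that matches no warning sign but is not on the allowlist still needs the human verification step from guideline 3.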
Social engineering strategies are a highly prevalent form of fraudulent schemes among corporations and governmental organisations alike. Necessary measures must be adopted by employees to ensure data sovereignty within the organisation.