Cybersecurity’s Soft Underbelly: The Threat From Social Engineering

Hackers leverage social engineering in as much as 90% of all cyberattacks.

October 17, 2023

  • Social engineering as a function, basis, or precursor to other more technical cyberattacks is widely undercounted.
  • Hackers leverage social engineering in as much as 90% of all cyberattacks.
  • Social engineering is effective because it exploits the human tendency to trust, to act on fear, or to defer to authority. Two of the biggest cyberattacks of 2023 began with social engineering.

If the recent MGM and Caesars hacks are any indication, social engineering remains one of the hardest problems for organizations to solve. Keeping the IT infrastructure current with tooling that counters newly adopted cybercriminal tactics, techniques, and procedures (TTPs) certainly matters.

But humans continue to be the weak(est) link in cybersecurity. Verizon's 2023 Data Breach Investigations Report found that 74% of breaches involved the human element, whether through error, privilege misuse, stolen credentials, or social engineering. Of the 16,312+ security incidents Verizon analyzed, 5,199 resulted in confirmed data breaches. Social engineering drove 10% of those incidents and 17% of the breaches.

As one can imagine, the issue is more psychological than technical. Since people keep falling for the same tricks, it is worth revisiting the basics of what social engineering is.

What Is Social Engineering?

Social engineering is the manipulation of a person's trust and psychology, usually through deception, to get them to do something that benefits the attacker: click a malicious link or attachment delivered by phishing, reveal credentials, or approve a fraudulent request. Its success depends largely on the weakness of the ‘Human Firewall,’ so to speak.

Roger Grimes, data-driven defense evangelist at KnowBe4, explained to Spiceworks, “Social engineering attacks have been the number one most successful attack type since the beginning of computers, and that doesn’t seem likely to change anytime soon. Social engineering attacks get around most technical defenses, work with all platforms and all languages, and usually allow the attacker to get inside the perimeter like the technical defense wasn’t even there.”

Types of social engineering attacks:

  • Phishing: fraudulent email that lures the recipient into opening a malicious link or attachment or entering credentials on a fake login page
  • Pretexting: a fabricated scenario (a vendor, an auditor, a new colleague) that gives the attacker a plausible reason to ask for something
  • Vishing: phishing conducted over voice calls
  • Smishing: phishing conducted over SMS
  • Spear phishing: phishing tailored to a specific person or team using researched details about them
  • Whaling: spear phishing aimed at executives and other high-value targets
  • Tailgating: physically following an authorized person through a controlled door or gate

Why Is Social Engineering Successful?

Grimes believes social engineering as a function, basis, or precursor to other more technical cyberattacks is widely undercounted. “Social engineering is involved in 50% to 90% of attacks, yet no company spends even 5% to fight it. This fundamental misalignment is why hackers and their malware creations are so successful,” Grimes noted.

Social engineering is effective because it relies on human qualities (read: vulnerabilities). These include trust, fear, deference to authority, fear of missing out, the urge to reciprocate, and so on.

Dror Liwer, co-founder of Coro, explained that since social engineering requires “almost no technical skills – practically anyone can initiate a social engineering attack.” He added that the “payoff is relatively large, as it’s a con game and the stakes can be very high.”

For instance, Scattered Spider compromised MGM in September 2023 by impersonating an employee it found on LinkedIn and vishing a help desk agent over the phone for credentials.

The fallout has reached $100 million in losses, according to MGM's 8-K filing with the Securities and Exchange Commission (SEC). That figure excludes any ransom, since MGM decided against paying the threat actors.

The attack also disrupted thousands of hotel rooms, ATMs, slot machines, restaurants, websites, and more across several MGM properties. It further exposed personally identifiable information of customers who transacted with MGM before March 2019, including names, contact details, gender, dates of birth, and driver's license numbers.

Social engineering has drawbacks for the attacker, too. “As a highly personalized attack, it requires targeted intelligence and a high degree of customization. Both take time and effort, unlike a ‘spray and pray’ mass phishing attack,” Liwer said. “While the success rate might not be high, it is balanced by a relatively higher-than-average payoff.”


Motives Behind Social Engineering Attacks

Financial gain is the primary and most significant motive for threat actors to breach corporate and individual systems through social engineering. For instance, Caesars, which was victimized following MGM in September 2023, paid approximately half of the $30 million ransom demanded from it.

“Though no one has any firm statistics on this, financial incentives are likely to be involved in over 90% of cyber attacks. Nothing else comes close,” Grimes said.

While most attacks are nowhere near as lucrative as the one against Caesars, a payoff of a few thousand dollars is enough for many cybercriminals. Grimes added that other motives for social engineering include corporate espionage, nation-state operations, insider attacks, gaming, resource theft, hacktivism, hobbyism, and adware.

Common Tools Used in Social Engineering

Social engineering is highly dynamic and not constrained by the limitations of purely technical attacks. Strong interpersonal skills can carry a threat actor into places they have no business being.

Asked what social engineers rely on most, Grimes said, “The human mind and email phishing kits. Phishing kits allow an attacker to create a phishing campaign, spread malware, infect computers, and then manage the entire process.”

Still, threat actors rely on certain tools to widen their nets and learn as much as possible about their potential victims. “Email is almost always the main entry point, but the attacker will do a lot of research before the attack using publicly available data on social networks, the company website, government registrations, news outlets, etc.,” Liwer said.

Disconcertingly, everyone in the organization, from C-suite executives to the average employee, is a target. “We have seen everyone being attacked by social engineering. From lower level employees being sent an email by ‘their HR department’ asking them to verify their bank account information for payroll purposes, to CFOs being engineered into diverting funds,” Liwer said.

Grimes added that any infiltration, be it at the top or the bottom, can lead to a takedown of the entire company.

How To Minimize the Threat From Social Engineering

Because the first line of defense against social engineering is the highly subjective human mind, experts agree that eliminating the threat is unrealistic. Users can, however, train themselves to recognize the signs of this pervasive attack method.

Users should consistently watch for the telltale signs, including pleas designed to provoke fear, curiosity, anger, or any other strong emotion. A manufactured sense of urgency is another red flag. For example, an email prompting users to renew their antivirus subscription right away, lest they fall victim to a cyberattack, is a classic phishing lure.

Attackers can also leverage natural disasters, economic despair, sporting, holiday, political events, and healthcare crises, among other events, to bait targets into acting on something they ought not to.

Another red flag is unsolicited communication, whether email, phone call, SMS, or anything else, that requests personal or financial information.
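The red flags above (urgency, emotional pressure, requests for credentials or payment details, unsolicited contact from someone claiming an internal role) can be turned into a first-pass triage score for inbound mail. The following is an added example, not code from this article or from KnowBe4 or Coro. The trusted domain acme.example, the sample messages, and the signal weights are all constructed for illustration; a production filter would tune them against real mail flow and combine them with authentication results such as SPF, DKIM, and DMARC.

```python
"""Heuristic scorer for common social-engineering red flags.

Added example (not from the original article). Scores a message on urgency
language, fear/reward pressure, requests for sensitive data, and sender
spoofing signals (claimed internal role from an outside domain, lookalike
domain, Reply-To pointing elsewhere). Weights and samples are illustrative.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Phrases that manufacture urgency or emotional pressure (illustrative lists).
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within 24 hours|act now|asap|final notice)\b", re.I)
PRESSURE = re.compile(r"\b(suspend(ed)?|locked out|legal action|compromised|prize|bonus|limited time|lose access)\b", re.I)
# Things a legitimate sender rarely asks for over email.
SENSITIVE = re.compile(r"\b(password|passcode|verification code|mfa code|one[- ]time code|bank account|routing number|wire transfer|gift cards?|direct deposit)\b", re.I)
# Display names that imply internal authority; genuine internal mail comes from a trusted domain.
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|it (help ?desk|support)|payroll|ceo|cfo|finance)\b", re.I)


@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    reply_to: str = ""


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that a single weak signal does not flag a message.
        return self.score >= 5


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address header."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (acrne vs acme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg: Message, trusted_domains: set) -> Verdict:
    """Accumulate weighted red flags; each category counts at most once."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}"
    display, _ = parseaddr(msg.from_header)
    sender = _domain(msg.from_header)
    reply = _domain(msg.reply_to) if msg.reply_to else sender

    if URGENCY.search(text):
        score += 2; reasons.append("urgency language")
    if PRESSURE.search(text):
        score += 2; reasons.append("fear or reward pressure")
    if SENSITIVE.search(text):
        score += 3; reasons.append("asks for credentials or payment details")
    if sender not in trusted_domains:
        if INTERNAL_ROLE.search(display):
            score += 3; reasons.append(f"'{display}' claims an internal role but sends from {sender}")
        for trusted in trusted_domains:
            if 0 < _edit_distance(sender, trusted) <= 2:
                score += 3; reasons.append(f"{sender} looks like {trusted}")
                break
    if reply != sender:
        score += 2; reasons.append(f"Reply-To domain {reply} differs from sender {sender}")
    return Verdict(score, reasons)


# Constructed sample messages; the trusted domain is hypothetical.
TRUSTED = {"acme.example"}
SAMPLES = {
    "payroll_phish": Message(
        from_header="Acme HR <hr@acme-benefits-portal.com>",
        reply_to="payroll.update@mail-relay-9.net",
        subject="Action required: verify your direct deposit",
        body="Your payroll record must be confirmed immediately. Reply with your bank "
             "account and routing number or your direct deposit will be suspended."),
    "lookalike_ceo_favour": Message(
        from_header="Jane Doe <jane.doe@acrne.example>",
        subject="Quick favour",
        body="Are you at your desk? I need you to buy some gift cards for a client, I'll explain later."),
    "benign": Message(
        from_header="Jane Doe <jane.doe@acme.example>",
        subject="Lunch on Friday?",
        body="A few of us are going to the noodle place at noon, want to join?"),
}


def triage(samples: dict, trusted: set) -> dict:
    """Score every sample; returns {name: Verdict}."""
    return {name: score_message(msg, trusted) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, TRUSTED).items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name}: {flag} (score {verdict.score}) {verdict.reasons}")
```

A score like this is a prioritization aid, not a verdict: the point of the threshold is to route flagged mail to the out-of-band verification step rather than to block it, since attackers who read the same red-flag lists will phrase their lures to avoid the obvious keywords.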

Grimes highlighted how most organizations fall short of imparting adequate education. “Use the best, defense-in-depth combination of policies, technical defenses, and education to defeat. Out of those three mitigations, most companies don’t educate their employees enough on how to spot, mitigate, and appropriately report social engineering,” Grimes said.

“Most companies train employees once a year to spot social engineering. That’s not nearly enough. We recommend that organizations do monthly training and at least monthly simulated phishing tests to help educate their employees.”

Liwer emphasized the need to establish trust between those corresponding by verifying they are indeed who they claim to be. “Since the vast majority of social engineering attacks are financially motivated, it should be part of any organization’s DNA to verify requests via a trusted method,” Liwer said.

“If HR asks you for information, call your trusted HR person to ask if it’s a legit request. If a vendor asks you to change their account information for payment, call them and ask why. Social engineering is the oldest game – it’s a con game. It has existed since humanity existed; the only difference is the medium. The only way to prevent a con is to trust but verify.”

Beyond education, organizations can add technical controls, including antivirus software, firewalls, email filters, and multi-factor authentication. Note that MFA alone does not close the gap: the MGM intrusion went through a help desk rather than a login page, so help desk identity verification for password and MFA resets matters as much as the MFA factor itself, and phishing-resistant factors such as hardware security keys hold up better than one-time codes that a caller can talk a user into reading out.




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com