Date: 30 November 2021
The vast and complex field of cybersecurity is full of threats and risks that every business owner or senior business executive must be aware of. Protecting the personal information of customers and critical business data is a mandatory requirement today - both from a regulatory and a business perspective. Therefore, understanding the various types of cyber-attacks and threats is key.
Social engineering techniques are one of the many nefarious types of tactics employed by cyber criminals today to compromise confidential information, gain access to victim computers and unleash ransomware infection.
Here’s a look at what digital social engineering attacks are, how they can impact your business and some tips to avoid becoming a victim.
Overview of Social Engineering Attacks
Social engineering attacks come in many forms. The term is used to describe a broad range of malicious activities carried out through human interactions. Basically, criminals exploit human nature and basic human tendencies - instead of technological vulnerabilities or technical lapses - to attack an organisation.
Cybercriminals use a step-by-step approach to plan their attack. Here are the basic steps:
- Investigation: Identify the victims, gather background information and select the attack methodology.
- Hook: Engage the target, create a story, take control of the interaction.
- Play: Execute the attack, gain more information over time, disrupt business or siphon data.
- Exit: Remove traces of malware, cover tracks and close the interaction without raising suspicions.
These targeted attacks can be hard to identify — what seems like a legitimate interaction on the surface can often turn out to be an elaborate attack.
Often, attackers will use various forms of digital communication to carry out their plans, whether it’s through email or social media platforms. They create a sense of urgency and fear in the victim, resulting in them turning over sensitive information - often including details of their bank accounts, social security numbers, email accounts or other personal data.
Types of Social Engineering Attacks
Let’s now take a look at some examples of social engineering attacks that criminals use commonly:
Phishing
Phishing scams harvest credentials from employees and spread malware through emails or links to malicious websites. There are multiple types of phishing attacks — angler phishing, pharming, spear phishing, business email compromise (BEC) and whaling, to name a few.
Phishing is the most common social engineering attack that takes place digitally, and the COVID-19 pandemic sparked an uptick in cases of phishing related data breaches across the country.
Baiting
When a cybercriminal persuades someone to inadvertently compromise their security, they’re engaging in baiting. Someone may enter login credentials to receive a free giveaway or access a fake website that ends up stealing their data.
Honey Trap
Attackers execute this strategy by pretending to be sexually or romantically attracted to the victim in an attempt to have them yield sensitive information. These attacks can often start via innocuous-looking text messages and can lead to massive system compromises.
Scareware
Scareware is a form of malware that often shows up as a pop-up, warning you about necessary security updates for your device. Victims are persuaded to visit malicious websites or purchase worthless products they think have value.
Avoiding Social Engineering Attacks
What can be done to avoid falling victim to these malicious, digital attacks?
Like any other cyber crime, the only real protection against a social engineering attack is preparation.
Many businesses start their preparation towards building resilience by creating a cyber incident response plan. You can use this free Cyber Incident Response Plan template to create yours.
The commonly-followed steps in a Cyber Incident Response Plan are:
- Prepare: Employees get ready to deal with a cybersecurity incident through cyber incident response training and cybersecurity awareness efforts.
- Identify: This includes figuring out who is responsible for the incident, the extent of the breach, if it’s affecting operations and the source of the compromise.
- Contain: What can be done to deal with the aftermath of the incident?
- Eradicate: This may include making patches, removing malicious software or updating old software versions.
- Recover: This involves getting affected systems back online after an incident. If it was a ransomware attack, you’ll have to figure out whether it’s worth paying the ransom. (Remember that in many cases, even after the ransom is paid, there’s no guarantee that you’ll get the data back).
- Lessons learned: In this stage, the key business leaders and management discuss and evaluate what happened, why it happened and how to move forward.
Do remember that merely having a Cyber Incident Response Plan is not enough. You also need to ensure that all key decision-makers in the organisation are familiar with what’s in the plan or the Ransomware Response Checklist and have rehearsed these over and over again. The one sureshot way to build muscle memory for responding to social engineering attacks is conducting a Ransomware Tabletop Exercise.
Here are some other tips that may help you if your organisation is facing a cybersecurity incident:
- Use multifactor authentication (MFA) or two-factor authentication (2FA)
- Never open emails or attachments from unknown sources
- Install and frequently update antivirus software
- Back up data frequently
- Destroy sensitive documents that are no longer needed regularly
- Download our Ransomware Response Workflow for any easy visual guide on what to do in case of a crisis.
Protecting Yourself From Social Engineering Ploys
Social engineers use malicious tactics to take advantage of innocent victims and make them hand over sensitive information. They will go to any length to execute their ploy.
The only protection you truly have against them is building awareness, preparing for the worst and rehearsing your plans and checklists over and over again.
