Carbonsec – Cybersecurity Consultancy Services Company
Social engineering – spot and act!

Online shopping has contributed to the proliferation of cyber-security attacks.

24. November, 2021 by Carbonsec Team

Christmas time is approaching, and ads for online shopping follow us at every step we take on the internet. Covid-related restrictions have changed shopping habits: many consumers now prefer online shopping to visiting a shop. However, the boom in online shops correlates strongly with a rise in social engineering: phishing attacks, fake online stores, ransomware, and many other types of scam.

Online shopping and social engineering

Have you ever bought an attractive product from a well-known brand at a market stall, only to realise later that it is fake and of poor quality? Or has a skilled salesman talked you into buying something unplanned that you didn’t even need?

The same thing, only on a wider scale, happens to us online, with one essential difference. We approach a market stall when the desire to buy something has already emerged. Online ads, on the other hand, are displayed everywhere, even where there is no online store at all. They pull us out of a completely different context, for example while we are reading the news or looking for information in an unrelated field. In a moment of carelessness, a momentary impulse can lead us to a fake online store where we (unknowingly) empty our wallets.

What is social engineering?

The European Union Agency for Cybersecurity (ENISA) defines social engineering as a group of “techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.”

This is not just about attacks in the digital world. Social engineering can also take place in person or over the phone (vishing). Whenever someone asks you to share data they are not entitled to, you can treat it as social engineering.

Digital social engineering

The most common social engineering techniques are:

  • phishing,
  • fake web pages with trojans,
  • whaling attacks targeting the C-level and board members,
  • fake identities to convince users they personally know the attacker,
  • tailgating.

All types of social engineering have one thing in common: victim manipulation. The attacker uses various techniques to inspire confidence or a sense of authority. Once this is achieved, the success of the attack is almost guaranteed.

When you receive a suspicious message …

Imagine you receive the following message from your manager:

Hi Marko,
I’m just between two meetings.
I have to make a purchase at www.licenceupdatepremium.com 
urgently. Please go to my secretary and ask her for the business credit card.

It’s really urgent to make a purchase in half an hour. I need the licence at the next meeting. 

Bye,
Tom

Phishing attacks

If online shopping for the business is one of your usual tasks, you probably won’t even think anything is wrong. If not, you may be a little suspicious and will probably check the sender’s address. It looks real. And the secretary indeed keeps the credit card. It may still not be entirely clear to you why the boss needs a licence for the meeting, but you never know. He didn’t give you much time to think it over, since you must solve the matter within half an hour. You should hurry up and make up your mind.

Scenario A: You ask the secretary for the credit card and make the purchase. If the secretary is aware that keeping the credit card is a great responsibility, she will probably insist that you make the purchase in her presence. You click on the link and enter the card details. The next moment, a message appears on the screen stating that you have been the target of ransomware that has encrypted all documents available on the network. A staggering amount is demanded for the key to decrypt them. You get shivers down your spine. Now what?

Scenario B: You read the manager’s message again. Something is bothering you and you decide to send an SMS to your boss to check exactly when the purchase should be made. Your boss doesn’t know what you are talking about. Your heart rate rises, and you give yourself a pat on the back for having the wisdom to double-check the situation. You were the target of social engineering, but you successfully avoided it.

How do you spot a social engineering attack?

It is true that phishing attacks and online scams are becoming more and more sophisticated, but we can still identify them by some key elements.

  1. Check the address the message was sent from. Do you know the sender? Is the e-mail address correct?
  2. Before you click on a link, check the real URL by hovering over the link. Browsers display it in the lower-left corner of the window; mail clients usually show it as a tooltip.
  3. Is the style of the message the sender’s usual style?
  4. Did you expect this message?
  5. Did you expect an e-mail attachment from this sender?

When in doubt, call or use any other means of contact to check if the sender really sent the message.

The following can also be signs of an attack:

  • a sense of urgency (a short response time),
  • a message with bad grammar and spelling mistakes,
  • a message sent at an unusual time, e.g. in the middle of the night.
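The checklist and warning signs above, as an added example that is not from the original post: a small Python script that runs the sender, hover-URL, urgency and send-time checks over a constructed message. The domains company-example.com and its lookalike are made up for the example; the shop URL is the one from the message to Marko above.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample (not from the original post): lookalike sender domain,
# link text that differs from its real target, urgency wording, and a
# send time in the middle of the night.
SAMPLE = """\
From: Tom <tom@company-examp1e.com>
To: marko@company-example.com
Date: Wed, 24 Nov 2021 03:12:00 +0100
Subject: Urgent licence purchase
Content-Type: text/html

<p>Hi Marko, I'm just between two meetings. Please buy the licence at
<a href="http://www.licenceupdatepremium.com/pay">company-example.com/licences</a>
within half an hour, it's really urgent.</p>
"""

URGENCY = re.compile(r"\b(urgent\w*|immediately|asap|right away)\b", re.I)
# Simple <a href="...">text</a> anchors only; enough for the hover check.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def host(url):
    """Hostname without a leading 'www.' so both sides compare the same way."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").removeprefix("www.")


def analyse(raw, trusted_domain, work_hours=(7, 19)):
    """Run the checklist over one message; an empty list means nothing fired."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type().startswith("text/"))
    flags = []
    sender = parseaddr(msg["From"])[1].lower()            # 1. who really sent it?
    if sender.rsplit("@", 1)[-1] != trusted_domain:
        flags.append(f"sender domain is not {trusted_domain}: {sender}")
    for href, text in ANCHOR.findall(body):               # 2. hover: text vs target
        shown = DOMAIN_TEXT.match(text.strip())
        if shown and host(shown.group(1)) != host(href):
            flags.append(f"link shows '{text.strip()}' but goes to {host(href)}")
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(body):
        flags.append("message pushes for an urgent response")   # urgency
    hour = parsedate_to_datetime(msg["Date"]).hour
    if not work_hours[0] <= hour < work_hours[1]:          # unusual send time
        flags.append(f"sent at {hour:02d}:00, outside working hours")
    return flags
```

Calling `analyse(SAMPLE, "company-example.com")` returns four warnings for the sample; a message that passes every check returns an empty list.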

How common is social engineering really?

According to several studies, social engineering is the most common technique of cyber-attack. This is confirmed by reports from ISACA, Verizon, and PhishLabs. The latter cites a 22 % increase in social engineering attacks in 2021 compared to 2020. Furthermore, Verizon reports that as many as 85 % of attacks target the human factor of cyber security.[1] This confirms the established saying that the user is the weakest link in the cybersecurity chain.

[Figure: Social engineering – who's at risk? Source: KnowBe4 – Phishing by Industry 2021 – Benchmarking Report]

We usually follow the principle that in business you should not be led by your own beliefs. However, when estimating the frequency of social engineering attacks, our own experience can be a good indicator of the phenomenon. How many scam emails, Facebook messages, Viber messages, text messages, or maybe even attempts at physical social engineering have you experienced in the last year? There must have been plenty.

The best defence is user awareness

We claim the user is the weakest link. Therefore, this link has to be strengthened the most. But how? 

Security awareness training is the best way to do it. Traditionally, such training was conducted once or twice a year, in some companies perhaps when a new employee started a job there. But as attack techniques are evolving at the speed of light, such a way of education has long been out of date.

It is far more sensible to constantly train your users. We intentionally use the term “training” and not “education”. Why? Because constant awareness is like any athlete’s training. The more you train, the better you are. The more attacks you receive, the sooner you will be able to recognize them.

User awareness training

Make your employees face a variety of attacks in a controlled environment: in the form of text messages, ads, maybe even video content. The wider the range of simulated attacks, the more alert users become in their everyday use of the web.

It might happen that your users will become over-sensitive and will recognize completely legitimate messages as fake. But this is much better than not recognizing fake messages when it is absolutely necessary.

How do you design security awareness training?

There are various solutions you can use to perform security awareness training. Some come as a part of larger software packages, others act as standalone platforms.

Given that the goal of the training is the participation of all users, it makes sense to choose a solution that can be run without installation on individual devices. This saves a lot of time and makes the solution less intrusive for users.

It is also important to monitor the awareness progress. Platforms differ in data processing and reports, and you should find one that best suits your needs and goals.

[Figure: Improvement with KnowBe4 security awareness training. Source: KnowBe4 – Phishing by Industry 2021 – Benchmarking Report]

We consider the KnowBe4 platform, with its multitude of different tests, the market leader. You can try the Security Awareness Training for free and see for yourself. The main advantage of this platform is that you can also run the tests in Slovene.

Designing a security awareness training programme may sound like a tough task. But we are happy to help you design a programme that best suits your needs. We are just one click away; contact us.


[1] Source: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
