Christmas time is approaching, and we are being hit with ads for e-shopping at every step we take on the internet. Covid-related restrictions have contributed to a change in shopping habits: many consumers now prefer online shopping to shopping in person. However, the bloom of online shops correlates strongly with a rise in social engineering: phishing attacks, fake online stores, ransomware, and many other types of scams.
Have you ever bought an attractive product from a well-known brand at a market stall, but you later realised that it is fake and of poor quality? Or maybe has a skilled salesman convinced you into buying something unplanned that you didn’t even need?
The same thing, only on a wider scale, is happening to us online, with one essential difference. We approach the market stall when the desire to buy something has already emerged. Online ads, on the other hand, are displayed everywhere, even where there is no online store at all. They tear us out of a completely different context, for example when we are reading the news or looking for information in an unrelated field. In a moment of recklessness, a momentary impulse can lead us to a fake online store where we (unconsciously) empty our wallets.
What is social engineering?
The European Union Agency for Cybersecurity defines social engineering as a group of “techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.”
This is not just about attacks in the digital world. Social engineering can also take place in person or over the phone (vishing). Whenever someone asks you to share data that they have no legitimate access to, treat it as social engineering.
The most common social engineering techniques are:
- phishing,
- fake web pages with trojans,
- whaling attacks targeting the C-level and board members,
- fake identities to convince users they personally know the attacker,
- tailgating.
All types of social engineering have one thing in common: victim manipulation. The attacker uses various techniques to inspire confidence or a sense of authority. Once this is achieved, the success of the attack is almost guaranteed.
When you receive a suspicious message …
Imagine you receive the following message from your manager:
Hi Marko,
I’m just between two meetings.
I have to make a purchase at www.licenceupdatepremium.com
urgently. Please go to my secretary and ask her for the business credit card.
It’s really urgent to make a purchase in half an hour. I need the licence at the next meeting.
Bye,
Tom
If online shopping for the business is one of your usual tasks, you probably won’t even think anything is wrong. If not, you may be a little suspicious and will probably check the sender’s address. It looks real. And the secretary indeed keeps the credit card. It may still not be entirely clear to you why the boss needs a licence for the meeting, but you never know. He didn’t give you much time to think it over, since you must solve the matter in half an hour. You have to hurry up and make up your mind.
Scenario A: You ask the secretary for the credit card and make a purchase. If the secretary is aware that keeping a credit card is a great responsibility, she will probably insist that you make the purchase in her presence. You click on the link and enter the card details. The next moment, a message appears on the screen stating that you have been the target of ransomware that has encrypted all documents available on the network. A staggering amount is requested to obtain the encryption key. You get shivers down your spine. Now what?
Scenario B: You read the manager’s message again. Something is bothering you and you decide to send an SMS to your boss to check exactly when the purchase should be made. Your boss doesn’t know what you are talking about. Your heart rate rises, and you give yourself a pat on the back for having the wisdom to double-check the situation. You were the target of social engineering, but you successfully avoided it.
How do you spot a social engineering attack?
It is true that phishing attacks and online scams are becoming more and more sophisticated, but we can still identify them by some key elements.
- Check the address the message is sent from. Do you know the sender? Is the e-mail correct?
- Before you click on a link, check the URL by hovering over the link. The real URL is displayed in the lower-left corner of the screen.
- Is the style of the message the style of the sender?
- Did you expect this message?
- Did you expect some e-mail attachments from this sender?
When in doubt, call or use any other means of contact to check if the sender really sent the message.
The following can also be signs of a cyber-attack:
- a sense of urgency (short response time),
- a message with bad grammar and spelling mistakes,
- a message sent at an unusual time, e.g., in the middle of the night.
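As an added example (not part of the original post), a small Python triage function that applies the checklist above to a message: the sender domain, whether the visible link text matches the real target, urgency wording, and the send time. The sample message is constructed, modelled on the note from Tom; the domains and addresses are placeholders, not real indicators.

```python
"""Heuristic phishing triage over a constructed message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within (an|half an) hour|right now)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: look-alike sender domain (digit 1 instead of l), a link whose
# visible text differs from its href, urgency wording, and a 02:41 send time.
SAMPLE = """\
From: Tom Manager <tom.manager@examp1e-corp.test>
To: marko@example-corp.test
Date: Tue, 07 Dec 2021 02:41:00 +0100
Subject: Licence purchase
Content-Type: text/html

Hi Marko, I'm between two meetings. Please buy the licence at
<a href="http://www.licenceupdatepremium.com/pay">www.example-corp.test/licences</a>
urgently. Ask my secretary for the business credit card.
"""


def triage(raw: str, trusted_domain: str) -> list[str]:
    """Return the checklist findings that fire for this message (empty = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    # 1. Is the address the message is sent from really the sender you know?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != trusted_domain.lower():
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    body = msg.get_payload()
    # 2. What you would see by hovering: does the link text hide a different target?
    for href, text in LINK.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        target = re.sub(r"^https?://", "", href, flags=re.I).lower()
        if shown and not target.startswith(shown):
            findings.append(f"link text {shown!r} hides target {href!r}")
    # 3. Sense of urgency (short response time).
    if URGENCY.search(body):
        findings.append("urgency language in body")
    # 4. Sent at an unusual hour, e.g. in the middle of the night.
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour < 6 or sent.hour >= 22:
            findings.append(f"sent at unusual hour {sent.hour:02d}:00")
    return findings
```

Any finding is a prompt to verify by another channel, as in Scenario B, not a verdict on its own.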
How common is social engineering really?
According to several studies, social engineering is the most common cyber-attack technique. This is confirmed by reports from ISACA, Verizon, and PhishLabs. The latter cites a 22 % increase in social engineering attacks in 2021 compared to 2020. Furthermore, Verizon reports that as many as 85 % of attacks target the human factor of cyber security.[1] This confirms the established saying that the user is the weakest link in the cybersecurity chain.
We usually follow the principle that in business you should not be prejudiced by your own beliefs. However, when estimating the frequency of social engineering attacks, our own experience can be a good indicator of the phenomenon. How many scam e-mails, Facebook messages, Viber messages, text messages, or maybe even attempts at physical social engineering have you experienced in the last year? There must have been plenty.
The best defence is user awareness
We claim the user is the weakest link. Therefore, this link has to be strengthened the most. But how?
Security awareness training is the best way to do it. Traditionally, such training was conducted once or twice a year, in some companies perhaps only when a new employee started a job there. But as attack techniques are evolving at the speed of light, this approach to education has long been out of date.
It is far more sensible to constantly train your users. We intentionally use the term “training” and not “education”. Why? Because constant awareness is like any athlete’s training. The more you train, the better you are. The more attacks you receive, the sooner you will be able to recognize them.
Make your employees face a variety of attacks in a controlled environment, in the form of text messages, ads, maybe even video content. A wider range of simulated attacks demands more attention in everyday use of the web.
It might happen that your users will become over-sensitive and will recognize completely legitimate messages as fake. But this is much better than not recognizing fake messages when it is absolutely necessary.
How do you design security awareness training?
There are various solutions you can use to perform security awareness training. Some come as a part of larger software packages, others act as standalone platforms.
Given that the goal of the training is the participation of all users, it makes sense to choose a solution that can be run without installation on individual devices. This saves a lot of time and makes the solution less intrusive for users.
It is also important to monitor the awareness progress. Platforms differ in data processing and reports, and you should find one that best suits your needs and goals.
We consider the KnowBe4 platform, with its multitude of different tests, the market leader. You can try the Security Awareness Training for free and see for yourself. The main advantage of this platform is that you can also perform tests in Slovene.
Designing a security awareness training may sound like a tough task. But we are happy to help you design a program that will best suit your needs. We are just one click away, contact us.
[1] Source: https://www.csoonline.com/article/2124681/what-is-social-engineering.html