CIO

Social engineering… again?

Headline-grabbing hacks of email accounts belonging to celebrities, businesses and government officials are commonplace. This is because there is one major vulnerability that lets cyber crooks access systems, empty bank accounts, destroy reputations or drive someone into bankruptcy: human nature.

Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist, and you’d be right. Like a Ponzi scheme or any other confidence trick, it preys on our weaknesses (trust, curiosity, fear, the urge to be helpful), which makes it scarily effective and hard to prevent. The problem is so widespread that even experienced IT professionals fall victim to social engineering and hand over credentials, confidential data or large sums of money. Some examples include:

  • Phishing: Probably the most common and successful form of social engineering. Attackers mimic a company’s brand to create convincing emails or websites that trick users into handing over credentials or other sensitive information. Examples include fake utility bills or emails purporting to come from the ATO (the Australian Taxation Office).
  • CEO scam: Spear-phishers impersonate the CEO to pressure a company into releasing sensitive information. That’s what happened to Snapchat: an email arrived at its payroll department, masked as a message from CEO Evan Spiegel asking for employee payroll information, and the payroll department fell for it.
  • Baiting: Humans love freebies, and this technique preys on that characteristic. A malicious USB device or CD is left lying around; when someone plugs it into a computer, the malware it carries runs.
  • Quid pro quo: Crooks ask for private information in exchange for something desirable, such as a service or some form of compensation. If it sounds too good to be true, it probably is.

Social engineering is a serious and ongoing threat, and many organisations fall victim to these cons. Education is the first step in preventing staff from falling for savvy attackers employing increasingly sophisticated methods. To help raise awareness, security vendors offer products and services that companies can use to run simulations (essentially phishing fire drills) which show employees up close how easy it is to be duped by social engineering.

The end goal is to have systems in place that can detect phishing attacks, backed by warnings that make sure a person understands the risk they are taking before clicking a link in an email or plugging in a USB device.

Increasingly, the cybersecurity industry is turning to machine learning to combat social engineering. Some vendors use basic models such as decision tree learning, while others are going down the artificial intelligence (AI) route with deep learning algorithms. The aim is to let security software and threat intelligence flag a threat before it becomes a problem. Machine learning makes security researchers more effective by taking on the arduous job of sifting through masses of data for anomalies, leaving human specialists free to tackle new threats.

As social engineering attacks grow in sophistication, companies should treat employee education as the first line of defence. Here are some tips to help employees recognise and avoid attacks:

  • If an unknown individual calls and claims to be from a legitimate organisation, verify their identity directly with the company first. Similarly, if you’re unsure whether an email request is legitimate, verify it by contacting the company directly, but don’t use the contact details supplied in the message or on a website it links to; look them up independently.
  • Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information; such requests are a common prelude to an attack, so treat them as hostile until verified.
  • Pay attention to the URL of a website. ‘https’ and the padlock icon only mean the connection to the site is encrypted, not that the site is legitimate; phishing sites use them too. A malicious site may look identical to the real one, but its URL will use a variation in spelling (an extra or missing letter, a digit in place of a letter) or a different domain, such as the real brand name used as a subdomain of an attacker-owned domain.
  • Install and maintain antivirus software, firewalls, and email filters.
  • Take advantage of any anti-phishing features and drills provided by your security vendor.
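To make the URL tip concrete, here is an added example (not from the article or from Sophos) of a small link checker that ignores the scheme entirely and instead compares the link’s registrable domain with an allowlist, flagging the look-alike tricks the tip describes: the brand used as a subdomain of another domain, digit and Cyrillic look-alike characters (including punycode-encoded hostnames), one-keystroke typos, the same name under a different suffix, and the brand embedded in a longer name. The trusted domains, the suffix list and every sample URL are constructed for illustration; a real deployment would use the Public Suffix List and the Unicode confusables table instead of the short tables here.

```python
from urllib.parse import urlparse

# Constructed allowlist: domains this (hypothetical) organisation legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com", "ato.gov.au", "sophos.com"}

# Tiny stand-in for the Public Suffix List: under these suffixes the registrable
# domain is three labels long ("ato.gov.au") rather than two ("sophos.com").
TWO_LEVEL_SUFFIXES = {"gov.au", "com.au", "org.au", "co.uk"}

# Substitutions phishing domains use to imitate a brand (illustrative, not complete).
# Multi-character pairs come first so "rn" becomes "m" before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic а е о р
    ("\u0441", "c"), ("\u0455", "s"), ("\u0456", "i"), ("\u0445", "x"),  # Cyrillic с ѕ і х
]


def decode_idna(host):
    """Turn a punycode host ("xn--...") back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: inspect it as-is


def fold(name):
    """Replace look-alike characters with the letters they imitate."""
    for confusable, plain in CONFUSABLES:
        name = name.replace(confusable, plain)
    return name


def registrable_domain(host):
    """'login.examplebank.com' -> 'examplebank.com'; 'mail.ato.gov.au' -> 'ato.gov.au'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance: each insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return ('trusted' | 'lookalike' | 'unknown' | 'invalid', detail).

    The scheme is deliberately ignored: https and a padlock only say the
    connection is encrypted, not that the site is who it claims to be."""
    host = (urlparse(url).hostname or "").strip(".")  # also drops any "user@" prefix
    if not host:
        return ("invalid", "no hostname")
    host = decode_idna(host)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    subdomain = host[: len(host) - len(domain)]  # "examplebank.com." or ""
    label = fold(domain.split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        trusted_label = fold(trusted.split(".")[0])
        if f".{trusted}." in f".{subdomain}":  # examplebank.com.secure-login.net
            return ("lookalike", f"{trusted} used as a subdomain of {domain}")
        if fold(domain) == fold(trusted):  # examp1ebank.com, sоphos.com
            return ("lookalike", f"{domain} imitates {trusted} with look-alike characters")
        if label == trusted_label:  # examplebank.net
            return ("lookalike", f"{domain} is {trusted} under a different suffix")
        if levenshtein(label, trusted_label) <= 1:  # sophoss.com
            return ("lookalike", f"{domain} is one keystroke from {trusted}")
        # The substring test is noisy for short brand names, so require five characters.
        if len(trusted_label) >= 5 and trusted_label in label:  # examplebank-security.com
            return ("lookalike", f"{domain} embeds the name {trusted}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing email.
    for link in [
        "https://login.examplebank.com/",
        "https://examplebank.com.secure-login.net/verify",
        "https://examp1ebank.com/",
        "https://s\u043ephos.com/",
        "https://sophoss.com/",
        "https://examplebank.com@evil.net/",
    ]:
        print(f"{link:50} -> {check_url(link)}")
```

Note that the last sample, with a brand name before an ‘@’, is classified by the host after the ‘@’ (evil.net), which is what the browser would actually connect to; a reader who only glances at the start of the link would see the trusted name. A checker like this belongs in the mail gateway or a browser extension as a warning, not as a replacement for the verification habits in the tips above.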

David Sykes is the Business Security Expert at Sophos