Why go through the hassle of smashing down a door when you can ask someone to hand over the key? That question is the analogy behind why social engineering has become the most widely used cyber attack technique.
The 2021 Verizon Data Breach Investigation Report has noted an upward trend in the use of social engineering since 2017. Another report identified a 270% increase in social engineering-based cyber attacks in 2021.
The signs of social engineering are so difficult to spot because the attack works by manipulating ordinary, day-to-day behaviour. So how can an employee know if they are the target of a social engineering scam?
What Is Social Engineering?
Understanding the various elements used during social engineering helps people to spot the signs of a social engineering attack.
Cybercriminals are always looking for ways to access a corporate network or manipulate a business process to cause harm. These harms vary, and include Business Email Compromise (BEC) scams and malware infection.
Both of these types of cyber attack are on the increase: BEC scams cost global businesses more than $43 billion in the five years to 2021, with a 65% increase in losses between July 2019 and December 2021; research found that 71% of companies were victims of a malware attack in 2021. Sophisticated and complex social engineering scams are behind these increases.
Social engineering exploits human behaviour so that individuals carry out actions that benefit the fraudster. In other words, fraudsters get individuals to do their dirty work for them, unwittingly. The tactics used during a social engineering attack are based on manipulating behaviour, deception, and psychological tricks. This manipulation is helped by a lack of knowledge on the part of the individual target.
Social engineering is a subtle, intelligence-led attack method. Researchers Abid et al. have identified the typical lifecycle stages of a social engineering attack:
- Information gathering: reconnaissance to identify patterns of behaviour, apps used, and business processes that can be exploited. This allows a level of trust to be established with the target and intelligence to exploit that trust.
- Developing relationship: this trust is used to develop relationships in preparation for the next stage.
- Exploitation: the malicious task is carried out, for example, clicking on a link in a phishing email or activating a bank transfer of money.
- Execution: the last stage where the hacker receives money or gains access to login credentials to install ransomware, etc.
With the stages of a social engineering attack in mind, how can you spot a social engineering attack before it’s too late?
Five Signs You Are Being Socially Engineered
Some of the most obvious signs are also the most difficult to spot as they masquerade as regular events. However, the art of spotting the unexpected or when something is just ‘not right’ is something that regular Security Awareness Training helps to establish.
Here are five typical signs of social engineering:
An Unexpected Attachment or Link
Phishing emails and smishing (mobile phishing) often contain either an attachment or a link to a malicious website. The email itself will contain typical behavioural motivators, such as urgency, emotional pressure, curiosity, fear and threats, and other concerning statements, such as a security threat. The phishing message will encourage the recipient to open an attachment or click on a link using these emotional pressures.
Think before you click a link or open an attachment. Does the message look legitimate? Check for signs of phishing, such as: does the email address of the sender match the expected domain name? Is the language and grammar of the email a little off?
Check out the MetaCompliance Ultimate Guide to Phishing for more phishing email tell-tale signals.
An Unusual Request
Fraudsters may give themselves away by asking for something a little unexpected. This is especially noticeable if the fraudster is impersonating another person in the business, perhaps a CFO or CEO.
BEC scams, for example, may involve employees in the accounts department being sent a spear phishing email that appears to be from a C-level executive asking to make an immediate and urgent money transfer. Other phishing emails may ask the recipient to open a voice recording attachment, and so on.
If a request seems out of the ordinary, stop and think: could this be a scam? Then perform a simple check – call the person who supposedly sent the request and ask if it is legitimate.
An Urgent Request or Demand
Urgency is a prime example of a tactic used to manipulate human emotions. If an urgent request also looks like it has come from upper management or the C-level, then take a moment to check the request’s legitimacy.
Business Email Compromise (BEC) often involves the emotional manipulation of employees who work in the finance department. For example, a BEC fraudster will attempt to pressure an employee to wire money using a threat of loss of business if they don’t act quickly.
Double-check the request, and call the person who supposedly made the request.
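The sender-domain check described under "An Unexpected Attachment or Link" and the urgency cues described under "An Urgent Request or Demand" can be turned into a simple mail-triage script that a security team could run over reported messages. The code below is an added example, not MetaCompliance's own tooling; the two email messages, the expected domain example-corp.com, the list of pressure phrases and the confusable-character table are all constructed for the demonstration.

```python
"""Constructed mail-triage helper for the signs the article describes:
sender domain vs. expected domain (including lookalike domains), Reply-To
mismatch, links or attachments, and urgency/pressure wording.
Example code only; every name, domain and message here is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message imitating a BEC-style wire-transfer request (not a real sample).
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: accounts@example-corp.com
Subject: URGENT wire transfer needed today
Content-Type: text/plain

Hi,
I need you to process an immediate payment before close of business.
Please confirm via the portal: http://example-corp-invoices.example.net/login
Do not discuss this with anyone, it is confidential and time critical.
"""

# Constructed benign internal message used as a control.
CLEAN_EMAIL = """\
From: colleague@example-corp.com
To: accounts@example-corp.com
Subject: Lunch on Thursday?

Shall we get lunch on Thursday? No rush, reply whenever.
"""

EXPECTED_DOMAIN = "example-corp.com"  # assumed: the organisation's real mail domain

# Wording the article lists as emotional motivators: urgency, pressure, secrecy.
PRESSURE_PHRASES = [
    "urgent", "immediately", "immediate", "before close of business",
    "do not discuss", "confidential", "time critical", "act now",
]

# Character swaps commonly seen in lookalike domains (digit 1 for l, 0 for o, ...).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "4": "a"})


def domain_of(address_header):
    """Return the lower-cased domain part of a header such as 'Name <user@host>'."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, expected):
    """True when the domain differs from the expected one only by confusable characters."""
    return domain != expected and domain.translate(CONFUSABLES) == expected


def pressure_cues(text):
    """Return the pressure phrases present in the text, in list order."""
    lowered = text.lower()
    return [phrase for phrase in PRESSURE_PHRASES if phrase in lowered]


def triage(raw_email, expected_domain=EXPECTED_DOMAIN):
    """Return a list of human-readable findings for one message.

    An empty list means none of the article's signs were observed; it does not
    prove the message is safe, so the 'call the sender' check still applies."""
    msg = message_from_string(raw_email)
    findings = []

    sender_domain = domain_of(msg["From"])
    if is_lookalike(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain} looks like {expected_domain}")
    elif sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")

    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from the sender domain")

    # Collect plain-text body parts and note any attachment parts.
    body_parts, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode(errors="replace"))
    body = "\n".join(body_parts)

    if has_attachment:
        findings.append("message carries an attachment")
    links = re.findall(r"https?://[^\s<>\"]+", body)
    if links:
        findings.append(f"message contains {len(links)} link(s): {', '.join(links)}")

    cues = pressure_cues((msg["Subject"] or "") + "\n" + body)
    if cues:
        findings.append("pressure wording: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", triage(raw) or ["no signs observed"])
```

The script flags the constructed sample on all four counts (a lookalike sender domain, a Reply-To pointing elsewhere, an external link, and six pressure phrases) and reports nothing for the control message. The confusable table is deliberately small; a production version would also compare against registered lookalike domains and run on the full reported-mail queue rather than on single messages.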
An Offer Too Good to Be True
Cybercriminals sometimes use blackmail or coercion to extract information, especially during the information gathering stage of a social engineering attack.
Think twice if you receive an offer of money or a prize for sharing company or personal information.
A Request on Social Media From Someone You Don’t Recognise
In the six months to June 2021, LinkedIn removed over 66 million pieces of spam and scam content from the platform, with 232,000 removed after a user complained. Hackers create fake social media accounts and then reach out to make connections. Fraudsters use social media to collect information and to build relationships with targets and with targets’ contacts.
If you receive a connection request on a social media platform, check the requestor’s profile and look for signs that it may be fake: for example, do they have a complete profile and work history, and do they have legitimate recommendations?
Social engineering works and will continue to do so until we learn to spot the signs. Security Awareness Training that incorporates education in social engineering tactics empowers employees with the knowledge to stop scammers from exploiting their behaviour.