Understanding the current threat landscape for social engineering

We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!


The weakest link in the security chain is not our processes or our technology: it is us. On the one hand, there is human error. A large number of security incidents (40%, according to conservative estimates) are caused by human behavior, such as clicking a phishing link. On the other hand, there is the role of social engineering in causing this human error.

Social engineering is a term used for a wide variety of malicious activities performed through human interactions. It uses psychological manipulation to exploit our emotional vulnerabilities and trick users into making security mistakes or giving away sensitive information. Often it involves time-sensitive opportunities and urgent requests to convey panic to the victim.

The most commonly used social engineering tactic: phishing

The most dominant form of social engineering attacks are phishing attacks. Phishing is a type of fraud where an attacker impersonates a person or company known to the target and sends them a message requesting access to a secure system in the hopes of misusing that access for financial gain. The most famous example of this type of attack is the “419” scam, also known as the “Nigerian Prince” scam, which claims to be a message from a Nigerian Prince, asking your help for a large sum money from their country. It is one of the oldest scams around, dating back to the 1800s when it was known as ‘The Spanish Prisoner’.

While the modern version – the “419” scam – first hit email accounts in the 1990s, the world of phishing has expanded over the decades to include methods such as spam phishing, a general attack targeting multiple users. . This type of “spray-and-pray” attack relies on quantity over quality because it only needs to deceive a fraction of the users who receive the message.

spearfishing

Spearphishing messages, on the other hand, are targeted, personalized attacks targeting a specific individual. These attacks are usually designed to appear to come from someone the user already trusts, with the aim of tricking the target into clicking a malicious link in the message. Once that happens, the target unknowingly reveals sensitive information, installs malicious programs (malware) on their network, or runs the first stage of an advanced persistent threat (APT), just to name a few of the possible consequences.

Whale phishing or whaling

Whaling is a form of spear phishing that targets high-profile, high-profile targets such as celebrities, business executives, board members, and government officials.

Fisherman phishing

Angler phishing is a newer term for attacks typically carried out by the target. The attack begins with a customer complaining on social media about the services of a company or financial institution. Cyber ​​criminals troll accounts of large companies looking for these kinds of messages. Once they find one, they send that customer a phishing message using fake corporate social media accounts.

to wish

Vishing – also known as voice phishing – uses the telephone or VoIP (voice over internet protocol) technology. This type of attack is becoming more and more popular, and cases have increased by a whopping 550% in the past 12 months alone. In March 2022, the number of vishing attacks experienced by organizations reached the highest level ever reported, surpassing the previous record set in September 2021.

Vishing tactics are most commonly used against the elderly. For example, attackers may claim to be a family member who needs to transfer money immediately to get out of trouble, or a charity seeking donations after a natural disaster.

Bait and scareware

In addition to the many categories and subcategories of phishing, there are other forms of social engineering, such as ad-based and physical. Take bait, for example – where a false promise, such as an online ad for a free game or heavily discounted software, is used to trick the victim into revealing sensitive personal and financial information or infect their system with malware or ransomware.

Scareware attacks, meanwhile, use pop-up ads to scare a user that his system is infected with a computer virus and that he should buy the antivirus software on offer to protect himself. Instead, the software itself is malicious and infects the user’s system with the viruses they were trying to prevent.

Tailgating and Shoulder Surfing

Forms of physical social engineering attacks, including tailgating – an attempt to gain unauthorized physical access to secure areas on company premises through coercion or deception. Organizations should be particularly sensitive to the possibility of recently laid off employees returning to the office with, for example, an active keycard.

Similarly, eavesdropping or “shoulder surfing” in public spaces is a remarkably easy way to access sensitive information.

Ultimately, as technologies evolve, the methods used by cybercriminals to steal money, damage data and damage reputations will also change. Companies may have all the tools in the world at their disposal, but if the root cause is driven by human action that is not protected or controlled, they remain vulnerable to a breach. It is therefore critical for companies to adopt a multi-layered approach to their cybersecurity strategy, incorporating a mix of staff training, positive corporate culture and regular penetration testing utilizing social engineering techniques.

Ian McShane is Vice President of Strategy at Arctic Wolf

DataDecision makers

Welcome to the VentureBeat Community!

DataDecisionMakers is where experts, including the technical people who do data work, can share data-related insights and innovation.

If you want to read about the very latest ideas and up-to-date information, best practices and the future of data and data technology, join DataDecisionMakers.

You might even consider contributing an article yourself!

Read more from DataDecisionMakers