How Social Engineering Threatens Your Business
In July, dozens of high-profile Twitter users, including Jeff Bezos and Elon Musk, announced they were “giving back to the community” and asked followers to donate money via Bitcoin. But it wasn’t that these figures were suddenly feeling charitable. It was a scam. And in the weeks that followed, Twitter revealed the hack had stemmed from a sophisticated social engineering attack on its employees.
Social engineering accounts for an estimated 98% of cyberattacks today, experts say. From deceptive spam emails to elaborate voice phishing, these attacks can infiltrate the most secure networks by exploiting your most unpredictable vulnerability: human error.
But what exactly is social engineering, and how does it work?
Here’s what you need to know.
What is social engineering?
Social engineering is a form of cyberattack that uses deception to obtain victims’ personal information, login credentials or other sensitive data. Unlike traditional cyberattacks, which exploit vulnerabilities in software and operating systems, social engineering relies on user manipulation.
In a typical social engineering attack, victims are fooled into divulging their login information by entering it into a fake login page. Often, users are initially deceived by an email that is designed to look like it’s from a trusted sender. When the user enters their login information on the bogus page, their credentials are captured by the attackers, allowing them to access the user’s account, often undetected.
However, this is only one of several types of social engineering used by hackers today.
What’s the purpose?
What happens after hackers pull off a successful social engineering attack? What’s their objective?
Social engineering attacks can serve a few different purposes, beyond simply stealing a user’s login credentials. Some hackers may sell the credentials on the dark web to other cybercriminals. But more commonly, the attack lays the groundwork for hackers to launch a secondary crime.
This can include:
- Delivering malware or ransomware
- Data theft
- Cyber extortion
- Credit card fraud & other financial theft
- Malicious deletion and/or general havoc to disrupt a business for no specific reason
Another important purpose of social engineering is to conduct more social engineering! For example, let’s say a hacker uses an attack to gain access to a user’s G Suite account. From there, the hacker can send out additional deceptive emails and shared files to other employees, impersonating the initial victim to gain access to other accounts and systems. This impersonation is a specific form of social engineering called pretexting.
If hackers manage to gain unrestricted access to your network, then it can put all your data at risk.
Why social engineering works
Social engineering is successful because it preys on people’s ability to be manipulated, rather than trying to break through technical cybersecurity barriers.
To an untrained eye, a social engineering attack can be extremely hard to distinguish from legitimate communications. Phishing emails, for example, are often disguised as messages from a user’s bank, a recognizable company or the government. The most effective emails are exact replicas of communications from the user’s most trusted senders, including logos, color schemes and layouts.
Often, the only difference is the URL for the call-to-action, which may simply be a button persuading the user to “log in” or “change your password.” Instead of linking to the legitimate login page, it goes to a bogus one, designed to look just like the real thing. If the user is on a mobile device, it’s even harder to notice that the URL is bad.
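As an added illustration (not from the original article), the check below parses a constructed phishing-style email and flags every link whose real destination is not on an assumed allowlist of legitimate domains, including the case described above where the visible link text shows one address while the href points somewhere else. The sample HTML, the example-bank.com allowlist and the host names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "password expiry" email: both call-to-action links look like
# Example Bank but resolve to hosts the bank does not control.
SAMPLE_EMAIL_HTML = """
<p>Your Example Bank password expires today.</p>
<a href="https://accounts.example-bank.com.login-verify.invalid/reset">Change your password</a>
<p>Or copy this link: <a href="http://198.51.100.23/reset">https://accounts.example-bank.com/reset</a></p>
<a href="https://www.example-bank.com/help">Help center</a>
"""
# Assumed allowlist of domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = ("example-bank.com",)


class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted=TRUSTED_DOMAINS):
    # Returns (href, reason) for each link whose real destination is untrusted.
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in trusted):
            continue  # destination really is on an allowed domain
        shown = (urlparse(text).hostname or "").lower() if text.startswith("http") else ""
        if shown and shown != host:  # visible URL text disagrees with the real href
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        else:  # also catches lookalikes such as trusted-name.attacker.invalid
            findings.append((href, f"destination {host} is outside trusted domains"))
    return findings
```

Run against the sample, the "Help center" link passes while both password links are reported; the same function can be pointed at any HTML mail body with the allowlist swapped for your own domains.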
Common types of social engineering
Today’s hackers use a wide variety of methods to conduct social engineering attacks. As attacks become more targeted (toward individuals or businesses that can deliver more lucrative payoffs for hackers), the methods have become more sophisticated.
Here are some of the most common examples of social engineering:
- Phishing: This method uses deceptive emails, websites and other media to fool a user into providing their credentials. As the user enters their login information into a fake page, the credentials are captured by the hackers.
- Spear phishing: Spear phishing is much like traditional phishing, except more targeted. Hackers go after specific people by scraping data from company directories, websites or social networks like LinkedIn. The targeting allows hackers to personalize the deception even further, increasing their rate of success.
- Vishing: This method uses phone calls or voice messages to deceive victims, rather than email. Also known as voice phishing or phone spear phishing, this strategy convinces users to provide their sensitive information over the phone or directs them to a bogus website. This was the method used in the Twitter hack, as we outline further below.
- Baiting: Baiting is a type of social engineering that entices victims with free stuff. This can be in the form of a free flash drive or a digital download, such as a movie, offered to the user for completing an action, such as filling out a survey or even simply logging into one of their services. But alas, the free items are often laced with malware, or the login process steals the user’s credentials.
- Quid Pro Quo: This method is sort of like a combination of phone spear phishing and baiting. Hackers entice victims with a free service, such as a complimentary network security review, in exchange for login credentials. But again, the whole thing is a scam.
- Piggybacking: Piggybacking is social engineering that happens in person. A hacker physically follows a victim into a secure area or uses deception to trick the user into letting them inside or allowing them to use their device. Also known as tailgating, this method is less common, but still a serious risk for any business, especially at larger companies that handle sensitive data.
- Spam: Everyday spam emails can be considered a social engineering attack whenever they’re meant to deceive recipients. Links to malicious sites, as well as malware-laced email attachments disguised as invoices and receipts, are prime examples.
So, what happened in the Twitter hack?
The Twitter hack that occurred on July 15, 2020, was the result of a social engineering attack that compromised the accounts of 45 users, including Barack Obama, Bill Gates, Joe Biden and other prominent figures. In total, 130 Twitter accounts were affected by the breach, but hackers only tweeted from 45 of them, promoting a Bitcoin scam.
The attack originated from a phone spear phishing campaign targeted at Twitter employees. Employees received phone calls from hackers posing as IT personnel, who tricked users into providing their login credentials for Twitter’s internal tools.
This alone wasn’t enough to complete the full hack. But with access to the internal tools, hackers were able to gather more information on Twitter’s processes and target additional employees who had more far-ranging access to Twitter’s account support tools. By deceiving those individuals, the hackers were then able to take control of users’ accounts.
What are the dangers of social engineering?
A great article by WIRED illustrated how the Twitter hack is not an isolated incident, but instead part of “a full-blown crime wave” of targeted social engineering attacks against businesses. And because these attacks have been so successful, experts say it’s only a matter of time before “foreign ransomware groups or even state-sponsored hackers” begin deploying these strategies on a more massive scale.
So, what are the dangers, exactly?
Aside from the compromised user accounts, Twitter lost $1.3 billion in market value following the attack and suffered a dent to its reputation. But in truth, it could have been a lot worse.
Social engineering can destroy businesses by compromising their data and operations. The most common delivery method for ransomware, after all, is spam email and phishing attacks. Ransomware brings operations to a screeching halt by encrypting data across a company network. The costs from operational downtime alone can range from $10,000 to millions of dollars for every hour of an outage. That doesn’t even include the recovery costs or the ransom demands, which have been skyrocketing in recent months.
Ransomware has literally put companies out of business, and more often than not, these attacks stem from social engineering methods.
How to prevent social engineering attacks
Preventing a social engineering attack requires a three-pronged approach:
- Periodic employee training to educate users how to identify and avoid common scams
- Strong cybersecurity solutions to block more threats from entering networks
- Robust data backups to ensure that any compromised or destroyed data can be quickly restored
Training is arguably the most important step for prevention. Phishing emails and other social engineering methods will inevitably slip through your firewalls and email filters. When they do, you want to be sure that users are ready.
Yearly (or more frequent) training helps employees know how to spot a potentially bogus email or other fake communication. This education is your most powerful tool for preventing users from being duped.
The need for better data backup
Even with the best training and cybersecurity in place, mistakes will still happen. That’s why it’s so important to have a dependable backup system as a failsafe.
Advanced BC/DR solutions from Datto help businesses maintain continuity by offering a backup frequency of every 5 minutes, as well as instant recovery options and hybrid cloud restores.
To be sure, backups are a last resort for minimizing the impact of a nasty social engineering attack, but they are an essential layer of protection for every business.
Request a free demo
Learn more about protecting your organization with disaster recovery solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.