Social Engineering: Stop Falling Into Their Traps!
Social engineering attacks are a significant threat to businesses. According to one recent study, 71% of IT professionals say they know employees who have fallen victim to such an attack. Cybercriminals are increasingly skilled and practise the art of illusion to trap us. What are "social engineering attacks"? Why are we so susceptible to them? How can we avoid falling into the trap? In this article we answer these questions and give actionable tips to strengthen your defences against this threat.
What Is Social Engineering?
Social engineering attacks are best described as psychological attacks. Cybercriminals use manipulation techniques to persuade individuals to hand over valuable information or to act in the attacker's interest. The information obtained can be sold on the dark web or used to launch new, more destructive attacks.
These attacks exploit human weaknesses, and in particular the shortcuts our cognitive functions take. Attackers play on emotions, curiosity, urgency and similar factors to trigger automatic, unconscious responses from their victims.
Why Is It Used So Much By Cyber Criminals?
Today, by the figures most often cited, more than 90% of cyberattacks involve social engineering, for a simple reason: it is easier to get into a system or network this way. Modern security technologies are effective and hard to break through directly; doing so demands more effort and resources from the attacker.
With social engineering, attackers bypass the security controls in place by using a person as the bridge. With the information, or the action, their victim provides, they can get into a system or network far more easily, with no need for advanced technical exploitation.
Why Do These Attacks Claim So Many Victims?
Social engineering attacks owe their success to weaknesses in human cognition. Cybercriminals exploit factors such as stress or surprise, which make people more vulnerable and easier to influence. The messages or calls victims receive are usually unexpected. They contain an urgent request (often about security or money) or promise an attractive gain.
According to cognitive scientists, stress and cognitive load considerably reduce a person's ability to spot the signs of malicious intent. Both impair rational decision-making and lower alertness. They also push people toward automatic information processing, which leads to behaviour that is dangerous for a company's security.
Social engineering attacks succeed more often when the target lacks cybersecurity knowledge and good IT habits. Someone who has been made aware of the threat decides on the basis of reasoning; someone who has not decides on the basis of emotion.
Which Cyberattacks Use Social Engineering Techniques?
Many cyberattacks use manipulation to achieve their goal. Here are the five most common social engineering attacks:
Phishing
This is one of the most common attacks. The attacker sends an email containing a link to a malicious site or a booby-trapped attachment. The goal is to get the victim to enter sensitive data on the site, or to run malicious software (malware) by clicking the link or opening the attachment. Most often, the cybercriminal impersonates a known brand or organisation, and the message is designed to create a sense of urgency.
Spear Phishing
This is a targeted variant of phishing. The goal is to persuade a specific person to divulge confidential or personal information, or to perform an action that compromises the company's network. It presupposes preliminary reconnaissance of the company and the people concerned, and the message is highly personalised to make it more convincing.
The attacker also takes care to forge the sender's name and address to make the email more credible, and may pose as someone you know: a colleague, or even your bank adviser. For example, the attacker can impersonate an employee and ask for a file containing confidential information to be sent to a new email address, where it falls into the wrong hands.
Smishing
This attack uses the same technique as phishing, except that the victim receives an SMS instead of an email. As with phishing, the text message urges the recipient to send sensitive information or click a link. In France, smishing messages are typically sent from ordinary mobile numbers starting with 06 or 07, rather than from the short codes or branded sender names that businesses normally use.
The President Scam (CEO Fraud)
This widespread fraud also relies on impersonation. A fraudster contacts an employee of a company claiming to be its president or general manager and asks them to make an unplanned, urgent and confidential transfer to a bank account, often located abroad. The scam is usually carried out by phone or email. In other variants, the fraudster impersonates a government agency or a supplier instead.
Baiting
Baiting traps people by exploiting their curiosity and greed, and differs from the other attacks in the content of its message: the attacker lures the victim with the promise of a gift or reward. The goal is to get them to open a booby-trapped attachment, download malicious software or hand over sensitive information. Baiting can reach you by email, by message on social networks or through an advertisement on a website.
How Not To Fall Into Their Traps?
As you will have understood, cybercriminals are very creative, and they have many tricks to keep their attacks from being noticed. Still, some warning signs can be detected. First, cultivate a "culture of doubt": when something seems unusual or surprising, take the time to question it before acting, and do not give in to stress or greed.
Then Carry Out Several Checks
- For an email: look at the sender's address. Check that the domain name and its extension (.com, .fr, .gouv, etc.) match the company or organisation contacting you, keeping in mind that the display name can say anything. Examine the links in the email without opening them: hover over the link, or right-click and copy the address, and compare the domain of the real target with the one shown in the text; you can also paste the copied address into a link-checking site. Never click it to find out.
- For a call or an SMS: check that the number matches the company or person contacting you by looking it up yourself on the official website or in a directory. Caller ID and SMS sender names can be spoofed, so call back on the number you looked up rather than the one shown. In France, be wary of text messages from 06 or 07 numbers claiming to come from a business or public service.
- For a website: first look at the URL. Make sure it matches the official site's address and uses HTTPS, but remember that HTTPS only means the connection is encrypted, and most phishing sites use it too; it is the domain name that matters. Then read the site's legal notices, which tell you more about who operates it. You can also check its reputation on sites such as Trustpilot or FranceVerif, and read what other users say about it.
- The request itself can also guide you. If you are asked for personal or confidential information or for your bank details, there is a good chance it is a scam. A bank, for example, will never ask you for your PIN, full card details or a one-time code over the phone.
- The urgency of the request should also alert you. Take the time to verify it with the company or person concerned by contacting them directly on their official number or website, not by replying to the email or calling the number shown in the message.
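The email and link checks above can be automated as a first triage step. The Python script below is an added example written for this article, not code from the original page or from BA INFO: it parses a raw message, compares the sender's domain with a hypothetical allow-list of domains the impersonated brand legitimately uses, and inspects each link for the tell-tale signs discussed here (no HTTPS, a raw IP address, a punycode look-alike domain, displayed URL text that differs from the real target), then flags urgency wording in the subject and body. The allow-list `TRUSTED_DOMAINS`, the sample message, the IP address and the look-alike domain are all constructed for the example, and `registrable_domain` uses a crude two-label rule rather than the public suffix list.

```python
"""Triage checks for a suspicious email: sender domain, link targets, urgency cues.

Added example for this article, not code from the original page.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains that may legitimately send as "Example Bank".
TRUSTED_DOMAINS = {"example-bank.com", "example-bank.fr"}

# Constructed sample message: sender, brand, IP and look-alike domain are all fictitious.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
To: jane.doe@corp.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your identity immediately:</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a><br>
<a href="https://xn--exmple-bank-6lb.com/verify">Verify now</a>
</body></html>
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public suffix list; an assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg):
    """Flag a From: domain that is not on the brand's allow-list (display name is ignored)."""
    header = msg["From"]
    addresses = header.addresses if header else ()
    domain = addresses[0].domain.lower() if addresses else ""
    if domain not in TRUSTED_DOMAINS:
        return [f"sender domain '{domain}' is not a trusted domain for this brand"]
    return []


def check_link(href, text):
    """Return the warning signs found for one link: scheme, host type, domain, shown vs real."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append(f"link to {href} is not HTTPS")
    if IPV4.fullmatch(host):
        findings.append(f"link to {href} uses a raw IP address instead of a domain")
    if "xn--" in host:
        findings.append(f"link to {href} uses a punycode (look-alike) domain")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append(f"link to {href} points outside the trusted domains")
    # Visible text that looks like a URL but whose host differs from the real target.
    if text.startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        if shown != host:
            findings.append(f"displayed URL host '{shown}' differs from real target '{host}'")
    return findings


def triage(raw_message):
    """Run all checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html_text)
    for href, text in collector.links:
        findings.extend(check_link(href, text))
    if URGENCY.search((msg["Subject"] or "") + " " + html_text):
        findings.append("message uses urgency cues (urgent / immediately / deadline)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

A finding from this script is a prompt to verify through an official channel, not proof of phishing; in practice the message would come from a mail client export or a journaling mailbox, and the allow-list would be maintained per brand your organisation deals with.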
How To Protect Your Business From Social Engineering Attacks?
Several measures can be taken internally to protect your company from social engineering attacks.
Awareness And Training
First of all, raising awareness and training your employees is essential. They need to understand what these attacks are and what risks they pose to the business, and they must be kept informed of the techniques cybercriminals use to deceive them. Use specific, concrete examples to show how dangerous these attacks are. Your training programme should also give them the IT best practices to apply every day. Effective awareness-raising increases vigilance against this threat and removes the reflex of automatic trust.
Phishing Simulators
Train them to deal with social engineering through regular phishing and spear-phishing simulations. These put your employees in realistic conditions where they can apply the best practices they have learned. To be realistic, your simulations must mimic the techniques and styles that cybercriminals actually use.
Simulations also let you assess how vulnerable your employees are to these attacks and measure the impact of your training. You can observe your teams' behaviour as it happens (who clicks, who enters credentials, who reports the message) and identify where more training is needed.
Dark Web Monitoring
Set up continuous dark web monitoring to identify exposed employee data. Usernames, email addresses, passwords: millions of sensitive records are stolen and sold on the dark web every year, and this data is often reused for new, more targeted and more destructive attacks. Some service providers, such as BA INFO, run in-depth searches on your behalf to detect your organisation's data in these leaks. You are alerted whenever your data is exposed, so you can act accordingly, for example by resetting the affected passwords.