Despite the continued hard work of companies and their cybersecurity partners, the number of cyberattacks, and the losses they cause, continue to grow at staggering rates. This year alone, over 5 billion malicious emails have already been sent, along with 200 million attachments and 1.7 billion suspicious SMS messages.
Part of this surge in malicious conversations stems, ironically, from increasing investment in security defenses. Whilst applications and servers receive the lion’s share of cybersecurity defense funding, criminals are increasingly making the most of an unpatchable, deeply flawed weakness: your brain. Humans are now the most reliable source of vulnerability within a company. Without strong vishing attack prevention, human exploitation remains a persistent, lurking threat.
What is Social Engineering?
Social engineering describes the process of manipulating a victim. In these attacks, the victim is goaded into acting in the cybercriminal’s best interest. Impersonation is the cybercriminal’s best friend: it is how the malicious actor frames themselves as a trusted individual, either as someone the victim knows, or as an employee of a relevant organization.
The first component of a successful social engineering attack is the attacker convincingly imitating their legitimate counterpart. When a victim believes that the person on the other side of the screen is genuinely from Microsoft, or is representing a previous client of theirs, the attacker is one step closer to success.
Once the victim has been lured in, the next phase entails them acting on the attacker’s instructions. This could mean handing over sensitive information such as passwords or bank account details. In less direct forms, the victim is sent to a website loaded with malware. Once visited, the site stealthily initiates a download that grants the attacker access to the device. In the worst scenarios, the malicious website strips sensitive information from the device and takes command of it entirely.
Phishing is one of the most well-known and effective forms of social engineering attack. It is typically underestimated: many people jokingly assume that these attacks resemble a particularly generous member of the Nigerian royalty. What many misunderstand, however, is the sheer potency of phishing. Even those stereotypically typo-ridden, barely legible emails continue to drain the pockets of the particularly vulnerable, surpassing $700,000 in losses every year.
Modern Phishing: A Force to Be Reckoned With
Nowadays, cybercriminals have honed their craft to such a degree that even governmental departments are at risk. In 2017, Russian state actors gained access to multiple US organizations in the energy, construction, water and nuclear sectors. The Department of Homeland Security and the FBI worked together to find and fix the source of the breach, and were surprised to find not a direct attack, but a complex web of spear phishing attacks that led up to large-scale compromise. First, the Russian actors gained access to smaller suppliers, such as solar panel part suppliers and excavation companies. A particularly popular method was “waterholing”: compromising websites that staff at the targeted organizations were known to visit, so that login information entered there was collected and relayed back to the attackers.
Once small-scale compromise was achieved, they progressed to the next phase. Building on the implicit trust placed between a company and its suppliers, the Russian attackers stealthily took over the email accounts whose addresses and passwords they had harvested, and reached out to the larger power grid organizations under the guise of existing business partners.
Trojan documents became particularly successful in the second phase of the attack, as the attackers continued turning supply chains against the organizations that depended on them. No damage or sabotage was committed by the state actors: their mission was one of close surveillance.
The Most Dangerous Misconceptions
Social engineering is a threat to individuals, companies, and national security alike. Why, then, are there so many misconceptions surrounding it?
Social engineering attacks are defined by their unassuming nature. One of the most dangerous assumptions made in everyday life is that existing email conversations are safe. After a genuine conversation has begun, the human brain is particularly vulnerable because it assumes that conversations are continuous. While true for all the IRL discussions that have occurred over the last 1.9 million years, digital communication has significantly broken up this process. Now, a message from a month back can be replied to as if it were sent mere minutes ago. The sense of trust is retained, however: the recipient of your reply is expected to be the same person who wrote the original.
All attackers need to do is gain access to a legitimate user’s inbox. Verified login credentials are accessible even to attackers with no tech know-how; deep web marketplaces are thriving hubs of stolen passwords. This is how social engineering attacks become self-replicating: once one account is compromised, its entire web of contacts suddenly becomes very vulnerable. Threat actors can also hijack email servers and automatically send replies from attacker-controlled botnets.
Another broad misconception is that email is the only threat to look out for. Cybercriminals present an ever-evolving threat, and a growing number of attacks stem from multiple sources. Throughout 2021, there was a significant increase in the joint use of email and call-center attacks. Here, victims would receive emails without any malicious links or attachments, which merely pointed them in the direction of a fake customer service number. Calling this number would then lead the victim directly to the threat actor.
Within this attack type, there are two further categories of call center threat activity: one uses legitimate remote assistance software to steal money; the other deploys malware disguised as a document to compromise a computer. Both entail telephone-oriented attack delivery (TOAD), and both affect individuals and organizations alike.
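The two misconceptions above (a hijacked or mimicked reply in an existing thread, and a link-free call-back lure) both leave traces a defender can score before a human reads the message. The following is an added example, not code from the original article: a small heuristic that flags a Reply-To domain that differs from the sender, a sender address that mimics a known contact from a different domain, a reply to an existing thread from an unknown address, and an urgent phone-number request with no link. The sample message, the address book and the regular expressions are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a call-back (TOAD) lure sent as a reply to an old thread
# from a lookalike domain ("examp1e" with a digit one), with a mismatched Reply-To.
SAMPLE_EMAIL = """\
From: "Dana Ortiz (Accounts)" <dana.ortiz@examp1e-supplier.com>
Reply-To: billing@help-desk-center.net
To: finance@example.com
Subject: Re: Invoice 4471 - payment overdue
In-Reply-To: <old-thread@example.com>

Hi, following up on our earlier thread. Your renewal was charged $499.
If you did not authorise this, call our support line today on 1-800-555-0142
so we can cancel it before the end of the day.
"""

KNOWN_CONTACTS = {"dana.ortiz@example-supplier.com"}  # constructed address book

PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.I)
URGENCY_RE = re.compile(r"\b(today|immediately|within 24 hours|end of the day|urgent)\b", re.I)


def lookalike(addr, known):
    """Return the known contact this address mimics: same local part, different domain."""
    local, _, domain = addr.partition("@")
    for k in known:
        klocal, _, kdomain = k.partition("@")
        if local == klocal and domain != kdomain:
            return k
    return None


def score_message(raw, known=KNOWN_CONTACTS):
    """Return a list of textual findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    findings = []
    if reply_to and reply_to.split("@")[-1] != sender.split("@")[-1]:
        findings.append("reply-to domain differs from sender domain")
    if lookalike(sender, known):
        findings.append("sender mimics a known contact from a different domain")
    if msg.get("In-Reply-To") and sender not in known:
        findings.append("reply to an existing thread from an unknown address")
    if PHONE_RE.search(body) and not URL_RE.search(body) and URGENCY_RE.search(body):
        findings.append("urgent call-back request with a phone number and no link (TOAD pattern)")
    return findings
```

Each finding is a signal for review rather than a verdict; real deployments would also check authentication results (SPF, DKIM, DMARC) that this example leaves out.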
Managing the Threat of Social Engineering
Because social engineering attacks exploit your every move, it’s vital to proactively manage the threat before you’re hit. Anti-phishing protection takes human error out of the equation by identifying and eliminating potentially harmful emails. Impersonation attacks, which depend wholly on spoofed and mimicked email addresses, can be blocked and reported, helping you keep a finger on the pulse of your attack surface. Cross-platform compatibility is a must in order to handle the combined threat of social engineering and vishing. Support your team and protect profits by cutting criminals out of your inbox.