In 2016, 60 percent of enterprises were victims of social engineering attacks, resulting in losses of $3.1 billion as of May 2016. From financial losses to data breaches, social engineering attacks are considered the “fastest growing security threat for enterprises today.” This is why in March 2000 Congress convened a hearing with Kevin Mitnick, the notorious computer hacker, to learn about his tactics and how to prevent the proliferation of this form of cyberattack. In his testimony, Mitnick stressed the importance of understanding social engineering and the human element in cybersecurity. “I was so successful in [social engineering] that I rarely had to resort to a technical attack,” Mitnick explained. He added that “employee training to recognize sophisticated social engineering attacks is of paramount importance.”
In cybersecurity, social engineering refers to any malicious act that tricks people into giving out information or taking an action without considering the negative consequences. Using fraudulent pretexts, attackers persuade victims to open an attachment, install a program, click a link, or download a file.
Three Types of Social Engineering Attacks to Watch
- Phishing: This is the leading form of social engineering attack, typically delivered via email, chat room, web ad, or website. This type of attack is “crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data. A phishing message might come from a bank, the government, or a major corporation.” One variant of phishing is business email compromise (BEC). The scam is carried out by compromising “legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The FBI’s latest public service announcement on BEC reports, for the period between October 2013 and August 2015:
  - 7,066 victims of business email compromise in the U.S.
  - a 270 percent increase in identified victims and exposed loss.
  - $1.2 billion in global fraud losses from these crimes.
- Malicious Apps: “People willingly download more than 2 billion mobile apps that steal their personal data.” When users bypass the security warnings shown during installation, their devices and their enterprise become vulnerable to attack. Furthermore, users who bypass security warnings are four times more likely to download a malicious app. These downloads affect two out of five enterprises.
- Baiting: The difference between phishing and baiting is that baiting attacks use the promise of items, money, events, and the like to entice end users to give up information. Once the bait is taken, malicious software is deployed to the user’s system. Baiting attacks can take both digital and physical form. Both are equally effective in penetrating an organization’s infrastructure and exposing critical information to attackers.
The Defense against Social Engineering
According to the security firm Proofpoint, “In 2015, social engineering was the #1 attack technique. People replaced exploits as attackers’ favorite way to beat cybersecurity.”
Attackers know that we are cognitive misers, that is to say we expend the least amount of energy and time possible to solve problems, relying instead on intuition and mental shortcuts. As a result, we don’t engage in fully disjunctive reasoning, and we spend little to no energy validating the information we receive from colleagues, authorities, and seemingly harmless organizations.
In the workplace, we open emails and download attachments without ever assuming that they can be malicious. Our lack of fully disjunctive reasoning transforms us into enablers for attacks of all sizes. Proofpoint reports “99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than automated exploits. At the same time, 98% of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive. To work, these files have to be opened by the user. So attackers trick users into double-clicking them and infecting themselves.”
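The Proofpoint figures above describe two concrete delivery patterns a mail gateway or SOC analyst can screen for before a user ever double-clicks: attachments in macro-capable Office formats, and links whose target is an executable or an archive wrapping one. The following Python script is an added illustration, not code from the original article or from Proofpoint; the sample messages, the hypothetical `example.invalid` host, and the extension lists are all constructed for the demo and would be tuned per organization.

```python
"""Added triage example (not from the original article): flag the two
delivery patterns the Proofpoint statistic describes, macro-capable
attachments and URLs that point at an executable or an archive.
Every message below is constructed for the demo."""
import posixpath
from urllib.parse import urlparse

# Assumption: Office formats that can carry VBA macros, legacy binary formats included.
MACRO_CAPABLE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls", ".ppt"}
# Assumption: extensions Windows will execute or script hosts will run on double-click.
EXECUTABLE = {".exe", ".scr", ".msi", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
# Assumption: containers commonly used to wrap an executable.
ARCHIVE = {".zip", ".rar", ".7z", ".iso", ".img"}


def _ext(name):
    """Last extension, lower-cased, so 'report.pdf.EXE' yields '.exe'."""
    _, ext = posixpath.splitext(name.lower())
    return ext


def classify_url(url):
    """Finding string if the URL path ends in an executable or archive, else None.
    The query string is ignored so '?id=1' cannot hide the real target extension."""
    ext = _ext(urlparse(url).path)
    if ext in EXECUTABLE:
        return f"url-executable:{url}"
    if ext in ARCHIVE:
        return f"url-archive:{url}"
    return None


def classify_attachment(filename):
    """Finding string for a macro-capable, executable, or archive attachment, else None."""
    ext = _ext(filename)
    if ext in MACRO_CAPABLE:
        return f"attachment-macro-capable:{filename}"
    if ext in EXECUTABLE:
        return f"attachment-executable:{filename}"
    if ext in ARCHIVE:
        return f"attachment-archive:{filename}"
    return None


def triage(message):
    """message: dict with 'subject', 'attachments' (file names) and 'urls' (strings).
    Returns the list of findings; an empty list means nothing matched."""
    findings = []
    for name in message.get("attachments", []):
        finding = classify_attachment(name)
        if finding:
            findings.append(finding)
    for url in message.get("urls", []):
        finding = classify_url(url)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample messages; example.invalid is a reserved, non-routable name.
SAMPLE_MESSAGES = [
    {"subject": "Invoice overdue - action required",
     "attachments": ["invoice_0417.docm"], "urls": []},
    {"subject": "Your parcel could not be delivered",
     "attachments": [], "urls": ["http://example.invalid/track/label.zip?id=7"]},
    {"subject": "Q3 offsite agenda",
     "attachments": ["agenda.pdf"], "urls": ["https://example.invalid/agenda"]},
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Map each subject to its findings so the result can be inspected or asserted on."""
    return {m["subject"]: triage(m) for m in messages}


if __name__ == "__main__":
    for subject, findings in triage_all().items():
        print(subject, "->", findings or "no findings")
```

Extension matching is a coarse first pass: it catches the double-extension trick and query-string padding, but a macro-capable extension only means a file can carry a macro, so a gateway would still open the document and inspect it (and sandbox any flagged archive) before deciding to quarantine.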
To combat this, we have to make users aware of the types of social engineering attacks and credential-phishing schemes. Simply put, a user who employs fully disjunctive reasoning is the best defense against ever-growing social engineering attacks.