Social engineering, the psychological manipulation of people into performing actions that are against their best interest, has become one of the most common attack vectors, used in 82 percent of all successful data breaches, according to Verizon’s 2022 Data Breach Investigations Report (DBIR).
Unlike other threats, such as viruses, ransomware, and Denial of Service (DoS) attacks, it doesn’t exploit weaknesses in physical or cloud-based infrastructure. Instead, its targets are human weaknesses, which is why social engineering is sometimes called human hacking.
Unfortunately for organizations of all sizes, human weaknesses are generally more difficult to address than technical or digital system vulnerabilities because people often repeat the same mistakes over and over again. That’s why the following social engineering assumptions are still so widespread, making it easier for cybercriminals to breach their victims’ defenses.
Avoid the Following Social Engineering Assumptions:
1. SMBs Are Rarely Targeted by Social Engineering Attacks
Perhaps the most dangerous assumption commonly made by small and medium-sized businesses is that cybercriminals only target the big fish—large enterprises that store and process massive quantities of sensitive data and can afford to pay millions in ransom. This assumption is simply not true.
In reality, an employee of a small business with fewer than 100 employees typically experiences 350 percent more social engineering attacks than an employee of a larger enterprise, as revealed in a report published by researchers at cloud security company Barracuda Networks.
2. Social Engineering Attacks Prioritize Quantity Over Quality
It would be difficult to find anyone who hasn’t been on the receiving end of the infamous Nigerian Prince Scam, also known as a 419 scam, whose premise hasn’t changed much since the 1990s. Phishing messages in which scammers pose as wealthy royalty in need of assistance with an urgent money transfer are generally sent in large quantities, and their quality ranges from laughably bad to poor.
But not all social engineering attacks are as primitive as the Nigerian Prince Scam. Spear phishing messages, for example, are meticulously crafted to appear to come from someone the victim already trusts, and they’re often supported by weeks or even months of research and reconnaissance. Such messages are becoming significantly more common, and those who are not aware of their existence are the most likely to fall for them.
3. Email Is the Only Channel for Social Engineering Attacks
It’s true that most social engineering attacks occur through email, but they’re certainly not limited to it. Because organizations have been training their employees to be on the lookout for suspicious messages, cybercriminals are increasingly exploring other communication channels beyond email.
Social engineering attacks that come in the form of a text message and frequently include a malicious link are called smishing. There’s also vishing, which involves fraudulent calls or voicemails that solicit personal information from a victim.
Popular social media platforms like LinkedIn, Twitter, and Facebook are also being used to execute social engineering attacks, with attackers pretending to be customer service representatives or employees of partner companies.
4. Social Engineering Attacks Are Limited to the Digital Realm
The digital nature of modern work and the ubiquitous use of email allow cybercriminals from around the world to launch a variety of social engineering attacks on individuals and organizations alike. But social engineering doesn’t always involve digital technology.
Some social engineers are not afraid to get up close and personal with their victims and use deception to obtain access to restricted areas, such as an office building. They may go as far as to dress as delivery drivers or HVAC technicians, create fake IDs, and do other things to make their intrusion seem legitimate.
Once these physical social engineers obtain access, they can install hidden cameras to spy on people, steal sensitive documents, set up keyloggers, and more.
5. You Can Always Trust a Phone Call
When cybersecurity-savvy employees receive an unusual email message from a superior, they verify its legitimacy—or at least they should. But when the same employees receive an unusual phone call, it almost never occurs to them that the person on the other side could actually be someone else.
That’s exactly what happened in 2020 when a bank manager was tricked into transferring $35 million to an attacker-controlled account by an attacker who used deepfake technology to pose as a company director.
Because of recent advances in artificial intelligence and machine learning, as well as the growing accessibility of solutions based on them, voice deepfake attacks are becoming more and more common, so even phone calls can’t be trusted anymore.
The Bottom Line: Assumptions Can Be Dangerous
Social engineering attacks show that the cybersecurity chain is only as strong as its weakest link. To strengthen it, it’s important to stop making the social engineering assumptions described in this article because their consequences can be extremely costly.
Cybersecurity awareness training remains the best protection against the latest and most widespread social engineering threats, especially when combined with sound cybersecurity policies, detection and response capabilities, and other protective measures.
To learn more about them, get in touch with us at TechGen.