Social engineering, the psychological manipulation of people into performing actions that are against their best interest, has become one of the most common attack vectors, used in 82 percent of all successful data breaches, according to Verizon’s 2022 Data Breach Investigations Report (DBIR).
Unlike other threats, such as viruses, ransomware, and Denial of Service (DoS) attacks, it doesn’t exploit weaknesses in physical or cloud-based infrastructure. Instead, it targets human weaknesses, which is why social engineering is sometimes called human hacking.
Unfortunately for organizations of all sizes, human weaknesses are generally more difficult to address than technical or digital system vulnerabilities because people often repeat the same mistakes. That’s why the following social engineering assumptions are still so widespread, making it easier for cybercriminals to breach their victims’ defenses.
Avoid the Following Social Engineering Assumptions:
In reality, an employee of a small business with fewer than 100 employees typically experiences 350 percent more social engineering attacks than an employee of a larger enterprise, as revealed in a report published by researchers at cloud security company Barracuda Networks.
But not all social engineering attacks are as primitive as the Nigerian Prince scam. Spear phishing messages, for example, are meticulously crafted to appear to come from someone the victim already trusts, and they’re often supported by weeks or even months of research and reconnaissance. Such messages are becoming significantly more common, and those who are not aware of their existence are the most likely to fall for them.
Social engineering attacks that come in the form of a text message and frequently include a malicious link are called smishing. There’s also vishing, which involves fraudulent calls or voicemails that solicit personal information from a victim.
Popular social media platforms like LinkedIn, Twitter, and Facebook are also being used to execute social engineering attacks, with attackers pretending to be customer service representatives or employees of partner companies.
Some social engineers are not afraid to get up close and personal with their victims and use deception to obtain access to restricted areas, such as an office building. They may go as far as to dress as delivery drivers or HVAC technicians, create fake IDs, and do other things to make their intrusion seem legitimate.
Once these physical social engineers obtain access, they can install hidden cameras to spy on people, steal sensitive documents, set up keyloggers, and more.
That’s exactly what happened in 2020, when a bank manager was tricked into transferring $35 million to an attacker-controlled account by an attacker who used deepfake technology to pose as a company director.
Because of recent advances in artificial intelligence and machine learning, and the growing accessibility of tools built on them, voice deepfake attacks are becoming more and more common, so even a familiar voice on a phone call can no longer be trusted on its own.
The Bottom Line: Assumptions Can Be Dangerous
Social engineering attacks show that the cybersecurity chain is only as strong as its weakest link. To strengthen it, it’s important to stop making the social engineering assumptions described in this article because their consequences can be extremely costly.
Cybersecurity awareness training remains the best protection against the latest and most widespread social engineering threats, especially when combined with sound cybersecurity policies, detection and response capabilities, and other protective measures.
To learn more about them, get in touch with us at TechGen.