Even the world's most secure systems share the same vulnerability as every other system in the world: people. Most cybercriminals target humans, not systems, to gain access to your most sensitive data.
Social engineering and phishing are among the most commonly used cyberattack strategies in the world for good reason: they work really well.
Social engineering is a cybersecurity threat that uses manipulation and deception of authorized users to gain unauthorized access to your secure data. By posing as a vendor, coworker, customer or authority figure, criminals gain physical or virtual access to your systems and data. These criminals may also perform extensive research using publicly available information and social media to develop a convincing and successful angle.
Phishing is a technique in which a fraudulent email (like common spam) is used to obtain the recipient’s usernames, passwords, payment card information or other personal details. These emails are often designed to appear as though they came from a trusted source such as a bank, auction site, popular social networking platform or IT administrator.
The consequences of social engineering are both staggering and devastating:
110 million customers' payment card information was stolen. Target's CEO and many of its IT security staff were fired over this breach.
Over $100 million disappeared, routed by wire transfer to offshore bank accounts until the U.S. Department of Justice captured the perpetrator.
Cybercriminal Ryan Collins sent celebrities fake warnings of security breaches, collected frantically-entered login credentials from credulous recipients, then downloaded more than 500 private digital photographs.
100 million payment card numbers and other personal details were stolen and placed for sale on dark web marketplaces.
The Belgian bank lost $75 million as a result of the well-known “CEO Fraud” phishing attack.
Criminals tricked buyers into making purchases, then collected security credentials when the buyers tried to correct a "processing error" in the sale.
Understanding how and why social engineering works can help users and employees learn to spot attempts and protect their credentials more vigilantly. A good grasp on today’s most popular social engineering strategies may also help users spot evolving future techniques.
Spear phishing is a more targeted form of phishing. Rather than sending mass emails, the criminal sends highly targeted, personalized emails to specific individuals or companies, based on prior research using publicly available information such as social media.
This growing threat is costing some companies millions of dollars in losses. Essentially, sophisticated criminals target specific employees like controllers and accountants (often when the CEO is away) to request an immediate wire transfer to what appears to be a trusted vendor or familiar account.
The criminal engages the victim with a made-up story or scenario. Previously acquired personal details, such as the target's social security number or date of birth, might be used to build trust and extract more information.
The criminal gains the confidence of a courier or parcel carrier in order to divert a delivery to an alternate location.
Like animals returning to a trusted water hole, many consumers return to the same sites repeatedly. "Water-holing" involves identifying those sites and laying cyber traps for the user there.
Baiting involves dangling something of interest in front of the victim, such as a digital content download or even a physical object like a data stick labeled "Q1 Layoff Plan." Once an employee opens it out of curiosity, it can infect the system.
In this scheme, the cybercriminal comes in a trusted guise and offers something beneficial in exchange for sensitive information. A caller could pretend to be IT support, for example, and offer a quick fix or update if the target briefly disables security protocols or shares a password.
An extremely low-tech tactic is simply following authorized personnel through a locked door to gain access to private facilities. Many employees or visitors do not question people following them through secured doors, assuming they have a legitimate reason to be there.
This method relies on a sexually attractive, possibly fictitious, character manipulating a user for confidential information or unauthorized access.
A criminal accesses the profile of a friend or celebrity (or makes a lookalike profile) and tries to get the target to click on a link.
A criminal might alter the content of a website, redirecting users to a phishing page.
The phisher attempts to put low-cost products or services at the top of searches, collecting payment card details from the "purchase."
The criminal builds a replica of a legitimate website, collecting confidential data from transactions the target attempts.
The phisher inserts themselves between the target and a real website, collecting details from a legitimate transaction.
Common in CEO fraud, the criminal emails the target from what looks like a legitimate email address within the domain of the company the criminal is impersonating.
A reputable-looking link that redirects to a different site, exposing the computer to malware. This deception can usually be detected by hovering the cursor over the link before clicking, which lets the browser show where the link actually goes.
Malware prompts the user to perform an action that looks legitimate but allows unauthorized access through the local machine.
Phishing over the phone: bad actors call employees under false pretenses in order to gain unauthorized access to your systems or sensitive information.
Phishing by SMS (phone-based text messages) or other text messaging services.
This type of breach of a company's physical security is actually a very effective way of gaining access to workstations, data centers and more.
The odds are stacked against data security. Fortunately, security education can significantly reduce an organization's risk of becoming a victim of social engineering attacks. Train employees to identify these attacks, understand how they work, and follow the proper process for reporting them.
Options for social engineering and phishing security training are available in virtual and in-person formats, for organizations of every size around the world. While the methods, vendors and information covered will vary, high-quality training programs share the same basic elements.
Mandatory employee training on phishing is easy enough to implement. Making a lasting, measurable impact on your users is a different story.
Our training begins on a kick-off call with your security team, so we’re aligned with your goals and focused where you need us most. Then, we begin testing your employees without them knowing what’s coming.
The Truvantis red team of cybersecurity experts will attempt to phish and manipulate your users, in the same way a criminal might, in order to show them real criminal strategies and just how susceptible they really are. During training periods, our social engineering team can be deployed to phish a company’s users as often as monthly, until we’re no longer successful in getting access to your data.
After testing, we'll meet with you to discuss our successes and failures and to provide expert recommendations for the most relevant and effective training strategies. Then, we'll help you harden your systems where it matters most with hands-on user training that's among the best in the industry.