Hacking Humans: The Social Engineering Threat
When most people think of cyberattacks and the social engineering threat, they picture a scene from an action movie in which a teenage computer whiz spends thirty seconds furiously typing on a computer keyboard and gaining complete access to the Pentagon’s databases. In the real world, this isn’t how hacking actually works.
The good news is that hacking the Pentagon is a lot harder than Hollywood makes it look. The bad news is that hacking is still effective and increasingly lucrative.
For these reasons, hackers have developed an arsenal of tools and techniques to defeat organizations’ defenses and have learned to stick with what works.
What is Social Engineering?
One of the most effective methods for breaking through a company’s cyber defenses is social engineering. Organizational cyber defenses are often technology-based, focusing on identifying and closing the holes created by programming flaws or misconfigurations.
Social engineers target the holes in corporate defenses created by human beings. People take shortcuts, and consistently doing the “right thing” from a security perspective is hard. Social engineers capitalize on this and take advantage of the way people’s minds work to get past a company’s defenses. Since this is usually easier than bypassing technology-based barricades, it’s one of the most common types of cyberattacks.
How the Social Engineering Threat Works
There are basic impulses and instinctive reactions that most people share. Social engineers know this and take advantage of core human psychology to manipulate people into doing what they want.
In the February 2001 issue of Scientific American, Robert Cialdini published an article called The Science of Persuasion in which he described the six basic principles of persuasion.
According to him, a person is more likely to comply with a request if:
- It’s made by someone in a position of authority
- The requester has established a rapport with their target
- The requester gives or promises something of value in return
- The target has publicly endorsed the requester in some way
- Complying with the request seems like the popular thing to do
- The requester is making a limited-time offer or offering something in short supply
Out of context, it may seem easy to resist these impulses, but social engineers are experts at deceiving people.
If a request comes from someone in management, it’s probably legitimate, right? But do you really know all of management by sight? Or would you assume that someone in a suit that you just saw chatting with the CEO was legitimate? Probably. However, that could just be a social engineer who “accidentally” ran into the CEO at the coffee shop around the corner and struck up a conversation that lasted until they made it back to work. All that it took to breach company security was putting on a suit and hanging around drinking coffee until an opportunity presented itself.
Social engineers are good at what they do and what they do is find inventive ways around your company’s security.
Are Social Engineering Attacks Successful?
Social engineering attacks are some of the most successful types of cyberattacks in existence.
Phishing attacks (social engineering attacks delivered over email) are the most common method of delivering malware to a user’s computer. Because the attacker uses technology to deliver them, they are easy to mass-produce.
According to research, 93% of data breaches are linked to phishing and other social engineering incidents. Given the number of successful data breaches reported recently, this means that phishing and social engineering are a wildly successful attack vector.
The 2018 Phishing by Industry Benchmarking Report explains this threat, if your industry is at risk, and how to protect yourself. Download it now!
Protecting Yourself from Social Engineers
In the end, social engineering comes down to someone making a request that they are not authorized to make. No matter what pretext the social engineer is using, they’re trying to get their target to do something that they’re not supposed to do and would not normally agree to do.
If the requester were authorized to make the request or give the order, there would be no problem.
This means that defeating social engineering attacks is actually straightforward:
- Before complying with a request, make sure that the person making the request is authorized to do so.
- If you know that you’re talking to your supervisor and they are making a request for something that is within the scope of your job, then do it.
- If you’re not sure who the requester is or whether they’re authorized to make a request, take the extra step to verify this.
Worst case, you cause a minor delay and inconvenience. Best case, you may have protected your company from a major cyber incident.
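As an added example (not code from the original article), the three steps above can be written down as a deny-by-default decision rule: a request is acted on only when the claimed role is actually permitted to make it and the requester’s identity is established, either over a channel the organisation already trusts or by a separate out-of-band check. Everything else is deferred for verification or refused. Note that an “urgent” flag, the scarcity and pressure cue from the persuasion list, deliberately has no effect on the outcome. The role names, channels and actions are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    COMPLY = "comply"
    VERIFY = "verify the requester out-of-band before acting"
    REFUSE = "refuse: requester is not authorized for this action"


# Assumed role -> permitted actions mapping. Any role or action not listed
# here is denied by default.
ROLE_SCOPE = {
    "supervisor": {"approve_timesheet", "schedule_meeting"},
    "finance_manager": {"approve_timesheet", "change_payee_bank_details"},
}

# Channels over which identity is considered already established (assumption):
# a colleague you recognise in person, or a portal behind corporate SSO.
TRUSTED_CHANNELS = {"in_person_known", "sso_authenticated_portal"}


@dataclass(frozen=True)
class Request:
    claimed_role: str       # who the requester says they are
    channel: str            # how the request arrived (email, phone, ...)
    action: str             # what they want done
    identity_verified: bool = False  # True once a callback to a known number etc. succeeded
    urgent: bool = False    # pressure cue; intentionally ignored by decide()


def decide(req: Request) -> Decision:
    """Apply the verification rule to one request.

    Scope is checked first: an action outside the claimed role's scope is
    refused even if the person is exactly who they say they are. Only then
    does identity matter, and only a trusted channel or a completed
    out-of-band check is enough to comply.
    """
    allowed = ROLE_SCOPE.get(req.claimed_role, set())
    if req.action not in allowed:
        return Decision.REFUSE
    if req.channel in TRUSTED_CHANNELS or req.identity_verified:
        return Decision.COMPLY
    return Decision.VERIFY


def triage(requests):
    """Return (request, decision) pairs so a reviewer can see what still needs a callback."""
    return [(r, decide(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests, not real events.
    samples = [
        Request("supervisor", "in_person_known", "approve_timesheet"),
        Request("supervisor", "email", "approve_timesheet"),
        Request("supervisor", "email", "approve_timesheet", identity_verified=True),
        Request("supervisor", "email", "change_payee_bank_details", urgent=True),
        Request("ceo", "phone", "change_payee_bank_details", urgent=True),
    ]
    for req, outcome in triage(samples):
        print(f"{req.claimed_role:16} via {req.channel:22} {req.action:28} -> {outcome.value}")
```

The fourth and fifth samples show the two ways urgency fails to help an attacker: a request outside the claimed role’s scope is refused regardless of who makes it, and an unrecognised role (“ceo” is not in the assumed mapping) is refused rather than waved through because it sounds important.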
Protecting Your Workforce from Social Engineering
Recognizing and reacting appropriately to the social engineering threat takes testing and training. Sword & Shield analysts work with you to create customized and targeted social engineering campaigns and improve employee awareness through our security awareness training. Request a free consultation to learn more.