The term “social engineering” is used to describe a wide variety of fraudulent actions carried out by manipulating human interactions. It employs deception based on psychological techniques to trick users into failing to take proper security precautions or into disclosing confidential information.
Where social engineering is concerned, people are the most exposed point of an organization. Many incidents succeed despite a full set of technical defences because firms have prioritized investment in technology over employee awareness training. Today the weakest link is often the employee who reads and replies to email.
Introduction to Phishing
A Phishing attack falls under social engineering and occurs when an attacker attempts to dupe an unwary target into disclosing sensitive information such as passwords, credit card information and personal information.
A typical phishing attack is carried out by email, but phishing is not limited to email: variants include smishing (SMS) and vishing (voice calls).
Types of Phishing attacks:
1) Mass Scale Phishing
2) Spear Phishing
3) Whaling Phishing
What is Mass Scale Phishing?
Mass-scale phishing is when criminals send the same, or nearly the same, phishing email to a large number of recipients at once. It is their most common way of tricking people into handing over sensitive information: the sender poses as a well-known business in order to harvest passwords or bank details, relying on volume rather than targeting for success.
Ubiquiti Networks (Vardi, 2016), a US computer-networking company, lost $46.7 million to such an attack in 2015 and at the time expected to recover at least $15 million. An attacker impersonated the company's chief executive and its outside legal counsel in email and instructed the chief financial officer to initiate a series of wire transfers. Over 17 days the company sent 14 payments to accounts in Russia, Hungary, China and Poland. Ubiquiti did not realize that funds had been drained from its Hong Kong subsidiary's bank account until the FBI notified it; only then could it stop further transfers and turn to recovering as much as possible of the $46.7 million, roughly 10% of its cash. Note that the mechanism here was executive impersonation (business email compromise) rather than a bulk mailing, which is why the same case is often discussed under whaling.
What is Spear Phishing?
Phishing attacks with a specific target in mind are called spear phishing, and they aim to steal sensitive information, such as login credentials, from their victims. The recipient may click a malicious link or open a malicious attachment, giving the attacker access to the victim's computer and potentially to sensitive data. Spear phishing is set apart from standard phishing by its narrow, researched focus: the message is tailored to the recipient, which makes it far more convincing.
In 2020 Twitter (Leswing, 2020) disclosed that attackers had targeted its employees with a phone-based spear-phishing campaign to obtain access to internal account-management tools. With that access the attackers took over high-profile accounts, including those of Microsoft co-founder Bill Gates, then presidential candidate Joe Biden and reality-TV celebrity Kim Kardashian West, posted a cryptocurrency scam from them and in some cases read their direct messages. The scam reportedly netted more than $100,000. The incident raised questions about how much access to user accounts Twitter employees, and therefore the attackers, actually had.
What is Whaling Phishing?
Whaling attacks are a form of phishing in which attackers target high-ranking individuals such as CEOs, CFOs and other senior managers, either by targeting them directly or by impersonating them to their staff, in order to steal money or sensitive data.
Belgium's Crelan Bank (Zorz, 2016) fell victim to a business email compromise (BEC) scam that cost it about €70 million (roughly $75.8 million at the time). In this type of attack the phisher impersonates, or takes over the account of, a senior executive and instructs staff to transfer money to an account the attacker controls. Crelan discovered the fraud during an internal audit and was able to absorb the loss from its reserves.
Homograph Attack and Email Spoofing
A homograph attack registers a domain whose name uses characters that look identical, or nearly so, to those of a legitimate domain but are in fact different characters. In its simplest form it swaps visually similar ASCII characters, such as a lowercase "l" for a capital "I" or the digit "1", or "rn" for "m". The more dangerous form, the internationalized domain name (IDN) homograph attack, uses letters from another script, such as the Cyrillic "а" in place of the Latin "a", so that the displayed name is indistinguishable from the real one even though the browser resolves a completely different domain. Homograph attacks count as social engineering because their effect depends entirely on a person trusting what the name looks like.
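The two forms of lookalike described above can be caught with a few checks: does the name contain non-ASCII characters (and what punycode name does the resolver actually look up), does a single label mix scripts, and does the name collapse to the same visual "skeleton" as a domain you trust. The script below is an added example, not code from the original article; the lookalike table and the list of trusted domains are constructed for illustration and are deliberately small.

```python
import unicodedata

# Constructed "skeleton" map: each lookalike character is folded to the ASCII
# letter it imitates so that visually similar domains compare equal. This is a
# small hand-picked subset of the idea behind Unicode's confusables.txt, not a
# complete list.
_LOOKALIKES = {
    "0": "o", "1": "l", "I": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek omicron alpha nu
}


def script_of(ch):
    """Script family of one character as named by unicodedata, e.g. 'LATIN' or
    'CYRILLIC'. Digits, hyphen and dot are script-neutral and return 'COMMON'."""
    if ch in "-.0123456789":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unassigned code point
        return "UNKNOWN"


def mixes_scripts(label):
    """True if a single DNS label combines letters from more than one script,
    something legitimate names almost never do."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    return len(scripts) > 1


def skeleton(domain):
    """Fold a domain to its visual skeleton: Unicode compatibility form, lower
    case, multi-character lookalikes ('rn' for 'm'), then single-character ones."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = d.replace("rn", "m").replace("vv", "w")
    return "".join(_LOOKALIKES.get(c, c) for c in d)


def to_ascii(domain):
    """The name the resolver actually looks up: IDNA/punycode ('xn--...')."""
    return domain.encode("idna").decode("ascii")


def analyse(domain, trusted):
    """Return a list of human-readable findings for one domain, empty if clean."""
    findings = []
    ascii_form = to_ascii(domain)
    if any(ord(c) > 127 for c in domain):
        findings.append(f"contains non-ASCII characters; resolves as {ascii_form}")
    for label in domain.split("."):
        if mixes_scripts(label):
            findings.append(f"label {label!r} mixes scripts")
    for t in trusted:
        if skeleton(domain) == skeleton(t) and ascii_form.lower() != t.lower():
            findings.append(f"looks like trusted domain {t} but is not")
    return findings


if __name__ == "__main__":
    trusted = ["apple.com", "paypal.com", "microsoft.com"]   # constructed list
    for d in ["apple.com", "\u0430pple.com", "paypa1.com", "rnicrosoft.com"]:
        print(d, "->", analyse(d, trusted) or "no findings")
```

Run on the sample names, `apple.com` is clean, while the Cyrillic-а version is flagged three times (non-ASCII, mixed scripts, and a skeleton match against the trusted entry) and the two ASCII lookalikes are flagged by the skeleton comparison alone. The mixed-script check is the same heuristic browsers use to decide whether to display an IDN in Unicode or fall back to the raw `xn--` form; a name that is entirely in one non-Latin script passes it, which is why the skeleton comparison against a trusted list is needed as well.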
Email spoofing is sending mail with a forged sender address, and it is likewise a social engineering technique. The base email protocol (SMTP) does not authenticate the sender: the From header is just text supplied by the sending client, and the envelope sender (the Return-Path) can be set independently of it. Unless the receiving server checks the message against the sender domain's SPF, DKIM and DMARC records, it has no way to tell that the message did not come from the domain it claims, so an attacker can put any address in the From field and the mail client will display it as genuine.
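What a receiving server or an analyst can actually do about a forged From address is compare it with the things the forger does not control: the envelope sender, the Reply-To, and the SPF/DKIM/DMARC verdicts the receiving server stamps into the Authentication-Results header. The following script is an added example, not code from the original article; the two raw messages, including their Authentication-Results headers and the `bank.example` / `attacker.example` domains, are constructed to illustrate the checks.

```python
import email
import re
from email.utils import parseaddr

# Two constructed messages. The first is what a spoofed "bank" email looks like
# once a receiving server has stamped its checks into Authentication-Results;
# the second is a legitimate message from the same bank for comparison.
SPOOFED = """\
Return-Path: <bounce@mail.attacker.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.attacker.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: support@bank-support-desk.example
To: victim@example.com
Subject: Urgent: verify your account

Your account will be suspended unless you confirm your details today.
"""

LEGITIMATE = """\
Return-Path: <bounces@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Support" <support@bank.example>
To: victim@example.com
Subject: Your monthly statement

Your statement for last month is now available in online banking.
"""


def domain_of(addr):
    """Domain of an address header such as '"Name" <user@host>' (lower case,
    empty string if the header is missing or has no '@')."""
    _, bare = parseaddr(addr or "")
    return bare.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts (and the domain SPF was evaluated for) out
    of the Authentication-Results header(s) added by the receiving server."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            out[mech.lower()] = verdict.lower()
        m = re.search(r"smtp\.mailfrom=(?:\S*@)?([\w.-]+)", hdr, re.I)
        if m:
            out["spf_domain"] = m.group(1).lower()
    return out


def aligned(other, from_domain):
    """Relaxed DMARC-style alignment: same domain or a subdomain of it."""
    return other == from_domain or other.endswith("." + from_domain)


def spoof_indicators(raw):
    """Return a list of reasons to distrust the From address; empty if none."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    findings = []

    envelope = domain_of(msg.get("Return-Path"))
    if envelope and not aligned(envelope, from_dom):
        findings.append(f"envelope sender {envelope} is not aligned with From domain {from_dom}")

    reply = domain_of(msg.get("Reply-To"))
    if reply and not aligned(reply, from_dom):
        findings.append(f"Reply-To sends answers to {reply}, not {from_dom}")

    ar = auth_results(msg)
    if ar.get("dmarc") != "pass":
        findings.append(f"DMARC did not pass (result: {ar.get('dmarc', 'missing')})")
    if ar.get("spf") == "pass" and "spf_domain" in ar and not aligned(ar["spf_domain"], from_dom):
        findings.append(f"SPF passed only for {ar['spf_domain']}, which does not authorise {from_dom}")
    if ar.get("dkim") != "pass":
        findings.append(f"no valid DKIM signature (result: {ar.get('dkim', 'missing')})")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name, "->", spoof_indicators(raw) or "no indicators")
```

The spoofed message trips every check: SPF "passes", but only because the attacker published a valid SPF record for their own domain, which is not the domain shown in From, and that is exactly the mismatch DMARC alignment exists to catch. Note that these checks rely on the Authentication-Results header written by your own mail server; a header of that name arriving from outside can itself be forged, so production filters discard any such header on inbound mail before adding their own.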
How to be safe?
These are the common methods for reducing the risk of social engineering in an organization:
1) Security Awareness Training
Implementing a well-designed, engaging cybersecurity or data privacy training curriculum in your organization is vital. This education should not just involve reading, listening and clicking; use interactive examples instead. If employees do not dread security training, they will learn and apply the material. Employees must be taught how to tell legitimate emails from fraudulent ones, and the fundamentals of what to click and what not to click. For instance, hovering over a link reveals its real destination, which should match the displayed text and the expected domain; on mobile clients, where hovering is not possible, and for shortened or redirecting links, the safer habit is to type the known address into the browser rather than follow the link.
2) Restriction of Employee Access to Data and Information
To limit the damage a single mistake can cause, restrict access to critical company information. Employees should be given only the systems and data they need to do their jobs (the principle of least privilege). When an employee leaves the company or changes role, promptly disable their accounts and revoke their credentials on all systems, and collect ID badges and keys to the company's facilities.
3) The importance of ongoing evaluation
Compliance matters, but it is a snapshot: you are compliant today, and a new threat can appear tomorrow, so the security landscape must be reviewed regularly. Internally, focus on people, procedures and technology. People are the weakest link and the biggest cybersecurity risk, and each new team member introduces new exposure, so building a cyber-aware culture is essential. Your supply chain can also be a weak point that threatens both operations and security. The assurance programme itself should not be static either: a dynamic, continuous-improvement approach keeps the strategy adapting to the organization's biggest current threats.
The Condition Zebra IT Security Awareness Program is the most effective method of teaching employees to recognize and avoid dangerous online threats such as social engineering, phishing, and ransomware. In order to provide an integrated platform for phishing simulation and updated security education, Condition Zebra has partnered with KnowBe4.
Your Preferred Cybersecurity Partner!
Condition Zebra is a CREST-certified and ISO 27001:2013 company that offers Professional Cybersecurity Solutions and Cybersecurity Training for SMEs in various industries, including Financial Services (Banks & Insurance), Government Ministries & Agencies, and Government-linked companies.
If you’re looking to leverage our expertise, that is to get the best solutions that demonstrate the highest levels of knowledge, skills, and competence, then reach out to us today!
How we can help:
1) Free Phishing Security Test
The purpose of this Free Phishing Security Test is to give IT teams a safe way to run email phishing simulations against all employees in the company.
Find out what percentage of your employees are at risk and how many of your users are clicking on phishing links.
2) Train your users
Introducing the KnowBe4 Security Awareness Training Platform, the world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters, with automated training campaigns and scheduled reminder emails.
The significance of cybersecurity awareness training for employees cannot be overstated. If they are well taught and aware of the types of attacks they may face, they will know what action to take, which greatly reduces the chance that an attack succeeds, whatever form it takes.
Vardi, N. 2016. How A Tech Billionaire's Company Misplaced $46.7 Million And Didn't Know It. Forbes. Available at: https://www.forbes.com/sites/nathanvardi/2016/02/08/how-a-tech-billionaires-company-misplaced-46-7-million-and-didnt-know-it/
Leswing, K. 2020. Hackers targeted Twitter employees to hijack the accounts of Elon Musk, Joe Biden and others in digital currency scams. CNBC. Available at: https://www.cnbc.com/2020/07/15/hackers-appear-to-target-twitter-accounts-of-elon-musk-bill-gates-others-in-digital-currency-scam.html
Zorz, Z. 2016. Belgian bank Crelan loses €70 million to BEC scammers. Help Net Security. Available at: https://www.helpnetsecurity.com/2016/01/26/belgian-bank-crelan-loses-e70-million-to-bec-scammers
Condition Zebra. 2022. IT Security Awareness Program. Available at: https://condition-zebra.com/security-awareness-program/