The Role of Social Engineering in Cyberattacks

October 13th, 2017 by Rocket IT

A quarter of all security breaches are inadvertently caused by employees, according to IBM’s 2016 Cyber Security Intelligence Index.[i] With phishing continuing to rise and more industries at risk of cyber-attacks, how does social engineering factor in?

There are four primary types of cyberattacks: ransomware, phishing, spearphishing, and spoofing. Three of these rely entirely on social engineering in order to be successful.

Phishing emails throwback to the messages from foreign nobility with too-good-to-be-true offers, but now contain risks from the traditional attempts to get personal information from its recipients to malicious links in disguise.

Spearphishing, as the name implies, are phishing attempts that are curated to their audience. These cybercriminals research their intended target, be it company, vendor, or individual, and use that knowledge to convince their victim to click a link, enter login information, or otherwise compromise their security. They use a number of methods to do this, sometimes including spoofing.

Spoofing is a malicious campaign that mimics the sending information of a trusted source, i.e. makes it look like their spearphishing email is a legitimate one because it’s coming from a real person’s email address (including people you may know personally whose accounts have been compromised). People are significantly more likely to open emails or click links from individuals or companies with whom they’re familiar, even if they shouldn’t.

All of these methods rely heavily on social engineering which means it depends on making the end users believe something – that they need to click a link to track a package or open an attachment to view an invoice – that will then cause a security breach. And these hackers can be very convincing!

So how can you protect your end users from this psychological manipulation?

By training them.

Unfortunately, spammers are constantly finding new ways to make it past even the best filters, so the odds that one will eventually make it through to your end users are pretty high. That’s not to say you shouldn’t bother with a strong firewall and spam filter, but you need to be sure those aren’t your only lines of defense. Prepare your employees so they can be security stewards for themselves and your organization.

Teach your end users what to look for in suspicious emails. Find out who your habitual clickers are by sending your own phishing campaigns to see who may need additional security training.

And if you need any help with your organization’s security or employee training, we’d be happy to provide you the peace of mind to sleep well at night.


[i] http://ibm.biz/2016CyberIndex

 

About the Author-

Jason Hand loves making music, serving his church and getting people excited about technology tools. He currently lives in Georgia with wife and two adopted sons.  Jason is the Systems Administrator at Rocket IT.