Social Engineering as a Business Risk

National Cyber Security Awareness Month 2021

In information security, social engineering is the use of deception to manipulate individuals into disclosing confidential or personal information that may then be used for fraudulent purposes. The term covers the methods cybercriminals use to get victims to take some questionable action that defies common sense, typically a breach of security, the sending of money, or the handing over of private information. If cybercriminals use malware and viruses to hack our computers, then social engineering is how they hack our minds.

There are dozens of stories about successful social engineering attacks, and they represent a significant threat to businesses. Although social engineering is not technically a cyber-crime by itself, most cyber-attacks involve social engineering tactics at some stage. A business may spend money on firewalls, cameras, locks, and other security systems, but it cannot ignore the human element: without addressing the human component of the security system, a business remains at significant risk of cyber-crime. Businesses of all sizes are affected. It used to be that only larger businesses had to deal with cyber-crime, but this is no longer the case; small businesses are now being attacked, and at a growing rate.

Social engineering is usually one step in a larger con, and it takes advantage of the fact that the perpetrators and their victims never have to meet face to face. The main objective is typically to get victims to give up usernames and passwords; install malware on their device; send money via electronic fund transfer, money order, or gift cards; authorize a malicious software plugin, browser extension, or third-party app; or act as a money mule for the purpose of laundering and transferring illicit funds.

Examples of social engineering range from phishing attacks, where victims are tricked into providing confidential information by fraudulent emails claiming to come from a reputable and trusted source; to vishing attacks, where an urgent and official-sounding voice call or voicemail convinces victims to act quickly or suffer severe consequences; to physical tailgating attacks, which rely on courtesy and trust to gain access to a building. Many people have already suffered some form of social engineering over the phone, lured into transferring funds out of their mobile money or bank accounts.

The one common thread linking these social engineering techniques is the human element. Cybercriminals know that exploiting human emotions such as fear, curiosity, and the urge to help is the easiest way to steal. As companies focus on the technical aspects of cybersecurity, it is time to take a people-centric approach to cyber security awareness as well. Social engineering works because people instinctively trust. Cybercriminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network.

Since 2020, the number of scams, threats, and malware campaigns taking advantage of public concern over the coronavirus has been increasing. There are many instances of phishing campaigns that impersonate organizations such as the World Health Organization (WHO) and promise the latest on "corona-virus." The incorrect hyphenation of "coronavirus" in the subject line should alert users with a critical eye for grammar; however, because WHO is widely regarded as a trustworthy source, many will be tempted to open such emails. In one such campaign, the threat actors used a fake e-book as the lure, claiming that the "My Health E-book" contained complete research on the global pandemic as well as guidance on protecting children and businesses. The criminals tried to trick victims into opening the attachment, an executable inside a zip file, by offering appealing content in the body of the email, which told readers they could download and read the e-book on Windows computers only. As soon as the victim ran the file inside the "MyHealth-Ebook.zip" archive, it downloaded information-stealing malware onto the computer. Note that the tell-tale signs here are all checkable before anyone clicks: a sender display name that does not match the sender's real domain, a suspicious subject line, and a compressed attachment that contains an executable rather than a document.
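The lure above can be checked mechanically before it reaches an inbox. The following is an added example, not code from the original article or from any vendor: it builds a constructed sample message modelled on the described lure (the sender domain who-ebook.example, the recipient, and the zip contents are all made up for the demonstration) and then scans it for the three indicators the text describes: a display name claiming WHO while the address is on another domain (who.int is the only real domain in the trusted list), the hyphenated "corona-virus" subject, and a zip attachment containing an executable. The TRUSTED_SENDERS table and EXECUTABLE_EXTS list are assumptions to be tuned per organization.

```python
"""Indicator checks for the WHO e-book style phishing lure described above.

Added example; the message below is constructed for the demonstration and
contains placeholder bytes, not real malware.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical: brands a lure commonly impersonates, mapped to the domains they
# really send from. Only who.int is a real domain; extend per organization.
TRUSTED_SENDERS = {"world health organization": {"who.int"}}

# File types that run as code when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta")


def build_lure() -> bytes:
    """Constructed sample: WHO display name, look-alike domain, zip with an .exe."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Placeholder payload bytes; a real lure would carry a dropper here.
        zf.writestr("MyHealth-Ebook.exe", b"MZ placeholder")
    msg = EmailMessage()
    # who-ebook.example is a made-up look-alike domain for the demonstration.
    msg["From"] = "World Health Organization <info@who-ebook.example>"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Latest on corona-virus: My Health E-book"
    msg.set_content("Download the e-book below. Windows computers only.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="MyHealth-Ebook.zip")
    return msg.as_bytes()


def scan(raw: bytes) -> list[str]:
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits: list[str] = []

    # 1. Display name impersonates a trusted brand but the address domain differs.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in name.lower() and domain not in domains:
            hits.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    # 2. Subject line matches the known mis-hyphenated lure wording.
    if "corona-virus" in str(msg.get("Subject", "")).lower():
        hits.append("subject uses 'corona-virus' (hyphenated) as in the known lure")

    # 3. A zip attachment that hides an executable instead of a document.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        hits.append(f"zip attachment '{fname}' contains executable '{member}'")
        except zipfile.BadZipFile:
            hits.append(f"attachment '{fname}' is not a valid zip")
    return hits


if __name__ == "__main__":
    for hit in scan(build_lure()):
        print("INDICATOR:", hit)
```

Each indicator on its own is weak (a legitimate partner may also hyphenate a word), but a message that trips all three deserves quarantine rather than a warning banner, and the sender-domain check in particular is one that mail gateways can enforce without any user judgement.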

Businesses need to understand the risk posed by social engineering attacks. Business email compromise (BEC), in which an attacker takes over or convincingly impersonates a company mailbox, can expose an organization to fraudulent payment requests, further phishing sent from a trusted account, ransomware, and related threats. It is therefore important that C-level employees and executives understand the nature and extent of these risks to their businesses and are more vigilant than regular employees, because executives are valuable targets whose accounts are more likely to hold sensitive information. In many BEC cases, the cybercriminals find critical or confidential data inside the emails of C-level victims.

C-level employees and executives are not regular employees: they are the most prominent people in the company, and they are supposed to be its most protected individuals. They may need more reminders to lead the cyber security initiatives by example rather than to be the exception. Executives sometimes take security shortcuts, putting themselves and their organizations at risk; they are more likely to adopt new technology and more likely to insist on exceptions to the rules. Hence they require an in-depth strategy, training, and education about these risks, which is essential for preventing these attacks.

Besides training employees to be on the lookout for social engineering attacks, organizations should require multi-factor authentication (MFA) so that a password on its own is not enough. Complementing awareness with technical controls such as MFA on email prevents, or at least restricts, an attacker from authenticating with credentials obtained through phishing.
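To make the point concrete, here is an added example (not code from the article or from any mail provider) of the mechanism MFA relies on: a simulated mailbox login that accepts a password only together with a valid time-based one-time code (TOTP, RFC 6238 over HMAC-SHA1). The account name, password, and the shared TOTP secret are constructed for the demonstration; the secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Simulated mailbox login: password alone is rejected, password + TOTP passes.

Added example. The account below is constructed; the TOTP secret is the
RFC 6238 test key "12345678901234567890" so codes match the RFC vectors.
"""
import hashlib
import hmac
import os
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(time / step)) with dynamic truncation."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class MailAccount:
    """Constructed account record: salted password hash plus a TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret


def login(account: MailAccount, password: str, code, now=None) -> bool:
    """Return True only when both the password and a current TOTP code are valid.

    A one-step window either side of 'now' tolerates clock drift. Both factors
    are always evaluated so a wrong password and a wrong code take similar time.
    """
    now = int(time.time()) if now is None else int(now)
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
    if code is None:
        return False                             # a phished password alone never logs in
    code_ok = any(
        hmac.compare_digest(totp(account.totp_secret, now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    acct = MailAccount("Winter2021!", b"12345678901234567890")   # constructed values
    now = int(time.time())
    print("password only      :", login(acct, "Winter2021!", None, now))
    print("password + TOTP    :", login(acct, "Winter2021!", totp(acct.totp_secret, now), now))
    print("stolen code, wrong pw:", login(acct, "guess", totp(acct.totp_secret, now), now))
```

The caveat a practitioner should keep in mind is that a one-time code is still something the user can be talked into typing into a fake login page, and real-time phishing kits relay it to the genuine site within its 30-second validity. TOTP therefore raises the bar but does not remove it; for executives and other high-value accounts, phishing-resistant methods such as FIDO2 security keys, which bind the login to the real site's origin, are the stronger choice.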

Protecting against social engineering attacks requires a focus on changing behavior. When employees understand how easy it is to be tricked or scammed by a social engineering attack, they are more likely to be vigilant and suspicious of emails, voicemails, texts, or other approaches an attacker might use.

Executives and boards understand business risk. Cyber threats that operate through social engineering are often treated as matters of personal risk, but they represent a clear business risk, and one that an organization's leaders are well positioned to manage. Framing social engineering as a business risk is therefore an important first step in managing it. While threat actors keep improving the sophistication of their campaigns by building reputable-sounding content into the body of the email, cybersecurity awareness training for executives and staff will help the business avoid falling for targeted social engineering attacks, and actively monitoring email to flag threats and making sure other users are protected are equally important control measures.


Author: Richard Kafui Amanfu–(Director of Operations, Institute of ICT Professionals, Ghana)

For comments, contact richard.amanfu@iipgh.org or Mobile: +233244357006