The 5 biggest misconceptions about social engineering you should know
Social engineering is an attack strategy that exploits human psychology to get into systems rather than relying on technical exploitation. Although it plays a part in the majority of cyberattacks, it is still rarely defended against well. According to security firm Proofpoint, a set of misconceptions is making the problem worse.
“Billions of dollars in intrusions occur every year, regardless of how well-established security features are,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “As the emphasis shifts to safeguarding individuals, the number of hacking assaults targeting relatively weak people grows, and related tactics become more sophisticated.”
In reality, attackers carry out social engineering campaigns in unexpected ways over long periods of time, which makes them increasingly difficult to avoid. Proofpoint debunks five fallacies about social engineering that you should be aware of.
Misconception 1: Hackers do not communicate with their targets
Many people believe that attackers do not invest the time and effort to build a friendly relationship with their victims. In practice, this is not the case. To start a conversation, attackers send out a large volume of polite emails that carry no malicious content at all. “Hackers induce social engineering victims to get intellectually immersed in harmful information,” according to the Proofpoint research. “They write nice emails and create connections on purpose to make people feel safe.”
According to Proofpoint’s research, there are several cases of benign-looking conversation starters leading to business email compromise (BEC), malware distribution, and state-sponsored advanced persistent threat (APT) activity. This technique has typically been used by threat actors such as TA453, TA406, and TA499.
Misconception 2: Legitimate services are not vulnerable to social engineering assaults
People prefer to use services that they are familiar with and believe to be safe. However, attackers regularly abuse legitimate services such as cloud storage and content delivery networks (CDNs), not only to steal personal information but also to spread malware.
“Hackers prefer to deliver malware via reputable services,” according to Proofpoint. Hosting the payload on a trusted service and sending only a link in an ordinary email is a way to evade security tooling, since no document containing malicious code ever passes through the mail filter. Defending against abuse of a genuine service is difficult: it may require building sophisticated threat detection that inspects where links lead, or a policy that blocks services the business depends on directly.
The service most frequently abused by prominent threat actors, according to Proofpoint’s data, was Microsoft’s OneDrive. After that, in order, Google Drive, Dropbox, Discord, Firebase, and SendGrid were the most commonly abused.
Misconception 3: The attacker only uses a computer, not a phone
Email is frequently assumed to be the only channel for social engineering attacks. Recently, however, attacks that use email only to steer the victim towards a call center have increased, so phone calls are also being used in the attack chain. Proofpoint refers to this type of attack as Telephone-Oriented Attack Delivery (TOAD).
For example, attackers insert bogus call center phone numbers into emails. The email itself contains no malicious links or attachments, so there is nothing for a mail filter to block. The attack begins when the victim phones the bogus call center number. Roughly 250,000 of these messages are seen every day, according to Proofpoint.
Call center attacks fall into two kinds. In the first, the operator talks the victim into installing free, genuine remote support software and uses it to steal money. In the second, the operator guides the victim to download malware disguised as a document; this variety is associated with the BazaLoader malware and is known as BazaCall.
This sort of attack can cause losses worth tens of thousands of dollars. According to Proofpoint, one victim lost approximately $50,000 to an attacker posing as a Norton LifeLock technician.
Misconception 4: It is safe to reply to an existing email
Attackers exploit the assumption that an email conversation which already exists cannot have been tampered with. “We naturally anticipate a response when we send an email,” Proofpoint explained.
Attackers gain access to ordinary users’ mail in order to hijack existing conversations. There are several ways in, the most common being phishing, malware, credentials exposed in data leaks traded in criminal communities, and brute-force password guessing. Attackers also steal entire email servers or mailboxes and feed the contents to botnets that automatically reply to existing threads.
Proofpoint observed more than 500 campaigns using thread hijacking in 2021, involving 16 distinct malware families. Major threat actors such as TA571, TA577, TA575, and TA542 regularly use stolen email data this way.
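As an added example that is not part of the Proofpoint report or this article, the script below turns the two patterns described under misconceptions 3 and 4 into triage heuristics and runs them over constructed sample messages: a TOAD lure (phone number as the only call to action, no link or attachment, billing pretext) and a hijacked thread (a "Re:" message that quotes a genuine conversation but carries no threading headers and comes from a domain that was never part of that conversation). The indicator names, the regular expressions, the billing vocabulary and all addresses and domains are assumptions chosen for illustration, not Proofpoint detection logic.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed indicator patterns; tune them for your own mail stream.
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
# North American number formats as they appear in the lures; add others as needed.
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")
BILLING_WORDS = ("subscription", "renew", "charged", "invoice", "refund", "cancel")
# Addresses inside quoted ("> From:" / "> To:") lines of a forwarded or replied thread.
QUOTED_ADDR_RE = re.compile(r"^>.*?(?:From|To):\s*.*?([\w.+-]+@[\w.-]+)", re.I | re.M)


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased; empty if the header is missing."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _has_attachment(msg: Message) -> bool:
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def toad_indicators(msg: Message) -> list:
    """TOAD lure: the phone number is the payload, so links and attachments are absent."""
    text = _plain_text(msg)
    lower = text.lower()
    hits = []
    phones = PHONE_RE.findall(text)
    if not phones:
        return hits  # every TOAD indicator hinges on a number to call
    if not URL_RE.search(text) and not _has_attachment(msg):
        hits.append("phone number is the only call to action (no links, no attachments)")
    if re.search(r"\bcall\b", lower):
        hits.append("explicit instruction to call a number")
    billing = [w for w in BILLING_WORDS if w in lower]
    if billing:
        hits.append("billing/subscription pretext: " + ", ".join(billing))
    return hits


def thread_hijack_indicators(msg: Message) -> list:
    """Reply that quotes a real thread but did not originate from that thread."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append("claims to be a reply but has no In-Reply-To/References header")
    sender = _domain(msg.get("From"))
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        hits.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    quoted = {addr.rpartition("@")[2].lower() for addr in QUOTED_ADDR_RE.findall(_plain_text(msg))}
    if quoted and sender not in quoted:
        hits.append(f"sender domain {sender} is not among quoted thread participants {sorted(quoted)}")
    return hits


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and return the indicators found for each pattern."""
    msg = message_from_string(raw_message)
    return {"toad": toad_indicators(msg), "thread_hijack": thread_hijack_indicators(msg)}


# Constructed sample messages (all names, addresses and domains are made up).
TOAD_SAMPLE = """\
From: Billing Desk <billing@antivirus-renewals.test>
To: user@corp.test
Subject: Your annual protection plan has been renewed
Content-Type: text/plain; charset=utf-8

Your subscription was renewed today and $349.99 was charged to your card on file.
If you did not authorize this charge, call our support desk at (800) 555-0143
within 24 hours to cancel the renewal and receive a full refund.
"""

HIJACK_SAMPLE = """\
From: Alice Park <alice@partner-c0rp.test>
To: bob@corp.test
Subject: Re: Q3 invoice
Content-Type: text/plain; charset=utf-8

Hi Bob, here is the revised invoice you asked for:
https://files.example.test/share/q3-invoice

> From: Bob Lee <bob@corp.test>
> To: alice@partner-corp.test
> Subject: Q3 invoice
> Alice, could you resend the Q3 invoice with the updated PO number?
"""

BENIGN_SAMPLE = """\
From: Alice Park <alice@partner-corp.test>
To: bob@corp.test
Subject: Re: Q3 invoice
In-Reply-To: <20240101.1234@corp.test>
Content-Type: text/plain; charset=utf-8

Sure Bob, I'll send it over tomorrow morning.

> From: Bob Lee <bob@corp.test>
> To: alice@partner-corp.test
> Alice, could you resend the Q3 invoice with the updated PO number?
"""

if __name__ == "__main__":
    for name, raw in (("toad", TOAD_SAMPLE), ("hijack", HIJACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

The TOAD sample trips all three telephone indicators and no thread indicators; the hijacked thread trips the two header/participant checks and nothing else; the genuine reply trips none. The header checks only catch the lookalike-domain variant of thread hijacking. A reply sent from a mailbox that was actually compromised carries correct threading headers and a legitimate sender, so for that case the only remaining signal is where the link or attachment leads, which is exactly why the legitimate-service abuse under misconception 2 is so effective.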
Misconception 5: Hackers only use business-related content
Attackers frequently target business personnel, but they do not necessarily use corporate themes to do so. In reality, attackers regularly draw on current events, news, and pop culture to entice victims. According to the Proofpoint research, the following themed campaigns were seen last year.
- Valentine’s Day imagery, such as roses and lingerie, was used in a ‘BazaLoader’ campaign.
- TA575 used Netflix’s ‘Squid Game’ as a lure to deliver the ‘Dridex’ banking Trojan to US targets.
- Attackers impersonating the Internal Revenue Service (IRS) collected large amounts of personally identifiable information (PII) with the promise of an additional tax refund.
- In 2021, an average of 6 million attack messages used COVID-19 themes.
Social engineering defense strategy: employee training is the answer
Given how unexpected social engineering techniques can be, and how common the misconceptions around them are, businesses must properly educate their employees on how social engineering works. In other words, the only effective response is to change how employees think.
According to the Proofpoint research, “the most effective strategy for any firm to protect against an attack is to instill in its staff the understanding that a hacking threat might occur at any time.” “We need to help employees get comfortable with the different sorts of material attackers utilize, and we need to explain what the content that causes hacking looks like on a regular basis,” the report added.
Raef Meeuwisse, a cybersecurity expert and author of How to Hack a Human: Cybersecurity for the Mind, explains that you should teach your team that the most believable social engineering attacks look just like day-to-day business activity. “In the instance of the ‘Lapsus$’ attack, mobile two-factor authentication requests were delivered to workers via an internal security platform,” Meeuwisse told CSO in an interview.
According to Meeuwisse, the best way to avoid social engineering within a firm is for employees to be vigilant and on the lookout for circumstances that are both unusual and pressing. If both occur at the same moment, he says, there is a 99.99 percent likelihood that you are looking at a social engineering attack. “Of course, training should be done appropriately,” Meeuwisse said, “such as promptly contacting the security team when an issue happens and seeking a guide straight away if suspicious conditions are discovered.”
Finally, Meeuwisse stressed that threats are not necessarily external. “We must not neglect the reality that a person in a given position can access and steal information deliberately. We must continue to supervise our staff.” These sorts of attacks are rarely covered in the media, although according to statistics there are quite a few of them. “There is a major vulnerability in social engineering where attackers may team up to elude monitoring if there is minimal history check, no anonymous reporting method, or even if there is an audit system,” claimed one expert.