A technology security firm conducted a survey of security industry experts on current security risks.
Over 70 percent of those surveyed say the biggest security threat comes from inside the organization, and the most popular way for hackers to get inside is through social engineering.
Gaining insider access is attractive to hackers since they can often remain unnoticed for long periods of time.
Hackers who recently breached the U.S. Department of Justice employed social engineering tactics and were able to collect contact information for over 22,000 FBI employees.
Phishing emails are the prime tactic in social engineering attacks. Cybercriminals target low-level employees, using deception to obtain their passwords. Once inside, even at a low level, hackers can broaden their access to the network without much difficulty.
The second most popular type of attack, according to the survey, is hacking into user accounts directly. Web-based application attacks are the third most common. Warwick Ashford, "Social engineering is top hacking method, survey shows," www.computerweekly.com (Feb. 11, 2016).
Human error is widely viewed as the weakest link in cybersecurity, and social engineering takes advantage of this weakness.
Social engineering is defined as influencing an individual to act in a specific way. In the cyber world, phishing emails are the social engineering tactic of choice, and are used by criminals to manipulate users and exploit their natural level of trust.
Hackers will typically send large numbers of phishing emails to random users hoping to get a few to fall for their scheme. They create what looks like a legitimate message from a well-known business, often using the organization’s logo or something very similar. The message will include a link that contains malware or takes the user to an official-looking website that “fishes” for personal information.
Another, more targeted method is spear-phishing. In this type of attack, the hacker sends fraudulent messages to a smaller group of users who have something in common. For example, the hacker may email the employees of a specific organization, impersonating their IT manager and asking them to verify their user names and passwords. The victims find it logical that their IT staff wants this information, so they will likely comply. Alternatively, a hacker may pose as an actual new hire and email the IT staff with a request to reset their login credentials, claiming to have forgotten them.
Even more effective are spear-phishing emails sent to subordinates that purport to come from a superior (but really come from criminals) and ask for information such as bank account details. Subordinates get hooked because they believe they need to please their superior, and they provide the information without thinking about security.
The amount of background information on businesses and employees that is readily available on the Internet is valuable to the cybercriminal looking to craft an effective spear-phishing email campaign. Names and titles allow criminals to tailor their message more specifically. This is often a much more successful type of attack than sending mass emails.
The risk to employers from social engineering attacks is real. When employees reply to suspicious emails, they expose your organization’s network to cyberattacks, leaving all the personal identifying information of other employees, customers, and business partners at risk.
Every email that contains a link or asks the recipient to provide usernames and passwords should immediately raise a red flag. Advise employees to carefully read and thoroughly examine any link contained in the email. Hovering the cursor over the link will often reveal the actual web address behind it, which may differ from the text displayed.
In the past, phishing emails were easily identified by their use of poor English and frequent grammar and spelling mistakes. This is no longer the case, as today’s phishing messages are more sophisticated and realistic. Here is a list of some of the features that are likely to be part of a phishing email:
- An offer that seems too good to be true;
- A message from a legitimate business that arrives unsolicited or "out of the blue";
- A vague greeting like "Dear Valued Customer";
- A message that suggests urgent action is necessary or makes illogical threats;
- A request for a username and password;
- A link embedded in the email that is provided to assist you in carrying out the requested action;
- An attached file with an extension like .exe or .zip;
- Few details about the signer or contact information;
- A spoofed brand or display name in the header, or a misleading URL domain name.
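The red flags above, together with the advice to compare a link's visible text with the address it actually points to, can be turned into a simple mail-triage check. The following is an added example, not code from the original article; the brand list, phrase lists and the sample message are constructed, and a real deployment would tune the phrases and feed the function real messages from a mailbox or gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Brands this organisation expects mail from and the domain each legitimately uses (constructed).
KNOWN_BRANDS = {"examplebank": "examplebank.test"}
# Wording drawn from the article's red-flag list, keyed by the flag it indicates.
TEXT_FLAGS = {"generic greeting": ("dear valued customer", "dear customer", "dear user"),
              "urgency or threat": ("urgent", "immediately", "within 24 hours", "will be suspended"),
              "asks for credentials": ("username", "password", "login credentials")}
RISKY_EXTENSIONS = (".exe", ".zip")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):  # last two labels of a hostname: login.examplebank.test -> examplebank.test
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw):  # return the red flags a raw RFC 5322 message exhibits ([] if none)
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rsplit("@", 1)[-1])
    for brand, domain in KNOWN_BRANDS.items():  # brand named in the display name, mail from elsewhere
        if brand in display.lower().replace(" ", "") and sender != domain:
            hits.append(f"display name claims {brand} but sender domain is {sender}")
    body = ""
    for part in msg.walk():  # collect text parts; flag attachment names with risky extensions
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment {name}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    text = body.lower()
    for label, phrases in TEXT_FLAGS.items():
        if any(p in text for p in phrases):
            hits.append(label)
    for href, anchor in LINK_RE.findall(body):  # what the link text shows vs. where it really goes
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if "." in shown and registrable(shown_host) != registrable(urlparse(href).hostname):
            hits.append(f"link text shows {shown_host} but points to {urlparse(href).hostname}")
    return hits

# Constructed sample message (not a real email) exhibiting several of the indicators above.
SAMPLE = """From: "Example Bank Alerts" <alerts@examp1e-bank-secure.test>
Subject: Urgent: account verification required
Content-Type: text/html

<p>Dear Valued Customer,</p><p>Your account will be suspended within 24 hours unless you confirm your username and password at
<a href="http://examp1e-bank-secure.test/verify">https://www.examplebank.test/secure</a></p>
"""
```

Running `phishing_indicators(SAMPLE)` reports five flags for the constructed message, including the mismatch between the displayed address and the real link target that hovering over the link would reveal.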