Targeting the individual: How Social Engineering Has Evolved - Phishing Isn't Going Anywhere
Despite existing for over 30 years, phishing attacks are on the rise, and cybercriminals are finding new and ingenious ways to deceive companies and individuals into revealing private information and personal details, leading to some very costly consequences. No matter how secure your systems are, social engineering manipulates users by relying on human error, which means you are only as protected from cyberattacks as your team's ability to recognise an attack and act correctly in a given situation.
Social engineering threats are constantly adapting to trick more people into disclosing confidential information through innovative attack strategies. So how has the dark art of social engineering evolved? And in what ways can you protect yourself from the ever-increasing threat from bad actors online? Read this blog to find out.
What is Social Engineering?
Social engineering is a type of fraud that involves manipulating people into divulging confidential information or performing actions that compromise security. Unlike hackers who target technological infrastructures to commit cybercrime, social engineering preys on human emotions and behaviours.
Techniques can involve impersonating trusted figures, creating a sense of urgency, or exploiting human curiosity and are usually done via email or social media platforms in the form of phishing. For instance, an attacker might pose as IT support and request login details from an unsuspecting employee.
Alternatively, they might send an email baiting the receiver into opening a malicious attachment or clicking on a harmful link. The essence of these attacks lies in deception, persuasion, and psychological manipulation.
What This Means For Cybersecurity
Humans, unfortunately, are cybersecurity's weakest link. And this is a fact not lost on cybercriminals, with a staggering 98% of cyber attacks employing some form of social engineering to exploit the end user. A 2021 report revealed that the average organisation faces over 700 social engineering attacks a year. Despite significant investments by companies in cybersecurity, minor human errors can cause serious security breaches.
Even the most robust security systems can be sidestepped by deceiving someone into sharing a password or confidential information. As digital communication expands, so do opportunities for cybercriminals – be it through emails, social media, or other platforms.
While traditional cybersecurity focuses on creating barriers like firewalls and antivirus programs, the rise of social engineering means there needs to be a bigger emphasis on employee training, awareness initiatives, and simulated attack drills to further protect organisations and individuals from these types of attacks. Successful social engineering breaches can lead to data leaks, financial setbacks, and reputational damage, all of which can be extremely costly for companies, with the average cost of a data breach hitting a record high of $4.45m this year.
The Continuing Rise of Phishing
Despite being one of the oldest tricks in the cybercriminal book, phishing remains incredibly effective. In fact, 79% of UK businesses that suffered a cyber attack between 2022 and 2023 reported that phishing was used as part of the attack.
The rise of phishing is primarily due to it targeting human psychology rather than technological vulnerabilities, which companies routinely patch and harden as their cybersecurity improves. Whether through email, messages, or even phone calls, scammers can easily lure victims into providing personal information or clicking on malicious links without the need to hack any software or computer systems. But how has it managed to remain so effective in an era where awareness about cyber threats is at an all-time high?
As people have become more technologically savvy to cybercrime, phishing attacks have adapted and evolved. Modern-day phishing has become more sophisticated, often mimicking legitimate communications from banks, social networks, and even colleagues with incredibly convincing imitations.
You might think phishing emails are easy to spot — they often have dubious sender addresses, poor grammar, and questionable links. And while many people and organisations have become adept at identifying these red flags, attackers are continually upping their game.
Plus, methods other than email are often preferred by attackers in this modern digital age. This year, over half of US businesses have experienced phishing attacks delivered via LinkedIn. There has also been a stark rise in attackers using telephone calls to strike their victims, often referred to as “vishing”, turning what was once a traditionally secure form of communication into a potential vehicle for delivering the latest threats.
The specificity of modern attack methods also sets them apart from their predecessors. Previously, cyber scammers would cast a wide net, sending generic phishing emails to as many people as possible in the hope of at least one person falling victim. These days, phishing attacks are highly targeted at specific individuals or organisations in what is known as “spear phishing”. The scammers spend time researching their victims and harvesting any personal details that can make their trap more enticing and believable. This can include impersonating the CEO of an employee's company or sending a bogus invoice from a legitimate client in the hope it will get paid.
By personalising their attacks, they significantly increase their chances of success in stealing private data. There has also been a rise in 'whaling' — a form of spear phishing aimed at high-profile targets like CEOs or CFOs of organisations to extract highly confidential financial information.
How to Prevent Phishing Attacks
Recognising the threat of social engineering is only half the battle. Taking proactive steps to defend against these attacks is crucial for both individuals and organisations. The best defence against social engineering is awareness. Regularly educating employees about the latest tactics used by cybercriminals is a must. Simulated phishing exercises can be beneficial, allowing staff to experience firsthand how these attacks can appear.
Implementing clear procedures for verifying identities over the phone, via email, or in person can also help ward off attacks. For instance, requests for sensitive information should always be confirmed through a secondary communication channel. Two-factor or multi-factor authentication adds an additional layer of security: even if a cybercriminal obtains login details, without the second verification method – be it a text code, biometric data, or a hardware token – they can't gain access. Social engineering tactics also often involve exploiting software vulnerabilities, so applying software updates promptly to fix these vulnerabilities will make it harder for attacks to succeed.
Additionally, cybercriminals often gather information from social media and other online sources, so limiting the amount of personal or company information that is shared publicly is key. A seemingly innocuous social media post can provide attackers with the very details they need to craft convincing phishing scams. By integrating these measures into your cybersecurity strategy, you can significantly reduce the risk of falling victim to social engineering scams.
If you want to find out more about the threat of social engineering and how to protect yourself against cybercrimes like phishing, then join us at UK Cyber Week, 17-18 April 2024, where you will hear from over 100 cybersecurity experts, hackers and disruptors sharing their perspectives from across the industry, as well as a host of exhibitors, helping to create one of the UK's most innovative cyber security conferences.