Cybersecurity is never far from the top of the agenda for IT teams, and social engineering presents a growing and evolving risk. 98% of all cyberattacks now use some form of social engineering, with phishing attacks regularly deployed in an effort to manipulate unsuspecting users.
The fallout from a successful social engineering attack can be significant. Beyond any direct commercial impact, attackers can use the initial breach to harvest credentials or gain access to systems, and then use that access to launch further attacks.
With this type of attack becoming more prominent, how can you defend yourself against social engineering? We’ve laid out why social engineering is such a unique threat, and the steps you can take to help shield yourself and your users from an attack.
What is social engineering?
When we think of cyberattacks, we tend to think in terms of tech – hacking into databases, installing malware, or encrypting files to demand a ransom. Social engineering takes a different, low-tech approach: it seeks to manipulate users rather than code.
As a term, social engineering covers a broad range of related tactics, all of which rely on some degree of persuasion to achieve their goals. The most common of these attack vectors is phishing, where attackers attempt to trick a user into clicking a malicious link or handing over information. The social engineering element is delivered through subtle deception: a cloned email design, a message that appears to come from a colleague, or relevant personal details that catch an unsuspecting user off guard. Knowledge of a regular supplier, an out-of-office reply mentioning a recent holiday, or details of personal events on a user's social media page can all provide the ammunition a cybercriminal needs to create familiarity. The end goal is to drive an action from the user, such as clicking a link, entering credentials or approving a payment, in order to harvest details, deliver an attack or make a financial gain.
Should the attack be successful, attackers can use this foothold to launch further attacks. Stolen credentials can lead to business email compromise (BEC) attacks, open backdoors for malware, or even let an attacker install malicious programs directly on to a user’s device or network.
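Two of the deception tricks described above, a message that appears to come from a colleague and a cloned sender domain, can be caught mechanically at the mail gateway or in a SIEM rule. The following is an added example, not code from the original article: a small checker that parses the From and Reply-To headers of a message and flags display-name impersonation (a known staff name on an external address), lookalike sender domains (single-character typos and visual substitutions such as rn for m) and a Reply-To that points somewhere other than the sender's domain. The company domain, staff directory and sample headers are all invented for the demo.

```python
"""Sender-impersonation checks for phishing triage (added example, not the article's code).

Assumptions (invented for the demo): the organisation owns example.com and the
staff directory below is authoritative.
"""
from email.utils import parseaddr
from typing import List, Optional

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
KNOWN_STAFF = {                                     # assumed staff directory
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}

# Visually confusable substitutions commonly used in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize_confusables(domain: str) -> str:
    """Undo common look-alike substitutions so 'exarnple.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates COMPANY_DOMAIN but is not actually it."""
    d = domain.lower()
    if d == COMPANY_DOMAIN:
        return False
    if normalize_confusables(d) == COMPANY_DOMAIN:
        return True
    return edit_distance(d, COMPANY_DOMAIN) == 1


def _domain_of(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = _domain_of(from_header)
    findings = []
    # 1. Display name belongs to a colleague, but the address is not on our domain.
    if name.strip().lower() in KNOWN_STAFF and domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' is a known colleague but address is external ({addr})")
    # 2. Sender domain is a typo-squat or confusable clone of our domain.
    if is_lookalike(domain):
        findings.append(f"sender domain '{domain}' looks like {COMPANY_DOMAIN}")
    # 3. Replies are silently redirected to a different domain.
    if reply_to:
        rt_domain = _domain_of(reply_to)
        if rt_domain and rt_domain != domain:
            findings.append(f"Reply-To domain '{rt_domain}' differs from From domain '{domain}'")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; none of these addresses are real.
    samples = [
        ('"Jane Doe" <jane.doe@example.com>', None),
        ('"Jane Doe" <jane.doe@gmail.com>', None),
        ('"Sam Patel" <sam.patel@exarnple.com>', None),
        ('"IT Helpdesk" <helpdesk@examp1e.com>', None),
        ('"Accounts" <accounts@example.com>', "finance-desk@mail.example.net"),
    ]
    for from_header, reply_to in samples:
        result = check_sender(from_header, reply_to) or ["ok"]
        print(f"{from_header:45s} -> {'; '.join(result)}")
```

The confusable table is deliberately short; in production you would drive the lookalike check from the full Unicode confusables list and also compare against the organisation's partner and supplier domains, since those are exactly the "regular supplier" identities the article says attackers imitate. Note that the normalisation step can produce false positives for legitimate domains that naturally contain a pair such as "rn", so treat these findings as triage signals rather than block decisions.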
What is the risk?
Only 2.9% of phishing links are actually clicked by users, which may lead you to underestimate the danger these attacks pose, but even this seemingly low success rate is hugely profitable for cybercriminals.
To understand why phishing attacks can be so dangerous, let's do some quick maths. If it takes an attacker 60 seconds to compose and send an email, they can send 60 malicious links in an hour. At a 2.9% click rate, that is 1.74 clicks per hour on average, so the expected wait for the first click is roughly 34 minutes. A click is not yet a compromise, but it is the foothold every later stage depends on, and an attacker working alone with no tooling can expect to get one in well under an hour.
But attackers seldom work alone, and almost never without tools to help them. Mass-mailing tooling lets bad actors deliver these attacks at a far larger scale, and the cybercrime-as-a-service economy lowers the bar further. Malicious actors looking to run large-scale campaigns can now do so without the resources or skillset previously required, thanks to the availability of ransomware-as-a-service and similar offerings.
Following a successful attack, hackers will often take a land-and-expand approach, especially those looking to access and interact with internal systems. This often means moving beyond phishing to more sophisticated BEC attacks, which can offer a much higher return on investment: $2.4 billion was lost through BEC attacks in 2021. Access to internal systems also makes it easier to launch conventional follow-up attacks, such as ransomware.
How can you defend against social engineering?
What makes social engineering a unique and dangerous attack vector is that it targets the human element of your organisation, rather than the technology you deploy as part of your defence. As a result, successful protection against these attacks depends heavily on the actions and behaviour of your users. Most organisations spend a little over an hour a year on cybersecurity training, with some dedicating only a matter of minutes. With social engineering attacks continually evolving and cybercriminals finding new ways to manipulate their targets, it is crucial that your employees receive regular cybersecurity training so that they are prepared.
Our experienced team, in conjunction with our world-class security partners, can assist with the deployment of dedicated awareness training to help your users identify attacks and better understand how to respond to and report these incidents to stop potential breaches. We can also conduct regular phish testing to assess the current readiness of your team and identify potential weaknesses and those users in need of additional support. If you would like to know more about the tools available to help shield your business from the threat of social engineering, simply get in touch with our team.