Thanks to Ryan Pullen, Head of Security, Stripe OLT for this guest blog on the dangers of social engineering.

We’ve witnessed an unprecedented increase in cybercrime in recent years, so much so that the European Union Agency for Cybersecurity (ENISA) went as far as to say that “we are observing the golden era of ransomware”.

Much of this shift has been enabled by the advancement and growing sophistication of tools in the arsenals of threat actors. Yet not all cybercrime is about exploiting technical vulnerabilities such as misconfigurations, unsecured APIs or outdated or unpatched software. 

Today, many attacks focus on exploiting a different kind of vulnerability – human trust.

The vast majority of us are empathetic. It’s in our nature to want to help each other, and cybercriminals know that, playing on it through social engineering attacks.

Defined as the psychological manipulation of people into performing actions or divulging confidential information, social engineering is extremely prevalent as an attack vector today. According to the World Economic Forum’s 2022 Global Risks Report, as many as 95% of cybersecurity incidents involve human error in some way.

For many threat actors, the simple fact of the matter is that it’s much easier to exploit people than it is to find a network or software vulnerability. And they can do it in a variety of ways.

Phishing is perhaps the most renowned social engineering tactic. Indeed, according to the UK Cyber Security Breaches Survey 2022, the most common threat vector among businesses that identified an attack in the 12 months ended March 2022 was phishing attempts (83%).

Here, a malicious party will send a fraudulent email purporting to be a trusted source, such as a family member, colleague or recognised regulatory body, with the intention of tricking the recipient into sharing sensitive information or clicking a link that leads to the installation of malware.
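The impersonation described above leaves traces in message headers that a defender can check automatically. The following Python script is an added example, not code from the original post or from Stripe OLT; it applies three heuristics to constructed sample messages: a display name that matches a known colleague but comes from an outside domain, a sender domain that is a lookalike of the organisation's own domain, and a Reply-To that points somewhere other than the From address. The domain `example.com`, the staff names and the sample e-mails are all assumptions constructed for the example.

```python
"""Heuristic checks for e-mails that impersonate a trusted sender (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed example data: the organisation's own domain and a few staff names.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_PEOPLE = {"alice smith", "bob jones"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one character away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True if the domain is a homoglyph variant of, or within one edit of, an internal domain."""
    if domain in internal_domains:
        return False
    # Common visual substitutions: 'rn' reads as 'm', '0' as 'o', '1' as 'l'.
    normalised = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return any(
        normalised == real or _edit_distance(domain, real) == 1
        for real in internal_domains
    )


def flag_message(raw: str, trusted_people=TRUSTED_PEOPLE,
                 internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the reasons a message looks like sender impersonation (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []
    # 1. A colleague's name on an address that is not one of ours.
    if name.strip().lower() in trusted_people and from_domain not in internal_domains:
        reasons.append(f"display name '{name}' is a known colleague but the address domain is '{from_domain}'")
    # 2. A domain crafted to look like ours.
    if is_lookalike(from_domain, internal_domains):
        reasons.append(f"sender domain '{from_domain}' is a lookalike of an internal domain")
    # 3. Replies silently redirected elsewhere.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        reasons.append(f"Reply-To domain '{_domain(reply)}' differs from From domain '{from_domain}'")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "colleague_from_webmail": (
        "From: Alice Smith <alice.smith.ceo@freemail-example.net>\n"
        "Subject: Urgent request\n\nPlease action this today.\n"),
    "lookalike_domain": (
        "From: IT Helpdesk <helpdesk@exarnple.com>\n"
        "Subject: Password expiry\n\nReset your password at the link below.\n"),
    "reply_to_mismatch": (
        "From: Bob Jones <bob.jones@example.com>\n"
        "Reply-To: bob.jones@mail-example.org\n"
        "Subject: Invoice\n\nPlease pay the attached invoice.\n"),
    "legitimate": (
        "From: Bob Jones <bob.jones@example.com>\n"
        "Subject: Lunch\n\nSee you at noon.\n"),
}


def run_examples() -> dict:
    """Run every sample through the checks; maps sample name -> list of reasons."""
    return {label: flag_message(raw) for label, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, reasons in run_examples().items():
        print(f"{label}: {'clean' if not reasons else '; '.join(reasons)}")
```

These heuristics are deliberately cheap and will produce false positives (a colleague genuinely writing from a personal address, for instance), so they suit a mail-gateway warning banner or a triage queue rather than automatic blocking; the point is that the trust signal a recipient sees (the display name) is not the signal a machine should rely on.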

Baiting is another example of social engineering that promises an item, commodity or reward in order to attract victims. Do messages like “Congratulations, you’ve been chosen as the winner of an iPhone 13! Click on this link to claim it” sound familiar? Often, they’re too good to be true for a reason. 

Why it’s such a danger to business

While social engineering attacks primarily target one person, specific individuals are rarely the end target that threat actors have in mind. Instead, these vectors are usually just the first step in planned larger campaigns that aim to infiltrate the wider system or network of an organisation and inflict much more significant damages. The bigger the target, the greater the reward.

At the same time, the challenge for businesses is that each and every individual is potentially another vulnerability. While some employees may be wise to social engineering tactics, others may not be so savvy, and could potentially be liable for putting the entire organisation at risk.

I’ve previously worked with a company that suffered from a ransomware attack. The incident cost nearly £5 million, took 14 months to recover from, and had immense human impacts. Multiple people who worked for the firm were signed off sick due to stress, while others simply were unable to continue doing their job day to day. And all of this happened because one individual made one mistake by unknowingly clicking one malicious link.

It might seem like a severe example, but it’s not uncommon for attacks to be quite this catastrophic. According to the 2022 cost of a data breach report by IBM and the Ponemon Institute, the average cost of a data breach recently reached a record high of $4.35 million (£3.92 million).

Often the reason that the costs are so high is that social engineering will lead to the triggering of ransomware, something that can be extremely costly to recover from owing to multiple factors. It is not simply a case of paying a ransom. Equally, organisations suffer from downtime, network costs, people hours, lost opportunities, fines or penalties, and more.

The challenge of spear phishing

Cybercriminals are increasingly recognising the value to be extracted from pursuing people as a gateway to organisational networks, and are in turn becoming savvier about how they target them.

Cybercriminals are now focused on spear phishing, finding out unique information to build a perception of credibility. This means that not all individuals are approached in the same way. A person in accounting will receive a different hook to someone in logistics, for example.

Further, threat actors are leveraging publicly available information in order to bridge the gap between the personal and the corporate.

I recall an interaction with a threat actor that not only knew my address and mother’s maiden name – they had also built a fake LinkedIn profile and were able to provide me with a fake crime reference number.

Why are they doing this? Well, according to recent password reuse findings, 51% of people use the same password for their work and personal accounts. If threat actors are successful in getting individuals to give up the credentials for their personal accounts, they will likely have a greater than one in two chance of accessing the same individual’s associated corporate accounts.

You may ask, how is this possible? Why is it so easy? How can someone contact me and build an incredible picture to trick me? It’s because data has a value in different pockets. It’s as easy as looking at someone’s social media – with small bits of information, you can build quite a narrative. 

There’s no problem using social media, of course. All I ask is that you consider who you’re sharing that information with. The reason being that information is valuable. Even if it’s not to you, it could build a picture and land you in a difficult situation. 

Offensive, defensive and advisory security

Moving forward, it is likely that cybercriminals will only continue to become smarter; we see the evolution first hand. Deepfake technology, for example, is allowing cyberthreat actors to improve social engineering ploys, proliferate disinformation and wreak societal havoc.

Given the threats, it’s critical that organisations address their human weaknesses as a priority. Moreover, they must deploy 360-degree solutions in order to prevent successful attacks. Organisations with a sophisticated cyber security strategy may opt for an “assume breach” approach, which focuses primarily on spotting anomalous behaviour from actors who already have access to your systems, supported by heuristic analysis.

Indeed, there are some obvious and basic things that you can do, such as making sure you’re not using the same passwords for different accounts and enabling multi-factor authentication where possible.

Yet for true continuous protection, organisations should be looking to implement a security strategy driven by a combination of offensive, defensive and advisory techniques to cover multiple angles.

The first, offensive security, takes a proactive approach to protecting business networks from attacks by testing security postures from the viewpoint of an adversary or competitor. Penetration testing carried out by an ethical hacker is a common example – by proactively attempting to get into a network, potential vulnerabilities can be unearthed and remediated.

Alongside this, defensive security measures should be implemented. This, conversely, is focused on well-informed and reactive measures. For example, an Incident Response Plan would provide a business with the information it needs to prepare for and respond to cyber incidents. However, with the prevalence of cybercrime over the past few years, many businesses are now implementing fully managed security solutions to prevent, detect and respond to ever-growing malicious activities.

Finally, firms should also approach security from an advisory perspective, working with industry experts and seasoned professionals to identify new threats, trends and developments that would be of interest. Many organisations are now additionally training their employees via phishing simulation solutions and education days. In building a security-first culture internally, organisations are able to turn their number one weakness into their first line of defence.

By embracing this trifecta of approaches, firms will be well placed to mitigate, respond to and recover from new and evolving social engineering tactics as and when they arise.

For more information, watch Ryan Pullen’s TEDx talk on the dangers of social engineering.