
THE RISE OF SOCIAL ENGINEERING ATTACKS

DUANE NICOL, CYBERSECURITY AWARENESS EVANGELIST AT MIMECAST, TALKS ABOUT THE NEW SOCIAL ENGINEERING TACTICS THREAT ACTORS ARE USING TO GAIN ACCESS TO DATA.

How are cybercriminals exploiting human behaviour?


Cybercriminals tend to capitalise on basic human nature, for example by sending emails to people announcing that they’ve won a prize and simply need to click on a link to redeem it, or by sending fake offers on high-value items in mails that look like they come from legitimate brands.

These types of attacks are effective even when end-users are aware of the potential risks. In Mimecast’s latest Brand Trust research, 82% of consumers in the UAE and 80% in KSA said they understand the risks of phishing and 81% in both markets agreed anyone can be a victim of cybercrime. However, three-quarters (75%) in the UAE and more than half (57%) in KSA admitted to still opening a phishing email, and two-thirds (67%) of UAE and half (48%) of KSA respondents said they received a phishing email forwarded from a friend or family member.

Our natural excitement at winning a prize or gaining access to an amazing deal on a product or item we really like creates gaps for cybercriminals to exploit.

Our research found that the most common phishing emails or texts that people in the UAE receive include notices of prize winnings (39% in UAE and 58% in KSA), too-good-to-be-true special offers (26% in UAE and 27% in KSA) and, unsurprisingly in light of the pandemic, notices that the person now qualifies to receive the COVID-19 vaccine, reported by 28% of respondents from the UAE, although only 12% reported the same in KSA.

In addition, messages from trusted suppliers such as banks or insurance firms that highlight supposed issues with the security of one’s account or issues with account payment are also common. Around one third (30% in UAE and 34% in KSA) of respondents to our research have received phishing mails about someone supposedly trying to access an account, while 27% in UAE and 36% in KSA received a message telling them to check their account immediately.

Unfortunately, many consumers simply react to the message by clicking on the link provided and give the cybercriminals a welcome gap to exploit, with sometimes devastating consequences for the consumer and often their employer.

Do you see an increase in phishing attacks during this pandemic?

Cybercriminals thrive on disruption and confusion, and with the initial impact of the pandemic and its subsequent lockdowns, organisations across the region have experienced higher volumes of attacks across all types. As organisations start transitioning workers back to the office on a full-time or part-time basis, threat actors again sense an opportunity to capitalise on uncertainty by launching waves of phishing, ransomware and impersonation attacks.

In Mimecast’s State of Email Security 2021 report, three-quarters of organisations in the UAE said they expect an email-borne attack to damage their business in the next twelve months.

The most common types of email-related attacks in the region include phishing with malicious links or attachments (reported by 55% of organisations), impersonation fraud or business email compromise (47%), and fraudulent use of a company’s brand via spoofed email (40%).

Can you give us some examples of social engineering in action?

Social engineering attacks can take several weeks or even months as criminals need time to get to know their victims. However, the more information you share, the easier you make it for cybercriminals.

The recent excitement over people getting their COVID-19 vaccinations and then posting their vaccine record cards to social media offers a good example of how cybercriminals can use the information you put in the public domain for social engineering.

Let’s say Mr Cybercriminal wants to target a bank. He goes to LinkedIn to see who works there, finds a few candidates, and goes onto their Facebook and Twitter accounts to get more information.

One of the candidates, let’s call him Bob, recently posted a photo of his vaccine record with his name, date of birth, first vaccination date, vaccine manufacturer and date of the second scheduled vaccination.

From here, Mr Cybercriminal sends an email to Bob’s work address asking him to confirm his second vaccination date. The email appears to be coming from a trusted source such as the health authority or service responsible for vaccine administration in his region. The link in the email seems legitimate, the branding is on point and the information about his vaccination record is all accurate, so Bob goes through the steps to set up an account.

Bob, who easily forgets passwords, uses the same password he uses to log in to his company network. What he doesn’t realise is that he’s entering his personal information into a fraudulent website. Now Mr Cybercriminal can use Bob’s credentials to access the network of the bank he’s targeting.

Once in, the cybercriminal can do untold damage to the bank’s network, access confidential files, impersonate key stakeholders within the organisation, commit fraud on a massive scale and even infect the network with malware that could take services offline and lead to catastrophic financial losses and severe damage to the bank’s reputation.
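The lure in the scenario above works because the email looks like it comes from the health authority and the link looks legitimate. The following is an added example, not code from the interview or from Mimecast, of the kind of indicator check a mail-security layer or an awareness tool can apply to such a message: it compares the sender's domain with the domain the displayed organisation is known to use, folds look-alike characters so a spoofed domain is recognised, and flags links whose visible text names one site while the href points at another. Both sample emails, the placeholder domains (`health-authority.example`, `bank.example`) and the allow-list are constructed for illustration.

```python
"""Added example (not from the interview): simple phishing-indicator
checks run over a constructed lure like the vaccine-record email above.
All domains, headers and message bodies here are invented placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lure: impersonates a health authority from a look-alike domain
# (capital 'I' standing in for 'l'), and the link text names the real site
# while the href goes somewhere else.
SAMPLE_EMAIL = """\
From: "Regional Health Authority" <noreply@heaIth-authority-verify.example>
To: bob@bank.example
Subject: Confirm your second vaccination date
Content-Type: text/html

<p>Dear Bob, your first dose was recorded on 12 April.</p>
<p>Please <a href="http://heaIth-authority-verify.example/login">confirm
your second vaccination date at https://health-authority.example</a>.</p>
"""

# Constructed benign control: genuine domain, link text and href agree.
CLEAN_EMAIL = """\
From: "Regional Health Authority" <noreply@health-authority.example>
To: bob@bank.example
Subject: Your appointment reminder
Content-Type: text/html

<p>Your second dose is scheduled; details at
<a href="https://health-authority.example/appointments">https://health-authority.example/appointments</a>.</p>
"""

# Placeholder allow-list: display name -> the domain that organisation really uses.
KNOWN_DOMAINS = {"Regional Health Authority": "health-authority.example"}

# Characters commonly swapped in for look-alike domains; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l", "3": "e", "5": "s"})

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise(domain: str) -> str:
    """Fold look-alike characters, then lowercase, so 'heaIth' reads as 'health'."""
    return domain.translate(HOMOGLYPHS).lower()


def check_sender(msg) -> list:
    """Flag a From: address whose domain is not the one the display name implies."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    expected = KNOWN_DOMAINS.get(display)
    if expected and sender_domain.lower() != expected:
        findings.append(("sender-domain-mismatch",
                         f"'{display}' expected {expected}, got {sender_domain}"))
        # Does the sender domain merely imitate the genuine one?
        if normalise(expected.split(".")[0]) in normalise(sender_domain):
            findings.append(("look-alike-domain", f"{sender_domain} resembles {expected}"))
    return findings


def check_links(html: str) -> list:
    """Flag plain-http links and anchors whose visible URL differs from the href."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(("insecure-link", href))
        for shown in URL_RE.findall(text):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and shown_host != (target.hostname or ""):
                findings.append(("link-text-mismatch",
                                 f"shows {shown_host}, goes to {target.hostname}"))
    return findings


def assess(raw_email: str) -> dict:
    """Parse one RFC 822 message and return the indicators found."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg) + check_links(msg.get_payload())
    return {"subject": msg.get("Subject", ""),
            "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, CLEAN_EMAIL):
        result = assess(raw)
        print(result["subject"], "->", "suspicious" if result["suspicious"] else "clean")
        for kind, detail in result["findings"]:
            print("  -", kind, ":", detail)
```

The heuristics are deliberately narrow (a fixed allow-list, a handful of homoglyphs, HTML anchors only); a production filter would add sender authentication results and a registrable-domain comparison. The point of the example is that each cue the scenario relies on, a trusted-looking sender, accurate personal details and a legitimate-looking link, leaves something mechanically checkable even when the recipient is fooled.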

What are some of the prevention techniques against social engineering?

Organisations need layers of protection, including regular and effective cybersecurity awareness training to equip employees with the knowledge they need to avoid risky online behaviour. Cybersecurity awareness campaigns should also extend to an organisation’s customers and partners to keep them from being duped by opportunistic cybercriminals.

The accessibility of personal information on social media also arms cybercriminals with tools they can use in the service of fraud and other crimes. Even simple likes and comments can provide criminals with important information that makes the victim – and ultimately their employer – vulnerable.

End users in the region need to take heed and maintain safe social media habits to limit the opportunities for cybercriminals.
