Human error is often treated as a forgivable explanation for problems beyond a company's control. But what happens when a mistake made by an employee (tricked by criminals into revealing sensitive information) causes a major security breach for a company?
Across the threat landscape, experts recognize that "social engineering" is firmly on the rise. It is an increasingly popular tactic in which attackers get past an organization's cybersecurity defenses by exploiting an employee's failure to notice that he or she is being deceived.
Social engineering can take many forms, including:
- Phishing – often in the form of emails that purport to be genuine but include malicious links to click on.
- Vishing – voice calls made to trick people into revealing passwords or security information, sometimes called telephone-oriented attack delivery (TOAD).
- Smishing – a phishing attempt made via SMS text message.
- Whaling – an attempt to use a genuine-looking email that causes a senior executive to take a specific action, such as transferring funds.
The scale of the problem is revealed in Proofpoint's 2023 Voice of the CISO report. It found that more than three-quarters (78%) of UK CISOs considered human error to be their organization's biggest cyber vulnerability, up from 65% in 2022.
“To some extent, everyone is vulnerable to all forms of social engineering,” says Thea Mannix, research director at Praxis Security Labs. “Most successful social engineering attacks are very sophisticated and require an individual to be very alert and paying attention at the time of the attack to detect any problems.
“We can't pay attention to everything all the time, this goes against our own biology, so it's inevitable that at some point the right circumstances will arise and people will make mistakes.”
Mannix, who has a doctorate in neuroscience, suggests that it is not possible to make people completely immune to cyber deception, but that, at best, leaders can improve their defenses.
She adds: “Most organizations dedicate all their resources to preventing an attack and dedicate very few to mitigating and planning for the impact of an attack.”
Develop a more realistic tone
According to research by Egress for its Phishing Threat Trends Report 2023, a fifth (19%) of phishing emails are based solely on social engineering, up from just under 7% in 2021.
James Dyer, the company's threat intelligence lead, explains that social engineering and phishing have combined to form the most sophisticated threat to businesses yet.
“Gone are the days of grammatically questionable phishing attacks; social engineering, with the help of a chatbot, can imitate the tone of voice and some personalized comments extracted from social networks to impersonate them effectively… and extremely quickly.”
It is not surprising, then, that Renske Galema, area vice president for northern Europe at CyberArk, warns that education is essential. She highlights the company's recent Threat Landscape report, which shows that security leaders have identified security awareness training as one of the three most effective components of a defense-in-depth strategy.
“Teaching employees about the real-world ramifications of risky behavior is key to improving security,” she advises. “Methods that focus on team collaboration to solve problems, rather than shaming individuals who fail, will also go a long way to promoting a team-play mentality for greater security.
“C-suite executives are responsible for implementing a security strategy based on education, awareness and collaboration. Their role is to ensure that the company's approach to security is not about blaming anyone, but about teaching employees how to find and stop attacks quickly.”
Social engineering attacks have many end goals. Some aim to win a person's trust and use it to get malware installed that steals sensitive financial information and customer data; others use the access gained to take a system offline, the objective then being to blackmail the company into paying a ransom to get it working properly again.
Industries that are often targeted include law, the public sector and healthcare, as well as national public services. Kelly Indah, security analyst at Increditools, adds: “I have seen how organizations sometimes underestimate this risk. People tend to be more knowledgeable about financial phishing, but less aware of work-related manipulation.
“Social engineering will likely continue to prevail unless countermeasures evolve alongside manipulation methods. Compliance and clear policies must also be embodied in more than just words. By adopting evidence-based approaches, we can all work to close vulnerabilities and deny attackers their all-too-frequent victories through human deception.”
New vectors include QR codes and PDF files
Experts have warned that the growing availability of artificial intelligence tools will fuel a new wave of social engineering attacks. Heather Hinton, chief information security officer at PagerDuty, believes this will make the problem worse in the coming years because it will be “easier and cheaper to set up.”
“This will enable sophisticated attacks against lower-level employees, especially those in support roles,” Hinton suggests. “We will continue to see sophisticated social engineering attacks through these individuals targeting their employers' customers.”
She adds that the technology should be seen as a positive, and that AI-based cybersecurity should be used as a countermeasure against AI-driven attacks.
“Automation within digital operations management is a game-changer, helping incident responders quickly make the right decision under pressure. The right tools can revolutionize security processes and reduce human error during incidents,” explains Hinton.
“To mitigate human errors, the endpoint becomes the center of attention as a technical control point. Enterprises will renew their interest in and implementation of secure endpoints, including endpoint locking, secure configuration, and data exposure management.”
The consequences of social engineering are not limited to the hit to a company's bottom line: they are also personal. In Egress's Email Security Risk Report, researchers found that once the dust settled on an inbound email incident, nearly three-quarters (74%) of the employees involved were disciplined, fired, or left voluntarily.
Threat actors are also refining their tactics. Newer forms of social engineering involve fake QR codes, taking advantage of the increasingly common habit of scanning them to reach a website or payment portal. PDF attachments are another increasingly common vector.
Attackers also send emails designed to imitate real CEOs or managers, with the goal of tricking employees into believing a request is official. This is known as pretexting: a false scenario is set up, and the messages may also purport to come from the police or from ordinary co-workers.
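The executive-impersonation emails described above are usually caught not by reading the body but by comparing the From display name with the mailbox it actually came from. The following is an added example, not code from the article or from any vendor it quotes: it runs a few constructed raw messages through three checks (an executive's name on a non-executive mailbox, a Reply-To that redirects out of the company, and a lookalike sender domain). The domain example.com, the executive directory and the sample messages are all invented for illustration.

```python
"""Flag executive-impersonation (pretexting / CEO-fraud) emails.

Added example, not from the article. All names, domains and messages
are constructed for illustration.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the people attackers most
# often impersonate. In practice, feed this from the HR or identity directory.
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # CEO
    "sam lee": "sam.lee@example.com",    # CFO
}


def _normalise(name: str) -> str:
    """Lower-case, drop dots and collapse whitespace so 'J. Doe' ~ 'j doe'."""
    return " ".join(name.replace(".", " ").split()).lower()


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message.

    An empty list means none of the three checks fired.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings: list[str] = []

    # 1. Display name belongs to an executive but the mailbox is not theirs.
    exec_addr = EXECUTIVES.get(_normalise(from_name))
    if exec_addr and from_addr.lower() != exec_addr:
        findings.append(
            f"display name '{from_name}' is an executive but sender is {from_addr}")

    # 2. Mail that claims to be internal but asks for replies to an outside mailbox.
    if reply_addr and _domain(from_addr) == CORP_DOMAIN and _domain(reply_addr) != CORP_DOMAIN:
        findings.append(f"Reply-To {reply_addr} leaves {CORP_DOMAIN}")

    # 3. Lookalike domain: the corporate label embedded in some other domain.
    sender_domain = _domain(from_addr)
    if sender_domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in sender_domain:
        findings.append(f"lookalike sender domain {sender_domain}")

    return findings


# Constructed sample messages: one genuine, three impersonation attempts.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nPlease send the deck.\n",
    "freemail": "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: Urgent wire\n\nAre you at your desk?\n",
    "lookalike": "From: Sam Lee <sam.lee@example-payments.com>\nSubject: Invoice\n\nPay the attached invoice today.\n",
    "replyto": "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@outlook.com\nSubject: Gift cards\n\nBuy 5 cards.\n",
}


def scan_all() -> dict[str, list[str]]:
    """Run every sample through the checks and return findings keyed by sample name."""
    return {label: impersonation_findings(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(f"{label}: {findings or 'no findings'}")
```

The third check is deliberately crude (substring match on the first domain label); a production filter would use a confusable-aware comparison and the authentication results (SPF, DKIM, DMARC) of the message, which this offline example does not have.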
To get ahead of this, some IT departments send social engineering-style messages to their own employees and then see who falls for them. Failing to address the risk could result in fines or even legal action if a breach occurs.
Kevin Curran, a senior member of the IEEE and professor of cybersecurity at the University of Ulster, suggests that since social engineering attacks exploit human psychology, the only way to address the problem is through ongoing employee training and simulated attacks.
“Sadly, only a few will listen and learn,” Curran admits. “It usually takes people making a mistake before they learn, but it may be too late.”