Unlike traditional cyber-attacks, in which a network or device is directly infiltrated using technical means to extract data, social engineering is a method malicious actors use to obtain information and personal or valuable data through psychological manipulation.
No matter how technically savvy, anyone in any industry can be a target. This is because the attacker focuses on what makes the target human and takes advantage of their character using manipulation techniques.
A range of methods is used to acquire the information needed to access desirable accounts and/or data. That data can then be used to hold the business to ransom, sold, destroyed or tampered with, or used to reach other organisations in a supply chain attack.
Popular Manipulation Methods Used in Social Engineering
‘Before an attack is made the assailant will have found out all they can about the target company and/or the targeted individual. They will know that Mike works in the IT department (from LinkedIn), they will know that Lisa is on vacation (from her posts on social media), they will know the recent product launches you were involved in (from the company website), they will know the books you like (public forums like Goodreads); all your dislikes and loves will be stored to create a file on you.’ – Eleanor Barlow, Content Manager, SecurityHQ
This reconnaissance makes it far easier to use the following three exploitation methods.
Exploiting Authority
Say the attacker knows that Tom is a new intern in the technical team. They also know the name of a manager who works in a different department. They have Tom’s number, and they call him pretending to be this manager, or even the CEO, asking for information. If a sense of authority is conveyed on the call, Tom might feel that he must provide this information, especially if he is new and does not yet know all the relevant people.
This sense of authority can also be used in emails pretending to come from CEOs, managers or financial organisations, with malicious links and wording such as ‘Update your information here by the end of the day’.
Sense of Urgency
Next is a sense of urgency. If, on this call, the fraudulent manager emphasises that he needed the information last week, has limited time before he goes into his next meeting, or blames the new intern for not providing the information quickly enough, then Tom may feel even more pressure to comply and hand over the information. Under that urgency, many people feel pressured to bypass the usual processes.
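The authority and urgency cues described in the two sections above are also what a mail-triage rule can look for. The following is an added example, not SecurityHQ's code: it scores a message on an executive's name appearing in the display name while the address is external, on deadline or demand phrasing, and on links to hosts outside the organisation. The domain `example.com`, the executive names, the phrase list and the sample messages are all constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: the organisation's mail domain and the executive names an
# impersonator might borrow (the "CEO" and managers the text mentions).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "mike smith"}
# Phrases that apply the pressure described above: deadlines and demands.
URGENCY_PATTERNS = [
    r"\bby (the )?end of (the )?day\b",
    r"\bimmediately\b",
    r"\bbefore my (next )?meeting\b",
    r"\bupdate your (information|details) here\b",
]

def external_hosts(text: str) -> list:
    # Hosts of links that are neither the organisation's domain nor a subdomain of it.
    hosts = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            hosts.append(host)
    return hosts

def score_message(from_header: str, subject: str, body: str) -> dict:
    """Combine the authority and urgency cues into one score for a message."""
    display_name, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower()
    text = f"{subject}\n{body}".lower()
    # Authority cue: an executive's name in the display name, but sent from outside.
    exec_spoof = (display_name.strip().lower() in EXECUTIVE_NAMES
                  and sender_domain != INTERNAL_DOMAIN)
    urgency_hits = sum(bool(re.search(p, text)) for p in URGENCY_PATTERNS)
    links = external_hosts(text)
    # Spoofed authority weighs most; urgency alone should not flag routine mail.
    score = (3 if exec_spoof else 0) + min(urgency_hits, 2) + (1 if links else 0)
    return {"exec_spoof": exec_spoof, "urgency_hits": urgency_hits,
            "external_hosts": links, "score": score, "flag": score >= 4}

# Constructed sample messages (from header, subject, body), not real traffic.
SAMPLES = [
    ("Jane Doe <jane.doe@mail-example.co>", "Quick request",
     "Need the supplier bank details before my next meeting. Update your "
     "information here by the end of the day: https://login.example-update.net/v"),
    ("Jane Doe <jane.doe@example.com>", "Team lunch",
     "Lunch is at 12:30 Friday, menu at https://intranet.example.com/lunch"),
    ("IT Helpdesk <helpdesk@example.com>", "Password expiry",
     "Your password expires immediately; update your details here: https://example.com/r"),
]

def triage(samples=SAMPLES) -> list:
    # Subjects of messages that should be held for a reviewer.
    return [s for f, s, b in samples if score_message(f, s, b)["flag"]]
```

Only the first sample is held: the internal helpdesk reminder carries urgency wording but no spoofed authority or external link, so it scores below the threshold.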
Building Likability and Relatability
People usually like to help others, especially those they find common ground with, are attracted to, or share a goal with. If someone called to ask for information but first joked with you about the football match (already knowing you went to the match on Saturday), or claimed to have children at the same school as yours (from a quick Google search of your family’s social media), you would be more likely to go out of your way to help them.
Mitigation Against Insider Threats for Organizations
As an organisation, you must have steps in place to detect insider threats and train your employees to know what to look for.
Sometimes an employee is the bad actor, but far more often employees are manipulated without being aware of it.
‘Internal teams pose as much of a threat as external attacks, and both malicious and accidental internal security breaches are regular occurrences, with “66% of organizations considering malicious insider attacks or accidental breaches more likely than external attacks” (TechJury).’
This is what User Behaviour Analytics (UBA) is for, as part of Managed Extended Detection & Response (XDR). UBA is used to detect compromised accounts and to detect and mitigate malicious or anomalous insider activity.
Find out more about how XDR can help increase your security and provide insights into the threats within your working environment, here.