In this first of a series of articles, let us share some insight into all things ‘social engineering’. Firstly, you need to know what it is. Put simply, social engineering is the act of tricking someone into divulging information or taking an action, usually via technology. It’s a simple idea, intended to take advantage of a potential victim’s natural tendencies and emotional reactions.
Once upon a time, mischief-making in the world of IT was much more about college students writing computer code, e.g. a virus, to cause as much chaos as possible within an organisation, or looking for kudos from their peers by hacking a household name and getting through supposedly impenetrable security. Financial gain for the hacker was rarely the motivation.
Now we live in a world where it’s all about financial gain. Ransomware, data encryption, bank fraud, password harvesting: the list is extensive and makes this one of the most lucrative revenue streams in the criminal underworld. As an example, the WannaCry ransomware attack left the NHS with a £73m bill, and the Independent newspaper reported in April 2019 that nearly half the businesses in the UK had fallen victim to cyberattacks or security breaches in the last year, with an average financial impact of £3,100 for UK businesses alone.
Current antivirus and spam filters are often less than 40% effective against this type of attack. Here’s an example of how a firm can easily be ‘caught out’. An email is sent, on first-name terms, to a solicitor, stating that the sender has been personally recommended and asking whether they would be able to help with an impending divorce. Nothing suspicious so far: the solicitor responds that they would be delighted to help and asks for more details so they can quote for the work. At this point a relationship is already forming between the scammer and the solicitor. The scammer replies saying they have included a link to their “Dropbox” account with all the relevant details, and that they have used Dropbox to ensure confidentiality, so that no personal data is sent via email. You should now be able to see where this is going, but trust is building and a potential new client is on the horizon. The die is cast and, in the eagerness to secure the new client, the link is clicked. It should come as no great surprise that the link does not take the solicitor to the described file but to a location where malware is waiting to be downloaded onto their systems, encrypting their data and then demanding a fee to decrypt it.
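The weak point in that story is the gap between what the link says and where it actually goes. The following is an added example, not code from the original article or its authors, showing the kind of check a mail gateway or a security-awareness tool can apply to an HTML email body: it extracts every link, and flags any whose visible text shows a different address from the real destination, or which names a service (here “Dropbox”) that the destination domain does not belong to. The email body, the domain names and the list of legitimate Dropbox domains are all constructed or assumed for illustration; only the Python standard library is used.

```python
"""Flag e-mail links whose visible text does not match where they really go.

Added example for this article (not the author's code). The e-mail body below
is a constructed sample modelled on the 'Dropbox' pretext described in the
text; the hostnames in it are invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Services a sender might name in link text, with the domains the service
# legitimately uses. Illustrative/assumed list: extend it for your own estate.
KNOWN_SERVICES = {
    "dropbox": ("dropbox.com", "dropboxusercontent.com"),
}


def host_belongs_to(host, domains):
    """True if host is exactly one of the domains or a subdomain of one.

    'dropbox.com.files-share.example' does NOT belong to dropbox.com, because
    the legitimate domain must be the suffix, not a prefix, of the hostname.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def check_anchor(text, href):
    """Return a list of reasons an anchor looks deceptive (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() not in ("http", "https"):
        reasons.append(f"non-web link scheme {parsed.scheme!r}")

    shown = text.strip().lower()
    # 1. The visible text looks like a URL: does its host match the real one?
    if shown.startswith(("http://", "https://", "www.")):
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = urlparse(shown_url).hostname or ""
        if shown_host and shown_host != host:
            reasons.append(f"text shows {shown_host} but link goes to {host or '?'}")
    # 2. The visible text names a service the destination does not belong to.
    for service, domains in KNOWN_SERVICES.items():
        if service in shown and not host_belongs_to(host, domains):
            reasons.append(f"mentions {service} but host is {host or '?'}")
    return reasons


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text), self._href))
            self._href = None


def scan_email(html_body):
    """Return [(visible text, href, reasons)] for every anchor that fails a check."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    flagged = []
    for text, href in collector.anchors:
        reasons = check_anchor(text, href)
        if reasons:
            flagged.append((text.strip(), href, reasons))
    return flagged


# Constructed sample modelled on the scenario in the article (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Hi Sarah, thanks for coming back to me so quickly.</p>
<p>I have put all the paperwork in my Dropbox so nothing personal goes by e-mail:
<a href="http://dropbox.com.files-share.example/divorce-docs">https://www.dropbox.com/sh/divorce-docs</a></p>
<p>You can also read about us on <a href="https://www.example.com/about">our website</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the first link is flagged twice (the displayed address is www.dropbox.com while the real host is dropbox.com.files-share.example, and the text mentions Dropbox while the host is not a Dropbox domain) and the plain “our website” link passes. The suffix test in `host_belongs_to` is the important detail: a hostname that merely starts with a trusted brand is exactly the trick this kind of lure relies on.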
There are hundreds of ways to interact, gain trust and deliver a crippling piece of malicious software to internet-connected PCs, regardless of antivirus and firewalls, just by leveraging people’s natural tendencies.
So, what can you do about it?
Firstly, it’s all about education. UK firms need to make their staff aware of the multitude of email scams (Phishing), targeted email scams (Spear Phishing), voice scams (Vishing), mobile text scams (SMSishing) and others, so that levels of vigilance are far greater than they are currently. We often work with clients to create an artificial threat and actually test how susceptible their staff are to these kinds of threats and attacks. The results are sometimes frightening for the business owners and leaders!
Secondly, there are technologies available which can reduce the risk by providing extra layers of security.
Finally, no protection is 100% foolproof, and the human factor inevitably plays its part in mishaps occurring. That’s why companies are increasingly turning to solutions which allow them to take much better care of their data and recover quickly in the event of worst-case scenarios.
Talk to us about how we can help you reduce the risk of falling victim to this increasingly serious threat.