Threat of Social Engineering to Multi-Factor Authentication

0xDamian
11 min read · Oct 6, 2022


Illustration from the internet

Introduction

Social engineering is a real threat to the security of our digital lives. From email phishing scams to phone calls, social engineering is not only a serious crime but also an effective means of accessing your personal information. It’s important to know how social engineering can be used against you, as well as how you can protect yourself from being victimized by it.

In this blog post we’ll explore the ways that social engineering attacks can take place, including through email and text message scams. We’ll also discuss prevention techniques that might help those who have fallen victim to such scams recover their identities and prevent future attacks from happening. This will cover the effects on, and remediations for, businesses, the IT team and you, a normie who may just have happened to stumble upon this.

What is Social Engineering

Image Illustration

Social engineering is a form of hacking that uses human interaction to gather information. It’s used to gain access to data or systems and can be carried out by either a hacker or an employee of the company.

Let me reproduce a simple social engineering attack starring threat actor and victim. The threat actor’s goal is to learn things about the victim that could be used to create a list of passwords to try on the victim’s social media accounts:

Image illustration of a social engineering attack.

The threat actor seems to have used a friendly approach to gather information about its victim and it has proven effective. Of course, this is a very simplistic form of social engineering.
A social engineer might try to trick you into giving them sensitive information, like:

  • Your passwords
  • Your credit card number
  • Your SSN (social security number)
  • Your mother’s maiden name
  • For the sake of it, even wanting to know what kind of movies you watch
  • Your pet’s name (because why not)

Once they have your password, they can use it on your computer or phone and log into other accounts associated with it. This means that if you’ve forgotten your password but have it written down somewhere, there’s no way for you to change it without giving away more personal details about yourself, unless someone tries this method of attack on you first!

What is multi-factor authentication?

Image illustration

Multi-factor authentication (MFA) is a system that uses two or more of the following factors to provide an extra layer of security.

  • Something you know: This refers to a password, PIN code, or other secret information you know. A common example of something you know would be your email address and password combination.
  • Something you have: This refers to something physical such as a token device or smartcard. Common examples include Google Authenticator and Yubikey devices that can generate one-time passwords when needed. Another example is Microsoft Azure AD multi-factor authentication (MFA), which is typically a resource used by small and mega businesses alike. You must have both factors in order for this type of MFA method to work properly, because it requires a physical device as well as a digital one, and only one of them will work at any given time!

Social engineering and multi-factor authentication.

Social engineering is a term that describes the use of psychological manipulation to convince a person to reveal confidential information or perform actions they would not otherwise have done. Social engineering is the most common form of cyber-attack and is becoming more sophisticated as technology advances.

Social engineers often use a mix of psychology, persuasion techniques and technology to gain access to sensitive data or systems. The goal for social engineers is usually financial gain with little regard for personal safety or privacy concerns.

Effect of Social Engineering in Businesses.

There’s no doubt that even businesses are affected by this. While, admittedly, there have been many notable cases of companies taking a hit, Uber, a mobility-as-a-service company, recently got attacked and, as you may have guessed, social engineering was the main attack vector.

Uber announces cyber attack carried out by ‘teapot (LAPSUS$ member)’

The company was right about the attacker being a member of LAPSUS$, and it was a 17-year-old. For obvious reasons, we do not know his identity. It just goes to show how easy it is to bring a mega company worth billions of dollars to its knees.

Why is this important to you as a business executive? Well, I’m no businessman, but I’d win a lot of money if I bet that not losing money is your top priority. After the recent cyber attack, Uber’s stock was observed to dip by about 6% in pre-market trading. What that means is that the cyber attack Uber faced scared away investors. People do not want to put their money in an asset that shows even the faintest crack in confidentiality.

The exact same thing happened recently to other companies such as Rockstar Games, the game publisher behind the GTA series. Again, the same individual who attacked Uber took the blame. Its parent company, Take-Two, saw its stock slump by a bit more than 6%.

Rockstar Games announces cyber attack carried out by ‘teapot (LAPSUS$ member)’

Hopefully, I was able to make you think: instead of losing money to a random 17-year-old messing around with a low-budget PC, invest in a security team. Have them train your employees on how to avoid social engineering attacks that could damage your company’s resources.

Shadow IT in Organisations

One of the most ominous signs that your company is vulnerable to social engineering attacks is when you see employees using their own devices or apps in a workplace. This can be a sign of shadow IT, where employees are using non-approved apps and software that they have downloaded from the internet.

Shadow IT isn’t just limited to laptops; it’s also happening on smartwatches, tablets and even telephones! In fact, according to research conducted by Pew Research Center in 2017, more than one-third of Americans between 18–29 years old use their smartphone while at work — and this number continues to rise every year.

This is a problem that many companies are facing today, and it can be extremely detrimental to your business. Why? Because employees using their own devices at work could create security risks, privacy concerns and even HIPAA violations.

  • Security Risks: If you’re using a device that isn’t approved by your IT team, there’s no way to know whether it has been compromised by hackers. This could mean that sensitive data, like employee information or customer details, is at risk of being stolen.
  • Privacy Concerns: Another issue with shadow IT is that employees might be posting sensitive information on their personal social media accounts. This includes pictures from work parties or events and even photos of confidential files!
  • HIPAA Violations.

Why multi-factor authentication is not enough.

Multi-factor authentication (MFA) is a great way to prevent social engineering attacks, but it isn’t enough. Social engineers can still use their knowledge and skills to gain access to your system.

Social engineers are trained in deception, manipulation and trickery. They know how to get what they want by using these skills on unsuspecting victims. Social engineers are often able to create fake IDs or passports as well as impersonate individuals who have access only through MFA methods such as two-factor authentication (2FA).

The threat of social engineering to businesses/organisations and their users must be taken seriously by both the IT team and end-users.

Image Illustration

Social engineering is a serious threat to organisations and their users. The IT team needs to understand the threat and educate end-users on how they can protect themselves from this type of attack.

The social engineering threat can be easily avoided by using multi-factor authentication (MFA). MFA is a secure method of authenticating users who enter their login credentials into an application or website. It requires more than one factor before you gain access, such as having something physical that identifies you, like your phone or tablet, or having something electronic, like an app on your phone that sends out a notification when it is activated over a Bluetooth connection with another device nearby (such as an employee wearing their badge).

Two-factor authentication

Two-factor authentication is a security process that requires two independent pieces of information to log in to an account. The first factor is something you know, like a password or PIN. The second factor is something you have, like a smartphone that scans your fingerprint or voice print when you turn it on.

Two-factor authentication is a way to add an extra layer of security to your accounts. It’s especially useful if you use the same password for multiple accounts, since it means even if someone guesses one password, they won’t be able to access your other accounts.

Weak password, poor password management.

Image illustration

Even though password management is a good security practice, it’s not enough to protect against social engineering attacks. Social engineers will use multiple methods to gain access to your accounts and can often succeed by asking you questions that seem logical but are actually designed to trick you into giving them information they need.

If you’re using a single factor authentication service like Google Authenticator or Authy (which allows users to generate their own unique codes), the chances of someone being able to get into your account are small because they would have no way of knowing the code until after they’ve already been given access. But what about those times when we forget our phone numbers or passwords?
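To make the “something you have” factor from the MFA section and the authenticator codes in the paragraph above concrete, here is an added example (not code from the original post or from any of the products named) of the RFC 6238 TOTP scheme that Google Authenticator and Authy implement, together with a verifier that accepts a code only within a narrow time window and never twice, so a code that is phished or shoulder-surfed stops working almost immediately. The secret is RFC 6238’s published test key, assumed here purely for the demo.

```python
import hashlib
import hmac
import struct

# Assumption for the demo: RFC 6238's published SHA-1 test key. A real deployment
# uses a random per-user secret shared only once, at enrollment.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the default Google Authenticator and Authy use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // STEP, digits)


class TotpVerifier:
    """Server side: accept a code only within +/- `window` steps and never twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step whose code was already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay: a code for this step was already accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> tuple:
    """A code captured at t=59 works once, then fails on replay and once expired."""
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    first = verifier.verify(code, 59)             # genuine login: accepted
    replay = verifier.verify(code, 70)            # same code resubmitted: rejected
    stale = verifier.verify(code, 59 + 5 * STEP)  # several steps later: expired
    return first, replay, stale
```

The replay check is what RFC 6238 asks of verifiers; without it, a code handed to an attacker within the 30-second window could be used alongside the victim’s own login.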

Many people don’t realize that if someone knows one part of your identity, like an email address, it’s possible for them to also learn another piece, perhaps from something as simple as having met you at an event years ago where you once gave them your details! This means that even though we may feel safe using two-factor authentication systems like SMS codes sent to our devices, the reality is that there could still be ways around such measures if hackers were able to take advantage of them.

Mishandling of authentication credentials, such as phones and physical tokens

Physical tokens are not as secure as they seem. A physical token can be lost or stolen, and if it’s your only form of authentication, you may have no way to recover it. The same goes for phones: if someone steals your phone while you’re on a trip and accesses all the information stored on it (including passwords), they will be able to use that information against you when logging into your accounts. In addition to these risks, phones can also be cloned by someone who gains access to them through other means (like stealing them), or infected with malware that gives an attacker control over your device, including its text messages, contacts, photos and so on, which ultimately gives them access to all kinds of other personal data stored on it!

How to protect against social engineering attacks.

IT-Seal Image illustration

Social engineering attacks are often successful because employees do not know that they are being attacked. To prevent your employees from falling victim to social engineers, you need to educate them on the dangers of this type of attack. You should also ensure that your employees are aware of the risks associated with social engineering attacks and what steps they should take if they fall victim to one.

  • Through training and education, you can help your employees recognize social engineering attacks.
  • Educate your staff on what a social engineering attack is and how to recognize it.
  • Make sure that all of your employees know not to share sensitive information over the phone or email.

Social engineering is at the root of many attacks where multi-factor authentication is employed.

Social engineering is the most common method of attack. This can be done by tricking people into giving out their passwords, or other confidential information. It’s a form of hacking, but it doesn’t involve breaking into computers or networks.

Social engineering attacks are effective because they target the human element in cybersecurity: trust between you and your organization’s employees. When you’re dealing with sensitive data like log-in credentials, social engineering takes advantage of your co-workers’ tendency to feel comfortable around others, and therefore to be more likely to disclose sensitive information when pressured by a hacker who knows them well enough (or has been able to identify them).

Conclusion

I believe that multi-factor authentication is a good way to secure access to your network. But it’s not perfect and can be vulnerable to social engineering attacks. We need to protect ourselves against this threat by thinking and planning ahead.

Summary

The best solution to social engineering is a combination of educating your users and taking the necessary steps to protect against these attacks. Make sure that your employees know how to identify phishing attempts, don’t give out sensitive information over the phone or email, and always verify any request for sensitive data by directly contacting IT.

Managing a business is no easy task. Although there are many challenges that come with this, not losing money is certainly the top priority. Invest in a security team.

And as for an end-user, the most important thing to remember is that you can’t believe everything you read, except this article of course. Always think twice before clicking on a link or taking action on an email request for information.

Written by 0xDamian

B.Sc Cyber Security Student | CTF Player | Breaks Stuff | Does not like Windows OS.
