Social engineering, an invisible threat: trends and developments

Social engineering attack - social engineering illustration

How do cybercriminals use social engineering to target businesses?

What is social engineering?

Social engineering is one of the most insidious threats to businesses, particularly to small and medium-sized enterprises (SMEs). Unlike conventional computer attacks, which exploit technical vulnerabilities, social engineering targets human psychology to gain access to confidential information and IT systems and to compromise corporate security.

Social engineering is an attack approach that relies on manipulating and deceiving individuals to gain access to sensitive information or computer systems. Cybercriminals use a variety of techniques to abuse users’ trust, inducing them to divulge confidential information or perform harmful actions. It is one of the most widespread and effective methods of gaining access to confidential information: statistics show that attacks combining social engineering and phishing are extremely effective and result in considerable financial losses for companies. Here are a few figures illustrating the scale of social engineering:

  • Social engineering is behind 98% of all computer attacks.
  • Over 70% of data breaches begin with phishing or social engineering attacks.
  • In 2021, Google counted more than 2 million phishing sites.
  • Some 43% of phishing e-mails impersonate well-known entities, such as Microsoft.
  • SMEs with fewer than 100 employees are 3 times more likely to be the target of social engineering.
  • A study by the Cyber Security Hub revealed that 3 out of 4 cybersecurity professionals considered social engineering or phishing attacks to be the “most dangerous” threat to their company’s cybersecurity.

What are the main social engineering techniques used by cybercriminals?

This mainly human-based strategy takes many different forms. Here are some common examples:

  • Phishing and spear-phishing: Phishing is one of the most common techniques used by cybercriminals to carry out social engineering attacks. They send fraudulent e-mails or messages that appear to come from a legitimate source such as a bank, company or government institution. These messages entice recipients to divulge confidential information, such as login credentials or financial data. Phishing is constantly evolving, making detection and prevention increasingly complex. Cybercriminals use a variety of techniques to make these phishing e-mails convincing, including copying logos, creating fraudulent websites that mimic those of targeted companies, and writing emergency messages to urge immediate action. According to the Federal Bureau of Investigation’s annual report on cyberattacks in 2022, it causes an average of $2.7 billion in losses per victim. It is the most expensive threat.
  • Vishing and smishing: other variants of phishing that rely on voice calls and SMS messages respectively. Attackers pose as trusted people, such as technical support agents or human resources staff, to steal confidential information.
  • Pretexting: Pretexting is another commonly used social engineering technique. Cybercriminals pose as trusted individuals, such as co-workers, company employees or even suppliers. They create a false identity and invent scenarios to deceive victims and obtain sensitive information. For example, an attacker could pretend to be a human resources manager and claim to need employee information. Victims, thinking they are talking to a trusted colleague, could disclose personal data without suspecting the scam.
  • Baiting: Baiting consists of offering victims something attractive to encourage them to disclose sensitive information. The bait can take the form of files, such as business documents, videos or software, that actually contain malware. Once victims open them, their systems are compromised.
  • Whaling: this technique has a precise target: attackers go after an organization’s most senior executives, whose privileged access leads to its most confidential information.

What are the potential risks for a company of a social engineering attack?

A social engineering attack can have serious consequences for a company.

  1. Leakage of sensitive data: Social engineering attacks are often aimed at obtaining confidential information. If successful, this can lead to the leakage of sensitive data, such as information on customers, employees, company finances or trade secrets.
  2. Financial loss: Cybercriminals can use social engineering to defraud the company of money, whether through fraud, unauthorized fund transfers or payments to fraudulent suppliers.
  3. Reputational damage: Successful social engineering attacks can seriously damage a company’s reputation. Customers and business partners may lose confidence in the company if sensitive data is leaked or if it is involved in scams.
  4. Disruption of operations: Some social engineering attacks aim to disrupt company operations. This can result in service disruption, loss of productivity and significant costs to restore normal operations.
  5. Legal liability: Companies can be held liable for breaches of their customers’ privacy, or for the financial consequences of a successful social engineering attack. This can lead to legal action.
  6. Infiltration of networks and systems: Social engineering attacks can enable cybercriminals to break into corporate networks and systems, which can lead to cyber espionage, intellectual property theft or other forms of intrusion.
  7. Malware propagation: Attackers can use social engineering to induce employees to download malware, which can compromise the security of IT systems and data.
  8. Loss of financial or accounting data: Social engineering attacks can target employees responsible for finance or accounting, leading to the loss of crucial financial data or fraudulent manipulation.

Why does teleworking increase the risk of social engineering attacks?

Telecommuting has dramatically changed the way employees interact with their company’s information technology and IT systems. Teleworking has many advantages, but it can also increase the risk of social engineering attacks, for a number of reasons.

When employees work remotely, they are often alone and may be more vulnerable to social engineering attacks. The absence of nearby colleagues to seek advice from or to verify information with can make it more difficult to detect attempted scams. In addition, some employees may use their personal computers for remote working, which may be less secure than company-supplied computers; cybercriminals can exploit these devices to launch attacks.

Virtual meetings, e-mails and online messages are the main means of teleworking communication. Cybercriminals use these channels to deliver social engineering attacks, such as phishing e-mails, fraudulent meeting invitations or malicious collaboration messages. Telecommuting employees often have less access to IT security training and threat awareness, which makes them less prepared to identify and report social engineering attempts. Finally, telecommuting employees may use public or unsecured Wi-Fi networks, increasing the risk of communications being monitored or intercepted.

To mitigate these risks, companies need to implement telecommuting-specific security measures, such as security policies for personal computers, telecommuting-specific security training, and e-mail security solutions to detect and block social engineering attacks. Employee awareness of cybersecurity risks and best practices remains essential to prevent social engineering attacks, whatever the workplace.

Some examples of attacks in recent years

  • In 2022, a social engineering attack at Uber: the attacker told the New York Times that he had used social engineering, a common phishing method that preys on human nature by manipulating individuals into sharing personal and confidential information. The hacker contacted an employee via WhatsApp, claiming to be from Uber IT, and convinced the person to log in to a fake Uber web page. This allowed the hacker to retrieve the employee’s password, then trick him into approving access in the company’s Multi-Factor Authentication (MFA) application.
  • In 2020, Twitter was the target of a vishing attack: the attack resulted in the theft of over $118,000 in bitcoins from platform users. Around 130 Twitter accounts, all certified and belonging to famous personalities, were compromised. Personalities such as Elon Musk, Barack Obama, Kim Kardashian and Warren Buffett were affected. The attackers orchestrated a phishing campaign enticing subscribers to make bitcoin payments to a specific wallet, promising to double the sums transferred. To obtain the administration information for these certified accounts, the fraudsters followed a two-step process. First, they used a “vishing” technique, targeting lower-level employees at Twitter who did not have access to the administration tools. These employees divulged their credentials, enabling the hackers to contact higher-level employees with permission to use the administration tools. This enabled the fraudsters to penetrate the company’s internal systems.
  • In 2017, Facebook and Google fell victim to spear-phishing / “BEC” (Business E-mail Compromise) attacks. A Lithuanian hacker succeeded in defrauding Facebook and Google. To carry out the scheme, he posed as an employee of Quanta Computer, a Taiwanese electronics company with which the two companies regularly collaborated. Using false contracts, invoices and reminders sent to accounting departments, the hacker managed to obtain $100 million. To avoid arousing suspicion, he even opened bank accounts in Taiwan.

The future of social engineering: trends and developments

Deepfakes are multimedia content, such as videos or audio recordings, created using artificial intelligence to imitate people or scenarios in a highly convincing way. Cybercriminals use deepfakes to create falsified recordings of company executives or colleagues, inciting employees to take damaging action, such as transferring funds or disclosing sensitive information. To counter deepfakes, it is essential to implement rigorous verification protocols to confirm the authenticity of media, and to raise employee awareness of the risks associated with falsified multimedia content.

Artificial Intelligence-based attacks: AI has become a powerful tool for cybercriminals, who use it to automate and personalize their attacks. AI-based attacks can generate sophisticated phishing e-mails, specifically targeting individuals or organizations, using information gathered from social media and other sources. Detecting these attacks requires state-of-the-art security solutions, capable of spotting AI-based attack patterns and blocking threats before they reach users’ inboxes.

How can you identify and protect your company from these attacks?

Detecting social engineering is essential to protecting organizations, particularly VSEs, SMEs and SMBs, against cyber-attack threats. There are several tools and technologies designed to detect and counter social engineering attacks. By combining advanced e-mail security solutions with training and awareness programs, companies can strengthen their security against social engineering. Continuous vigilance and preparation for emerging threats are essential to protect data and systems against subtle social engineering attacks.

Advanced e-mail security solutions like Altospam’s Mailsafe are one of the pillars of defense against social engineering:

  • Intelligent filtering: These solutions use advanced algorithms to analyze e-mails for malicious content, suspicious attachments or attack patterns.
  • Behavioral analysis: Some solutions monitor the behavior of users and incoming e-mails to detect abnormal activity.
    • Early detection: These solutions identify abnormal behavior before an attack occurs.
    • Adaptability: They can adapt to new threats by constantly analyzing behavior patterns.
    • Reduction of false alarms: By focusing on abnormal behavior, these solutions reduce false alarms.
  • Phishing protection: These solutions are designed to detect phishing attempts by examining e-mail content and links.
  • Employee training and awareness: Some solutions offer training and awareness features to help users recognize social engineering attacks.
    • Signal recognition: Trained employees are more likely to recognize social engineering attempts.
    • Reduced human error: Training helps to reduce the human errors that can lead to security compromises.
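To make the filtering and phishing-protection points above concrete, here is an added example (not Altospam’s or Mailsafe’s code) of the kind of heuristic checks such a filter applies to an incoming message: display-name impersonation of a well-known brand, a Reply-To that diverts the conversation (typical of BEC invoice fraud), urgency wording, and link text showing one domain while the href points to another. The brand list, the urgency phrases and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed policy: brands worth protecting and the domains they legitimately send from.
TRUSTED_BRANDS = {"microsoft": {"microsoft.com"}}
# Constructed list of pressure phrases that phishing uses to rush the reader.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|verify now)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude registrable-domain extraction (last two labels); enough for the sample data.
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw):
    """Return the list of heuristic indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # 1. The display name claims a trusted brand but the sending domain is not that brand's.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display.lower() and from_dom not in domains:
            found.append(f"display-name impersonation of {brand} from {from_dom}")
    # 2. Reply-To sends answers to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.split("@")[-1]) != from_dom:
        found.append("reply-to domain differs from sender domain")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    # 3. Urgency language in subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        found.append("urgency language")
    # 4. Link text that displays one domain while the href leads to another (fake login page).
    for href, text in ANCHOR.findall(body):
        shown = re.search(r"[\w.-]+\.\w+", text)
        target = urlparse(href).hostname or ""
        if shown and registrable(shown.group()) != registrable(target):
            found.append(f"link text {shown.group()} hides {target}")
    return found

# Constructed sample message imitating a Microsoft account notice; the domains are not real.
SAMPLE = """From: Microsoft Account Team <security@ms-login-alerts.example>
Reply-To: billing@invoices-collect.example
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Verify now at <a href="http://ms-login-alerts.example/auth">https://login.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE):
        print("indicator:", hit)
```

Such heuristics are only a triage layer: a real filter combines them with sender authentication (SPF, DKIM, DMARC) and attachment analysis, and tunes the scoring to keep false alarms low.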

The future of social engineering presents challenges. With a combination of phishing awareness and advanced technologies like Altospam’s Mailsafe (anti-phishing, anti-spearphishing, anti-malware and anti-ransomware), companies can strengthen their security and guard against emerging threats. Keeping abreast of new trends and adapting quickly is essential to protect data and systems against social engineering attacks.
