There is a human element in all cybersecurity failures.
Organizations use various forms of technology to protect their data and networks. Yet some of the weakest links in any security effort ultimately involve vulnerabilities in human beings and their behaviour.
Social engineering covers the cases where another person purposely dupes you into taking a course of action that directly leads to your IT security being breached. Someone tricks you into clicking on that phishing link, opening that malware-infested attachment or giving out your password over the phone. It’s a form of deliberate deception that later leads you to exclaim, “Man, I can’t believe I fell for that.”
But so many of us have fallen for it. Social engineering is used in 66 per cent of cyber attacks by hackers, hacktivists and nation states, according to research compiled last year by Social-Engineer.org, a non-profit group that provides social engineering education, training and consulting services. Even scarier, Social-Engineer.org says that during client audits and training exercises its team carried out over a five-year period:
– 90 per cent of people provided their email addresses and the spelling of their names without confirming the identity of the researchers
– 67 per cent gave out their birthdates, social security numbers or employee numbers without verifying the team’s authenticity
So it’s not surprising that security vendor RSA issues a warning about social engineering in its latest quarterly report on cyber fraud.
A whole section of the global study is devoted to the creative, creepy ways hackers use social engineering tactics to trick British victims. RSA researchers discovered various underground online marketplaces selling the birthdate, passport and address data of UK citizens. (You can buy the scanned image of a real UK passport for around US$11, or pay just US$4 for the full name, address, birthdate and mother’s maiden name of some unlucky Brit.)
Hackers use that personal data in “social engineering to get past authorization and authentication measures, and reach their goal of monetizing stolen credit card data and compromised online accounts,” RSA researchers write.
In other words, fraudsters still need passwords and PIN codes to make money off all that passport, birthdate and address data, and they use social engineering to obtain them from the victims themselves. In the unsuspecting targets’ minds, only a legitimate bank or credit card rep would already know all that personal info about them, right? Wrong, unfortunately. A caller’s knowledge of your personal details proves nothing about who they are when those details are on sale for a few dollars; the only safe check is to hang up and call back on the number printed on your card or statement.
Social engineering crops up in other sections of the RSA fraud report: the Trojans now being embedded directly within Word documents sent as email attachments; the 126,797 phishing attacks recorded by RSA during Q2 of 2015 (Canada was targeted by five per cent of all attacks, making us the world’s fourth most popular phishing target after the U.S., China and the UK); the “fully customized fake online stores with connections to payment gateways for e-commerce fraud”; the fraudsters giving “tips on improving stolen credit card data by social engineering”; and the new malware variant that uses Facebook as a distribution method.
How many of those did you recognize as social engineering tools and tricks?
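The Word-attachment Trojans mentioned above usually ride in as a VBA macro project inside the document. The following is an added example, not code from the article or from RSA, of the kind of mail-gateway check a security team can run on attachments before they reach the employee: it opens an OOXML (.docx/.docm style) attachment as the zip archive it is and flags any VBA project part, regardless of the file extension, since a macro-bearing file renamed to .docx still carries the macros. The sample "attachments" are minimal archives constructed in memory, and the function names (`build_sample_docx`, `macro_parts`, `classify_attachment`) are hypothetical.

```python
import io
import zipfile

# Added example, not from the article or the RSA report.
# Magic bytes that identify the two Office container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsm/...


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style archive in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # The VBA project part is where Word loads macros from.
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def macro_parts(data: bytes) -> list:
    """Return the names of VBA project parts in an OOXML archive ([] if none, or not a zip)."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Word, Excel and PowerPoint all store macros as .../vbaProject.bin
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide what to do with one attachment. Verdicts: 'block', 'review' or 'allow'."""
    parts = macro_parts(data)
    if parts:
        # The extension is deliberately ignored: content decides, not the name.
        return {"filename": filename, "verdict": "block",
                "reason": "VBA project present: " + ", ".join(parts)}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams and need a dedicated
        # parser (for example oletools' olevba), so route it for inspection.
        return {"filename": filename, "verdict": "review",
                "reason": "legacy OLE2 container, inspect with an OLE parser"}
    return {"filename": filename, "verdict": "allow", "reason": "no VBA project found"}


if __name__ == "__main__":
    # Constructed sample attachments, including a macro file renamed to .docx.
    samples = {
        "invoice.docm": build_sample_docx(with_macro=True),
        "invoice.docx": build_sample_docx(with_macro=True),
        "agenda.docx": build_sample_docx(with_macro=False),
        "old_contract.doc": OLE2_MAGIC + b"\x00" * 64,
    }
    for name, blob in samples.items():
        print(classify_attachment(name, blob))
```

The check answers only one question, whether a VBA project is physically present; it does not say what the macro does, and it does not cover other tricks such as external template links or embedded OLE objects, which is why the legacy binary formats are routed to a proper parser rather than waved through.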
Of course we need to constantly develop and update technology to foil cyber criminals. But when it comes to tracking the most vulnerable security endpoints, are we including ourselves on that list? The experts at Social-Engineer.org don’t think so. They urge organizations to go beyond arming their employees with an IT policy and a password, and to educate workers specifically about what social engineering looks like.
When you realize how easily the good people inside your organization can be fooled into letting bad outsiders inside your network, it might be worth the effort.