There are dozens of example of common social engineering tactics of varying sophistication, including:
• Scarily commonplace: An employee clicks on trustworthy-looking but malicious email and lets in a ransomware attack on their entire company.
• Stupidly embarrassing: Pathé executives pay over $21M to a fraudulent recipient before realizing the source of their email instructions was not actually their CEO.
• Futuristic: Criminals impersonate a CEO’s voice using AI-enabled deepfake audio technology to direct fraudulent wire transfers of $250K.
Success of social engineering attacks
To understand how phishing and other social engineering tactics have become so successful, it’s useful to highlight a few current trends in the business and cybercrime worlds:
• The boom in credential theft and resale. An estimated 8.8 billion sensitive credentials were exposed by breaches in May 2020 alone, per ITgovernance.co.uk. When used in credential stuffing attacks (exploiting the too-common practice of password reuse across applications and websites), cybercriminals can often make their first successful steps inside an organization, where social-engineering attacks can be employed to further escalate their privileges and access to sensitive systems and data.
• The sheer volume of messages (SMS, chat, email, voice, collaboration app, etc.) that a typical worker must process every day. The law of averages, fatigue, and deadline pressures practically guarantee that somebody, somewhere is going to make a mistake and click on a link or open an attachment that they shouldn’t.
• The difficulty that many organizations, particularly SMBs, face in trying to keep up with the cost and complexity of a complete cyber protection regime, including backup, behavioral anti-malware, vulnerability scanning, patch management, URL filtering, security configuration management, and other planks of a solid defense-in-depth strategy.
• The industrial scale and ingenuity with which modern cybercriminals prosecute their attacks, from cheap, effective ransomware-as-a-service operations to the clever introduction of malware into companies via a variety of tactics, from carefully crafted and targeted phishing emails to giveaways of malware-delivering USB sticks and cables.
How to stop phishing attempts
Businesses and public institutions seeking to defend themselves against the current onslaught of social engineering attacks should follow some best practices and recommendations from the world of cyber protection:
• Reduce access to privileged accounts, and add multi-factor authentication to them first if not throughout the organization
• Monitor users, applications, and networks for anomalous behavior, including suspicious failed logon attempts and uncommon network traffic patterns
• Conduct regular security awareness training, including exercises that test users’ ability to spot phishing emails and voice attacks, and don’t forget to include price targets like your C-suite executives
• Assume that eventually a social-engineering attack will get through, develop a cybersecurity incident response plan, and rehearse its execution it regularly
• Make sure that any employee authorized to transfer major sums of money is regularly briefed on tactics like whale phishing, voice impersonation, etc., and equip them with additional measures for out-of-band verification of payment instructions
• Consider shrinking the social-media footprint of privileged executives like your CFO to limit intelligence-gathering opportunities for black-hat social engineers.
As with any cyberattack, no single solution will ever be enough to fend off the phishers or overcome the susceptibility of humans to the wiles of modern social engineering. Businesses must deploy defense-in-depth solutions that reinforce the weakest link in the attack chain (i.e., people) and buttress them with AI-enabled countermeasures and automation to detect, contain, and recover from phishing-based incursions.