Social Engineering: 11 tips to avoid the risk
By Helen C
Imagine your business has had a cyber leak and you have lost the data of nearly 70,000 customers exposing them to the risk of social engineering. The cause of this is most likely human error and the hole in your security system has been ominously lurking, unchecked, in cyber space waiting for the moment when an opportunistic cyber criminal will attack.
Case Study: Welsh Rugby Union
That is exactly what happened to the Welsh Rugby Union (WRU) this week, which allegedly had a hole in its security system that was exposed by cyber criminals. The hole was a publicly accessible Amazon Web Services (AWS) Simple Storage Service (S3) bucket. An S3 bucket is locked and private by default, but it can be made publicly accessible with very little prompting from AWS about the change being made or the potential impact that change could have.
Misconfiguring the settings on an account, often a human error resulting from an absent-minded click or uncertainty about what to click, creates holes in cyber security which can then be exploited. Data suggests that 95% of all data breaches result from human error, but investigations into the cause of this hole in the WRU’s security are still underway.
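The misconfiguration described above, a bucket policy that grants access to everyone while the bucket's public access blocks have been switched off, is something a periodic review job can catch offline from exported settings. The checker below is an added example, not code from the article or from AWS; the bucket name, ARNs and the account id 123456789012 are constructed placeholders, and the only AWS semantics it relies on is that an S3 bucket is exposed when an Allow statement names the wildcard principal and RestrictPublicBuckets is off.

```python
import copy

# Added example, not code from the article or from AWS. Bucket names, ARNs and
# the account id 123456789012 are constructed placeholders.
# Settings a new bucket receives: all four public-access blocks switched on.
DEFAULT_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}
# The "absent-minded click": every block switched off.
DISABLED_PUBLIC_ACCESS_BLOCK = {k: False for k in DEFAULT_PUBLIC_ACCESS_BLOCK}
# Constructed policy granting the whole world read and list on the bucket.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-members", "arn:aws:s3:::example-members/*"]}]}
# Same grant, but only to one role in the owning account.
HARDENED_POLICY = copy.deepcopy(EXPOSED_POLICY)
HARDENED_POLICY["Statement"][0]["Principal"] = {
    "AWS": "arn:aws:iam::123456789012:role/members-export"}

def _principals(stmt):
    """Normalise Principal ("*" or {"AWS": value-or-list}) to a flat list."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [v for vals in p.values() for v in (vals if isinstance(vals, list) else [vals])]

def policy_allows_anonymous(policy):
    """True if an Allow statement names the wildcard principal with no Condition.
    Conditional wildcard grants are skipped here and should be reviewed by hand."""
    return any(s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s
               for s in policy.get("Statement", []))

def bucket_is_public(policy, public_access_block):
    """RestrictPublicBuckets makes S3 ignore public grants in a saved policy,
    so exposure needs both an anonymous grant and that block switched off."""
    if not policy_allows_anonymous(policy):
        return False
    return not public_access_block.get("RestrictPublicBuckets", False)

def audit(name, policy, public_access_block):
    """One finding per bucket, the shape a periodic review job would emit."""
    disabled = [k for k, v in public_access_block.items() if not v]
    return {"bucket": name, "public": bucket_is_public(policy, public_access_block),
            "blocks_disabled": disabled}

if __name__ == "__main__":
    print(audit("example-members", EXPOSED_POLICY, DISABLED_PUBLIC_ACCESS_BLOCK))  # public: True
    print(audit("example-members", EXPOSED_POLICY, DEFAULT_PUBLIC_ACCESS_BLOCK))   # public: False
    print(audit("example-members", HARDENED_POLICY, DISABLED_PUBLIC_ACCESS_BLOCK)) # public: False
```

The second case shows why the default blocks matter: the same world-readable policy is harmless while RestrictPublicBuckets stays on, so a review should alert on the blocks being disabled, not only on the policy text.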
Reports suggested that the exposed information held 1419 text files holding the personal details of 69,317 of WRU’s members. These are the fans who have subscribed to the WRU, who support and maintain the Union by purchasing memberships which provide perks such as exclusive content and priority tickets for matches.
Inconvenient timing
In a discussion with BBC Wales Scrum V two weeks ago about the state of the sport this season, former Wales centre Tom Shanklin stated: “We have to be careful at the moment otherwise we are going to have fans turning away from watching rugby and they are going to be finding another sport.”
With a string of defeats under their belt, the timing of the WRU cyber attack could not be worse. That’s the problem with a cyber attack though, you never know when it will happen and the impact it can have on a business can be catastrophic.
What can happen to a business?
- Loss of sales
- Loss of customer faith
- Loss of customers
- Long and short-term damage to reputation
- Negative feedback across social media and media channels which can be difficult to manage
- ICO fines
- Business closure
Although business closure is an extreme outcome, it is possible if fines are imposed and consumers lose complete faith in the business. The average cost of a cyber-attack in the last year is estimated to be £1,100 for a small business and £4,960 for a medium or large business.
Imagine having to release a statement to your customers to reassure them that their data is safe now to mitigate the damage of a cyber-attack. The WRU statement said: “No other vulnerabilities or suspicious activities have been found in WRU systems after a thorough review of all systems and processes.”
As a business, it is better to follow procedures and keep data secure through regular reviews and by having good cyber security protocols and tools in place to protect the confidential data you hold. The importance of good cyber hygiene cannot be emphasised enough. Offering reassurance to customers that their data is now safe is positive, but for the customers who have had their data stolen they could now be facing cyber security threats of their own.
Although there are many different types of cyber-attack which could occur following a data breach, in this situation members of the WRU are most likely to be facing the threat of social engineering.
What is social engineering?
Social engineering is a manipulative tactic used by cyber-criminals to exploit people in a non-technical way. Attackers often exploit people into performing tasks, such as transferring money from their bank account, by conning them into believing they are talking to someone they can trust such as a bank manager or even friend. People are duped into breaking their own security practices during this kind of attack which plays on psychology and human emotion.
The types of data leaked in the WRU attack included email addresses, phone numbers, names and dates of birth; personal information which could be used by cyber criminals to convince unsuspecting victims that they are legitimate. Effectively modern-day con artists, attackers armed with confidential personal information can successfully dupe people into opening emails containing malware, con them into sending money, or even get them to divulge confidential business information.
The key danger with social engineering is that it enables an attacker to gain legitimate and authorised access to confidential information by employing tactics which play on human emotion.
To click or not to click; would these emails fool you?
Social engineering attacks are designed to be compelling and draw you in. Let’s look at a few examples of what may be used to emotionally grab your attention and call you to action.
An email from the boss
You could receive an email from your boss asking for information which you know should not be shared and seems uncharacteristic but looks legitimate. You may be asked to not follow protocol and chances are if you think it is from the boss you will feel emotionally compelled to do what is asked in order to retain job security.
An urgent call for help
An old friend needs money for a treatment which is not provided on the NHS, you were once close but have lost touch and you did know this person. Out of kindness you act and provide bank details to an account you are directed to, but in reality this is not a friend, but a criminal.
A trusted business who email you often
You often interact with this business and the email looks just like the others you have received before, so you open it. You ignore that uncharacteristic, small insignificant typo or overlook the name that you don’t recognise within the company. You are asked to provide personal information in order to complete verification and do so unwittingly because you trust the business. This was not the business, but rather an attack.
You have won
You receive an email telling you that you have won something, even though you can’t remember entering a draw, but the address seems legit, and you are excited to have finally won something. All you need to do is provide personal details and your bank account details and the prize will be yours.
You may think that you wouldn’t respond to the types of email described above and that your staff know better, but the tactic of appealing to your emotions is successful. The National Cyber Security Centre (NCSC) state that some professional hackers have skills similar to those of capable actors. It is predicted that social engineering attacks will continue to increase in number, particularly with the rise of AI as a tool for criminals to utilise.
9 different methods of social engineering
1: Baiting – where the intended victim is engaged by the offer of something tempting to them such as a free or discounted product.
Conflict creation is the emotional device used by criminals here and it takes many forms. There is no limit to their creativity. Exploits will take multiple hues and while you might not realize it until it’s too late, criminals may be socially engineering you to take steps that will be detrimental to your data.
3: Phishing – This type of scam occurs when an individual or business is approached by email from a business which looks legitimate but actually isn’t. They will be conned into providing confidential details.
4: Spear phishing / Whaling – Targeting specific individuals or companies with personalised emails which will request personal information or install malware on your system when opened.
5: Pretexting – Presenting a plausible scenario (the pretext) designed to convince victims to share their personal data. This plays on the human emotions of the victim.
6: Honeytrap – Specifically targeting those who are looking for love online. They create a fake profile to engage with victims and then extort money and personal information from the victim.
7: Quid Pro Quo – The attacker requests sensitive information from the victim in exchange for a service the victim needs or wants, then uses that information or sells it on.
8: Smishing – SMS messages are used to engage a victim by asking them to click on a link which looks like it is from a reputable source.
9: Business Email Compromise (BEC) – The attacker poses as a trustworthy individual within the company who is allowed to deal with financial matters.
Although this list of social engineering attacks may leave you feeling a little unnerved, don’t worry as we are now going to share some of tips to protect yourself and your business against social engineering.
11 tips to protect against social engineering
There are many steps you can take to prevent social engineering affecting you and your business, some may seem obvious but it is surprising what an email which exploits your emotions can get you to do in the heat of the moment.
1: Pause
Firstly, when an email comes in that has that sense of urgency and requests immediate action, don’t respond. Stop for a moment and take a pause. The few minutes you take to calm your emotions are exactly what cyber criminals bank on you not taking. Read the message carefully, and never break with policy or procedure or do something rash. Read and validate any information before sharing personal information that belongs to you or the company you work for.
2: Have policies and procedures
All businesses should have policies and procedures in place for staff to follow when accessing confidential data and they should always use secure mailboxes which can be monitored. Procedures around the storage of passwords, where information can be accessed and by which staff members and how suspicious emails should be managed are all key to protecting your business online. Advise staff to never break with procedure.
3: Install Updates
Failing to install updates as they are provided can leave your system with holes where cyber attackers can get in and gain access to your confidential data. Keeping your systems fully updated is an essential part of any cyber security strategy.
4: Research that email
If an email looks suspicious, put it in a sandbox if you have one; if not, do a little research. If you don’t recognise the name on the email which appears to be from a trusted source, research will help you to ascertain whether you should trust this email. If you can find a phone number for the person or company, pick up the phone and ask to speak with the sender to see if they sent the email.
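Tips 1 and 4 boil down to a few checks you can make before acting: does the sender's domain really belong to the business you deal with, does a reply go somewhere else, and is the message pushing urgency or asking for credentials? The script below is an added example, not code from the article; it runs those checks over a constructed message, and TRUSTED_DOMAINS is an assumed allow-list standing in for the senders you already correspond with.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Added example, not code from the article. Messages and domains below are
# constructed; TRUSTED_DOMAINS stands in for the senders you already deal with.
TRUSTED_DOMAINS = {"example-bank.co.uk", "our-company.example"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now|will be suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|bank details|account number|card number)\b", re.I)

def _one_edit_away(a, b):
    """True when a differs from b by one dropped, added or swapped character."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw):
    """Return the reasons this message deserves a pause; an empty list means none found."""
    msg = message_from_string(raw)
    flags = []
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    if sender not in TRUSTED_DOMAINS:
        look = next((t for t in TRUSTED_DOMAINS if _one_edit_away(sender, t)), None)
        flags.append(f"sender domain {sender!r} not trusted"
                     + (f", looks like {look!r}" if look else ""))
    reply = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != sender:
        flags.append("Reply-To goes to a different domain than From")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text):
        flags.append("urgency language")
    if SENSITIVE.search(text):
        flags.append("asks for credentials or bank details")
    return flags

# Constructed lookalike: one letter dropped from the trusted bank domain.
SUSPICIOUS = """From: Example Bank <alerts@exmple-bank.co.uk>
Reply-To: verify@mail-reset.example
Subject: URGENT: confirm your details within 24 hours

Reply with your password and bank details or your account will be suspended.
"""
print(triage(SUSPICIOUS))  # four flags, starting with the lookalike sender domain
```

A message that raises any flag is the one to put in the sandbox or confirm by phone; a clean result is not proof of legitimacy, only the absence of the obvious tells.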
5: Strong passwords
If you have a weak password a hacker is more likely to be able to gain entry to your information. Strong passwords which are a combination of at least 20 characters containing numbers, symbols, upper- and lower-case letters are a must.
6: Use multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a must for individuals and businesses, as it means that anyone trying to get into an account containing your confidential information needs more than one piece of evidence from you to gain access.
7: Don’t download unknown documents
If you don’t know the source of the information you are being asked to download, don’t click on it. Always only download documents from trusted sources.
8: Free is not a word you should trust
If it is free the general rule of thumb is to avoid it, particularly if it has appeared in your inbox unprompted and you have not verified the source yourself.
9: Don’t click if you think you know them
If you receive messages from people you think you know, again don’t share your confidential information, no matter how compelling a reason they give for contacting you. Do a little research to be sure they are who they say they are and genuinely someone you knew reaching out.
10: Winning something is unlikely
If you don’t remember entering a competition, don’t click on the link that says you have won something, as the odds are it is not legitimate. Laugh at the crazy attempt this hacker is making to fool you and delete the message.
11: Sandbox
As part of an email security service for your business you may have access to a sandbox, a self-contained environment where attachments are opened and checked automatically before they reach you. If an attachment opened in the sandbox contains malware, it stays contained and does not spread to your computer. Opening the attachment there also does not expose its contents to anyone else, so it is a secure and sensible way to safeguard against accidentally clicking on a malicious attachment.
Conclusion
The government recommends that robust cyber hygiene policies are implemented by businesses of all sizes and by individuals. Its 2024 report shows that a startling 50% of all businesses in the UK have reported some kind of cyber-attack, so it has never been more important to educate yourself and your teams on the importance of following good cyber practices.
Remember, social engineering plays a part in 98% of all cyber-attacks, so whether you are a business or an individual it is important to stay vigilant and be cyber secure.
If you are unsure about how to safeguard against social engineering, we can help with practical advice and guidance, so why not give us a call on 03303 130966 to chat with one of our friendly team.