Social Engineering is the use of deception or psychological manipulation of people into performing actions or divulging confidential, personal information that may be used for fraudulent purpose.
This article focuses on creating a basic awareness that outlines different social engineering methods and gives the reader a basis on how to protect themselves against social engineering attacks in the rise of remote work. As cybercrime continues to rise, the innovation in IT security technology is increasing and driving ease-of-use and effectiveness and also representing great value. And, true to the nature of technology, these attributes will continue to increase with time. As cyber security professionals are finding ways to protect against old techniques, cybercriminals are also working so hard on the other hand to create solution that enhances their operations in other to infiltrate business defences.
Cyber-attacks, perhaps more so than any other type of crime, follow trends and one of the most prevalent trends in cybercrime in the world right now is social engineering and psychological attacks which may also be referred to as, human or emotional hacking. According to Steve Morgan, editor-in-chief of Cybercrime Magazine, published in November 2020, “cybercrime is expected to cost the world $10.5 trillion annually by 2025!”
Social engineering attacks are typically more psychodynamic in nature than they are technologically. Instead of using sophisticated hacking techniques or in-depth knowledge of computers, they rely on tricking people into giving away information using psychological and deceptive techniques, and the rise of remote working due to the covid-19 pandemic has created the easiest access point for cybercriminals to carry out their attack smoothly.
According to the 2021 Cyber security breach report, 80% of the successful attacks was due to Human and not technology and Social Engineering was the successful approach for carrying out this attack.
So what make Social Engineering a very effective attacks and why is very easy to target people and compromise a system or a company more easier, instead of spending long time trying to attacks technology with no results.
Information: Security awareness is the main part of any cyber security program for all kinds of an organization; however it seems that Information Security awareness is not enough to alleviate human risk according to the 2021 cyber security breach report. So what is the main flow in human awareness?
Hackers follow two (2) different approaches to conduct a Social Engineering attack, Intimidation, and enticement.
Intimidation: This technique depends on threatening the user by an action that would be taken against one of his important assets like his email account or Social Media Account by convincing the user that his computer activity is monitored and logs are captured and will be sent to his contacts, and they way is much more successful if it would be associated with the evidence.
For example, the scammer tries to convince the user that his email account will be blocked due to utilization of storage, since user email is a very important asset used to follow up with his activity or login to his social media accounts or bank accounts. So if the user loses the email, it will for sure affect him and this is the point the hacker focus on.
Enticement: This is a different techniques that depend on promising the victim with a big fortune and a large amount of money and try to convince the victim with a story about corruption or money laundry. This technique is kind of old and was used in the beginning as a scam to get money from the victim but the technique has been developed to be used for phishing or system compromising by attaching a malicious file to the email as a proof of the story.
Another technique is the email coming from an official entity like a post office or IRS or any entity that will provide some kind of trust to the victim and convince him to click on the link to know about a package that was shipped to him/her or an IRS report with the tax return.
Solution:
From the use cases I showed above, human is still the weakest link of the security chain and conducting awareness session is not enough, as many employees attend to email and messages without giving proper attention which is mandatory in most companies as pressure often detract employees. It is important to evaluate awareness effectiveness by doing a questionnaire and reporting the results to the managements so that they will give attention to the subject also if possible to conduct social engineering campaign to employees after the annual awareness campaign.
Read also: Cybercrime: FEC approves N1.8bn for equipment to detect fraudsters
Device protection should include remote management features that eliminate the need for user input or behavioural modifications. Real-time antivirus, browser and application protections, and the host of defences standard with most high-quality solutions, are essential.
Password management applications should work seamlessly across mobile device platforms, and the enterprise should sponsor software purchases and training for all employees. Automatic updating and patching of operating system software and other, vulnerable third-party applications such as Adobe and Java. Increasingly, collaborative threat intelligence resources are coming to bear for actionable, real-time, pre-emptive defences.
Algorithms will increase in effectiveness and application to predict and defend from future threats as they adjust and evolve. An organization should also adopt the use of KPI (Key Performance Indicator) to measure the effectiveness and attendance of the awareness. In addition to device protection, each individual device should have a VPN, or Virtual Private Network, for automatic encryption of Internet traffic. A good VPN will protect the user’s identity, location, browsing, shopping, banking, and all information transacted online, including over public WiFi networks.
Any business, whether a commercial enterprise or a non-profit business, would understand that building a secure organization is important to long-term success. When a business implements and maintains a strong security position, it can take advantage of numerous benefits. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in assurance rewards being paid. Treasury departments should also engage staff with these social techniques in a fashion that is relevant to their daily activities in their personal lives, which will dramatically increase awareness and compliance at the workplace.
Additionally, this approach to cyber security strategy positions the enterprise for optimal benefit from the forthcoming acceleration of disruptive innovation in the IT security industry.
Nicholas Ibenu is a Researcher, a former IT System Engineer with BusinessDay Media Limited and currently an Assistant Professor of Information Technology and Cyber Security at Escae-Benin University of Science and Technology.
