Lots of people these days are talking about cybersecurity. To many people, this conjures images of hackers delving deep into computer code to unearth and exploit systematic weaknesses. The reality is that many of the most successful cyberscams rely not on the weaknesses within a computer system but on the weaknesses of human beings. For example, the John Podesta email hack was a social engineered spear phishing attack.
Known as social engineering attacks, these scams use a number of methods to trick company employees into granting the hacker access to a network, giving up proprietary information, or even occasionally taking action against a company’s interest. In 2015, these attacks became the most popular way hackers chose to try and exploit company systems. READ MORE: Social Engineering 101, An Introduction
Generally, Social Engineering attacks breakdown into a few different categories:
- Phishing: Phishing attacks use a variety of different means to trick users into giving out username and password information or other log-in credentials to unauthorized individuals.
- Trojans: Trojan attacks involve tricking people into either clicking on website links or downloading documents that contain malware and will infect the user’s computer. Often the malware will then infiltrate the rest of a company’s network once downloaded.
- App Attacks: A number of applications available for mobile devices that use either Android or iOS come with malware attached that can use the device’s connection to wireless networks to steal log-in credentials or create backdoors. Apple had to remove 300 such apps from the App store in September 2015 and one study found over 12,000 infected apps capable of running on the Android mobile operating system.
- Business Email Compromise Attacks: Perhaps the most sophisticated and most expensive type of attack, BEC attacks involve scammers attempting to impersonate a high ranking company official - normally either the CEO or CFO - over email to convince an receiver to wire money to an account. These attacks have made the news multiple times over the past year or so, with Ubiquiti Networks losing $39 million in one attack and BitPay losing $50 million in another.
Social Engineering Works Because It Bypasses Machines
Companies who want to stay ahead of the game on cybersecurity need to do more than secure their IT systems from mechanical exploits. They also need to protect against weaknesses that arise from the human element in those systems.
There are a number of steps companies can take to mitigate these attacks:
The more employees know about popular forms of attack, the more likely they are to spot an attack as its happening and therefore, the less likely they are to fall for them.
Employees need procedures to fall back on when faced with the pressure that can come from some of these attacks. For example, a popular method of attack involves posing as an external auditor asking questions about data security or similar issues. An employee trained to verify all such requests with a manager before giving out certain information is far less likely to cause a security breach when faced with this type of attack.
Companies need to keep both themselves and their employees up to date as the cybersecurity landscape changes and perform regular checks to ensure their policies are effective and being followed.