Bradley Sing

Bradley Sing is currently Technical Consultant at Mimecast where he has been since November 2016. Bradley has been working in the technology industry for almost four years and draws on his previous experience to help align customer business needs with the technical solutions that Mimecast provides, which ranges from product demonstrations to help documenting processes and aspects of products. Prior to his role at Mimecast, Bradley worked across the web hosting & domain name industry in Australia, working for Melbourne-based web hosting startup Hosting Australia and previously Melbourne IT Group.


For all the protocols, the firewalls and the bots, much cybercrime comes down to one age-old question: how can one human fool another?

Social engineering, in which attackers try to trick their targets into sharing confidential information, has always been with us in one shape or another. But today’s attackers are using new techniques to increase the volume and sophistication of their attacks. Social engineering attempts leave fraud, ransomware and reputational damage in their wake, and they’re getting worse every year. Let’s take a look at the history of social engineering, discuss why threats are on the increase, and outline what your organisation can do to fight them.


The scale of the social engineering threat

Phishing emails (known as Business Email Compromise attacks when they target an organisation through its employees) use social engineering to commit fraud. The Australian Cyber Security Centre (ACSC) received 4,600 reports of Business Email Compromise (BEC) attacks in the last year, a slight decline on 2020’s numbers. But, tellingly, the average loss per incident rose by 50% to over $50,600, as criminals became better at exploiting breaches.

A 2021 survey of Australian and New Zealand businesses found that 70% expected an email-borne attack to damage their business in the next year, with half noting the growing volume of attacks and almost two-thirds flagging their increasing sophistication. So why is the threat on the rise, and why is so much social engineering carried out via email?


Social engineering, the Garden of Eden and the Eiffel Tower

The methods may change with time, but social engineering runs through history and literature like graffiti. Think of the Bible, in which the Devil convinces Eve that God is keeping the best fruit for himself, or the Trojan Horse, in which Odysseus filled a giant wooden horse with warriors, then left it outside the gates of Troy as a “gift”.

Since then, scammers have evolved side-by-side with technological progress, using everything from rigged scales and fake religious artefacts to counterfeit banknotes. In the 1920s, con man Victor Lustig even sold the Eiffel Tower to gullible scrap metal dealers – twice. But whatever tools they used, the principle was the same: trick people into doing something that benefits the scammer. Limited by the technology of their time, though, these scams were not easy to scale. They generally relied on direct interaction between the scammer and the victim. That is, until the arrival of the internet.

Why email is today’s biggest threat

Email became widespread in the 1990s, and scammers soon piled on this new frontier. Previously, a criminal usually had to meet, or at least speak to their victim – Lustig’s “commandments” included listening patiently and dressing smartly. But as email has surged in popularity, scamming has hit a new high:

  1. Email means social engineers can keep their distance, reducing the chance of getting caught

  2. “Tells” that might be observed in a physical meeting are far less of a risk, and spoofed domains make impersonation easy

  3. Emails can be sent to many users at once – now a startling three billion are sent every day. Most will be binned – there can’t be many of us who haven’t received an email from a desperate Nigerian prince at some point in our lives – but only one has to stick for the scammer to get a good return.

  4. The rise of email has coincided with the rise of connected networks, rapid bank transfers and easily transferable data, making it easier for scammers to get their hands on cash or data

Social media is making attackers’ jobs even easier

Some phishing attempts (like the Nigerian Prince scam) rely on an indiscriminate bombardment of thousands of emails, but those targeting bigger fish rely on inside information to win their victim’s trust. Twenty years ago, that might have involved scouring websites and reference books, calling receptionists to check someone’s job title or poring over the trade press for news of major projects. Today, scammers don’t have to do the legwork because we do it for them.

An employee might tell the world their holiday dates on Instagram, share videos of their last conference speech on LinkedIn, describe their life story on Facebook or shout out to a new colleague on Twitter. All these pieces of information can supply “ins”, helping scammers build a picture that can trick even the most experienced staff members. BEC attackers typically tap into existing workflows or familiar contacts to encourage key employees such as executives or accounts staff to act without thinking, or create a sense of urgency to hustle otherwise sensible workers.

If an account is hacked, problems can quickly mount up. Many individuals use the same password across multiple platforms; others use their Google or Facebook profile to access other applications. One hack can provide a world of data, while SIM-swapping attacks now allow scammers to evade Multi-Factor Authentication (MFA) and access multiple accounts.


Deepfakes can fool even the wary

Social engineering attacks evolve as technology does, which is why the latest modes of attack are so disconcerting. Deepfakes, in which video or audio is manipulated by AI to impersonate someone’s voice or online appearance, are getting more sophisticated all the time. Creating deepfakes generally requires video and audio, and the technique is not yet widespread, but the threat is growing.

Just ask the FBI, who warned in March that, “Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.” Doctored voice messages or video recordings might be used to ask for funds to be released or for you to reset your password, and can also be used to circumvent verification techniques that rely on face or voice recognition.

Social engineering attacks are using COVID-19 as cover

Cybercriminals love nothing more than an opportunity, and the pandemic has given hackers more chances to make money. The increase in remote work makes it harder for cybersecurity teams to effectively secure a single perimeter. Workers may also be less familiar with each other and be more reliant on online tools.

The last two years have also seen some scammers ask for gifts (often via bogus e-vouchers, which have long been a profitable stream) for the sick or bereaved. As more and more people shopped online and used government portals for safety advice, the rip-off merchants followed. But this trend isn’t just about COVID-19 – it’s about nimble, strategic attackers who will exploit whatever circumstances come to hand.

How to fight back

Thankfully, with a few basic measures, individuals and organisations can protect themselves against the majority of social engineering attacks, even as they grow in scale and sophistication.

Both the Australian and New Zealand governments offer valuable tips for individuals. Key measures include:

  1. Turn multi-factor authentication (MFA) on for all accounts

  2. Read emails carefully and do not click on unusual links or attachments, especially on mobile

  3. Look for the padlock or unbroken key symbol on your browser window when evaluating a website

  4. Check the privacy settings on your personal and business social media accounts


Organisations looking to minimise the risk of phishing attacks should:

  1. Run frequent security awareness training

  2. Consider marking external emails with a subject line tag (such as “[External]”)

  3. Use DMARC to fight spoofed emails

  4. Reward employees who spot and report email scams

  5. Keep email filters and firewalls properly configured and updated


How to survive social engineering attacks

The history of social engineering shows us that attackers are constantly on the lookout for new ways to exploit their victims, and that some attacks will succeed. New opportunities, such as social media and deepfake videos, will help scammers find new victims. And as we all become more used to generic BEC attacks, it’s likely we’ll see a rise in spear-phishing attacks that use data to target specific individuals.

There’s no silver bullet for social engineering scams, but a well-rounded defence will dramatically reduce your chances of getting stung. A successful strategy will mix technological solutions such as firewalls and DMARC with frequent and engaging awareness training. Doing so will limit the number of attacks that reach employees, and help them spot the BEC emails that make it through. Companies that keep their eyes open and can adjust their security posture in the face of new threats have the greatest chance of escaping unscathed from social engineering scams.
