Social Engineering: How can Companies Protect Themselves?

Social Engineering: Over 70 percent of all cyberattacks result in less hardware or software as the primary target, but try to obtain sensitive information through targeted manipulation by humans and thus carry out further attacks.

This is because well-protected servers are much more challenging to compromise from the outside than to take advantage of employees’ conscious or unconscious assistance.

The attackers’ goals are usually:

• Industrial espionage
• Damage to image or reputation
• Identity theft
• blackmail
• Access to further data structures.

Even if the exact methods are not always known, as criminal experts mostly do not publish their techniques, various manipulation bases are known that are used. In most cases, social engineering attacks attempt to exploit people’s emotions and thus artificially evoke fear, joy, happiness, or satisfaction.

Due to the pretended urgency of the alleged concern and the limitation of the time to act, the victim is put under pressure and made to act rashly.

Phishing and Spear Phishing

We all know poorly written phishing emails with spelling mistakes and impersonal salutations. Unfortunately, the present looks partly different, but the future is almost certainly distant. With more individual spear-phishing attacks, criminals try to trigger targeted actions or to obtain information. Through prior research, individual attacks are carried out that appear much more realistic than phishing campaigns sent in bulk. Such attacks are no longer only carried out by shrewd individuals. As the last wave of the EMOTET Trojan showed, malware is becoming more and more intelligent.
With so many social channels requiring schedule template frequent posts,

Let’s go into a thought experiment. I can find out a great deal of information about companies and individuals through social networks and other publicly available sources. With this information, I can prepare a targeted spear-phishing attack that cannot be easily detected. But meanwhile, Malicious software is able to evaluate information and use it for automated attacks. This development is worrying and will keep us busy over the next few years.

Voice Phishing, Shoulder Surfing, and Company

The tactics beyond the usual email phishing are becoming more and more pronounced and professional. In the future, we will not only experience attacks via the “e-mail” channel.

Social networks and team communication tools of the remote work age, such as B. Microsoft Teams and Slack or video conferencing software, are increasingly becoming criminals’ focus. I still remember my last long train trip on the ICE from Hamburg to Leipzig in 2019. A middle manager from a German DAX company sat in the compartment and held a meeting on strategic directions and budget planning that everyone could hear. Without reaching into the social engineering bag of tricks, I was involuntarily fed sensitive company information.

Strict guidelines and awareness-raising measures could easily prevent such a meeting with potentially harmful effects. Just like a privacy film protects the people sitting next to you from looking. However, due to the increase of the corona pandemic, we are also seeing increased use of voice phishing on employees working from home. The person receives a series of calls. A common example calls from the IT department. They want to configure the VPN access correctly in order to protect the person in the home office. The attempt is then made to trick the person into giving access data on the phone or entering it on a fake VPN portal.

How can Companies Protect Themselves?

The company can protect itself in several areas. Unfortunately, it often happens that measures are only taken after an attack has already been successful in practice. While monitoring and evaluating attacks are critical, preventative measures must be taken to reduce the likelihood of a successful attack.

On the one hand, clear communication channels must be set up and the value of the information classified. Even in their sleep, all employees must know which information can be passed on to which groups of people. Only in this way can the action’s security be consolidated, and the level of protection increased. On the other hand, people need to be able to identify and classify threats. This is achieved through sustainable awareness-raising and training measures.

The more often people are confronted with situations using examples or exercises, the more confident they will be in dealing with them. However, people can also significantly protect themselves by following the steps below because social engineering attacks thrive on the information that criminals can collect beforehand about the victim.

The data economy is not only a principle of the current data protection regulations but also a principle of our everyday digital life. Only the necessary information should be posted on social media. Besides, special care should be taken when inviting strangers.

Also Read: Backup Software – Protective Wall or Gateway?