- hello@group8.co
- 12 Marina View, Singapore
As the digitisation of society continues apace, many companies realise the need to invest heavily in cybersecurity technologies and measures to safeguard their essential data.
However, regardless of how advanced and up-to-date an organisation’s cybersecurity infrastructure may be, there remains an imperfect human element to its overall cyber defence programme that is difficult to account for. And cybercriminals can often exploit this element via psychological manipulation to obtain or compromise classified information about a company and its computer systems – this is known as a social engineering attack.
While there is no sure-fire method to guarantee you and your employees do not fall victim to a social engineering attack, there are ways you can mitigate the risks. To help you, we have shared below the common types of social engineering attacks to look out for and the steps you can take to outsmart their instigators.
Phishing is the most conventional social engineering attack, in which threat actors disseminate emails and text messages with content that elicits fear, curiosity or panic in users. This is meant to trick employees into disclosing sensitive information or opening email attachments that contain malware or links to malicious sites. This attack comes in many forms, including spear phishing, whaling, and Business Email Compromise (BEC). Phishing has gained a considerable uptick in cases during the COVID-19 pandemic, leading to many data breaches worldwide. A recent and notable example of phishing in Singapore is OCBC Bank’s case in December 2021. Scammers pretended to be the bank in their text messages and swindled Singaporeans out of around $13.7 million.
Baiting involves threat actors triggering the interest or greed of individuals and causing them to divulge their security details or download malware inadvertently. For instance, a person may be baited by a ‘free giveaway’ or deceived by a fake website that steals their login credentials, resulting in severe consequences. In 2020, the Singapore Police Force (SPF) noticed a spike in baiting cases that took the form of fake cash giveaways linked to COVID-19 government payouts. When victims of the baiting campaign unwittingly shared their Internet banking information with scammers, their bank accounts were hacked and used to make illicit transactions.
Threat actors execute this attack by adopting an attractive persona and pretending to be romantically or sexually interested in their victims to get them to yield sensitive information. Malicious entities may also intend to mislead victims into wiring them much money; this form of social engineering attacks typically begin as innocuous-looking messages that can result in massive system compromises for both individuals and organisations.
Scareware is a cyber-attack that first presents pop-ups or other notifications claiming that users’ systems are infected with viruses and require critical security updates. Victims are then persuaded to go to fraudulent sites that contain these ‘updates’ or purchase software solutions they believe have value but are useless or malware themselves. There are instances where scammers can also steal victims’ credit card information through scareware.
Most social engineering attacks can be thwarted with proper employee training. But there are also plenty of other ways you can protect your organisation and yourself from such attacks further, starting with the following:
Due to the constant data breaches that occur nowadays, your login credentials may be exposed at any time and used by threat actors to gain access to your accounts. Hence, besides practising good password hygiene, implementing 2FA is essential to protect your private data.
Two-factor authentication (2FA) is another layer of security on top of the usual username-password verification method. An account protected by 2FA is considerably more challenging for hackers to enter since it typically requires users to key in a one-time password (OTP) via text or to pass a biometric challenge on a personal device before allowing them access.
No application is entirely secure, and vulnerabilities unknown even to their developers could arise at any time, as exemplified by the infamous Log4Shell software bug. These issues are addressed by security patches as soon as they are detected to prevent cybercriminals from exploiting them. As such, security patches are essential, especially against social engineering attacks that attempt to sneak viruses into your devices. Their updates must be installed as quickly as they are available.
Penetration testing, or conducting a simulated cyber-attack on your organisation’s system to identify its weak points, is one of the most effective ways to defend against social engineering attacks. Suppose the penetration testing firm succeeds in using social engineering to endanger any of your critical systems. In that case, you can then identify the specific types of social engineering attacks your business is prone to and work on eliminating the weaknesses in its cybersecurity programme.
Phishing scams, one of the most common types of social engineering attacks, generally use emails or Short Message Service (SMS) texts as their means of attack by impersonating a trusted entity, such as a representative from your bank, your boss at work, or an online store you frequent.
Do verify the email sender’s identity by reaching out to the organisation or person they claim to be through their official contacts and confirming whether they sent the email. Moreover, carefully check the details of the email and SMS you received, such as the sender’s email address and their manner of writing, to see if they are genuinely whom they claim to represent. It is also best to avoid clicking on any unknown links before doing the above checks.
Social engineering attacks fundamentally take advantage of flaws in human judgment to work. Thus, attackers collect as much information about their targets as possible to improve their chances of entrapping them. And in this digital age where social media has become an irreplaceable part of people’s lives, collecting such data has become much easier than before.
As such, pay attention to your digital footprint and be mindful of what you post on the Internet. For instance, if you upload your resume online, it may be best to remove your contact number and residential address from it. Such information is precious to attackers planning to execute a social engineering attack.
With multiple companies beefing up their cybersecurity infrastructure to safeguard their assets against rising cyber-attacks, many cybercriminals depend on human error to access organisations’ confidential information.
Therefore, you must ensure you and your employees are well-educated on the various forms of social engineering attacks so that your business will not fall victim to these ploys. Additionally, you may want to consider equipping your business with adequate cybersecurity measures to mitigate the risk and damage of a social engineering attack.
At GROUP8, we understand the need for a robust security infrastructure to allow all businesses, big or small, to be in control. As such, we provide a suite of cybersecurity solutions, including penetration testing services, that can be tailored according to your business needs. Do not hesitate to reach out to us at hello@group8.co to learn more.