NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Understanding Social Engineering

In an era where digital threats are escalating, small business owners find themselves increasingly targeted by cyber criminals. Understanding these threats, particularly social engineering, is crucial. In fact, no matter how much you invest in security applications and policies, your employees remain the most vulnerable part of any network environment. This blog aims to demystify social engineering, shed light on its common forms, and offer strategies for defense.

What is Social Engineering?

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Unlike traditional hacking, it relies on psychological manipulation. Small businesses are often targets due to their limited resources for robust cybersecurity and structured, consistent employee education.

Five Common Social Engineering Threats

1. Phishing

Almost everyone is now aware of phishing, a random, almost scattershot attempt to steal sensitive information through deceptive emails or websites. For example, cyber criminals send an email, text, or other message purporting to be from a reputable source in order to induce individuals to reveal personal information, such as passwords or credit card numbers. Criminals closely simulate the “look and feel” of legitimate emails from the largest retailers or banks (e.g., Amazon or Bank of America) to trick users into clicking on malicious links.

The Colonial Pipeline ransomware attack remains one of the most infamous phishing attacks. In May 2021, through a phishing email, a hacker group called DarkSide gained access to a VPN password, which allowed them to penetrate the Colonial Pipeline network. They stole 100GB of data within two hours, which DarkSide then encrypted and demanded a ransom to release. Colonial Pipeline shut down the pipeline to prevent the ransomware from spreading and paid a $4.4 million ransom, some of which was later recovered by law enforcement. The interruption led to widespread fuel shortages, millions in lost revenue, and damage to Colonial Pipeline’s reputation. (1)
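The two tells described above, a display name that borrows a trusted brand while the real sender domain does not belong to that brand, and a link whose visible text shows one site while the href points to another, can be checked mechanically before a user ever clicks. The following is an added example, not code from the original post or from Dynamic Edge; the sample message is constructed, and the brand-to-domain table is an assumed list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
# Constructed lookalike message for this example (not a real phishing sample).
SAMPLE = """From: "Amazon Customer Service" <billing@amazon-account-verify.example>
To: owner@smallbiz.example
Subject: Action required: confirm your payment details
Content-Type: text/html

<p>Your order is on hold. Please confirm your card:</p>
<a href="http://amazon-account-verify.example/login">https://www.amazon.com/your-account</a>
"""

# Brands the text names -> domain a genuine message uses (assumed list for this example).
BRAND_DOMAINS = {"amazon": "amazon.com", "bank of america": "bankofamerica.com"}

def _host(url):
    # Hostname of an http(s) URL, lower-cased; '' when the string is not a URL.
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""
class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw):
    """Return red flags: brand name in display name without a matching sender domain, and links whose visible URL host differs from the target host."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    flags = [f"display name claims {b!r} but sender domain is {sender}"
             for b, d in BRAND_DOMAINS.items()
             if b in name.lower() and sender != d and not sender.endswith("." + d)]
    parser = _LinkParser()
    parser.feed(msg.get_payload())
    flags += [f"link text shows {_host(t)} but points to {_host(h)}"
              for h, t in parser.links if _host(t) and _host(t) != _host(h)]
    return flags
```

Running `phishing_indicators(SAMPLE)` yields two flags, one for the sender domain and one for the mismatched link; a message whose display name, sender domain and link targets all agree yields none.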

2. Pretexting

Pretexting is a form of social engineering where attackers fabricate scenarios to lure their victims into divulging sensitive information. Unlike phishing, which often uses a broad, scattergun approach, pretexting involves crafting a believable story tailored to a specific target. For example, an attacker might impersonate an authority figure, such as a bank official or tax agent, to extract personal or financial data.

In September 2022, Uber employees were surprised to find an unauthorized user posting in their company’s Slack channel. The intruder had hacked their way into the account and left a message that read, “I announce I am a hacker and Uber has suffered a data breach.” Uber employees, who did not reveal their identities, said that it appeared as if the hacker had breached multiple internal applications and accessed sensitive data. The hacker admitted on Twitter that they gained access to the company’s internal VPN by specifically targeting and then tricking an employee into handing it over. The hacker claimed they were a corporate information technology expert and needed the password. (2)

3. Baiting

Baiting, in the context of cybersecurity, is a deceptive technique where attackers lure victims into a trap using the promise of an item or good. This method plays on human curiosity or greed, enticing individuals to break security protocols. Unlike other social engineering tactics, baiting often involves a tangible reward, like a free download of software or access to exclusive content.

In July 2020, 130 high-profile Twitter accounts were compromised to promote a bitcoin scam. Twitter and other media sources confirmed that the perpetrators had gained access to Twitter’s administrative tools so that they could alter the accounts themselves and post the tweets directly. The fraudulent message read, “We are giving back to our community. We support Bitcoin and we believe you should too! All Bitcoin sent to our address below will be sent back to you doubled! Only going for the next 30 minutes.” While the criminals were found and tried, Twitter’s stock fell by 4% in one day during the attack. (3)

4. Quid Pro Quo Offers

Quid pro quo, a Latin term meaning “something for something,” refers to a type of social engineering attack where the perpetrator offers a benefit or service in exchange for information or access. This tactic exploits the human tendency to engage in reciprocal behavior. Cyber attackers might offer technical support or free services, luring victims into providing sensitive information or access to secure systems.

Sadly, it takes shockingly little to entice employees to share their passwords or personal data. In one particularly striking incident, a criminal posing as a tech engineer obtained a password in exchange for a chocolate bar. (4)

5. Tailgating

Tailgating, also known as piggybacking, is a social engineering tactic where an unauthorized person gains physical access to a restricted area by following closely behind an authorized individual. This method exploits the social norm of politeness, as people often hold doors open for others without questioning their credentials. In a business setting, tailgating can lead to unauthorized access to sensitive areas, data breaches, and theft of physical assets.

Frank Abagnale, portrayed by Leonardo DiCaprio in Steven Spielberg’s “Catch Me If You Can” (2002), is probably the most famous tailgating scammer. Over many years, his confidence and polished appearance fooled many people into granting him access to restricted areas. Indeed, he cashed $2.5 million worth of bad checks while impersonating a pilot, doctor, teacher, and attorney. (5)

Prevention and Mitigation Strategies

Despite the prevalence of phishing, pretexting, baiting, quid pro quo offers, and tailgating, businesses have numerous options to combat social engineering:

  • Educate employees about social engineering threats, using simulation platforms such as KnowBe4 or BullPhish ID to run mock attacks
  • Implement robust identity verification processes, including Multi-Factor Authentication (MFA)
  • Update security applications regularly (and create notifications for devices that have not been updated properly)
  • Implement zero trust security policies that limit access to sensitive information
  • Encourage a culture of skepticism and vigilance

Dynamic Edge Can Help

Since 1999, Dynamic Edge has helped hundreds of small and mid-sized businesses maximize the return on their technology investment. Contact us today for a free network assessment, so that we may help you implement cost-effective security solutions to keep your organization and its clients safe and productive. Our Help Desk features friendly, experienced engineers who answer calls live and solve more than 70% of issues on the first call.
