What is Social Engineering?

Posted by Dallen Clark on Jan 23, 2026 • Updated on Jan 23, 2026

We’ve all seen it before: a letter from a Nigerian prince wanting to gift a life-changing sum of money. It’s a punchline now, but originally it worked because, for North American targets, Nigeria was just exotic enough that the story seemed possible. Maybe an ancestor had helped the prince’s great-grandfather, saved his life, or done a favor that changed the course of this faraway land, and now the prince wanted to pay it forward. That hope and fantasy was enough that many people fell for the scam.

These days, almost everyone knows money doesn't grow on trees and there's no prince handing out diamonds and pearls. The rich tycoon with no heir who wants to leave a vast fortune to a third cousin doesn't exist. Many people laugh at the thought of falling for such obvious scams.

But that doesn’t mean the scams have stopped. 

In fact, they’ve evolved, but they still target the same weak point they’ve always gone after: human emotions. They just look a bit more refined and more polished now.

And more dangerous than ever. 

Some experts even claim that these manipulative tactics, known as social engineering, are responsible for more breaches than unpatched vulnerabilities. In this article, we’ll explain what social engineering is, how it relates to cybersecurity, and some best practices to safeguard against these attacks.

Strengthening cybersecurity

Cybersecurity is getting stronger, meaning it’s harder for bad actors to break in directly and steal data. Modern ciphers such as AES-256 (whether used on their own or inside tools like PGP) have never been broken by brute force, and enforced strong password policies plus MFA leave attackers far less to work with. The vulnerabilities that do get discovered are usually patched quickly, so they don’t stay usable for long.

Security has reached the point where anyone trying to break it head-on needs enormous compute power, and will most likely burn those resources without results. A brute-force search of the AES-256 key space means trying up to 2^256 keys, a number on the order of 10^77, within a few orders of magnitude of the estimated number of atoms in the observable universe; betting on that kind of luck isn’t a gamble worth taking. It’s expected to hold up against quantum computers as well: Grover’s algorithm would at best halve the effective key length to 128 bits, which is still far beyond any current or projected hardware.

For most attackers, the potential reward isn’t worth that cost, especially when the holes that do appear aren’t likely to stay open for long.

Older, unpatched or unencrypted systems are another story: some can be defeated with tooling found in a quick Google search. But most modern businesses no longer keep important information on outdated, unsupported systems like Windows XP, and the shift to the cloud has made it so they don’t have to. Updates can be applied without rebuilding infrastructure, so the time, resources, and effort needed to stay current are far smaller than they used to be.

But that doesn't mean the scammers have quit. It's just harder to force a way in. Because of this, many criminals have shifted to a new focus.

People. 

The weakest link

Since breaking encryption isn’t worth the effort, the better option is to simply get someone to hand over access willingly. Getting in with an admin account, for instance, means full control of everything. But why would anyone give away important credentials? Because the attacker preys on the human tendency toward helpfulness and empathy, and on fear.

The idea of gaining access through humans is called social engineering, and it can be surprisingly effective. 

What is social engineering? 

Social engineering manipulates people so that someone hands the desired information or access to the attacker, rather than the attacker having to break through systems or intercept it.

There are a lot of ways to do this. Support and operations staff often have privileged tools for troubleshooting: they can look up accounts, update contact details such as email addresses and phone numbers, and send password and account reset links. The attacker doesn’t need to compromise those tools; they just have to convince the person holding them to use them on the attacker’s behalf.

A typical attempt works something like this: the attacker gathers enough information about an account to know it’s valuable, perhaps including the username or email address. Since they can’t guess the password, they call support to try to get access. The support agent asks for identifying information, which the attacker may not have. And here’s where the social tactics come into play.

Lacking the required identifiers, the attacker pleads for help, using fear, urgency, or empathy: “My boss will fire me if I can’t finish this by Monday, and my family is struggling as it is. Can you please help me? I can’t lose my job in this economy.”

The support worker, wanting to help, might cave and grant access, for example by updating the account’s email address and sending the reset link to the new address, which the attacker owns. The attacker simply follows the link and they’re in. No technical skills, exploits, or workarounds required. Plus, the support worker feels good that they helped someone in need… until they find out later it was all a scam.
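The two support-desk flows side by side, as an added example (not Couchdrop code and not from the original article): the weak flow lets sympathy stand in for verification and sends the reset wherever the caller asks, while the hardened flow treats emotion as irrelevant input, only ever sends a reset to the contact already on file, and refuses contact changes over the phone. The account fields, ticket fields and policy thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


# Constructed account store; the fields are assumptions for illustration.
@dataclass
class Account:
    username: str
    email: str                            # verified contact already on file
    recent_contact_change: bool = False   # contact details changed recently


@dataclass
class RecoveryRequest:
    username: str
    identity_verified: bool               # caller passed the identifying-information check
    new_email: Optional[str] = None       # caller asks for the reset to go here instead
    emotional_pressure: bool = False      # "my boss will fire me", urgency, tears


def weak_reset(accounts: Dict[str, Account], req: RecoveryRequest) -> str:
    """The flow the article describes: sympathy substitutes for verification,
    and the reset goes wherever the caller asks."""
    acct = accounts[req.username]
    if req.identity_verified or req.emotional_pressure:
        if req.new_email:
            acct.email = req.new_email    # now an attacker-controlled mailbox
        return f"reset sent to {acct.email}"
    return "denied"


def hardened_reset(accounts: Dict[str, Account], req: RecoveryRequest) -> str:
    """Policy: emotion is not an input; a reset only ever goes to the contact
    already on file; changing that contact is a separate step with stronger
    verification; no reset is issued in the cooling period after a change."""
    acct = accounts[req.username]
    if not req.identity_verified:
        return "denied: identity not verified"
    if req.new_email is not None:
        return "denied: contact changes need step-up verification (existing email or MFA)"
    if acct.recent_contact_change:
        return "denied: cooling period after contact change, escalate to security"
    return f"reset sent to {acct.email}"


def run_scenario() -> Dict[str, str]:
    """The caller from the article (no identifiers, lots of pressure, asks for
    the reset to go to a new address) against both flows."""
    attacker_call = RecoveryRequest(
        username="victim", identity_verified=False,
        new_email="attacker@mail.example", emotional_pressure=True)
    weak_accounts = {"victim": Account("victim", "victim@corp.example")}
    hard_accounts = {"victim": Account("victim", "victim@corp.example")}
    return {
        "weak": weak_reset(weak_accounts, attacker_call),
        "hardened": hardened_reset(hard_accounts, attacker_call),
        "hardened_email_on_file": hard_accounts["victim"].email,
    }
```

The point of the hardened version is that the agent has nothing to "cave" on: the only way to get a reset is to pass the identity check, and even then it lands in the mailbox the attacker does not control.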

More types of social engineering attacks

The example above is just one type of social engineering, and there are many more methods and cons used against human targets. 

Here are a few of the more popular options: 

Phishing 

The tried-and-true scam email. These range from “Your account will be blocked tomorrow” to “Invoice paid” (with malware attached) to an impersonation of your boss asking for a favor.

Different lures work on different people. A new employee might be more likely to follow a request from an email carrying their boss’s name, to stay in good graces, and never check whether the actual sender address matches, while an HR professional who handles invoices every day might be a better target for the “invoice paid” lure.

Phishing comes in a few variants. Spear phishing is a targeted attack aimed at a specific person (like the examples above), while whaling goes after the C-suite, who obviously won’t fall for an email claiming to come from themselves, so the pretext is tailored to their role instead. They all have one thing in common: persuade the user to take an action, usually one they wouldn’t normally take.

Some of these are intentionally poor: when they aren't auto-marked as spam, a target who still engages with such obvious bait is more likely to follow through. Others are far more sophisticated, copying the style, tone, logos, and format of real emails and leading to a convincing login page at a lookalike URL. In these cases, the victim might never realize they fell for something, so it's important to stay alert.
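The checks the two paragraphs above describe (does the real sender address match the displayed name, does the link go where its text says) as an added example that is not part of the original article. It parses a constructed message with the Python standard library and flags a lookalike sender domain, a Reply-To that differs from the From domain, and a link whose visible text names a different host than its href. The trusted domain, the thresholds and the sample message are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two character swaps is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_text: str) -> str:
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if from_dom.startswith("xn--") or ".xn--" in from_dom:
        findings.append(f"sender domain {from_dom} is punycode (possible homoglyph)")
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} looks like {trusted}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        # Only compare when the anchor text itself looks like a URL or hostname.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != host_of(href):
            findings.append(f"link text shows {text_host} but points to {host_of(href)}")
    return findings


# Constructed sample message, not a real capture.
SAMPLE = """\
From: "Jane Boss" <jane.boss@examp1e.com>
Reply-To: urgent@mail-examp1e.com
To: newhire@example.com
Subject: Quick favor before Monday
Content-Type: text/html

<p>Please sign in here: <a href="http://login.examp1e.com/auth">https://portal.example.com</a></p>
"""
```

Running `analyse(SAMPLE)` yields three findings for the sample. These heuristics are deliberately cheap; in practice they sit alongside SPF/DKIM/DMARC results from the mail gateway, and the "looks like" distance threshold should be tuned against your own domain list to keep false positives down.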

Tailgating and Piggybacking

These are the movie-style ways of sneaking into restricted areas: catching a door before it closes, walking in behind another employee, getting someone to badge you through with their key card, or claiming to be a repairperson or contractor. Tailgating is following someone through without their noticing; piggybacking is getting them to knowingly let you in.

What these techniques have in common is that they almost always take advantage of empathy and helpfulness. Most people want to be helpful and liked, and holding a door or helping someone who seems to be in trouble makes them feel good; the attacker is counting on exactly that.

Baiting

As the saying goes, an unknown flash drive can crumble your business in a flash. Okay, that’s not a real saying, but the sentiment stands. Baiting means leaving "bait" to get someone to act out of curiosity or for a potential reward. Sure, that flash drive might have something interesting on it, but running the executable it carries might compromise your entire network.

Scareware

Your computer may already be infected! You visited an illegal website and your information has been sent to the FBI; you're looking at 20 years of jail time... unless you act now and use our (scam) service.

While this one has also been overexposed, scareware isn't always so blatant. Sometimes it's subtler, such as a warning that your phone is almost out of storage and needs a "cleaner" app to fix it before the next upgrade cycle.

Ransomware might sound similar, but the difference is that with ransomware the system usually really has been compromised, so the threat is legitimate. Unfortunately, even paying doesn't guarantee you get your data back.

Avoidance is the best defense against both. Removing malware is much harder than never getting it in the first place, so if a scary message pops up, verify what it says through another channel, and don't follow the link.

Dumpster diving

Don't leave important documents in the trash, at least not unshredded. Dumpster diving is a real way to pull information from the garbage before it's collected or properly destroyed.

 

Tactics to stop social engineering

Social engineering is powerful, but it's not unbeatable. There are several tactics to help combat it.

You’ve likely heard people complain about entering all their information into an automated system or giving it to an agent, then being asked for it again a second or even third time. They gave it once, so why ask again?

To reduce the chance that the person isn't who they say they are.

Asking for personally identifiable information (PII) establishes that the caller either is that person or has obtained enough data to pass as them. Security questions are meant to go a step further, because the answers aren’t supposed to sit in the usual breached databases of names, emails, phone numbers, and addresses. In practice, though, answers like a mother’s maiden name or a first pet are often discoverable from social media or past breaches, so treat them as a weak check rather than proof.

This is one tactic to help stop social engineering, but there are several other methods you can use to protect yourself, your data, and your organization. 

Use MFA whenever possible 

Multi-factor authentication is the practice of requiring more than one proof of identity to allow a login. Usually that means a correct username and password combination plus a code from an email, text message, or authenticator app.

An authenticator app is the best of these methods because the codes are generated locally on a trusted device and can't be intercepted in transit the way SMS and email can. Opening the app itself usually requires separate authentication as well, such as Face ID. Against a sophisticated attack, though, any one-time code is only a slight barrier: if you type the code into a fake site the attacker controls, they can forward it to the real site within its validity window and log in as you. Phishing-resistant methods such as passkeys or FIDO2 security keys close that gap because they bind the login to the real site's origin; with codes, it's still important to watch for other signs.
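Why a relayed authenticator code still works for the attacker, and why an origin-bound credential does not, as an added example that is not part of the original article. The TOTP code is a straight implementation of RFC 4226/6238 using the Python standard library; the "origin-bound authenticator" is a simplification of the WebAuthn idea in which an HMAC over the challenge and the browser's origin stands in for the real per-site public-key signature so that the example runs offline. The device key, challenge and domain names are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` windows, as most servers do."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def totp_relay_attack(secret: bytes, victim_types_at: int, relay_delay: int = 5) -> bool:
    """Adversary-in-the-middle phishing: the victim types a genuine code into the
    attacker's fake site and the attacker forwards it to the real site seconds
    later. TOTP carries no notion of *where* the code was entered, so the real
    site accepts it. Returns True when the attacker's login succeeds."""
    code = totp(secret, victim_types_at)                              # from the victim's app
    return verify_totp(secret, code, victim_types_at + relay_delay)   # attacker's login


# Origin-bound authenticator, simplified. Real WebAuthn/FIDO2 signs the server
# challenge together with the origin using a per-site key pair; an HMAC with a
# device key stands in for that signature here (assumption for illustration).
def origin_bound_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def verify_origin_bound(device_key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    expected = hmac.new(device_key, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def origin_bound_relay_attack(device_key: bytes, challenge: bytes) -> bool:
    """Same relay, but the victim's browser is on the lookalike domain, so the
    assertion is bound to that origin and the real site rejects it."""
    assertion = origin_bound_assertion(device_key, challenge, "https://login.examp1e.com")
    return verify_origin_bound(device_key, challenge, "https://login.example.com", assertion)
```

With the RFC 6238 test secret `12345678901234567890`, `totp(secret, 59, digits=8)` returns `94287082`, matching the RFC's published vector, and `totp_relay_attack` returns True while `origin_bound_relay_attack` returns False. That asymmetry is the whole argument for passkeys and security keys over codes.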

Lock down access and reevaluate regularly 

Improper access control is one way attackers reach important or sensitive information. Suppose a user's credentials are compromised and an attacker logs in as them. If that user has access to all files by default, including company proprietary information, so does the attacker.

Best practice is to limit access to only those who need it, and to err on the side of caution. You can always grant access when someone needs it, but removing access is a less common task and is easily forgotten. Starting locked down and adding people as needed is the safer approach, especially for confidential data.

Access should also be reviewed regularly. Users change roles and employees leave the company. Making sure they don't keep access to sensitive files helps safeguard the data.
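A minimal access review of the kind the three paragraphs above call for, as an added example that is not part of the original article: it joins a grant list against the HR roster and a role-to-entitlement map, and flags grants to revoke (no active employee, or entitlement not part of the person's current role) and grants to review (matching the role but unused for longer than a threshold). The roster, roles, grants and the 90-day threshold are constructed assumptions for illustration.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster, role-to-entitlement map and grant log (assumptions).
ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "active", "role": "engineering"},   # moved from finance last year
    "carol": {"status": "terminated", "role": "finance"},    # left the company
}

ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance":     {"fin-share:read", "invoices:approve"},
    "engineering": {"src-repo:write"},
}

# (user, entitlement, last_used); last_used is None if the grant was never exercised
GRANTS: List[Tuple[str, str, Optional[date]]] = [
    ("alice",   "fin-share:read",   date(2026, 1, 20)),
    ("alice",   "invoices:approve", None),               # granted "just in case"
    ("bob",     "fin-share:read",   date(2025, 2, 10)),  # leftover from old role
    ("bob",     "src-repo:write",   date(2026, 1, 22)),
    ("carol",   "fin-share:read",   date(2025, 11, 30)), # never revoked at offboarding
    ("mallory", "fin-share:read",   date(2026, 1, 21)),  # nobody in HR by that name
]


def review_access(roster: Dict[str, Dict[str, str]],
                  role_entitlements: Dict[str, Set[str]],
                  grants: List[Tuple[str, str, Optional[date]]],
                  today: date,
                  stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, entitlement, action) for every grant that fails a check.
    'revoke' when the user is gone or the entitlement is outside their current
    role; 'review' when it fits the role but hasn't been used within stale_days."""
    findings: List[Tuple[str, str, str]] = []
    for user, entitlement, last_used in grants:
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append((user, entitlement, "revoke: no active HR record"))
            continue
        if entitlement not in role_entitlements.get(person["role"], set()):
            findings.append((user, entitlement, "revoke: not part of current role"))
            continue
        if last_used is None or (today - last_used).days > stale_days:
            findings.append((user, entitlement, f"review: unused for more than {stale_days} days"))
    return findings
```

Run against the constructed data with `today = date(2026, 1, 23)`, the review returns four findings: Alice's unused approval right to review, Bob's leftover finance share and the two orphaned grants to revoke. Feeding the same logic real exports from your identity provider and file server is the regular review the text recommends; the "last used" column is what turns it from a paperwork exercise into an actual least-privilege tool.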

Have regular security awareness training

Probably the most important and most effective way to protect against social engineering is regular security awareness training for everyone. This kind of training explains the methods, the risks, and the steps to take when faced with a social engineering attempt.

Simply put, you don't know what you don't know. If attackers are using a technique like the fake Google Docs sharing invitation, which over half of users fall for in testing, and your team has never heard of it, they might not think twice about it or know how to prepare for and defend against it.

Because attacks evolve and methods alter over time, this kind of training should be done regularly to be effective. 

Use software with safeguards in place

Attackers get a minimal payoff when the software they gain access to has multiple layers of protection. Files that are inaccessible, unreadable, and unchangeable aren't much use to anyone.

This is where Couchdrop comes in. Couchdrop is the simple, secure, and reliable way to transfer files. There is no infrastructure to configure or manage, and updates are delivered automatically with no downtime. There are multiple safeguards in place to protect the infrastructure and user files, including things like active threat monitoring, containerization, and redundancy. The platform also never stores user files at any point. 

Because of this, Couchdrop can be used for files subject to HIPAA and GDPR regulations, and is SOC 2 compliant. There are many other security measures in place as well. To find out more, check out the Couchdrop trust center or get in touch with our team.