What is Social Engineering?

According to recent studies, cybercriminals use social engineering techniques to drive 98% of cyberattacks, making this an important topic of discussion for businesses and users. If your organization is a managed service provider (MSP), read on and discover how social engineering works and what you can do to help your clients protect their business from attacks. 

Social Engineering Statistics

• 98% of cyberattacks rely on social engineering.
• 43% of the IT professionals said they had been targeted by social engineering schemes in the last year.
• 21% of current or former employees use social engineering to gain a financial advantage, for revenge, out of curiosity, or for fun.
• 43% of phishing/social engineering attacks targeted small businesses.
• Source: PurpleSec, 2021 Cyber Security Statistics

Social engineering is the practice of duping an individual – in person, on the phone, or online – into doing something that makes them vulnerable to further attacks. In the digital world, it is easier to trick people into falling into online traps than it is in real life, making online social engineering a prevalent and dangerous practice.

Social engineering takes advantage of people’s emotions to make them do something so that a criminal can gain physical access to private offices and buildings and/or online access to a company’s systems. Here are some common social engineering techniques that these criminals use to dupe individuals, get the information to launch further attacks, extort credentials, and/or steal data or money.

Create fear. You receive an email from someone saying they are with the Internal Revenue Service (IRS) and that you will be immediately arrested unless you provide your credit card number to pay back taxes.

Exploit greed. You receive  a message via Facebook Messenger that says you won a free laptop and to click on the <malicious> link so you can provide further personal information to redeem it.

Take advantage of your curiosity. You receive a text message from FedEx that states they are not able to deliver your postal package because the address they have is incorrect. The message offers a link so you can provide your address and other personal information, or the link can go to a malicious site that automatically infects the user’s device with malware.

Ask for help. You receive a text message from what you think is a colleague (which is a cybercriminal masquerading as your colleague) that says they are in a foreign country, have been robbed, and need money to get home. The message asks you to click on the link to wire transfer funds or pay via a credit card.

Entice you to feel empathy or sympathy. You are entering your office building using your passkey and a well-dressed, flustered woman follows behind you stating she lost her passkey, is running late for an important meeting, and preys on your sympathy to let her enter the building. 

“Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.”   –  CSO Online

Social engineering attacks are the first step attackers use to collect some type of private information that can be used for a subsequent attack, such as a phishing attack. For example, if the attacker can entice an employee to provide password information, the attacker will use that information to gain access to the employee’ device and launch other attacks across the corporate network. Social engineering attacks can take several forms.

Baiting attacks lure people with attractive, significantly discounted, even free products or services and entice an individual to respond by clicking on a <malicious> link or offering up personal information, such as a credit card number.

Scareware is a type of social engineering attack that “scares” a user into taking an action that leads to an attack. For example, you are working on your computer and an ad pops up from what appears to be a legitimate malware vendor telling you that your computer is infected and to download a free trial to remove the malware. Once you click on the link to download the free trial, you are, in fact, then infected with malware.

A physical breach is an in-person attack where the criminal impersonates a person of authority or a person in distress to convince an individual to carry out an order or provide help. For example, an attacker can impersonate a police officer and order a receptionist at the front desk to provide him access to an office building under the pretense that a crime is in progress.

Pretext attacks are used by cybercriminals to establish a trusted connection with an intended target to obtain personal or sensitive information or to entice the target to perform a critical task. First, the attacker researches the target to gather personal, yet public information, such as who the target works for, who are his colleagues, who does he bank with, and who are his circle of friends, Then, the attacker creates an online persona, masquerading as a trusted individual or business and entices the user to perform an action. For example, Katherine works in finance for ABC company and the company president emails Katherine with an urgent message to transfer funds to one of its partners. Believing this email to be benign, Katherine transfers the money as directed, only to later discover that she was the victim of a pretext attack.

Here are several examples of some of the costliest social engineering attacks over the last several years.

Google and Facebook were victims of the largest social engineering attack of all time. A Lithuanian attacker and his team established a fake company, masquerading as a computer manufacturer that worked with both companies. The team also set up fake company bank accounts and then invoiced the companies for products and services – that the real manufacturer provided – but directed them to deposit money into fake bank accounts. Between 2013 and 2015, the attackers cheated the two tech giants out of over $100 million.

In 2020, Shark Tank television judge and host, Barbara Corcoran, was a victim of a social engineering attack, which cost her nearly $400,000. The attacker created an email address that looked like it belonged to Corcoran’s assistant. The email contained a fake invoice from FFH Concept GmbH — a legitimate German company — for $388,700.11 for real estate renovations. This request looked legitimate to the bookkeeper – because Corcoran invests in real estate – and wired the money to the bank account listed in the email. The scam was only uncovered when the bookkeeper copied Corcoran’s real assistance when she replied to the original email. 

In 2019, the Toyota Boshoku Corporation, a major supplier of Toyota auto parts, reported that attackers duped the company via email by convincing an employee with financial authority to change account information on an electronic funds transfer. The company lost $37 million.

In 2018, Cabarrus County, North Carolina received an email from its county suppliers, requesting payments to a new bank account. The email was malicious, and the attackers impersonated the county suppliers. Cabarrus County paid $1.7 million as per the email’s instructions, after which the money was diverted to other accounts.  

The best way to spot a social engineering attack is through training and education so that users “think before they link.” Users must be trained to:

• Understand there is no such thing as a “free lunch.”
• Never open an email you do not expect and/or that comes from someone you do not know.
• Verify the authenticity of any request to transfer funds through other channels, e.g., validate via phone or email the requester separately – using the email account that you know – to verify.
• Investigate any emails requesting personal and/or sensitive information by researching through other online channels, such as Google.
• Never install pirated software or any software you do not know.

In addition to employee training and education, a business needs multi-layered protection to stop social engineering attacks. This includes a combination of:

Anti-malware software to protect systems, applications, and data from malicious attacks, including preventing users from going to malicious sites.

Firewalls to prevent unauthorized access to corporate systems.

Email filters that scan emails to identify spam and phishing content and isolate them in a separate folder; users should be sure to set their spam filters to high and check their spam folders regularly for legitimate emails.

Multi-factor authentication, which requires users to provide at least two pieces of evidence to verify they are who they say they are.

Timely software patches to ensure the operating system and applications are always up to date.

Specifically designed for MSPs, Acronis Cyber Protect Cloud integrates best-of-breed backup, machine intelligence (MI)-based antimalware, and protection management in one solution. Included at no cost or on a pay-as-you-go basis, Acronis Cyber Protect Cloud lets you build services to protect your clients’ systems, applications, and data.

You can expand your service portfolio to further meet your client requirements with advanced protection packs that extend their capabilities. By adding advanced protection packs such as Advanced Backup, Advanced Security, Advanced Disaster Recovery, Advanced Email Security, and Advanced Management onto Acronis Cyber Protect Cloud, you can expand and customize your services to deliver the optimum level of cyber protection for each client and every workload.

Installed with one agent and managed through one console, the centralized management of Acronis Cyber Protect Cloud ensures you can fully protect your clients’ systems and data without having to juggle multiple solutions. A single pane of glass provides the visibility and control needed to deliver comprehensive cyber protection – from creating local and cloud-based backups to stopping zero-day malware attacks with MI-based anti-malware and defenses.