In cybersecurity, a social engineering attack is any attack that works by manipulating people rather than by exploiting a technical flaw. In essence, it is a confidence trick designed to fool someone into giving up private information such as a password, or into taking an action (opening a file, approving a login, installing a program) that undermines security.
The best known type of social engineering attack is the phishing email: a message that appears to come from a legitimate source, such as a friend in need, the recipient's bank, or their internet service provider, and that contains a link or attachment. Clicking the link takes the user to a site that installs malware on their computer, harvests credentials or personal information, or both.
But social engineering is more than phishing emails. It is about psychological manipulation, and when word gets out that a particular scam has become well known, scammers adjust and move on to new opportunities.
More than just phishing emails
While phishing emails remain a problem, they are now joined by a range of other social engineering techniques.
Messaging apps, for instance, provide an alternative to emails when it comes to phishing. As platforms like WhatsApp have grown in popularity (WhatsApp alone currently has 2 billion users around the world), malicious actors have seized upon them for social engineering.
Attackers might, for example, impersonate a trusted contact so that a message appears to come from a genuine source. They can then send links or ask for information such as the 6-digit SMS verification code that WhatsApp sends when a phone number is registered on a new device; with that code, the attacker can register the victim's number on their own device and take over the account. Because people read and answer messages on their phones quickly and informally, they may be less likely to question a link or a request for a code than they would be with email.
Other forms of social engineering include telephone calls claiming to be from somewhere like Microsoft support, offering to fix problems on your computer by remotely accessing it. "Scareware" is another frequent technique: pop-up banners claim to have detected spyware on the user's computer and urge them to download a supposed anti-malware tool, which may in fact be the malware.
Fake Microsoft Teams updates
Simply put, wherever there is an opportunity to fool users, some cybercriminal is likely to take it. Increasingly, attackers add credibility by referencing details they should not have, such as personal data obtained from earlier data breaches, so that they appear genuine. Once again, it is all about fooling unsuspecting victims.
Recently, a social engineering attack seized on one of the most popular workplace communication platforms to spread malware. Ransomware operators used online ads pushing fake Microsoft Teams updates to deploy backdoors built on Cobalt Strike, a commercial adversary-simulation tool that is widely abused by attackers.
Microsoft warned its customers about these FakeUpdates campaigns, in which attackers placed ads encouraging users to click through and supposedly update their workplace software. In some cases the ads appeared as top results in search engines, lending them an air of legitimacy. When the user clicked the link, the page delivered a payload that installed the backdoor, giving the attackers a foothold in the network.
Protecting against social engineering
There are several steps users and organisations can take to protect against social engineering. One of the most effective is education. Because social engineering exploits human error, proper training can alert people to the threats they face: a scam that nobody falls for does no harm, so teaching users how the common scams work, and what a suspicious request for a code, a password or a remote-access session looks like, goes a long way towards stopping them.
Linked to this is proper hygiene around administrator privileges. Admin rights should be granted only to the users who genuinely need them, so that an employee who is tricked cannot make significant changes to a system or reach sensitive data. Wherever possible (and that should be almost everywhere), multi-factor authentication (MFA) is also a must. MFA requires more than one proof of identity before a person can log in: typically something they know (a password), plus something they have (a phone or hardware token) or something they are (a biometric). Even if attackers steal a password, they cannot use it on its own to break in. One caveat: one-time codes sent by SMS or generated by an app can themselves be phished, exactly as in the WhatsApp example above, so where the option exists, prefer phishing-resistant methods such as FIDO2 security keys or platform authenticators, and train users never to share a code with anyone who asks for it.
Consider bringing in the experts
In the case of the FakeUpdates campaign, Microsoft suggested that one mitigation is to use web browsers that can filter and block known malicious websites. Even if a user clicks a questionable link, the browser will show a warning that the destination may be dangerous before the page loads. Connected to this is keeping software up to date, so that users are protected by the latest security patches. A further simple check for this particular scam: legitimate Teams updates arrive through the application itself or from Microsoft's own download sites, never through a search-engine ad.
For additional assurance, it is worth bringing in cybersecurity experts. They can provide endpoint protection and traffic inspection that monitors incoming and outgoing connections, distinguishes legitimate requests from suspicious ones, and blocks the potentially harmful ones automatically. This does not replace user awareness, but it means the organisation is no longer relying on every user spotting every scam.
Social engineering is a major source of cyberattacks. Such attacks can be particularly frustrating because they rely on mistakes that, in hindsight, we feel we should have been too smart to make, yet people make them every day. The consequences can be devastating. Fortunately, by following steps such as those above, it is possible to reduce the risk substantially.