The foundation of all human relationships is trust. But our tendency to trust is exploited every day by hackers who engage in social engineering to gain unauthorized access to computer networks with the intent to steal data and cause financial harm.
Social engineering attacks occur when fraudsters combine publicly accessible information and manipulative tactics to fool an unsuspecting victim into providing personal information and other sensitive identification data.
Bad actors often begin the attacks by collecting personal information about their targets on social media accounts. Next, they contact the potential victim directly and pose as a trusted connection, such as an employer. These tactics can quickly lead to compromised credentials and the potential for account takeovers leading to large-scale damage and theft.
Why social engineering is so effective
Common social engineering attacks include:
• Phishing, in which hackers send a fraudulent message designed to trick the victim into revealing sensitive information.
• Baiting, where the hacker uses a false promise — like a $10,000 reward — to spark a victim’s greed or curiosity.
• Scareware, where the victim is overwhelmed by fictitious threats to get them to buy or download malicious software.
These kinds of attacks are on the rise precisely because they are so lucrative. According to security firm Check Point Software Technologies, the average social engineering attack costs companies $25,000 to $100,000 per incident, and the cost can be far higher once the value of the compromised data is counted.
Social engineering attacks are so effective because they tap into basic human emotions, both positive and negative, and exploit them to steal money and information. For instance, it’s common for a fraudster to play on a person’s sympathy to trick them into providing information. A typical example of this is when hackers pose as the victim’s co-worker or boss and ask for help with a login, password or other system sign-on data.
Fraudsters also understand that humans are not perfect and will often act selfishly. As a result, social engineering attacks often tap into emotions like greed to get what they want. For example, a bad actor may entice a victim into providing account details and login information by offering money or other incentives.
The bad guys also know that people often don’t think clearly when under pressure, so they ramp up the urgency in their requests to force the hand of a victim. When a target is told they need to provide their information quickly to keep a (bogus) negative event from happening, they often do what they are asked.
Stopping social engineering attacks
How can businesses and consumers defend against social engineering attacks? Here are three ways to limit the chance of a successful attack.
1. Always be wary online. It’s critical to be suspicious of unsolicited requests from individuals seeking data or personal information. Ask yourself why that person really needs to know what version of an operating system you’re running, or what company you work for. Be equally suspicious of any files or attachments that arrive in your inbox unsolicited. Never download files you don’t recognize; an unfamiliar file is a risk. It’s also wise to install and maintain anti-virus software, firewalls, and email filters.
2. Make cyber education a priority for both employees and customers. It all starts with education. You should train both your employees and customers to practice good security hygiene. For instance, educate your employees about common scams when you see them. If a particular attack vector is proving successful and becoming more widespread, make everyone aware of it so they can take the necessary precautions. Also, encourage your customers to pay close attention when going through emails, especially when taking further actions like clicking a link or downloading an attachment. Remind them that you don’t ask for sensitive information over email, and that they should always double-check email and link validity.
3. Monitor for malicious users. Many social engineering attacks rely on fake account creation and/or use of synthetic identities to succeed. To thwart attacks, add the right mix of procedures, checks and balances into your onboarding and signup process to ensure customers are unable to create synthetic identities and fake accounts. You can also implement risk-focused systems to monitor for any unusual changes in the digital identity footprint of your customers. This includes authenticating them each time they engage in high-risk transactions, such as password resets or large transfers of money.
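One way to implement the step-up check described in point 3, as an added example rather than TeleSign's own code: a policy function that forces re-authentication for password resets, large transfers, unrecognized devices, and transfers attempted shortly after a phone or email change. The action names, the transfer threshold and the change window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed policy values (assumptions, not TeleSign's): actions that always
# need re-authentication, the transfer size that counts as "large", and how
# long a contact-detail change is treated as a fresh footprint change.
HIGH_RISK_ACTIONS = {"password_reset", "phone_change", "email_change"}
LARGE_TRANSFER_LIMIT = 1000.00
RECENT_CHANGE_WINDOW = timedelta(days=7)


@dataclass
class CustomerProfile:
    """Digital identity footprint kept for one customer."""
    user_id: str
    known_devices: Set[str] = field(default_factory=set)
    phone_changed_at: Optional[datetime] = None
    email_changed_at: Optional[datetime] = None


@dataclass
class Event:
    """One action the customer is attempting in an already logged-in session."""
    action: str
    device_id: str
    at: datetime
    amount: float = 0.0


def step_up_required(profile: CustomerProfile, event: Event) -> Tuple[bool, List[str]]:
    """Return (needs_step_up, reasons). Any reason means a fresh authentication
    challenge must succeed before the action proceeds. Deliver that challenge to
    the contact details on file before any recent change, not the new ones."""
    reasons: List[str] = []
    if event.action in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action: {event.action}")
    if event.action == "transfer" and event.amount >= LARGE_TRANSFER_LIMIT:
        reasons.append(f"large transfer: {event.amount:.2f}")
    if event.device_id not in profile.known_devices:
        reasons.append(f"unrecognized device: {event.device_id}")
    # A footprint change followed by money movement is the classic takeover
    # pattern: re-point phone/email to capture codes, then drain the account.
    for label, changed_at in (("phone", profile.phone_changed_at),
                              ("email", profile.email_changed_at)):
        if (event.action == "transfer" and changed_at is not None
                and timedelta(0) <= event.at - changed_at <= RECENT_CHANGE_WINDOW):
            reasons.append(f"{label} changed {(event.at - changed_at).days} days ago")
    return bool(reasons), reasons
```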
The reality is that there is no single solution that can put a halt to social engineering. But combining technology with customer education can make it difficult for fraudsters to succeed and can put a significant dent in social engineering attacks overall.
TeleSign helps you protect and defend your customers and your operations across the entire customer journey — from sign-up to sign-on. We help you block fake users at scale, detect unauthorized access, prevent account takeovers, and defend against other malicious actions against your customers.
To learn how businesses can protect their operations and customers from fraud and cyberattacks visit: TeleSign.com.