The cyber security industry has traditionally focused on technological weaknesses, but according to the 2019 Trustwave Global Security Report, the majority of breaches begin with social engineering.
What is social engineering?
Social engineering is a method of psychological manipulation in which a trickster persuades someone to perform certain actions or divulge sensitive information.
The technique is often used by cyber criminals to dupe users into providing login details, downloading malicious attachments and granting physical access to the organisation’s premises.
The most common method of social engineering is phishing, in which crooks send messages (typically emails) that imitate a legitimate person or organisation and which contain a malicious attachment or a link to a bogus website.
How severe is the threat?
Trustwave found that phishing and social engineering were the most common cause of data breach in most of the environment types it analysed.
For example, it accounted for 46% of compromises in corporate/internal network breaches – more than three times as many as the next biggest vulnerability (weak passwords, 14%).
It was even more effective in POS (point-of-sale) breaches, being the primary method of attack in 60% of security incidents, compared to 40% of incidents caused by remote access.
Phishing and social engineering were also the primary attack vector in 60% of cloud breaches, compared to 20% for application exploits and 20% for remote access.
The only system in which social engineering wasn’t a major threat was e-commerce, where the majority of incidents are caused by code injection (53%) and application exploits (26%).
Common phishing attacks
As Trustwave notes, most phishing emails follow the same pattern even though the content continually changes.
“In some cases, attackers base their templates on actual messages by just changing a few words and underlying links,” the report adds.
So what types of emails should you be looking out for? The most common scams include:
- Emails imitating Outlook and Office 365, asking recipients to verify an account or email address, change a password or upgrade their mailbox storage limit;
- Fake invoices targeting customers of utility and services companies, like electricity and broadband providers; and
- Account updates from entertainment services like Netflix.
Trustwave also reported that many phishing links look legitimate because the bogus page is hosted on a genuine website the attacker has compromised, either by stealing its login credentials or by exploiting software vulnerabilities in it.
Alternatively, fraudsters host the page on free hosting sites, such as Wix, Weebly and Webhost, so the link resolves to a real, working site that simply is not the brand it claims to be.
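The indicators described above (a display name imitating a brand such as Office 365 while the sending domain belongs to someone else, link text showing one domain while the href points to another, and links resolving to free hosting sites) can be checked mechanically. The following is an added example written for this page, not code from Trustwave or from the original article; the sample messages are constructed, and the brand-to-domain mapping, the free-hosting suffixes and the two-label "registered domain" shortcut are assumptions for illustration rather than a vetted blocklist.

```python
"""Flag common phishing indicators in an email message (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Brands the article says are commonly imitated, mapped to domains they
# legitimately send from. ASSUMPTION for this example; extend for your org.
IMPERSONATED_BRANDS = {
    "office 365": {"microsoft.com", "microsoftonline.com"},
    "outlook": {"microsoft.com", "outlook.com"},
    "netflix": {"netflix.com"},
}

# Free hosting services named in the article (Wix, Weebly, Webhost); the
# exact hostname suffixes are assumptions for this example.
FREE_HOSTING_SUFFIXES = ("wixsite.com", "weebly.com", "000webhostapp.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    for brand, legit_domains in IMPERSONATED_BRANDS.items():
        if brand in sender.display_name.lower() and sender_domain not in legit_domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    parser = LinkExtractor()
    parser.feed(html_part.get_content())

    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # 2. Visible link text shows a domain that differs from where the href really goes.
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            findings.append(f"link text shows {shown.group(0)} but href goes to {host}")
        # 3. Link lands on a free hosting site rather than the brand's own domain.
        if host.endswith(FREE_HOSTING_SUFFIXES):
            findings.append(f"link hosted on free hosting site {host}")
    return findings


# Constructed sample: a mailbox-quota lure of the kind the article describes.
PHISHING_EMAIL = """\
From: "Office 365 Support" <alerts@mail-service-notify.example>
To: jane@corp.example
Subject: Action required: your mailbox is almost full
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox has reached 98% of its storage limit.</p>
<p><a href="https://corp-mail-upgrade.wixsite.com/login">https://portal.office.com/upgrade</a></p>
</body></html>
"""

# Constructed sample: a legitimate-looking account update with consistent domains.
BENIGN_EMAIL = """\
From: Netflix <info@netflix.com>
To: jane@corp.example
Subject: Your account details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.netflix.com/account">Update your account</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(sample))
```

Run on the constructed lure, the three checks fire once each (brand/domain mismatch, link text versus href mismatch, free-hosting host); the benign message produces no findings. A mail gateway would add header checks (SPF, DKIM, DMARC alignment) on top of these content checks, which this example deliberately leaves out.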
Protect your organisation from social engineering
Your staff need to be trained on the threat of social engineering. It’s too easy – and too common – to brush off information security concerns as ‘IT’s problem’, but everybody needs to be aware of the threats facing them.
Our Phishing and Ransomware – Human patch e-learning course is the perfect introduction to email-based threats. In just a few minutes, you and your staff will gain an understanding of what phishing is, how it works and what to look for.
If you’re interested in more crash courses, we also offer ‘human patch’ training modules on: