An email arrives with an “urgent” request from your boss. It contains a link to update some information on a portal whose address looks like your company’s web portal. Unless you’re Mark Manson, author of “The Subtle Art of Not Giving a F*ck,” the word “urgent” with your boss’s name in the sender field evokes a huge emotional response. To complete the “urgent” request, you click on the link and log on to the portal, handing over your credentials.
Guess what? You just got phished! The portal was a mirror of the real one, and now the hacker has your information, access and credentials.
You’re not alone.
According to some social engineering statistics:
- 95% of successful cyber-attacks are the result of a phishing scam [1]
- Over 400 businesses are targeted by spear-phishing scams every day [2]
These numbers and the types of social engineering attacks are increasing every day.
We had a conversation with a Canadian cybersecurity expert from Ingram Micro Professional Services, who took us behind the scenes of a social engineering attack.
What is Social Engineering?
Social engineering is getting people to do things that they would not ordinarily do. It is achieved by playing on human emotions. It has replaced malicious software as hackers' weapon of choice. In addition to phishing emails, some hackers have taken to the phone - making calls to impersonate a colleague, usually one in need of help.
What kinds of emotions are typically exploited in a Social Engineering attack?
The most common emotions that are exploited are:
- Ego “you’ve been selected for a special promotion”
- Financial need “you’ve just won a lottery”
- Curiosity “how to add $1000 to your income per month with minimal effort”
- Charity “click on this link to donate to Tsunami and Earthquake victims in Indonesia”
- Urgency / Job Duties “Please review attached details and respond immediately”
What are some of the most common types of Social Engineering attacks?
Phone calls or vishing (voice-enabled phishing) and email phishing. The most dangerous form is spear-phishing, which is a customized, targeted form of phishing designed for a company or an individual. With increased social media activity, it has become easier for hackers to customize phishing attacks to companies and individuals. Hackers are information hunters and mind hunters, crafting new and more sophisticated attacks each day.
How can companies better protect themselves from Social Engineering attacks?
You need a strong human firewall as your last line of defense, as employees are the weakest link in your network security. Any network security program, device or system is vulnerable in the face of a social engineering attack. Awareness is the first step in building a human firewall. However, we’ve seen that generic training programs are typically taken lightly.
At Ingram Micro Professional Services (PTS), we prefer to create “teachable moments”: through a social engineering test assessment, we first create a social engineering experience and follow that through with training while the aftermath of the experience is fresh in the team’s mind. We recommend that organizations conduct penetration test assessments in conjunction with these to improve overall security posture. At PTS, these tests are conducted by certified and experienced cyber security experts.
Are you ready to improve your clients’ security posture? All services mentioned in this article can be delivered by Ingram Micro’s Professional Services team under your customer’s brand name! This is a great opportunity for your customers to build a “trusted advisor” relationship with their clients. Contact firstname.lastname@example.org for special pricing.
- [1] Iron Scales Email Security Report 2017
- [2] Symantec 2017 Internet Security Threat Report