Social Engineering Attacks

Cyber-attacks are the greatest threat to the world’s financial system, said Federal Reserve Chairman Jerome Powell in a recent CBS News interview. Powell cites the risks as greater than the troubles that triggered the 2008 financial crisis. As companies do more business online, criminals have found new niches and more sophisticated tactics—the most common and dangerous being social engineering.

Social engineering differs from other cyber-attacks in that it targets people. These attacks play on human nature, using influence, manipulation, or deceit to obtain information. Social engineering is far more sophisticated because of the deception needed to induce a person to disclose information. Today, about 3% of malware tries to exploit a technical flaw, while 97% of malware instead targets individuals through social engineering.

What Are the Types of Social Engineering?

Phishing – One of the most common and familiar tactics, phishing uses illegitimate emails or texts designed to instill a sense of urgency or fear in victims. The email or text contains links to malicious websites or attachments containing malware. An example is receiving an email requesting a change to your password. On closer inspection, the link in the email leads to an illegitimate website that prompts the user to enter confidential information. This type of social engineering continues to target nearly every person in the US.

Spear phishing – Although very similar to phishing, spear phishing is more targeted and advanced. Instead of targeting a list of individuals, spear phishing focuses on one person or a small group of people at an organization. An attacker creates tailored messages based on the victim’s job position, contacts, and characteristics to make them appear legitimate. Spear phishing requires a higher level of effort from the perpetrator and takes longer to pull off than regular phishing schemes.

Baiting – Used to pique a victim’s interest or curiosity, baiting lures a user into a trap to steal personal information or infect their computer with malware. An example of this tactic is leaving a malware-infected USB drive in a spot where a potential victim would see it, like the office bathroom. The victim takes the bait and inserts the drive into a computer, allowing the malware to install automatically.

Quid Pro Quo – In this scenario, the attacker offers a service or benefit in exchange for information or access. The most common example is a hacker who impersonates an IT professional and requests information in return for money, access to software, or a similar benefit. The hacker then installs malware under the guise of software updates.

Tailgating – This in-person attack occurs when an unauthorized person seeks access to a restricted area. It can be as simple as someone following an employee into a secure building, often with a ‘hold the door!’ technique. Imposters sometimes disguise themselves as a repairman, delivery person, or vendor.

Water-holing – Although rare, water-holing infects one specific website in order to target a particular group known to visit that site. The attacker plants malware on the website (the ‘watering hole’); members of the targeted group then visit the site and carry the malware back to infect their own computers. This technique poses a specific threat to the websites of high-profile companies.

How to Stay Safe from Social Engineering Attacks

As the digital world evolves further, cybersecurity threats continue to grow. It is more important than ever to learn about cyber threats and take proactive measures to stay safe from social engineering attacks. Here are a few tips.

Time to clean out that email inbox. For most, email inboxes are an overwhelming space with emails, junk, attachments, and everything in between. Take the first step and clean out the inbox—delete, archive, organize, and even unsubscribe. An organized inbox helps workers slow down and focus on the email at hand, staying mindful of who the sender is and evaluating suspicious links before clicking them. Additionally, beware of tempting offers. If something comes into your inbox and you think it is too good to be true, it probably is.
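The password-change email described above is the classic case: the visible link text shows the bank’s site while the real destination is somewhere else. The following is an added example, not code from the original article or from the bank, that pulls every link out of an HTML email body and flags the ones whose visible text and actual destination disagree, or whose destination is not one of the sender’s own domains (the `expected_hosts` set is an assumption supplied by the caller; the sample message and domains are constructed).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a fake "password change" email whose
# visible link text shows the bank's site but whose href leads elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your password expires today. Please update it now:</p>
<a href="http://secure-login.bank-example.test/reset">https://www.bank.example/reset</a>
<p>Or <a href="https://www.bank.example/help">visit our help page</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html, expected_hosts):
    """Return (href, reason) pairs for links the reader should distrust: the visible
    text is a URL for a different host than the href, or the href host is not one
    of expected_hosts (the sender's own domains, an assumption given by the caller)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != href_host:
            findings.append((href, f"text shows {shown} but link goes to {href_host}"))
        elif href_host not in expected_hosts:
            findings.append((href, f"{href_host} is not an expected sender domain"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML, {"www.bank.example"})` flags only the first link; the help-page link, whose destination really is the expected domain, passes.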

Stay vigilant when online. Social engineering’s secret sauce is its people-centric approach. Cybercriminals may spend weeks or months planning an attack. When someone falls victim, be proactive and report the incident (and do not take it personally). Additionally, security awareness training that uses phishing simulations and engaging, relevant content helps prepare individuals to recognize scams.

Keep your tech healthy. There is no longer any excuse—most devices update automatically, and antivirus/antimalware runs quietly in the background, so make sure both are enabled and working. Additionally, when given the option, use multifactor authentication in addition to your password for an extra layer of security.

At Bank of Southern California, we are committed to clients’ online security. To learn more about our secure digital banking products, contact us today.