When a data breach appears in the news (which has happened a lot recently), many of us picture a hacker in a black hoodie, trawling through reams of code on a custom-built PC. We often imagine them finding a single mistake – a zero that should be a one, or vice versa – that lets them slip through a company’s defenses.
After all, that’s how hacking is usually portrayed in movies and TV shows.
But re-read the latest news reports and you’ll notice that most data breaches can be traced back to a single cause: social engineering. Increasingly, hackers are exploiting human psychology, rather than technical vulnerabilities, to access company accounts, tools, and databases.
The success of these attacks hinges on how persuasive the hacker can be – or how well they can imitate someone trustworthy – rather than their knowledge of a particular programming language.
It’s a timely reminder that cybersecurity is always changing, and the best way to protect a company is by focusing on the people who work there, not just the tools and policies that are in place.
Social engineering tactics: different but the same
Social engineering is an umbrella term for any type of attack where a criminal tries to manipulate you into sharing sensitive data, or doing something that helps them gain access to confidential information. Hackers use a variety of techniques to pull off these attacks. Here are just a few that you might have heard of:
Phishing occurs when a hacker tries to trick you with a fake but convincing email. The phony ‘sender’ will often urge you to click on a link which sends you to a scam website. Or they’ll ask you to share something confidential with them, like the credentials for one of your accounts.
SIM swapping starts with research: criminals study a target before calling the target’s cell phone provider and pretending to be them. They’ll make up a believable story (e.g. “I lost my phone”) that explains why they need the number ported to another SIM card. If necessary, the hacker will reassure the customer support rep by sharing facts they know about the target.
Why is this a problem? Many people receive two-factor authentication (2FA) codes via SMS. The criminal will check if they can use the SIM in their possession – which is linked to the target’s phone number – to intercept these codes and log in to any online accounts.
In some cases, the criminal will simply frustrate their target by bombarding them with 2FA notifications. They’ll then reach out to their target and claim to be a member of their employer’s IT department, or a representative from the service the account is tied to. The criminal will come up with a story (e.g. “sorry, it’s a bug”) and tell the target that the notifications will stop if they accept one of them.
These are just a few of the tactics that fall under social engineering. While they differ in the details, the basic approach is the same: the hacker is focusing on people, who are human and therefore prone to making mistakes every so often.
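The 2FA notification bombing described above leaves a trace that a defender can look for: a burst of push challenges for one account in a short window, sometimes followed by an approval. The script below is an added example (not code from 1Password or from this article) that scans a constructed, simplified authentication log and raises an alert for such bursts; the log format, the user names and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line: ISO timestamp, user, event.
# "push_sent"     = a 2FA push challenge was issued to the user's device
# "push_approved" = the user accepted a push challenge
SAMPLE_LOG = """\
2024-03-01T09:00:02Z alice push_sent
2024-03-01T09:00:40Z alice push_approved
2024-03-01T22:14:01Z bob push_sent
2024-03-01T22:14:09Z bob push_sent
2024-03-01T22:14:17Z bob push_sent
2024-03-01T22:14:25Z bob push_sent
2024-03-01T22:14:33Z bob push_sent
2024-03-01T22:14:41Z bob push_sent
2024-03-01T22:15:30Z bob push_approved
2024-03-02T08:30:00Z carol push_sent
2024-03-02T08:30:12Z carol push_sent
2024-03-02T08:30:50Z carol push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts.

    A "push_burst" alert fires the first time a user has received at least
    `threshold` push challenges inside the sliding `window`. If that user then
    approves a challenge while the burst is still fresh, an
    "approved_after_burst" alert fires, which is the case worth paging on.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    bursting = {}                # user -> time the burst was first detected
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, user, event = parse_line(raw)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            # Drop challenges that have fallen out of the window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in bursting:
                bursting[user] = ts
                alerts.append({"user": user, "at": ts,
                               "kind": "push_burst", "count": len(q)})
        elif event == "push_approved" and user in bursting:
            if ts - bursting[user] <= window:
                alerts.append({"user": user, "at": ts,
                               "kind": "approved_after_burst"})
            del bursting[user]
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

Running the script over the sample log flags only bob: six challenges in forty seconds and then an approval. alice and carol, who received one or two challenges and approved within a minute, look like ordinary sign-ins and produce no alert. In a real deployment the threshold and window would be tuned against the service's normal login behaviour, and an "approved_after_burst" alert would be a strong trigger for contacting the user and revoking the session.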
Why social engineering is more popular than ever
Social engineering continues to be effective for a handful of reasons:
It’s a low effort, high reward strategy for criminals. Hackers don’t have to leave their homes or inspect code to perform a social engineering attack. They can simply write a phishing email, send it to thousands or even millions of people, and then wait to see if anyone falls for it.
Many workers are burned out. If you’re tired, stressed, or a combination of the two, there’s a higher chance that you’ll slip up and fall for a criminal’s social engineering attack.
Social media makes it easier for criminals to research their target. Most people share snippets of their lives on social media. Criminals will collect these digital breadcrumbs and use them to impersonate their target.
Criminals are getting better at impersonation. There are many telltale signs that an email or text message isn’t legitimate. However, some criminals are being more careful and stamping out these common mistakes, which makes it harder for people to spot when they’re being targeted.
It can be difficult for businesses to tackle. Many companies aren’t large enough to have a dedicated IT or security department. Others don’t have the time or resources to offer security training. This makes it difficult to provide people with the guidance, tools, and support they need.
The solution: human-centric security
There’s no easy fix for social engineering. But there’s an approach that you and your team can adopt to reduce the effectiveness of these tactics:
Focus on your people.
The latest breaches show that it’s human beings – not necessarily technology – that are on the front lines of the security battle. You can adapt with an approach to security that focuses on people and the tools, knowledge, and support they require. This way of thinking is called human-centric security.
What businesses can do to protect their team members and customer data
What does that mean in practice? Every company is different, but here are some steps and initiatives to consider:
Start at the top. Ensure your leadership team understands the risks of social engineering and has bought into the idea of creating a strong security culture within your organization.
Make training and education part of your culture. An annual training seminar isn’t enough. Use employee onboarding and regular workshops to reinforce good habits and break down the latest threats, including social engineering techniques.
Encourage team members to speak up. Vulnerabilities may go unnoticed if team members aren’t comfortable asking questions or reporting suspicious activity. Don’t criticize anyone’s mistakes, and celebrate your company’s security wins, no matter how small they seem.
Be patient. Creating a culture of security takes time. Staying committed will increase the likelihood of your new culture taking root and spreading naturally across your organization.
5 tips to protect yourself against social engineering attacks
Here are some extra tips to bolster your own security while you’re online:
Know the signs. Be on the lookout for typos, strange links, and any language asking you to take urgent action.
If in doubt, stop and assess. If something feels off, don’t make a rushed decision. Take a deep breath and contact the supposed sender in some other way to verify what you’ve just been told.
Use strong, unique passwords. This will make it harder for criminals to break into your accounts. The simplest way to create, store, and use strong passwords is with a password manager like 1Password, which works on all of your devices.
Turn on 2FA when it’s available. 2FA adds a second layer of security to your online accounts. If a criminal does discover one of your passwords, this will keep them out of the associated accounts. Just don’t use SMS for 2FA codes if you can, as this could leave you open to a SIM swap attack. Instead, use an authenticator app, or a password manager like 1Password.
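The reason an authenticator app is not exposed to SIM swapping is that its codes are never sent to you at all: a secret is shared once at enrollment, and both your device and the service compute the same short-lived code from that secret and the current time (the TOTP scheme from RFC 6238, built on HOTP from RFC 4226). The following is an added example, not 1Password's code or the article's own, that implements that computation with Python's standard library; the demo secret and the verification window are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form shown in an enrollment QR code.
# Not a real key; a service generates a fresh random one per account.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, skew=1):
    """Server-side check. Accepts codes from `skew` steps either side of now,
    so a slightly drifted phone clock still works. Uses a constant-time compare."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Both sides compute the same code without any message passing through the carrier.
    now = time.time()
    code = totp(DEMO_SECRET_B32, at=now)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET_B32, code, at=now))
```

Nothing in this exchange travels over SMS or voice, so porting your number to another SIM gains an attacker nothing; what they would need is the enrollment secret itself, which is why the QR code shown at setup should be treated like a password. The test vectors published in RFC 4226 and RFC 6238 (ASCII seed "12345678901234567890") can be used to check the implementation.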
Check alerts about unusual sign-in attempts. Many services will send you an email or push notification if they detect a suspicious sign-in attempt. Most of these alerts will be a false alarm, but you should still pay attention to them, because they could highlight a genuine hack attempt.
What the future holds
Social engineering won’t disappear overnight. In fact, there’s a good chance it will never disappear entirely.
But that doesn’t mean it isn’t possible to beat the hackers. Stay alert, refine your security habits, and encourage your company to adopt a human-centric security model.