August 6th, 2024, marks the first annual National Social Engineering Day, an opportunity to raise awareness about social engineering threats and emphasize effective cybersecurity practices.
The day honors Kevin Mitnick, The World’s Greatest Hacker, who paved the way for modern cybersecurity training.
As we spend this day spreading awareness, let’s discuss the role of social engineering in cyber attacks and how you and your business can best avoid it.
The Rise of Social Engineering
Individuals have long used their understanding of humans' social and psychological nature to get what they want, with either benign intent or sometimes ill will and a wish for personal gain.
Social engineering has been increasingly utilized in cyber attacks. Today, when a skilled threat actor uses social engineering tactics to gain unauthorized access to organizations, it can often result in severe consequences. Consider the average cost of data breaches in 2023. Globally, the average cost of a data breach was nearly $4.5 million U.S., while the average cost in the U.S. was an astonishing $9.44 million.
Kevin Mitnick and Social Engineering
Kevin began honing his social engineering skills in his youth through tinkering with the latest technology and landline pranks. This carried into adulthood, where Kevin found himself on the FBI’s Most Wanted list. As an unparalleled social engineer, Kevin’s “victories” were not for personal gain but to highlight vulnerabilities.
One such case involved Kevin’s notorious quest to fly under the radar and chat in private on a cell phone without being tracked. The outcome is the infamous case of Kevin’s 1992 social engineering to access and manipulate the technology inside the once high-tech Motorola MicroTac Ultra Lite cell phone.
Common Types of Social Engineering
There are a variety of techniques used by threat actors that you and your team should be aware of. Some of the most common types of social engineering include:
Phishing. This is where an attacker sends fraudulent emails that appear to come from a reputable and trusted source. For example, they may claim to have important information but need your name, birth date, social security number, and account number to verify your identity. Phishing tends to cast a wide net targeting as many people as possible.
Quid Pro Quo. This “something for something” tactic involves an attacker attempting to trade something for a piece of information. An example would be if a threat actor called a corporate main number pretending to be from the IT department and needed to reach someone with a technical issue. Once connected with someone with an issue, the attacker simply says, “I can fix that. I just need your login credentials.”
Tailgating & Piggybacking. Social engineering also works well to gain physical access to an unauthorized location by following someone else in. Tailgating involves getting in without being noticed by the authorized user, often by simply sticking their foot in the door before it closes.
Piggybacking happens when the authorized user knows they are letting someone in, but assumes there is a reason they are there. For example, if an individual approaches with their arms full, an authorized person may feel compelled to hold the door open for them.
Baiting. Just as a fisherman puts bait on the hook, this type of social engineering involves offering something enticing that then leads the victim into the trap. A common example is an offer of a free download that tricks the user into providing credentials. A face-to-face baiting scheme could include handing out data storage devices like USB thumb drives that actually contain remote access malware.
Ways to Spot (and Avoid) a Cyber Attack
With so many techniques for getting you, your employees, and your coworkers to willingly grant access to threat actors, vigilance and proactivity are key. Here are a few techniques for spotting and avoiding cyber attacks.
Phishing attacks are very common. With every email that hits your inbox, make sure you:
- Read unknown email sender addresses carefully to make sure the domain is legitimate.
- Analyze the content and be cautious if the language is stiff or awkward.
- Avoid downloads from senders you don’t know.
As a full organization, here are a few more steps you can take to avoid an attack:
- Keep your systems up to date with the latest software.
- Implement two-factor authentication (2FA) for all software.
- Proactively educate yourself and your team on cyber security awareness best practices.
Test Your Team’s Cyber Security Awareness
Would you like to test your team’s cyber security awareness during an actual cyber attack?
Of course not. Social engineering training is a good first step, but you need a way to determine if your team complies with those best practices. That’s where social engineering testing comes in.
By working with an experienced, professional security team, you can simulate a social engineering attack to reveal how and where real threat actors access your information. With a 100% success rate when utilizing social engineering to test systems, our team is here to help you build a strong security framework.
Explore Social Engineering Testing with Mitnick Security today.
