Why social engineering is such a problem and how your business can protect itself


Human error is often treated as a forgivable explanation for problems outside a company’s control. But what happens when an employee’s mistake – being fooled by criminals into revealing sensitive information – causes a major security breach for the business?

Across the threat landscape, experts agree that ‘social engineering’ is firmly on the rise. Rather than exploiting a flaw in software, the attacker manipulates a person: an employee who fails to spot they are being duped becomes the route through the organization’s cyber security defenses.

Social engineering can take many forms, including: 

  • Phishing – typically emails that purport to be genuine but carry malicious links or attachments, or lead to a fake login page that harvests credentials.
  • Vishing – voice calls made to trick people into revealing passwords or security information. A related variant, telephone-oriented attack delivery (TOAD), uses an email or text to lure the victim into phoning a number the attacker controls.
  • Smishing – phishing carried out by SMS text message.
  • Whaling – phishing aimed at a senior executive, using a genuine-looking email to make them take a specific action, such as transferring funds.

The problem is laid bare by Proofpoint’s 2023 Voice of the CISO Report. It found more than three-quarters (78%) of UK CISOs viewed human error as their organization’s biggest cyber vulnerability, up from 65% in 2022.

“To some degree, everyone is vulnerable to all forms of social engineering,” says Thea Mannix, director of research at Praxis Security Labs. “Most successful social engineering attacks are highly sophisticated and require an individual to be highly alert and paying attention at the time of the attack to detect anything amiss.

“We cannot pay attention to everything all the time, this is against our very biology, so it is inevitable that at some stage the right circumstances arise, and people make mistakes.”

Mannix, who has a PhD in neuroscience, suggests it’s not possible to make people completely immune to cyber deception but that at best leaders can improve their defenses.

She adds: “Most organizations pour all their resources into avoiding an attack and put very little towards mitigating and planning for the impact of an attack.”

Developing a more realistic tone

According to research by Egress, for its Phishing Threat Trends Report 2023, a fifth (19%) of phishing emails rely solely on social engineering, up from just under 7% in 2021.

James Dyer, the company’s threat intelligence lead, explains that social engineering and phishing have combined to form the most sophisticated threat to businesses yet.

“Gone are the days of grammatically questionable phishing attacks; social engineering, with the help of a chatbot, can mimic the tone of voice and smatter personalized remarks scraped from social media to impersonate effectively... and extremely quickly.”

It’s no wonder then that Renske Galema, area vice president for Northern Europe at CyberArk, warns education is critical. She highlights the company’s recent Threat Landscape report, which shows how security leaders have identified security awareness training as one of the top three most effective components of a defense-in-depth strategy.

“Teaching employees about the real-world ramifications of risky behavior is key to improved security,” she advises. “Methods focusing on team collaboration to solve problems, rather than shaming individuals who fail, will also go a long way in promoting the team game mentality for better security.

“C-Suite executives are the ones responsible for implementing a security strategy based on education, awareness, and collaboration. It’s their role to ensure the company’s security approach is not about placing blame, but about teaching employees how to quickly find and stop attacks.”

Social engineering attacks serve many ultimate goals. Some aim to win a person’s trust so that they unwittingly install malware that steals sensitive financial information and customer data; others are the entry point for an intrusion that takes systems offline, after which the attacker demands a ransom before the company can operate normally again.

Industries often targeted include law, the public sector, and healthcare – as well as national utilities. Kelly Indah, a security analyst at Increditools, adds: “I’ve seen how organisations sometimes underestimate this risk. People are usually savvier about financial phishing but less aware of work-related manipulation.

“Social engineering will likely remain prevalent unless countermeasures evolve in tandem with manipulation methods. Compliance and clear policies must also materialise as more than just words. By adopting evidence-based approaches, we can all work to close vulnerabilities and deny attackers their all-too-frequent victories through human deceit.”

New vectors include QR codes and PDFs

Experts have warned that the growing availability of AI tools will power a new wave of social engineering attacks. Heather Hinton, chief information security officer at PagerDuty, believes it will make the issue “worse over the coming years” because it becomes “easier and cheaper to set up”.

“This will allow sophisticated attacks against lower-level employees, especially those in support roles,” Hinton suggests. “We will continue to see sophisticated social engineering attacks through these individuals to target their employer’s customers.”

She adds the technology should be deployed as a positive, with AI cyber security used as a measure to counter AI-driven attacks.

“Automation within digital operations management is a game changer as it supports incident responders in quickly making the right decision under pressure. The right tools can revolutionize security processes and reduce human error during incidents,” Hinton explains.

“To mitigate human errors, the endpoint becomes front and center as a technical control point. Businesses will renew their interest and deployment of secure endpoints including endpoint lockdown, secure configuration, and data exposure management.”

The fallout from social engineering is not just about its raid on the company’s bottom line – it has personal consequences too. In Egress’ Email Security Risk Report, researchers found that once the dust had settled from an inbound email incident, almost three-quarters (74%) of employees involved were disciplined, dismissed, or voluntarily left.


Threat actors are also refining their tactics. Newer social engineering lures use fake QR codes, exploiting the now-routine habit of scanning a code to reach a website or payment portal: the code hides the destination URL from both the user and the email link filters that would normally inspect it. Malicious PDF attachments are another increasingly common vector.

Attackers also send emails that imitate a real CEO or manager so that employees believe a request is official, a tactic commonly called CEO fraud or business email compromise. The fabricated scenario that underpins it is pretexting, and the same approach can cast the sender as the police or an everyday co-worker.
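The header checks below are an added example of how a mail gateway or SOC script can catch the executive-impersonation pattern just described; they are not code from the article or from any vendor quoted in it. The company domain, VIP directory, lure phrases and both sample messages are constructed for illustration.

```python
"""Checks for executive-impersonation (CEO fraud / BEC) emails.

Added example for this article; not code from any vendor quoted in it.
The company domain, VIP directory, lure phrases and sample messages are
all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed company domain
VIP_DIRECTORY = {                          # assumed: people attackers imitate -> their real mailbox
    "jane doe": "jane.doe@example.com",    # CEO
    "sam patel": "sam.patel@example.com",  # CFO
}
# Phrases typical of a payment or credential pretext; tune per organisation.
LURE_PHRASES = ("urgent", "wire transfer", "gift card", "are you available", "confidential")


def _normalise(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so '"Jane  DOE"' matches 'jane doe'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message: str) -> list[str]:
    """Return the reasons a message looks like impersonation; an empty list means no finding."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    findings = []

    expected = VIP_DIRECTORY.get(_normalise(from_name))
    if expected and from_addr != expected:
        # The classic pattern: the right name in the display field, the wrong mailbox behind it.
        findings.append(f"display name '{from_name}' is a VIP but sender is {from_addr}, not {expected}")

    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        # Replies are silently routed to a mailbox the attacker controls.
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{_domain(from_addr)}'")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits and _domain(from_addr) != INTERNAL_DOMAIN:
        # Lure language alone is noisy; only raise it for senders outside the company.
        findings.append("pretext language from external sender: " + ", ".join(hits))
    return findings


# Constructed samples, not real mail.
IMPERSONATION = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jd.office@freemail.example
To: accounts@example.com
Subject: Urgent - are you available?

I need a wire transfer processed today. Keep this confidential.
"""

GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Urgent: board pack

Please send the Q3 board pack when you can.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", IMPERSONATION), ("genuine", GENUINE)):
        print(label, "->", assess(sample) or ["no findings"])
```

The lookalike domain in the first sample (examp1e.com) is deliberate: it passes SPF and DKIM for the attacker’s own domain, so authentication alone does not catch it, while the display-name and Reply-To checks do. In production the VIP directory would come from the HR system and the lure-phrase check would be a weight in a score rather than a hard rule.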

To get ahead of the problem, some IT departments send their own social engineering-style messages to employees and track who falls for them. Failing to address the risk can lead to fines or even legal action if a breach occurs.
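As an added illustration of the simulated-phishing practice above (not code from the article or any vendor it quotes), the script below shows the two parts of such a campaign that are easy to get wrong: the tracking link must carry an unguessable, per-recipient token rather than a user id, so that results cannot be forged or attributed to the wrong person, and the scoring must count who reported the email, not just who clicked. The campaign secret, recipients, log lines and report list are all constructed.

```python
"""Tracking tokens and result scoring for an in-house phishing simulation.

Added example for this article, not code from any vendor quoted in it.
The campaign secret, recipients, log lines and report list are constructed.
"""
import hashlib
import hmac
from typing import Optional

CAMPAIGN_SECRET = b"constructed-secret-rotate-per-campaign"  # assumed: held server-side only
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]        # constructed user ids
CAMPAIGN = "2024-q2-invoice"


def make_token(campaign: str, recipient: str) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign and recipient, truncated to 96 bits."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{campaign}:{recipient}".encode(), hashlib.sha256)
    return mac.hexdigest()[:24]


def tracking_link(base_url: str, campaign: str, recipient: str) -> str:
    """The link embedded in the simulated lure; the landing page resolves the token server-side."""
    return f"{base_url}/t/{make_token(campaign, recipient)}"


def resolve(campaign: str, recipients: list, token: str) -> Optional[str]:
    """Map a token back to a recipient; constant-time comparison so timing cannot leak matches."""
    for r in recipients:
        if hmac.compare_digest(make_token(campaign, r), token):
            return r
    return None


# Constructed events: clicks arrive as GET /t/<token>, credential submissions
# as POST /t/<token>; 'report phishing' button events already carry the user id.
ACCESS_LOG = [
    f"GET /t/{make_token(CAMPAIGN, 'alice')}",
    f"POST /t/{make_token(CAMPAIGN, 'alice')}",
    f"GET /t/{make_token(CAMPAIGN, 'carol')}",
    "GET /t/0000000000000000000000ff",   # forged or guessed token: must not be scored
]
REPORTS = ["bob", "carol"]


def events_from_logs(campaign, recipients, access_log, reports):
    """Turn raw log lines into (recipient, action) events, dropping unknown tokens."""
    events = []
    for line in access_log:
        method, _, path = line.partition(" ")
        who = resolve(campaign, recipients, path.rsplit("/", 1)[-1])
        if who is None:
            continue  # worth alerting on, but never attributed to a person
        events.append((who, "submitted" if method == "POST" else "clicked"))
    events += [(r, "reported") for r in reports]
    return events


def summarise(recipients, events) -> dict:
    """Rates per recipient (each person counts once per action); a submission implies a click."""
    seen = {"clicked": set(), "submitted": set(), "reported": set()}
    for who, action in events:
        seen[action].add(who)
        if action == "submitted":
            seen["clicked"].add(who)
    n = len(recipients)
    return {
        "recipients": n,
        "click_rate": len(seen["clicked"]) / n,
        "submit_rate": len(seen["submitted"]) / n,
        "report_rate": len(seen["reported"]) / n,
        "no_action": n - len(seen["clicked"] | seen["reported"]),
    }


if __name__ == "__main__":
    print(tracking_link("https://training.example.com", CAMPAIGN, "alice"))
    print(summarise(RECIPIENTS, events_from_logs(CAMPAIGN, RECIPIENTS, ACCESS_LOG, REPORTS)))
```

Carol both clicked and reported, and still counts as a reporter: the point of the exercise is the reporting habit, which is why the report rate sits beside the click rate in the summary rather than being hidden by it. The forged token line is dropped rather than guessed at, which is what keeps the per-person results defensible when, as the Egress figures above show, they can end up in disciplinary proceedings.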

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, suggests that given social engineering attacks typically exploit human psychology, the only way to deal with the problem is through continual employee training and such pretend attacks.

“Sadly, only a few will listen and learn,” Curran admits. “It generally takes people to make a mistake before they learn, but that can be too late.”

Jonathan Weinberg is a freelance journalist and writer who specialises in technology and business, with a particular interest in the social and economic impact on the future of work and wider society. His passion is for telling stories that show how technology and digital improves our lives for the better, while keeping one eye on the emerging security and privacy dangers. A former national newspaper technology, gadgets and gaming editor for a decade, Jonathan has been bylined in national, consumer and trade publications across print and online, in the UK and the US.