Cybersecurity Blog Series: Social Engineering

It seems that every day we see another headline announcing that a prominent company or public organization has been compromised by a cybersecurity breach, losing sensitive data, public trust, and hundreds of thousands (or even millions) of dollars in the process. The fact that these cyberattacks happen so frequently may be puzzling—after all, shouldn’t these businesses have the financial and technical resources to properly safeguard their critical IT infrastructure?

Similarly, the fact that these headlines often cover high-profile corporations may instill a false sense of security in small and medium-sized businesses (SMBs), believing that they do not have enough money or valuable information to be targeted by cyberattacks. However, what many people don’t realize is that cybercriminals are increasingly going after smaller organizations, including those in the non-profit, education, and healthcare sectors.

It may also come as a surprise that many of today’s cybersecurity breaches are not caused by technical flaws or network vulnerabilities. The mass distribution of malware has become a multi-billion dollar industry, which means cybercriminals actually require very little technical knowledge to execute successful attacks. Instead, they rely on social engineering tactics, which exploit the human links in an organization’s security chain through the powers of persuasion, influence, and manipulation. While e-mail is a common vehicle for social engineering attacks, they can also occur over the phone, through text messages, and in person.

Simply put, social engineers understand that we are inundated with messages from countless sources every day, and are unlikely to take the time to scrutinize e-mails, links, or attachments before opening them. They know how difficult it is for us to pass up promotional offers that appear to come from our favourite coffee chain or clothing store, or how difficult it is for us to ignore a phone call claiming to come from our bank or a government agency. They take advantage of our tendencies to trust and appease other people—which ultimately means the weakest cybersecurity link in any organization is the people who work there.

Phishing is one of the most common types of social engineering schemes, cited as being involved in 97% of all cyberattacks. Phishing attacks target organizations of all sectors and sizes, as well as individual web users. They frequently appear as e-mails from a legitimate business, such as a popular social media website or courier service, and can be surprisingly sophisticated in their appearance and techniques. Often, they will advise you to click on a link or open an attachment, which will unleash malware that can damage your device, cripple your networks, and steal your identity.

One increasingly common type of malware that has been grabbing international headlines is ransomware. After it has infected your computer or smartphone, ransomware encrypts your data so that you cannot access it until a set ransom amount has been paid, most often in the form of a cryptocurrency called Bitcoin. It is estimated that ransomware attacks grew by 600% in 2016, costing businesses and individuals in excess of $1 billion to retrieve their data. While large-scale corporate breaches are more likely to be featured in the news, the reality is that SMBs are more likely to be targeted by ransomware attacks.

But it doesn’t stop there. Increasingly, social engineers are using targeted spear phishing attacks that appear to come from a friend, family member, or work colleague. A popular type of spear phishing is Business E-mail Compromise (BEC), where a message that seems to come from the head of a company asks an employee to wire money or share sensitive information—such as account numbers and passwords—that can be used to infiltrate the organization. At the end of the day, it only takes one momentary lapse in judgement to do irreparable financial and reputational harm to your business, and the strongest firewalls cannot protect your data if someone in your organization falls for a social engineering attack.
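The phishing and BEC messages described above share a handful of observable tells: a display name that matches an executive but an address on an outside domain, a sender domain that imitates the company's own, a Reply-To that quietly redirects the conversation, payment language with artificial urgency, and a link whose visible text names one site while its href points at another. The following script is an added example (not CarefreeIT's code, nor part of the original post) showing how a mail gateway or help desk could triage an inbound message for these indicators. The organization domain, the executive list, the urgency phrases and both sample messages are constructed assumptions; a real deployment would draw the first three from its own directory and mail policy.

```python
"""Heuristic triage of an inbound e-mail for phishing / BEC indicators.

Added example, not CarefreeIT's code. Every domain, name and message below is
constructed for illustration; ORG_DOMAIN, EXECUTIVES and URGENCY are assumed
policy inputs.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

ORG_DOMAIN = "example-corp.com"          # assumed: the protected organisation
EXECUTIVES = {"jane doe", "john smith"}  # assumed: display names to protect
URGENCY = ("wire", "urgent", "transfer", "gift card", "confidential", "asap")
HOMOGLYPHS = str.maketrans("0l1", "oii")  # digit/letter swaps; "rn"->"m" below


def normalise(domain):
    """Fold common look-alike substitutions onto the letters they imitate."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    """Plain Levenshtein distance; small inputs, so clarity over speed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, target=ORG_DOMAIN):
    """True if domain imitates target by homoglyphs or a single edit."""
    if domain == target:
        return False
    return normalise(domain) == normalise(target) or edit_distance(domain, target) == 1


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if name.lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")
    if lookalike(from_domain):
        findings.append(f"sender domain {from_domain} resembles {ORG_DOMAIN}")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_payload()
    if isinstance(body, list):          # multipart: assume first part is the text
        body = body[0].get_payload()
    hits = [w for w in URGENCY if w in body.lower()]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if host_of(text) and host_of(text) != host_of(href):
            findings.append(f"link text {host_of(text)} points to {host_of(href)}")
    return findings


# Constructed sample: a BEC-style message imitating the CEO.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <ceo.jane@webmail-example.net>
To: accounts@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>I need an urgent wire transfer done today, keep it confidential.</p>
<p>Confirm at <a href="http://login.examp1e-corp.com/">http://portal.example-corp.com</a></p>
"""

# Constructed sample: an ordinary internal message.
SAMPLE_OK = """From: Pat Lee <pat.lee@example-corp.com>
To: jane.doe@example-corp.com
Subject: Lunch
Content-Type: text/plain

Want to grab lunch at noon? The menu is at https://cafe.example.net/menu.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, triage(sample))
```

The checks are deliberately simple and independent, so each finding maps to one concrete thing an employee can be taught to look at: who the mail really came from, where a reply would go, what it asks for, and where a link actually leads. Run as a script it prints five findings for the constructed BEC sample and none for the benign one.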

Ultimately this raises the question as to what business owners can do to safeguard their IT systems, financial resources, and sensitive data. The CarefreeIT Cybersecurity Centre provides Security Awareness Training for all our clients' employees as a critical first step. Our experienced instructors hold training sessions at our Waterloo office, as well as onsite at client locations. This training aims to create human firewalls by addressing the most pressing security issues facing SMBs today, such as password and data sharing policies, how to recognize and respond to cybersecurity threats, and safe web browsing practices. While it’s true that the cyberthreat landscape continues to evolve with each passing day, we believe that knowledge can transform employees from security liabilities to empowered champions of their organization’s cybersecurity defense strategies.