Why Cybersecurity Measures are Powerless Against Social Engineering


The growing sophistication of social engineering attacks creates a challenge that even high-tech systems are not prepared for.

We often think of cybersecurity as being a high-tech arms race. As criminals become more sophisticated, defense teams create new systems to counter them. Artificial intelligence (AI), machine learning (ML), and other digital transformation features are at the forefront. However, no matter how sophisticated your defenses or how tight your encryption, none of it can perfectly fight the rising tide of social engineering attacks.

The rise of technology

That’s not to say technology doesn’t have a role to play. It does. Cybersecurity has evolved out of all recognition over the past few years. Advances in encryption, automation and adaptive networks, machine learning, and supercomputers have enabled companies to erect sophisticated multi-layered defenses against incoming threats.

Today cybersecurity professionals are bolstered by automated systems which constantly scan for threats updating protections to the next level. Operating much faster than any human professional, they propel cyber protections into the digital age.

At the same time, though, they are being met by an increasingly sophisticated foe. As a result, cybercriminals have embraced the digital age using AI, data analytics, automation, and ML to find ways around defenses.

Criminals can effectively train bots to overcome protections and to create more realistic spoofing or phishing attacks. Using data, often obtained illegally, cybercriminals can use ML to simulate believable scenarios and more effective attacks.

On both sides of the divide, then, cybersecurity is getting smart. Both attackers and defenders are turning to the same advanced technologies to offset the other. For this reason, investment in cybersecurity will continue to grow. A recent study found that firms expect to increase cybersecurity measures by 10% in 2021 as they attempt to counter a rapidly evolving landscape.[1]

The pandemic has shaken up the challenge of cybersecurity. In addition, the increasing use of digitization and remote working has exposed networks and forced companies to take action to secure all endpoints across an organization.

Cybersecurity vendors focus efforts on developing secure remote access virtual private network (VPN) monitoring, endpoint security, mobile security, and cloud security. 

However, for all these technological innovations, cybercrime remains a very human challenge. Ultimately, the critical challenge for cybercriminals is to fool someone within an organization into making a mistake. For this, they rely on the principles of social engineering.

What is social engineering?

Social engineering is the process of using psychology or trickery to persuade a target to take a specific course of action. In cybercrime it comes in various forms:

· Phishing attacks: Emails attempting to persuade a user to click a link or download a file that allows a virus to be downloaded.

· Scareware: Emails or phone calls that create a situation in which a user feels he or she must hand over details. For example, this might involve entering your account details to correct a supposed problem with your account.

· Blackmail: With personal data becoming more vulnerable, cybercriminals may obtain, or claim they have obtained, information that could cause embarrassment or worse to a user. They can use this to compel the person to hand over information.

· Baiting: Using false promises, criminals hope to pique a user’s curiosity, for example by claiming to have a tax refund available.

· Spear phishing: This is a more targeted version of phishing. Using stolen data, hackers can personalize their approach so that it looks and feels relevant to you. For example, they may take the identity of someone you know, using their email address, to persuade you to hand over information.

Social engineering attacks have become progressively more common in recent years. Losses have reached the billions.[2] They are helped both by developing technologies and current events. The digital revolution has encouraged companies to embrace everything which comes with digital innovation, including cloud computing and data analytics. As a result, they are processing much more information across more locations than ever before.

Meanwhile, cybercriminals are becoming more sophisticated. For example, they use ML and natural language processing technologies to create highly effective phishing emails. This sophistication makes it increasingly difficult for users to tell an email from a reliable source apart from one sent by a criminal.

Cybercrime innovation has profound implications. For example, cybercriminals are already hijacking email addresses to craft messages which appear to come from trusted sources, and ML helps them produce increasingly convincing messages which appear to have been written by that individual.

The current situation has also created a heady environment of opportunity. The pandemic pushed people into isolation. Society has come to rely even more heavily on technology, with people relying on email for communication with organizations such as banks.

The emergency also created openings for spoofing attacks, with emails claiming to be from the government or international organizations and to contain important information about the pandemic. For example, the World Health Organization had to alert people that scammers were sending emails that claimed to offer important information about the pandemic.

At a time of global emergency, these emails — many of which come with convincing branding — can easily entrap people who might otherwise have been more careful.

Why is social engineering so effective?

Social engineering is rapidly becoming the weapon of choice for hackers because it attacks a channel that most companies will struggle to defend: their own people. Technical defenses such as firewalls and software security have become much more effective. However, humans remain the most vulnerable point in any security system.

According to a study from IBM, human error accounts for 95% of cybersecurity breaches.[3] For all the technology being deployed by both sides, it found hackers still rely on someone making mistakes such as clicking a link, downloading a file, handing over information, or failing to take a specific course of action.

The situation can be likened to a football team. The manager puts a considerable amount of effort into drilling his team to be organized defensively, but all that comes to nothing if someone makes a horrendous mistake.

Most companies are now aware of this vulnerability. More than half of businesses believe their employees are their most significant cyber risk.[4] They are investing money in cyber training for staff, and, as a result, people in general, and consequently your employees, are more cyber aware than they used to be.

However, social engineering’s secret sauce is its use of human emotions such as greed, envy, fear, or simple curiosity to circumvent those natural defenses. For example, messages claiming your data has been compromised can panic you into disclosing information you shouldn’t.

Equally, a message offering an exciting business opportunity can persuade some people to lay aside natural common sense and chase those gains.

Spoofing trustworthy sources also encourages people to let their guard down. Take, for example, the biggest social engineering attack of all time, a $100mn raid on Google and Facebook. A Lithuanian national, Evaldas Rimasauskas, set up a fake computer company and invoiced specific employees at the tech giants for services that had actually been provided. The employees then transferred money into a fraudulent account set up in the company’s name.

Fighting back against fraudsters

Social engineering is an increasingly serious threat for everyone in the company. The impact may not only be financial but could damage a firm’s reputation and lead to problems with regulators. Individuals may also find themselves held responsible.

When a Chinese company fell victim to CEO fraud in which hackers impersonated its CEO and other high-level executives, it tried to sue its own CEO, claiming he had failed to implement proper security measures. The attempt failed, but it should be seen as a warning shot to senior executives everywhere. Already regulators are moving to make individuals more accountable for breaches. By 2024, Gartner predicts CEOs could find themselves held personally responsible for breaches.[5]

The stakes, then, are high for both companies and employees. To effectively counter this threat, firms must develop strategies to nullify the specific danger social engineering brings. Moreover, they must do more than just raise awareness among staff about incoming threats and ensure they have information to reduce their vulnerabilities.

It’s about putting in place provisions and protocols which offset the same vulnerabilities which social engineering exploits. For example, even if a message appears to come from a highly trusted source, employees should follow tried, tested, and trustless procedures to ensure all actions are 100% verified.
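One concrete form such a procedure can take is a check that treats the apparent sender as untrusted and inspects the message for the signs of spoofing described above. This is an added illustration, not code from the article or from PhishTACO; the organization domain, the protected display names, the one-character lookalike heuristic and the sample message are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed values for the example: the organization's own mail domain and the
# display names most worth protecting. Neither comes from the article.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"alice ceo", "bob cfo"}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain, target):
    """Crude lookalike test: same length, at most one character differs (e.g. examp1e.com)."""
    return (domain != target and len(domain) == len(target)
            and sum(a != b for a, b in zip(domain, target)) <= 1)


def spoofing_indicators(raw_message):
    """Return the reasons a message must not be trusted on the strength of its sender alone."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []
    # An executive's display name on an address outside the organization.
    if name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    # A sender domain one character away from the real one.
    if looks_like(from_domain, ORG_DOMAIN):
        reasons.append("lookalike sender domain")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("reply-to domain differs from sender domain")
    # The receiving mail server's own authentication verdict, if it recorded one.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("dmarc failed")
    return reasons


# Constructed sample of a CEO-fraud style message; every value is made up.
SAMPLE = """From: Alice CEO <alice.ceo@examp1e.com>
Reply-To: alice.ceo.private@mail.invalid
To: bob@example.com
Subject: Urgent supplier payment
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

Bob, please pay the attached invoice today. I am in a meeting, do not call.
"""

if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE):
        print("flag:", reason)
```

The point of the check is that any flagged message sends the request to the same out-of-band verification step regardless of who it appears to be from, which is what makes the procedure trustless.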

Into the future

Much of this relies on understanding the evolution of cybersecurity. Technology is driving this forward at a frightening pace — much faster than most people believe. For example, in 2019, a CEO received a call from someone who sounded exactly like his boss asking him to transfer money. He did so without a second thought, little realizing that the hackers had developed technology that could effectively mimic the sound of an individual’s voice.

This method of attack is the kind of sophistication that one might imagine would be part of a science fiction story. Unfortunately, however, it is here with us in the present day.

Technology is evolving, creating new threats that people may not be aware of. Everyone in the company needs to be made aware of the latest threats and the evolving capabilities of attackers. Only in this way can they maintain effective defenses against the attacks which are coming their way. Businesses will continue to build their technical defenses, but forgetting the human element and the psychological impact of social engineering can leave the firm wide open to attack.


Sources:

  1. Helpnetsecurity.com: Cybersecurity investments will increase 10% in 2021
  2. Willistowerswatson.com: Social Engineering Insights 2020
  3. Thehackernews.com: Why Human Error is #1 Cybersecurity Threat to Businesses in 2021
  4. Kaspersky.com: The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within | Kaspersky official blog
  5. Gartner.com: Gartner Predicts 75% of CEOs will be Personally Liable for Cyber Physical Security Incidents by 2024
