In 2022, the cost of an average social engineering attack associated with a data breach was $4 million. When criminals get past a company’s security defenses, it’s clear that finances are most at risk. So how can your company detect social engineering attacks, and prevent access to its hard-earned funds? Keep reading to find out, and see the effects of social engineering attacks on businesses.
Trustpair blocks the financial effects of social engineering attacks by continuously controlling payments and blocking those to unknown or suspicious parties. Request a demo to learn more!
What is social engineering?
Social engineering refers to the use of psychology to manipulate a victim into doing what the perpetrator wants. In this context, the techniques are used in crimes and scams so that the attackers gain inside knowledge.
Social engineering is a very malicious technique and relies heavily on the victim’s compliance. Hackers with more technical knowledge sometimes opt for pharming-style cyberattacks. Social engineering is less technical and fits into the phishing umbrella.
High-profile individuals and employees at companies are most at risk of being targeted by social engineering. That’s because they are the gatekeepers to significant funds. Once the information is gained, the attackers might sell it on the black market, and use it to commit identity theft or further crimes by impersonating their previous victims.
How do social engineering attacks work?
Social engineering attacks can work in a number of ways but most often, there are three parties involved. These are the attacker, the target that the attacker impersonates, and the victim.
Here is how a social attack could work:
- The attacker decides on their victim.
- The attacker researches the victim to find a third-party target to impersonate. This party is typically known to the victim, like a supplier, and it’s easy for the attacker to confirm their association.
- The attacker spoofs the real email address of the third-party target.
- The attacker crafts a clever email impersonating the target and uses similar language to the target, sending this to the victim. In most cases, the attacker asks the victim for confidential information or to transfer money.
- The attacker places urgency on the victim to complete the request, trying to avoid suspicion or investigation (especially in the case of CEO fraud where any sniff of suspicion would likely result in failure for the fraudsters).
- If the victim complies without verifying the identity of the attacker, they would likely transfer funds or inadvertently commit a data breach.
In more extreme cases, spear phishing also exists and plays on social engineering techniques. This refers to the in-depth research of a victim to create the most convincing scam possible. The attackers could hack into the third party that they are impersonating, mimic exactly the same language, and ensure the timing of their attacks is specific.
Moreover, whaling describes the same phishing and social engineering process but for high-profile targets – such as celebrities or high-level executives.
The common denominator, though, is that each of these results in the same ending if the attack is successful – it leads to the victims sharing their sensitive information with the perpetrator.
What are examples of social engineering attacks
There have been a fair few examples of social engineering fraud over the years that have led to many interesting case studies and security upgrades. Here are two of the most notable examples:
- Sony Pictures: 2014
- SolarWinds: 2020
Sony Pictures Social Engineering Breach: 2014
In 2014, a group of cyberattackers used social engineering to gain access to Sony Pictures’ internal system.
They impersonated Apple, a known third party, to send a “password verification” email over to the employees (a phishing email).
Here’s where the social engineering tactics were implemented. The email used the logo and mimicked the exact language that Apple uses on their typical password verification communications. They married this with a technical element; the spoofing of the real Apple website for employees who clicked on the link. It meant that the hackers created an identical website and confused computer security systems, bypassing the typical flagging measures with pharming techniques.
It only took one employee to click on the link in the email and enter their details for the perpetrators to capture the password to the system. Then, the havoc really began, with the group leaking unreleased movies, scripts and even embarrassing internal emails.
Sony lost an estimated $15 million, and upon investigation, realized that the perpetrators gained access through this Apple email more than a year before they took action.
SolarWinds social engineering attack: 2020
SolarWinds is a subsidiary of the GPS software: Garmin.
Here’s how the company systems were compromised in 2020
- The attackers sent socially engineered emails that looked legitimate to a number of employees from Solarwinds, each with a malicious link
- At least one of the employees clicked on the link within the email, downloading malware onto the internal systems
- The malware allowed the perpetrators to gain access to the internal systems of SolarWinds, and the hackers encrypted the files to lock access, rendering huge operational issues
- After days of operational disruption, SolarWinds paid an undisclosed ransom amount to the attackers, regaining access to their systems and getting their clients (like Garmin) back up and running
This attack would never have been possible without the initial emails that passed as legitimate. So, it leads to an important lesson for companies: you can’t rely on your employees to simply spot social engineering – it’s often undetectable. Instead, organizations should implement a range of fraud detection and prevention techniques to avoid the effects on the business.
How can you detect them?
Detecting social engineering fraud isn’t easy, but there are some general red flags that can help you spot the scammers.
Firstly, teach employees to be wary of any emails received from senders that they don’t recognize. These days, many email providers will include a warning message from an email originating from outside of your workplace organization. But it’s always worth double-checking the email address to ensure it’s recognized. This should also help your employees spot spoofed email addresses – which are similar to actual accounts but not identical.
Secondly, check the tone of the email. Does it sound generic? Or are there any spelling or grammatical errors? These are both likely signs that the email itself might not be legitimate and don’t require oversight from your IT security team.
Third, employees should be taught to hover over any email links before they click. This includes any links, from documents to websites and payment links. By hovering with the mouse, your employee can tell if they’ll be directed to the site they intend to reach, or whether they will be redirected to a malicious online destination.
Each of these tips can make up the regular security awareness training sessions for your employees.
Learn all about fraud detection and prevention in our latest fraud study!
How can you prevent these attacks?
Alongside detection, a strong fraud prevention strategy is a business’s best asset. Your organization can prevent social engineering attacks by:
- Testing: Regular security testing can remind employees of the threats, and plug any vulnerabilities within your systems
- Implementing internal controls: segregation of duties is a great way to spread responsibilities among team members. It ensures that no single employee has too much power (also known as the four eyes principle)
- Performing due diligence: Doing proper background checks on your employees, and finding out about the ultimate beneficial owners of your suppliers should help identify any risks that attackers could exploit, so that you can prevent them
And as a safety net, you can put further measures in place to protect your business even if the worst should happen.
Financial fraud detection software like Trustpair can automatically block payments to suspicious or unknown third parties. We continuously monitor payment details and validate third-party credentials. In an attempt of social engineering, Trustpair can protect your finances even if a scammer is successful in their attempt to gain access to your system. That’s because Trustpair automatically blocks the payments before money ever leaves your account.
Social engineering attacks help criminals to commit online espionage, by manipulating victims with psychology. Detect social engineering with employee awareness training and prevent it with due diligence, penetration testing and internal controls. Trustpair blocks the effects of social engineering by controlling your payments with data validation.