How Cybercriminals Use Social Engineering to Access Sensitive Information

Cybercriminals are always on the lookout to take advantage of the unknowing employee. While we often think that cybercriminals are using complex software to compromise organizations – and they are – one of the most popular ways of eliciting sensitive information is actually a very old technique: social engineering. Like a grifter working a confidence game, social engineering is a manipulation technique that exploits the basic human instinct of trust to steal personal and corporate information.

Social engineering takes advantage of a potential victim's natural tendencies and emotional reactions. Cybercriminals manipulate unsuspecting victims using various techniques, including phishing emails to elicit personal data, creating a false pretext that ‘requires’ sensitive information, quid pro quo attacks where scammers promise a benefit in exchange for information, and tailgating, where criminals without proper credentials trick someone into letting them into an area where sensitive information is stored.

While we all would like to think that we’d never fall for a social engineering attack, some of the biggest companies in the world have fallen prey to these types of schemes. This past July, we saw one of the largest social engineering-driven cyber breaches ever when Twitter fell victim to the dubious claims of bad faith actors. According to a blog post released by Twitter, the hack took place when bad actors “manipulated a small number of employees and used their credentials to access Twitter’s internal systems.” After gaining access to privileged systems, the attackers attempted to hack 130 high profile user accounts.

The cyber criminals successfully breached 45 accounts and released posts encouraging the victim’s followers to send bitcoin to a BTC address under the false premise that the senders’ payment would be matched and returned. The attack ultimately lined the pockets of the hackers to the tune of $120,000.

The attack offers modern companies a valuable learning opportunity about the realities of social engineering threats:

• Social engineering can victimize anyone at any organization – The Twitter hack proved that even tech giants aren’t immune to social engineering scams. An attacker that conducts in-depth research about a victim can easily fool them with a convincing story and phony credentials. Being prepared to defend against the threat is vital, whether you’re part of a small business or a multinational organization.
• Social engineering schemes are targeting more privileged users – The access employees have to internal systems makes them a major target for cyber criminals. Acquiring login credentials from one user through a phishing email could grant access to privileged IT resources that would otherwise be inaccessible to the attacker, making a data breach considerably more devastating.
• Two-factor authentication may not be enough to protect your data – While two-factor authentication is important for securing access, it isn’t enough alone to protect your data. If a fraudster tricks an employee into giving up information directly, then the data will still be breached. Cyber security awareness training is essential to ensure that employees know how to minimize the risk of data leaks.
• Social media is the new frontier for successful phishing attacks – With social media ad spend expected to top $43 billion in 2020, cybercriminals will inevitably start to exploit the reach those companies have online. The larger the number of followers a company has, the greater the number of potential targets for scams.
• The Twitter hack could signal a new onslaught of social engineering threats – The success of the Twitter hack will undoubtedly inspire other hackers to attempt similar social media hacks. Consequently, we can expect to see an increasing number of social media compromise scams taking place. Strong security awareness training is critical to spotting cyber threat warning signs and keeping your data safe.

Against all these attack types, your number one weapon is awareness. Being aware not only of the warning signs but also of which best practices to adopt to limit the exposure of your information is critical to staying safe online. There are many things you can do to defend against social engineering attempts and reduce the chance of a social network breach, but the two critical steps are:

• Investing in your people – Investing time and money to educate your people about current cyber threats will give them the tools needed to mitigate these risks effectively. Tools such as phishing simulations and ransomware simulations are great resources you can use to get a snapshot of your exposure and determine what to do to increase security awareness in your organization.
• Educating your team – Educating your users about social engineering attacks will help them spot the signs if they become the target of a cybercriminal. Giving users real-world examples of social engineering scams also goes a long way toward helping to detect attempts in real-time.

The next generation of cyber security threats aren’t limited to malware exploits but rely increasingly on manipulating internal employees to gain access to information. Addressing the threat isn’t as simple as an antivirus but requires consistent cyber security awareness training.

Implementing the best practices outlined above will enable your organization to work productively and safely without having your information hijacked by an unscrupulous actor. By equipping employees with the knowledge they need to detect social engineering attempts, you will substantially increase your chances of keeping your data where it belongs.

Theo Zafirakos is CISO of Terranova Security.