Social Engineering attacks

Cyber Security / Cyber Security Threats

As the pandemic struck the world by surprise, many, if not all, organisations were forced to make a rather quick transition to digital remote operations. While many welcomed the benefits of remote working and digitised daily operations, hackers saw it as a golden opportunity to exploit the vulnerabilities arising from this transition.

[Figure: Cyberattacks before and during pandemic]

The sharp increase in digital attacks made many organisations realise that security should not be considered an “add-on” in a budget but rather a necessary cost that companies need to bear to avoid a greater calamity: around 62% of companies in Malaysia alone have encountered cybersecurity challenges since the pandemic began. Since the beginning of COVID-19, the FBI has reported a fourfold rise in cybersecurity complaints, and losses caused by cybercrime amounted to $1 trillion in 2020. As the saying goes, “Prevention is better than cure”, and many companies have learnt the lesson the hard way since COVID-19 began to rage.

Social Engineering attacks

The main form of social engineering attack used in 2020 was phishing, which encompasses phishing emails, scareware and quid pro quo, among others. By definition, phishing is a digital attack that tricks individuals into believing that a malicious email sent by the attacker is an email of the utmost importance, such as one from their bank or from the company they work for. One of the most common phishing scams is deceptive phishing, whereby external parties impersonate the actual company and trick clients into giving up their credentials and other personal details. In 2020, cyber criminals took around $2.3 million from a school located in Texas by forging an email from the WHO. This shows how negligence and ignorance on the employee’s part can cost a hefty amount and cripple the organisation as a whole.

The most common techniques used in deceptive phishing are:

– Incorporation of legitimate URLs

In this method, the attacker tries to avoid detection by email filters by including legitimate links in the phishing email, for example by providing genuine contact details alongside the malicious link.

– Combining malicious and benign codes

In the case of phishing landing pages, the attacker combines malicious and benign code so as to escape detection by Exchange Online Protection (EOP). To do this, the hacker can reproduce the CSS and JavaScript of a well-known IT company’s login page in order to harvest the credentials of its customers. From there, the attacker can steal the client’s money, or this may even lead to identity theft.

– Forwarded and shortened link

To avoid detection, hackers try to create their phishing emails in such a way that they are not discovered by the Secure Email Gateways (SEGs). This can be done by using shortened URLs which will redirect the employee/client to a genuine web page.

– Minimal email content

To avoid raising any red flags, an attacker will attempt to include the least amount of content possible in the email. This is typically done by replacing text content with an image.

How to prevent phishing?

Since the world has shifted to remote working, it is important that workers secure their personal network and devices first, so that hackers cannot use them as a pathway into the company’s confidential information or network. Here are simple steps that one can take on an individual level to protect oneself from phishing attacks:

– Verify the spelling of URLs in emails before clicking on them or keying in confidential information

– Look out for URLs that forward to a different web page with an identical layout

– If an email has been received from a known source but it appears dubious, contact that source with a new email

– Avoid posting personal information such as birthdays, addresses, email contacts or even photos of your work setup/desktop on social media. Hackers may learn about the employee’s work operations and the type of device and operating software used.

If an employee is part of the IT Department in a company, he/she can implement the following ways to decrease phishing attack scopes within the organisation:

– “Sandboxing” inbound email, verifying the safety of each link a user clicks

– Examining and analysing web traffic

– Implement penetration testing to find vulnerabilities that an attacker could exploit. Use the results to brief and educate employees about the security shortcomings the organisation has and the precautions that need to be taken.
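As an added example (not code from the original post or from any tool the company describes), the following Python script triages an inbound HTML email for the deceptive-phishing tricks described above (a legitimate link mixed in with a malicious one, shortened or forwarding links, link text that does not match its target, look-alike domains, and an image-only body with minimal text), which is also the kind of automated link check an IT department would run before a user clicks. The trusted-domain allowlist, the shortener list and the two sample emails are constructed for the demonstration and are assumptions, not data from the post.

```python
"""Heuristic triage of an inbound HTML email for deceptive-phishing tricks."""
from difflib import SequenceMatcher
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation trusts (constructed allowlist).
TRUSTED_DOMAINS = {"example.com"}
# Public URL shorteners whose real target is hidden until clicked (constructed, non-exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, count images and gather body text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._buf = a["href"], []
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def registrable(host):
    # Naive "last two labels" rule; a real deployment would consult the public-suffix list.
    return ".".join(host.split(".")[-2:])


def normalise(host):
    # Undo common look-alike substitutions: rn->m, 0->o, 1->l, 3->e, 5->s.
    return host.replace("rn", "m").translate(str.maketrans("0135", "oles"))


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if `host` is
    genuinely trusted or not similar to any trusted domain."""
    reg = registrable(host)
    if reg in trusted:
        return None
    for t in trusted:
        # Exact match after normalisation, brand name embedded in a foreign domain,
        # or a near miss by edit similarity (e.g. a transposed letter).
        if normalise(reg) == normalise(t) or t.split(".")[0] in reg:
            return t
        if SequenceMatcher(None, normalise(reg), normalise(t)).ratio() >= 0.85:
            return t
    return None


def _html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_email):
    """Return a list of (rule, detail) findings; an empty list means no red flag."""
    parser = _LinkCollector()
    parser.feed(_html_body(message_from_string(raw_email)))
    findings, trusted_hosts, other_hosts = [], set(), set()
    for href, text in parser.links:
        host = host_of(href)
        if not host:  # mailto: and relative links carry no host to judge
            continue
        (trusted_hosts if registrable(host) in TRUSTED_DOMAINS else other_hosts).add(host)
        if host in SHORTENERS:
            findings.append(("shortened_link", f"target of {href} is hidden behind a forwarder"))
        imitated = lookalike_of(host)
        if imitated:
            findings.append(("lookalike_domain", f"{host} imitates {imitated}"))
        shown = host_of(text) if text.lower().startswith("http") else ""
        if shown and shown != host:
            findings.append(("text_target_mismatch", f"text shows {shown} but link goes to {host}"))
    if trusted_hosts and other_hosts:  # genuine links used as cover for a malicious one
        findings.append(("mixed_trust", f"trusted {sorted(trusted_hosts)} mixed with {sorted(other_hosts)}"))
    words = len("".join(parser.text).split())
    if parser.images and words < 20:
        findings.append(("image_only_body", f"{parser.images} image(s) but only {words} words of text"))
    return findings


# Constructed sample: a credential-expiry lure using every trick at once.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Action required: password expiry
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:banner">
<p>Visit <a href="https://examp1e.com/login">https://example.com/login</a>
to keep access. Policy: <a href="https://example.com/policy">IT policy</a>.
Or use <a href="https://bit.ly/constructed">this short link</a>.</p>
</body></html>
"""

# Constructed sample: an ordinary internal announcement that should pass.
CLEAN_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>This month's newsletter is on the intranet:
<a href="https://intranet.example.com/news">intranet.example.com/news</a>.
Thank you for reading all the way to the end of this short announcement.</p></body></html>
"""

if __name__ == "__main__":
    for name, mail in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(mail) or "no findings")
```

The checks are deliberately heuristic: the look-alike test only undoes a handful of character substitutions and uses a two-label rule for the registrable domain, so in practice you would feed it a public-suffix list and a fuller confusables table, and treat a hit as a reason to hold the message for review rather than as proof of phishing.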
