Written by Lloyd Evans, Head of Identity, LastPass JAPAC.
Most of us are familiar with traditional phishing emails, where the tell-tale signs of a dodgy email are easy to spot. However, phishing scams are becoming more sophisticated and harder to catch, and unfortunately aren’t slowing down in volume.
Although phishing began on email, it now happens on all digital channels with the ACCC even warning consumers of the spike in ‘Hi Mum’ scams via SMS. When it’s too difficult or time-consuming to hack into a sophisticated site or network, hackers can get the job done by abusing someone’s trust or manipulating their feelings. This is where social engineering comes in.
But there are steps we can take to ensure our credentials are kept out of the hands of cybercriminals, in both our personal and professional lives. Cybercriminals are always looking for ways to get our personal data; the lesson is: don’t make it easy for them.
What is social engineering?
Cyber criminals are always looking for the easiest way to target and exploit a user’s online information. With more than 60% of the world’s population now online, individuals have more and more accounts and passwords to keep track of, which has created a gap in both basic cybersecurity understanding and proper practice. This has left individuals exposed to unnecessary risks and given hackers easy entry into a database – statistics suggest that 46% of all data breaches are a result of human error.
Even people who believe they are digitally literate and have secured their accounts with strong passwords can be conned by social engineering into handing over their information. Hackers use this technique to dupe victims into giving them confidential data, such as passwords or banking information, so they can accomplish their goals with ease. Sometimes social engineering takes advantage of the trust people have in colleagues or companies. Other times, it preys on people when they’re feeling vulnerable or fearful.
With so many of us relying heavily on technology for everything from work to grocery deliveries to social media, it’s more important than ever to be able to spot the signs of a social engineering attempt.
Common social engineering hacks
Phishing is still the most common type of social engineering hack, and the most successful form is the one that results in compromised credentials. This involves people being duped into revealing their login credentials to an unknown party, which are then used to breach an account and steal information. This social engineering attack continues to impact Australians – the OAIC Notifiable Data Breaches report has consistently found over the past 4 years that phishing via compromised credentials has accounted for ~30% of cyber incidents.
While phishing is still very prevalent on email, it has expanded across all digital channels. Smishing (phishing via SMS), although nowhere near as successful as compromised credentials, has sharply increased in the past 12 months. The spike in ‘Hi Mum’ scams is a perfect display of emotional manipulation.
Scammers also work on victims over a long period of time through dating apps such as Tinder, and often spend weeks on one target to extract their information. Once a connection is made, cyber criminals may attempt to emotionally manipulate their victims into sending them money. These attacks prey on people who may be feeling vulnerable and seeking human intimacy, and as a result are very effective. According to Scamwatch, Australians lost nearly $37 million in 2021.
Social engineering scams are even happening in the workplace through business email compromise (BEC). This remains a major threat to businesses, with the average loss per successful event having increased to more than $50,600. Hackers can usually gain access to the corporate network in a very short space of time by impersonating work colleagues to steal information. By simply researching their target online in advance, they are able to craft a more authentic, genuine-looking message that has a better chance of gaining the victim’s trust.
Key tips for people to protect themselves
By understanding how social engineering scams take place, individuals can learn how to spot when something looks off and what to do if they fall victim.
- A password manager is critical to protecting yourself from credential phishing, helping you create and maintain long, complex passwords. Most password managers also auto-fill your credentials only on the specific URL they were saved for, so they won’t submit them on a phishing URL. A password manager app can also help you identify websites with malicious intent by displaying an icon in the browser bar to indicate that it’s a known site. The app will not display the icon on a look-alike phishing address that differs from the saved entry, even by a single misspelled character.
- Be suspicious of random and unexpected messages. If you receive an unsolicited message, even one that looks legitimate at first glance, be wary: any user or message you are not familiar with could be a scammer.
- Don’t assume the apps you know and love are safe. Hackers know that individuals are increasingly aware of email phishing, which is why they’re increasingly trying to reach you via the apps and sites you trust. They know they have a better chance of catching you with your guard down on social media in particular.
- Don’t assume your business communications are safe. If you receive an email from a co-worker that looks off, listen to your instincts. Reach out to that co-worker using another method of communication, like a phone call, and make sure they actually sent you that message.
- Use multi-factor authentication (MFA) to give you an added layer of protection, particularly if you’ve experienced a social engineering attack. Even if a hacker obtains your password, MFA means they won’t be able to get into your account unless they can also provide another form of authentication that you’ve already set up in advance, like a passcode from an authenticator app.
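The URL-bound autofill behaviour described in the first tip, as an added illustration that is not LastPass’s or the original post’s own code: a saved credential is matched only on the exact HTTPS host and port it was saved for, so look-alike domains, subdomain tricks and pages downgraded to HTTP get nothing. The vault entry and domain names are constructed for the example.

```javascript
// Added example (not LastPass code): bind a saved credential to the exact
// origin it was stored for and refuse to autofill anywhere else.
// Uses Node's built-in WHATWG URL parser; no dependencies.

// Constructed vault with one hypothetical entry.
const VAULT = [
  { site: "https://accounts.example-bank.com/login", user: "alice" },
];

// Return the {host, port} a URL is bound to, or null if it does not parse
// or is not served over HTTPS (a plain-HTTP page is never filled).
function originOf(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "https:") return null;
  // URL() lowercases the host and converts Unicode hosts to punycode
  // ("xn--..."), so a homoglyph look-alike can never compare equal.
  return { host: u.hostname, port: u.port || "443" };
}

// Vault entries allowed on the current page. Matching is exact on host and
// port: no prefix, suffix or substring checks, which is what defeats
// "accounts.example-bank.com.evil.test" and "accounts-example-bank.com".
function entriesFor(pageUrl) {
  const page = originOf(pageUrl);
  if (page === null) return [];
  return VAULT.filter((e) => {
    const saved = originOf(e.site);
    return saved !== null && saved.host === page.host && saved.port === page.port;
  });
}

function canAutofill(pageUrl) {
  return entriesFor(pageUrl).length > 0;
}

// Demo run: only the first URL should be filled.
for (const url of [
  "https://accounts.example-bank.com/login?next=home",
  "https://accounts.example-bank.com.evil.test/login",
  "https://accounts-example-bank.com/login",
  "http://accounts.example-bank.com/login",
]) {
  console.log(`${canAutofill(url) ? "FILL   " : "REFUSE "} ${url}`);
}
```

The same exact-origin rule is why a manager’s “known site” icon stays absent on a misspelled address: a single changed character produces a different host string and no match.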