Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2020
- by Brittany Day
In our recent blog post Think Like A Criminal: How To Write A Phishing Email, we examined phishing from the attacker's point of view to help you understand and protect against this notorious email scam, which the page's sources blame for over 90% of all cyberattacks. In that post we only briefly touched on social engineering, the set of techniques attackers use to manipulate human psychology. Considering 98% of all cyber attacks rely on social engineering, we want to provide readers with more information on the topic and advice for protecting against social engineering attacks. Here is what you need to know about social engineering in 2020.
What is Social Engineering and How is it a Threat to My Business?
Social engineering refers to the use of deception to manipulate individuals into sharing confidential or personal information that can be used for fraudulent or malicious purposes. Criminals have been leveraging social engineering techniques for centuries; however, in our new digital reality, the magnitude of this threat has increased exponentially. Threat actors are now able to obtain extensive information on targets by searching the Internet - relying heavily on widely-used social media platforms for their research.
Social engineering scams are highly successful because they exploit human nature. Attack campaigns often prey on people’s inherent desire to help or leverage trust relationships built with a superior, colleague, partner or organization.
Like other cyber threats, social engineering attacks generally follow a standard lifecycle methodology that can be broken down into four clearly-defined steps:
1. Information Gathering: Threat actors identify a target, use Open Source Intelligence (OSINT) techniques to gather as much information on the target as possible, and select the attack method(s) they will use.
2. Establish Relationship: Cyber criminals engage with the victim through targeted communications such as social media messages or spear phishing emails.
3. Exploitation: Attackers use the information and the relationship they have built with the target to gain a foothold, for example by persuading the target to give away credentials or other sensitive information.
4. Attack Execution: Threat actors perform the attack and then cover their tracks, for example by removing any malware or logs they left behind, in order to remain undetected.
Phishing Is A Favorite Lure Among Social Engineers
Phishing is the most common type of social engineering attack used to gain access to account credentials, sensitive data, confidential business information and funds. Phishing has dominated the email threat landscape for decades; however, with the recent increase in remote workers and the proliferation of popular cloud platforms like Office 365 and G Suite, there has been a resurgence in phishing attacks. Unlike past phishing campaigns, modern phishing attacks are sophisticated, evasive and rely heavily on social engineering to appear legitimate. These malicious scams carry serious consequences for businesses including data theft, financial loss, reputation damage, significant downtime and, in many cases, permanent shutdown.
The Cost of a Social Engineering Attack: Two Key Examples:
- In February 2020, an unknown threat actor successfully conned Shark Tank investor Barbara Corcoran out of nearly $400,000 with a spear phishing email using an address nearly identical to that of her assistant and containing a fake renovation invoice.
- Spear phishing campaigns against the Democratic National Committee and the Clinton Foundation resulted in the compromise of a large number of confidential documents, potentially influencing the 2016 presidential election. Many of these documents were stolen by impersonating Google account security notices and asking targeted individuals to reset their passwords, or through the use of a malicious link.
How Can I Defend Against Social Engineering Attacks?
The majority of social engineering attacks are so targeted and deceptive that it has become difficult to blame a user for falling for a scam. After all, even the most security-conscious individuals can be tricked by social engineering. Thus, defending against social engineering attacks requires a comprehensive, fully-managed email security solution that creates a safeguarded environment around the user by preventing malicious mail from being delivered in the first place.
In addition, users and organizations should use strong, unique passwords and multi-factor authentication for all accounts, and be aware of the information they make publicly available online. We suggest checking websites for personal information that may be publicly available (like addresses, phone numbers, etc.) and requesting that it be removed. Services like Have I Been Pwned, which notify users when their email address appears in a published data breach, can help you learn when your credentials or personal details have been exposed.
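The Corcoran example above hinges on a sender address that was nearly identical to a trusted contact's. The following Python is an added example, not code from the original post or from Guardian Digital's products, showing the kind of lookalike-sender check a mail filter or inbox add-on can apply: it folds common homoglyph substitutions (rn for m, 0 for o), measures edit distance against the domains of known contacts, and flags a Reply-To that diverges from the From address. The address book, the sample messages and the domain names are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed address book of trusted contacts (lower-cased display name -> address).
ADDRESS_BOOK = {
    "alex assistant": "alex@known-company.com",
}

# Constructed sample: display name matches a known contact, but the domain is
# "cornpany" (r+n masquerading as m) and Reply-To points at a third-party domain.
SAMPLE_MESSAGE = """\
From: "Alex Assistant" <alex@known-cornpany.com>
Reply-To: alex@invoice-payments-example.net
To: ceo@known-company.com
Subject: Renovation invoice - approval needed

Please approve the attached invoice today.
"""

# Constructed legitimate message from the same contact for comparison.
LEGIT_MESSAGE = """\
From: "Alex Assistant" <alex@known-company.com>
To: ceo@known-company.com
Subject: Meeting notes

Notes from this morning attached.
"""

# Character sequences attackers substitute because they look alike in common fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalise(s: str) -> str:
    """Lower-case a string and fold common homoglyph substitutions before comparing."""
    s = s.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str, address_book: dict) -> list:
    """Return a list of findings for the message's From / Reply-To headers.

    Findings, in the order they are checked:
      display_name_mismatch - the display name is a known contact but the address is not
      lookalike_domain      - the domain is not trusted but closely resembles a trusted one
      reply_to_mismatch     - Reply-To would divert replies to a different address
    """
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    known = address_book.get(name.strip().lower())
    if known and known.lower() != addr:
        findings.append("display_name_mismatch")

    trusted_domains = {a.lower().rpartition("@")[2] for a in address_book.values()}
    if domain and domain not in trusted_domains:
        for trusted in trusted_domains:
            if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 1:
                findings.append("lookalike_domain")
                break

    if reply_to and reply_to.lower() != addr:
        findings.append("reply_to_mismatch")

    return findings


if __name__ == "__main__":
    print("suspicious:", check_sender(SAMPLE_MESSAGE, ADDRESS_BOOK))
    print("legitimate:", check_sender(LEGIT_MESSAGE, ADDRESS_BOOK))
```

These checks are heuristics: a short edit-distance threshold will also flag genuinely unrelated domains that happen to be similar, so in practice they are used to raise a warning banner or route the message for review rather than to block outright, and they complement, not replace, SPF, DKIM and DMARC verification of the sending domain.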
The Bottom Line
People are not computers - but they can still be hacked through the use of social engineering tactics. Combating modern email threats that leverage social engineering techniques requires a fully-managed, all-in-one email security solution that safeguards the inbox against all fraudulent mail potentially leading to compromise.