Written by Lloyd Evans, Identity Manager, LastPass JAPAC.
Most of us are familiar with traditional phishing emails, with the telltale signs of a dodgy email being easy to spot. However, phishing scams are becoming increasingly sophisticated and difficult to detect, and unfortunately they are not slowing down in volume.
Although phishing started via email, it now occurs across all digital channels, with the ACCC even warning consumers of the spike in “Hi Mum” scams via text. When it’s too difficult or time-consuming to hack into a sophisticated site or network, hackers can get the job done by abusing someone’s trust or manipulating their feelings. This is where social engineering comes in.
But there are steps we can take to make sure our credentials don’t fall into the hands of cybercriminals, both in our personal and professional lives. Cybercriminals are always looking for ways to get our personal data, so the lesson here is: don’t make it easy for them.
What is Social Engineering?
Cybercriminals are always looking for the easiest way to target and exploit a user’s online information. With over 60% of the world’s population now online, individuals have more accounts and passwords to keep track of than ever, which has created a void in proper cybersecurity practices and understanding. This exposes individuals to unnecessary risk by giving hackers easy access to their data – statistics suggest that 46% of all data breaches are the result of human error.
Even against those who think they are digitally savvy and have password-secured accounts, social engineering is very effective at tricking them into handing over their information. Hackers use this technique to trick victims into giving them confidential data, such as passwords or banking information, so that they can achieve their goals with ease. Sometimes social engineering takes advantage of the trust people have in their colleagues or companies. Other times it preys on people when they feel vulnerable or fearful.
Because so many of us rely heavily on technology for everything from work to grocery deliveries to social media, it’s more important than ever to be able to spot the signs of a social engineering attempt.
Common social engineering hacks
Phishing is still the most common type of social engineering hack, and its most successful form is the one that ends in compromised credentials. This involves people being tricked into revealing their login credentials to an unknown party, which are then used to breach an account and steal information. This social engineering attack continues to impact Australians – the OAIC Notifiable Data Breaches report has consistently found over the past 4 years that phishing via compromised credentials accounted for approximately 30% of cyber incidents.
Although phishing is still very common over email, it has spread to all digital channels. Smishing (phishing via SMS), while not nearly as successful as compromised credentials, has increased sharply over the past 12 months. The spike in “Hi Mum” scams is a perfect display of emotional manipulation.
Scammers also work on victims over a long period of time through dating apps such as Tinder, often spending weeks on a target to extract their information. Once the connection is established, cybercriminals can attempt to emotionally manipulate their victims into sending them money. These attacks prey on people who may feel vulnerable and seek human intimacy, and are therefore very effective. According to Scamwatch, Australians lost nearly $37 million to them in 2021.
Social engineering scams even happen in the workplace through business email compromise (BEC). It remains a major threat to businesses, with the average loss per successful event increasing to over $50,600. Hackers can usually gain access to the corporate network in a very short time by impersonating co-workers to steal information. By simply researching their target online beforehand, they are able to craft a more convincing and genuine-looking message that has a better chance of gaining the victim’s trust.
Key tips for people to protect themselves
By understanding how social engineering scams work, individuals can know where and how to spot when something is wrong and what to do if they fall victim to it.
- A password manager is essential protection against phishing attacks that aim to compromise credentials, because it helps users create and maintain long and complex passwords. Most password managers also tie autofill of your credentials to the specific URL they were saved on, so they won’t submit your information on a phishing URL. A password manager app can also help you identify malicious websites by displaying an icon in the browser bar to indicate that it recognises the site. The app will not show the icon if the site’s address differs from the saved entry, as it does on a misspelled lookalike domain used in a phishing attack.
- Beware of random and unexpected messages. If you receive an unsolicited message, even one that seems legitimate at first glance, be aware that any sender you do not know could be a scammer.
- Don’t assume the apps you know and love are safe. As individuals become more aware of email phishing, hackers adapt. That’s why they increasingly try to reach you through the apps and sites you trust. They know they’re more likely to catch you with your guard down on social media in particular.
- Don’t assume your business communications are secure. If you’ve received an email from a co-worker that sounds weird, listen to your gut. Reach out to that co-worker using another method of communication, such as a phone call, and make sure they sent you this message.
- Use Multi-Factor Authentication (MFA) to give yourself an extra layer of protection, especially if you’ve already suffered a social engineering attack. Even if a hacker has your password, MFA means they will not be able to access your account unless they can also provide another form of authentication that you chose in advance, such as a code from an authenticator app.
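The URL-bound autofill described in the password manager tip above is what stops saved credentials from landing on a lookalike domain. The following is an added illustration, not LastPass code or any real product’s matching logic: a constructed two-entry vault and a matching function that only offers an entry when the page’s host is exactly the saved host over HTTPS, so homoglyph hosts, attacker-controlled subdomains, userinfo tricks and plain-HTTP pages all get nothing.

```python
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical sites): each entry is bound to the
# exact host it was saved on, the way a URL-matched autofill entry would be.
VAULT = {
    "bank": {"scheme": "https", "host": "online.examplebank.com", "username": "alice"},
    "mail": {"scheme": "https", "host": "mail.example.org", "username": "alice@example.org"},
}


def page_origin(url):
    """Return (scheme, host) for the page a user is looking at.

    urlsplit().hostname already lower-cases the host and drops any port and any
    userinfo, so 'https://online.examplebank.com@evil-host.example/' resolves to
    the host after the '@', not the bank. A trailing dot is stripped as well.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme.lower(), host


def matching_entries(url, vault=VAULT):
    """Names of vault entries an autofill should offer on this page.

    Exact host equality is required on purpose: substring or suffix matching
    would accept 'online.examplebank.com.evil-host.example', a subdomain the
    attacker controls, and would also match misspelled lookalike domains.
    """
    scheme, host = page_origin(url)
    if scheme != "https":
        return []  # never fill over plain http, where the form post is readable in transit
    return [name for name, entry in vault.items()
            if entry["scheme"] == scheme and entry["host"] == host]


def autofill_decision(url):
    """Human-readable outcome, the equivalent of the icon appearing or not."""
    names = matching_entries(url)
    if names:
        return "recognised site, offering: " + ", ".join(names)
    return "unrecognised site, nothing offered"


if __name__ == "__main__":
    for u in ["https://online.examplebank.com/login",
              "https://onIine.examplebank.com/login",            # capital I for lower-case l
              "https://online.examplebank.com.evil-host.example/login",
              "https://online.examplebank.com@evil-host.example/login",
              "http://online.examplebank.com/login"]:
        print(u, "->", autofill_decision(u))
```

The sample URLs in the usage block are constructed; only the first one should ever be offered a credential, and a missing icon on any of the others is the cue the tip above refers to.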