What if you could eliminate 95% of cybersecurity exploits by doing one thing better? Would you do it? Social Engineering in its many forms accounts for 95% to 99% of common exploits that cybercriminals use to gain initial access to your information assets. There are two simple security controls that you can put in place that would virtually eliminate the threats caused by social engineering.
Social engineering is the use of deception, impersonation, authority, trickery, and fraud used to convince a targeted victim to perform an action that will be harmful to the victim. This process takes advantage of human psychology, and uses emotions such as fear, anger, uncertainty, confusion, and even excitement and happiness against us.
In the FBI’s recent IC3 Internet Crime Report for 2019, the most common crime by number of victims is Phishing, Vishing, Smishing, and Pharming attacks. These are all common forms of social engineering using technologies such as email, telephone calls, text messages, and hijacked or replica web sites. See our recent guest post for explanations of these terms. These exploits open the door to the number one crime by dollars lost, Business Email Compromise/Email Account Compromise (BEC/EAC). In 2019, reported losses from BEC attacks totaled $1.77 trillion dollars. Taking into account unreported losses, the actual total is much higher.
The vast majority of these exploits start with an email, a convincing story, and a link to a fake web page. There are many examples of phishing attacks in my regular Friday Phish Fry posts, like this Wells Fargo phishing attack. The goal of the attack is usually credential stealing, which happens when the victim enters their user ID and password into the login form on the fake web page. With the credentials in hand, the attacker can log into your email account, bank account, work computer, and perhaps other online accounts where you use the same user ID/password combination. The end goal is to separate the victim from their money.
In the opening paragraph I suggested there was an easy solution to this problem. Here they are:
- Multi-factor authentication – Two-factor and multi-factor authentication requires the use of a password and an additional factor, like an authenticator code, to successfully log into any account. Most criminals who have stolen your password will not be able to supply the second authentication factor. This is pretty much game over for the attacker.
- Cybersecurity awareness training – When people know what to look for, they are more likely to successfully identify and resist the exploit. When training is combined with periodic simulated phishing emails, it is even more effective. Many companies provide this sort of training in an affordable subscription model. My current employer, Infosec Systems, is one of those companies.
Both of these solutions are reasonably easy to implement, and are affordable, even by smaller companies without a big cybersecurity budget. I’ve personally worked on three cases where small companies lost amounts from $16,000 to $65.000 to a BEC attack that undoubtedly started as a phishing email or other social engineering exploit. The money they lost would have covered the cost of training and implementing MFA many times over. Don’t wait to become a victim yourself before taking action.