Hack your brains before a hacker does

7 Mar 2024

Practical staff training as a key element of defense against social attacks 

In the world of information security (IS), one of the most attack-prone and difficult areas to protect is the human element. Social engineering, a methodology aimed at manipulating people to perform certain actions, has always been and still is one of the most effective tools for criminals.

A vivid example of successful social engineering, although not from the computer sphere, can be found in the movie “Catch Me If You Can”, which is based on real events. This is the story of legendary con man Frank William Abignale, Jr., who was able to outwit the authorities of 26 countries in five years. Abignale displayed amazing powers of transformation, posing as an airline pilot, a sociology professor, a doctor and a lawyer. This emphasizes how dangerous and subtle the art of social engineering can be.

When looking at examples of computerized social engineering, the first to be mentioned is Kevin Mitnick, one of the most famous hackers in history, who used social engineering as a key tool to break into networks and systems. He masterfully tricked company employees over the phone by impersonating their colleague to gain passwords and access to sensitive information. Not only did Mitnick hack into systems, but he also had a detailed understanding of the social aspects of security, which allowed him to bypass technical defenses by exploiting the human element.

One of the most famous phishing schemes is the “Nigerian Prince” emails, where attackers posing as members of the royal family or government officials promise large sums of money in exchange for providing their banking information or sending a small amount of money to cover “transaction costs.” Although the scheme is now widely known, many variations continue to successfully defraud people around the world.

In 2011, RSA Security fell victim to a sophisticated social engineering attack when attackers sent phishing emails to employees with an attachment containing malicious code. One employee opened the attachment, which allowed the hackers to install a backdoor on the company’s network and ultimately gain access to information about RSA’s security technology used to protect multiple government and corporate networks.

In July 2020, there was a large-scale attack on Twitter that compromised the accounts of celebrities, politicians, and large companies. Attackers used social engineering to gain access to Twitter’s internal tools and management systems by tricking company employees. They then published messages asking people to send bitcoins to a specified address with the promise of doubling the funds sent. This incident underscored the significance of social engineering in modern cyberattacks.

In this context, effective defense measures that not only prevent attacks but also actively counter them become critical.

In this article, we examine the importance of social engineering simulation as part of an overall information security strategy. We will determine what benefits social engineering simulation brings to companies and what steps companies can take to effectively utilize this tool. Let’s start by defining social engineering in the context of cybersecurity.

What is social engineering?

Currently, social engineering is encountered in virtually every field of endeavor that involves the human factor. Based on its wide application, the definition of social engineering is interpreted differently depending on the context.

In the context of cybersecurity, social engineering is a method of manipulation and deception to obtain sensitive information or perform certain actions that could lead to the compromise of an information system or data breach. Unlike technical attack methods that exploit vulnerabilities in software and hardware, social engineering targets vulnerabilities in the human factor. What is meant by these vulnerabilities?

The OSSTMM (Open Source Security Testing Methodology Manual) information security standard introduced in 2001 emphasized the importance of trust as a fundamental aspect in information security. This approach emphasized that mutual trust between users and systems is key to protecting information. However, the 2007 version of the standard introduced a radical change to this concept, stating that “trust is vulnerability”. In the context of social engineering, this statement emphasizes that attackers can exploit trust as a weakness in information protection by using manipulation and deception to bypass technical and procedural security barriers.

Social engineering can take the form of email phishing attacks, social media communications, calls requesting access to systems, or even physical access to premises under various pretexts. Such attacks can be very difficult to detect and pose a serious threat to any company, regardless of size or industry.

What the statistics of social engineering incidents reveal

After analyzing the year 2023, we can say that social engineering in all its manifestations has taken center stage, becoming a key issue in information security and in defense against cyber threats. This period has seen a significant upheaval: what was previously considered a minor security issue has now become a major cyber threat. 

Observations reveal a number of key moments in social engineering in the past year.

Social engineering in general. 98% of cyberattacks are based on social engineering. In 2023, social engineering has become the primary method of attack for attackers. There has been a dramatic increase in social engineering tactics, including phishing websites (54%), emails (27%), fraudulent social media schemes (19%), and messengers (16%). The total number of social engineering incidents occurring in the third quarter of 2023 reached the highest level ever.

Attacker priorities. Social engineering remains the top threat to individuals and a major attack vector for organizations. The professional services business sector and government agencies continue to be prime targets for corporate social engineering. At the same time, scammers often use the tactic of sending emails that look like official letters from government organizations, banks, or other companies to deceive their victims.

Evolution of methods. In 2023, attackers have increased their use of new methods, such as phishing via Microsoft Teams and using PDFs for stealth phishing. In addition, in early 2023, Darktrace announced a 135% increase in malicious emails characterized by significant linguistic deviations in syntax, semantics, grammar, and sentence structure. This development is in line with the widespread adoption of tools such as ChatGPT, likely indicating the growing potential of generative artificial intelligence to create more sophisticated and convincing phishing attacks.

Brand spoofing. Check Point Research published a list of the top brands for phishing scams in the second quarter of 2023. The list of top brands ranked by total phishing attempts is led by Microsoft (29%), Google (19.5%), Apple (5.2%), Wells Fargo (4.2%), Amazon (4%), and others. First, the dramatic rise in phishing attacks aimed at mimicking well-known brands such as Microsoft, Google, and Apple highlights how attackers are leveraging users’ trust in these companies to steal personal information. Second, the focus of attacks on the technology sector, banking, and social media indicates that hackers select targets that have a wide audience and a significant amount of sensitive data. Finally, the use of the same methods despite changing target brands suggests that tactics such as phishing are highly effective.

Cybercriminal organizations. The K2A243 (SCATTERED SPIDER) group is an example of an organization that actively uses social engineering techniques such as calls and SMS, as well as attacks through the Microsoft Teams platform using DarkGate malware. Another example is the ransomware group BlackCat, which accessed 80 GB of data from Reddit in February 2023. The group demanded a $4.5 million payout, as well as the cancellation of planned API pricing changes in exchange for the return of the data.

Impact of the attacks. As of 2023, social engineering has a success rate of about 90%, making it one of the most common types of attacks on networked systems. The average annual loss from a social engineering incident in 2023 was about $130,000. Companies typically lose this amount due to theft of money or destruction of data. When social engineering leads to a massive data breach, the damage can reach hundreds of thousands of dollars and sometimes even millions. Organizations are most likely to experience a data breach as a result of successful attacks (56%). Disruption to core business operations is less common but remains a significant consequence (36%).

What is social engineering simulation?

You can only partially protect yourself against social engineering with technical methods and tools. Tools for filtering e-mail, detecting malicious attachments and links, and suspicious activity on the network and on computers are only helpful until they begin to hinder the work of users, or when attackers manage to bypass these security tools.

Therefore, it is important to focus not only on the technical aspects of information security, but also on employee training. They are the main line of defense in preventing social attacks, and they must be aware of the manipulation tactics and deception techniques that attackers can employ. Knowledge of social engineering countermeasures helps employees take appropriate action with confidence. Social engineering simulations are widely used to address such challenges.

Social engineering simulation is the development and implementation of simulated or modeled situations in which social engineering tactics and techniques are used for the purpose of practical training, exercising and testing in a controlled environment. 

The main purpose of social engineering simulation is not only to improve the awareness but also the actual preparedness of personnel for potential threats, and assessment of the preparedness of the entire organization for social attacks, identify weaknesses, and develop strategies to improve information security.

Social engineering simulations, compared to technical means and purely theoretical training, have a number of benefits that are tangible for businesses and other organizations of all sizes. The main pros include improving staff skills, improving response to potential attacks, and creating a more robust data protection system.

Let’s take a closer look at how social engineering simulations can bring real benefits to your organization.

  • Realistic attack scenarios. Attack scenarios are created based on realistic, state-of-the-art techniques used by attackers. This approach makes training as effective as possible, because personnel are familiar with the most likely scenarios and are trained to recognize attacks when they occur.
  • Identifying vulnerabilities. Analysis of employee reactions to simulated attacks allows you to identify not only hypothetical but real weaknesses, not only in psychological security, but also in organizational and technical security. Using this data, the organization can take steps to address vulnerabilities and improve security systems.
  • Increased staff awareness and proactivity. Participating in simulations helps employees better understand attack methods and realize the importance of following security rules, which makes employees more vigilant and ready to take the right actions in such situations.
  • Reduced risk of incidents. A trained workforce that can recognize and prevent social engineering attacks reduces the risk of data breaches and other cyber threats. This approach helps to ensure information privacy, improve the overall security culture, reduce direct and indirect losses from incidents, and preserve the company’s positive reputation.
  • Improving the effectiveness of your security policy. Simulation results allow you to evaluate the effectiveness of your company’s current security policy. Using this data, you can make the necessary changes and improvements to your risk management strategies, codes of ethics, and corporate culture.
  • Regulatory Compliance. Many regulators require organizations to demonstrate compliance with information security standards. Conducting social engineering simulations gives you the opportunity to not only ensure security, but also demonstrate regulatory compliance.

Evaluating the results of social engineering simulations is an ongoing process. It is important to conduct simulations on a regular basis to monitor changes in employee awareness, response skills and the effectiveness of protective measures.

Based on the results, the employee training program should be adjusted, and the company’s defenses against social engineering attacks should be improved.

Which companies can benefit from social engineering simulations

Consider a few types of companies for whom social engineering simulations can be a particularly valuable resource in ensuring cybersecurity and protecting sensitive data.

Company typePotential benefits of social engineering simulations
Organizations with high security standardsMinimize the risk of leakage of confidential or sensitive information.
Countering state and commercial espionage.
Financial organizationsProtecting customers’ electronic money and financial data from fraud and cyberattacks.
Train employees in the financial industry to develop skills to detect and defend against fraudulent attempts, which helps maintain customer confidence and regulatory compliance.
Technology organizations or divisions of organizationsProtect valuable data and intellectual property from theft and cyber threats.
Train staff to identify risks and protect valuable data from leaks and unauthorized access.
The nation’s critical infrastructure and other organizations with high business continuity requirementsPreventing unauthorized access to critical systems, shutting them down, damaging them, damaging people’s health, lives, and the environment.
Companies with a wide network of employees working remotelyHelp train employees to identify fake requests for access to systems or information, which is especially important with the increasing number of remote workers and the risk of social engineering attacks.
Educational institutionsTrain students and staff to identify and prevent attacks that target learning resources and personal data.
Ensuring the security of information and protecting students and staff from cyber threats.

If your company type is not mentioned in the table above, it does not mean that social engineering simulations are not right for you.

Every organization, regardless of size or industry, is susceptible to social engineering, so it needs to be protected, and can customize social engineering training and simulations to meet its specific needs and threat level. After all, every company has unique characteristics and traits that may require a customized approach to social engineering training and defense against social engineering. 

Phishing simulation programs are tailored to an organization’s specific needs and characteristics. This approach allows you to emphasize vulnerabilities and prepare your staff for the specific types of attacks your company may face.

We offer free consultations on social engineering defense. We can design and implement training and simulation programs to meet your requirements and expectations. After all, even the most robust data protection system can be vulnerable if employees are not familiar with social engineering techniques and are unable to recognize the manipulations of attackers.

Protect your company from social engineering today – contact us for a free consultation.

Other posts

10/04/2024
Trends in Cyber Challenges and Solutions 2024
30/03/2024
Blog and social media security for business