Caspar Herzberg |
The Greek army pulled off the greatest example of social engineering thousands of years ago when they wiped the floor with their opposition in the city of Troy. The Greeks deceived their counterparts in Troy by appearing to surrender with the gift of the Trojan Horse. Laced with soldiers, these troops then popped out of the wooden trophy at night and opened the gates, allowing the rest of the Greek army to enter, leading to the fall of Troy.
Thousands of years later, the Trojan Horse is more commonly used now to describe a type of security exploit designed to inflict the same misery as the Greeks did to Troy only to your computers and networks instead – opening the gates. A Trojan Horse ‘virus’ tricks the users into inadvertently inviting malware onto their PC, which can lead to potentially devastating effects.
How about when someone posing as a gas repair man waltzes up to your door, instructing you that there’s a fault with your boiler and that he needs to fix it immediately. You let him in the gates by opening your door. He proceeds to charge £50 for ‘fixing the major problem’ and just like that, you’re a victim of social engineering.
Most probably believe that they’re smart enough and alert to these methods of subterfuge, so wouldn’t let said person into their home. So why are so many people allowing cyber criminals to crack their PC by neglecting some obvious and easy to deploy methods of defence? Social engineering is on the rise, so much so that it cost businesses more than US$2.3billion in 2015. It can be used as a destructive means to destroy or spy on data or computer software and for the theft of identity, data and money.
Closer to home, at Microsoft’s Future Decoded event in November past, Chancellor of the Exchequer, Philip Hammond MP, announced the government’s strategy to help tackle social engineering and cybercrime. He said: “Just as technology presents huge opportunities for our economy, so too it poses risks. There are three core pillars to the strategy; defend, deter and develop.”
This helps to illustrate the scale of these attacks. Microsoft recently published an eBook on social engineering and its devastating impact, which revealed that a staggering 99.7% of documents used in attachment-based campaigns relied on social engineering. Furthermore – as if it couldn’t be any worse – 98% of URLs in malicious messages were linked hosted malware.
These are worrying statistics and the fact that many aren’t aware of them or the potential impact from social engineering is concerning. Cybercrime follows the money, leading it directly to social media which has become the playground for those posing on fake or fraudulent profiles, otherwise known as phishing. Companies such as Google and Adobe are part of the famed Fortune 100, however, they are also the most targeted with almost half of the profiles proclaiming to represent them on Facebook being unauthorised.
The Greeks may have the first recorded case of social engineering, but in the digital age, spear phishing is now the most common means of deception. It’s done by floating email inboxes daily and is usually accompanied by a catchy subject title, sent under a pseudonym proclaiming to be someone working for a household name, such as Apple or Netflix, coupled with a subject line about a recent transaction or billed statement. These contain malicious links to websites that look almost identical to the website of the company being used as cover – but this is only a disguise for these hackers. You enter your personal and/or credit card details and voila; your identity, payment details and everything attainable using this information is compromised.
Real world prevention strategies are part of a list of tangible changes you can implement for security policies. It is essential for these to be articulate and easy for every user in your organisation to understand. Educating your colleagues is the greatest form of defence from these attacks and doing so should be at the forefront of any organisation, ensuring they’re aware of the different methods of social engineering is critical.
So, when a meticulously woven Trojan Horse arrives at your gate, take appropriate action and always question its authenticity. You wouldn’t let someone enter your home, so why keep the door left wide open to your data?