Let’s start this article by defining a cyberattack and considering the landscape. A cyberattack attempts to breach an organisation’s or individual’s information system to benefit the cybercriminals financially or cause ongoing disruption to the victim. These attackers can be individuals or, in some cases, organisations. Attacks can disable computers, steal sensitive data or create a launchpad for other attacks from compromised systems. Common attacks include:

Malware
Phishing
Man-in-the-middle
Distributed denial-of-service (DDoS)
SQL injection
Zero-day exploits

What is phishing?

Phishing is a social engineering attack that attempts to gain access to systems by deploying malware through an e-mail link or by tricking people into giving up sensitive information by masquerading as a trusted entity within an organisation.

Phishing is the leading cause of cyberattacks in the world, according to the FBI, and phishing incidents nearly doubled in frequency, from 114 702 incidents in 2019 to 241 324 incidents in 2020. Ninety-six percent of all phishing attacks are delivered via e-mail, so staff training and education are more important than ever before.

This prevalence makes the cost of a breach a scary statistic: IBM’s Cost of a Data Breach Report puts the average cost per compromised record in 2019 at US$150. For context, 5.2 million records were stolen in Marriott’s 2020 breach. That means the cost of the breach could amount to $780-million. But on average, a breach costs organisations $3.92-million.

What is social engineering?

Social engineering refers to all the techniques used to coerce or talk a victim into revealing information that someone can use to perform malicious activities and render an organisation or individual vulnerable to further attacks.

How do social engineering attacks work?

Social engineering acts take place over a series of stages, starting with the investigation of the target victim/organisation and understanding the flow of communication and who sits in the senior roles. The attackers proceed to hook the target by engaging, often via e-mail, spinning a story to trigger the revealing of sensitive information. Once this has taken place, the attacker can then proceed to expand the attack, disrupting more elements and interacting with other key stakeholders. With the attack complete, the attacker will cover their tracks and remove any trace of their work — by this time it’s too late and the damage is done.

What is business e-mail compromise?

Business e-mail compromise (BEC), or CEO fraud, also often referred to as e-mail spoofing, relies on the fact that businesses operate almost exclusively on e-mail in most cases. According to the FBI, BEC is one of the most financially damaging forms of cybercrime currently in use.

The attacker will spoof an e-mail by changing a few characters, hoping to trick the receiver into thinking they’ve received an e-mail from a senior member of the organisation, most likely the CEO or chief financial officer. The fraudulent e-mail will attempt to harvest sensitive data or, in most cases, aim to transfer funds out of the organisation.

The FBI lists BEC as the cybercrime with the highest amount of reported losses — $1.77-billion during 2019 alone. The losses resulting from ransomware over the same period was just $9-million.

What is the best defence against social engineering?

A few strategies are available to help in the defence against social engineering attacks:

Keep anti-malware and antivirus software up to date
Stay up to date with operating system and firmware updates on endpoints
Have a detailed log of staff that handle sensitive data
Ensure two-factor authentication is enabled everywhere it can be
Use strong passwords and don’t reuse the same passwords across multiple accounts and applications
Regular penetration testing can help identify vulnerabilities
Keep staff trained and updated on how to detect and deal with attempted social engineering attacks

About Ava Security
Ava is a global technology company with offices in the UK, Norway and the US. We exist because we believe that we can create a better, smarter way to deliver security. We help organisations see, understand and act on their surroundings to protect their people, business and reputation in real time. For more, visit www.avasecurity.com.