
The 2023 Verizon Data Breach Investigations Report reveals that 74% of breaches involve a human element. IBM’s Cost of a Data Breach 2023 attributes over 95% of data breaches to human error. The findings are clear: as technology advances, so do the methods used for cybercrime. The same tools that enable positive advancements and conveniences can also be exploited for malicious purposes. Some breaches result from simple errors, while others involve deliberate privilege misuse or stolen credentials. However, the tried-and-tested method of social engineering remains a top tactic for cybercriminals because, quite simply, it works. 

What is Social Engineering?

Social engineering is the art of manipulating people into revealing confidential information. It exploits human psychology rather than computer systems, which makes it highly effective.

People are naturally social creatures, susceptible to persuasion and manipulation, and cybercriminals are aware of this. They leverage these traits to gain unauthorised access to company systems, bypass security controls, or steal sensitive data from organisations across various industries. Think of scammers or con artists - it’s essentially the same concept.

Social Engineering Attacks in South Africa

In South Africa, social engineering tactics range from phishing emails and WhatsApp messages to social media scams, pretexting phone calls and impersonation strategies. The South African Banking Risk Information Centre (SABRIC) has reported a dramatic increase in social engineering attacks in recent years, affecting organisations nationwide. The financial impact on South African businesses is significant: in 2022 alone, businesses suffered an estimated loss of R2.2 billion due to such attacks, as highlighted by the Cybersecurity and Digital Forensics Institute. These attacks have damaging effects on company reputations, lead to a loss of customer trust, and are exceedingly costly.

Research indicates that in Africa, just over half of all security incidents (52%) involve social engineering. In more than a third (37%) of successful attacks, vulnerabilities are exploited. Alarmingly, in one out of ten incidents, fraudsters gain access to business resources by compromising credentials.

How to Spot a Social Engineering Attack

Fortunately, common sense is your best defence. If something seems suspicious or doesn’t feel right, it may be an attack. Look out for these common clues:

  • A sense of urgency or crisis: Attackers often create a false sense of urgency to rush you into making a mistake. They may use fear, anxiety, scarcity, or intimidation. For example, you might receive an urgent email from someone pretending to be your boss, demanding sensitive documents immediately. Or you might get a text message from someone posing as SARS, claiming your taxes are overdue and you must pay immediately to avoid a fine.
  • Pressure to bypass or ignore security policies: Be wary of any attempts to pressure you into ignoring or bypassing security protocols you are expected to follow at work.
  • Requests for sensitive information: Be cautious of requests for sensitive information that the requester should not have access to or should already know, such as your account numbers.
  • Unusual messages from known contacts: If you receive an email or message from a friend or co-worker, but it does not sound like them – perhaps the wording is odd, or the signature is incorrect – be cautious.
  • Email addresses from personal domains: Be suspicious of emails that appear to be from a co-worker or legitimate company but come from personal email addresses, such as @yahoo.com or @gmail.com.
  • Curiosity or too-good-to-be-true offers: Be alert to messages that play on your curiosity or seem too good to be true. For instance, you might receive a notification about a package you never ordered or a message claiming you’ve won a prize in a contest you never entered.

Do this: If you suspect that someone is trying to trick or fool you, stop communication immediately.

Understanding Emotional Triggers

Cyber attackers often use various technologies or platforms to try to deceive us, such as email, phone calls, text messaging, or social media. While this can seem overwhelming, most of these attacks share one common factor: they play on our emotions.

We’ve already mentioned urgency, but emotions like anger and surprise can also be powerful triggers. People are more likely to respond to messages that evoke strong feelings or touch on topics they are passionate about. Our natural curiosity can also be exploited. For instance, a cyber attacker might send you a message claiming that a package is undelivered, urging you to click on a link to learn more – even if you didn’t order anything online. Our curiosity can make us want to investigate, but there’s no package - only malicious intent behind that link.

Most importantly, attackers are skilled at using names or brands you trust to convince you to take an action. This is why so many phishing attacks use the names of banks or government agencies – trusted, well-known entities. That’s why it is crucial to double-check email addresses and websites to ensure they are legitimate.
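
For teams that triage reported messages, the clues listed under "How to Spot a Social Engineering Attack" and the advice above to double-check email addresses and websites can be turned into a first-pass check. This is an added example, not part of the original article; the word lists, the freemail list, the placeholder domain bank.example and the sample messages are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this sketch (not from the article): the word lists, the
# freemail list and the trusted domain are illustrative placeholders.
FREEMAIL = {"gmail.com", "yahoo.com"}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|final notice|avoid a fine)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|otp|account number|card number)\b", re.I)
URL = re.compile(r"https?://[^\s>\"']+", re.I)

def host_matches(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(from_header, body, trusted_domains):
    """Return the list of clues found in one message."""
    clues = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    # Clue: a co-worker or company name on a personal mail domain.
    if display and sender_domain in FREEMAIL:
        clues.append("personal-domain sender")
    if URGENCY.search(body):
        clues.append("urgency")
    if SENSITIVE.search(body):
        clues.append("asks for sensitive information")
    # Clue: a trusted name appears in the link, but the host is elsewhere.
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not host_matches(host, trusted_domains):
            clues.append("link to untrusted host: " + host)
    return clues

# Constructed sample messages (bank.example is a placeholder organisation).
TRUSTED = {"bank.example"}
SAMPLES = [
    ("Your Manager <manager.example@gmail.com>",
     "Urgent: send me the payroll file and your password immediately."),
    ("Revenue Service <notice@tax-office.invalid>",
     "Your taxes are overdue. Pay now at http://bank.example.pay.invalid/fine"),
    ("Colleague <colleague@bank.example>",
     "Minutes from today's meeting: https://intranet.bank.example/minutes"),
]
if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", triage(sender, text, TRUSTED) or "no clues")
```

A message with no clues is not proven safe; the check only ranks reports for a human to review, and the second sample shows why the host is compared from the right-hand side rather than searched for the trusted name.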

Five ways to stay ahead of cyber criminals

Now that we know what to look out for, here are five ways you can protect yourself:

  1. Verify identities: Before sharing sensitive information or completing transactions, verify the identity of the person or organisation you are dealing with. Don't hesitate to ask for identification or confirmation if you have any doubts.
  2. Limit personal information: Be cautious about sharing personal information, such as your address, phone number, or financial details, online or over the phone. Only provide such information to trusted and verified entities.
  3. Trust your instincts: If something feels off or too good to be true, trust your instincts. Take a moment to step back and assess the situation before proceeding.
  4. Be mindful on social media: Be careful of the information you share on social media platforms. Avoid posting sensitive details, such as your location or holiday plans, publicly, as cybercriminals can use this information for social engineering attacks.
  5. Secure your devices: Keep your devices and software up to date with the latest security patches and antivirus software. Secure your Wi-Fi network with a strong password and avoid connecting to unsecured public networks.

Stay Ahead of Cyber Criminals

By following these precautions, understanding the emotional triggers, and remaining vigilant, you can significantly reduce the risk of falling victim to social engineering attacks, regardless of the lure, technology, or platform used by bad actors.

About the Author

Del van Rooyen
Chief Information Security Officer, Sasfin Holdings Limited
