Why should you be worried about the large number of successful social engineering attacks taking place in the U.S.? In September 2019, the FBI announced that $26 billion was lost in Business Email Compromise/Email Account Compromise (BEC/EAC). That’s an astounding number! Given how simple some of these attacks are, it makes you wonder what makes social engineering attacks so successful.
What is social engineering?
Social engineering refers to a diverse spectrum of malicious activities that exploit human psychology to gain access to sensitive information. It is more an art than a science where attackers manipulate people and exploit the human tendency to trust to gather information. The information these attacks seek could be your passwords, bank information, credentials that control your computer/accounts, access to your network, or corporate intellectual property.
For example, an attacker impersonating a CEO might email someone in the accounts payable department asking them to pay a vendor invoice. Or an attacker poses as an employee of a company and asks HR to change his direct deposit information. Or perhaps the hacker sends an email claiming that your account has been compromised and requesting that you change the password using a link in the email. These are all examples of credential phishing attacks.
The human factor and our tendency to trust
The success of social engineering attacks can be attributed to the fact that they manipulate our human weakness to trust. Timothy R. Levine, a distinguished professor and chair of the department of communication studies at the University of Alabama–Birmingham, explains this human tendency in his book Duped: Truth-Default Theory and the Social Science of Lying and Deception. The truth-default theory, using decades of empirical research, explains how humans have a near-universal mindset to accept the content of incoming communications as accurate. The thought that maybe we shouldn’t trust the communication doesn’t even come to mind. While this helps us to function socially, it makes us vulnerable to deceit.
Malcolm Gladwell takes this concept a step further in his book, Talking to Strangers, where he explains that defaulting to truth does not mean we don’t have doubts. We trust someone not because we have no doubts, and belief is not the absence of doubt. On the contrary, we trust because we don’t have enough doubts to shake us from our truth-default position.
Going back to the CEO impersonation example above, suppose the attacker, posing as the CEO (John), sends the following email from a Gmail account to Harry in accounts payable. Let's take a closer look at the email and apply the truth-default theory.
I need an urgent favor from you. I am on the road and don’t have access to work email. I got a call from ABC corp regarding the recent invoice. It looks like they are making changes to their processes and request that we do a wire transfer this time around. Let me know if we can do this. I will get back with more information.
What will Harry's mindset be when he reads this email? He might be surprised that his CEO sent it from a Gmail account and not his corporate account. Maybe there is some doubt. However, John does explain that he is on the road and cannot access work email, and the Gmail address does carry John's first and last name. If Harry has doubts about the wire transfer, John again explains why the vendor made this one-time request. There is a sense of urgency in the tone, and all John is asking is for Harry to reply and say whether he can help. Why should Harry be concerned? An average person in this situation will default to trust. Once Harry replies and initial trust is established, the attacker's job becomes even easier: follow up with bank details and get the fraudulent wire transfer executed.
How to protect your business from social engineering attacks?
While training your employees and raising awareness will help, this is not a fail-safe option. According to a McKinsey analysis, 28 percent of the workweek is spent reading and answering emails. This translates to 2.6 hours spent and 120 emails received on a daily basis for an average American worker. That volume of email is a significant amount of information to process, and the human brain cannot be vigilant all the time to spot malicious intent in every message.
A more automated multi-layered technical solution will be required to analyze incoming emails and detect social engineering attacks. The solution should be sophisticated enough to profile and predict such attacks and proactively stop such suspicious emails from reaching your employees.
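To make the idea of automated analysis concrete, here is an added example (not SilverSky's product code and not part of the original post) that scores an incoming email on the same signals the CEO impersonation scenario above relies on: a display name that matches a known executive but a sender address that does not, a free webmail domain, a Reply-To that points elsewhere, and urgency, payment and "I can't be reached" pretext language in the text. The corporate domain example.com, the executive directory, the keyword lists and the weights are all assumptions chosen for the demonstration; the two sample messages are constructed, the first reusing the email body from the post.

```python
import email
import re
from email.utils import parseaddr

# Assumed corporate domain and a one-entry executive directory (hypothetical).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"john smith": "john.smith@example.com"}
# Common free webmail providers; a real deployment would maintain a fuller list.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|invoice|direct deposit|gift cards?|bank details)\b", re.I)
PRETEXT = re.compile(r"\b(on the road|don'?t have access to (my )?work email|in a meeting|can'?t talk)\b", re.I)

# Weights are assumptions; identity mismatch alone is enough to flag.
WEIGHTS = {
    "display_name_impersonation": 3,
    "reply_to_mismatch": 2,
    "freemail_sender": 1,
    "urgency": 1,
    "payment": 1,
    "pretext": 1,
}
FLAG_THRESHOLD = 3


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return the signals found in one RFC 822 message, a score and a verdict."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = _domain(addr)
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")

    signals = []

    # Display name belongs to a known executive but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        signals.append("display_name_impersonation")

    # Replies would go to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        signals.append("reply_to_mismatch")

    if sender_domain in FREEMAIL_DOMAINS:
        signals.append("freemail_sender")
    if URGENCY.search(text):
        signals.append("urgency")
    if PAYMENT.search(text):
        signals.append("payment")
    if PRETEXT.search(text):
        signals.append("pretext")

    score = sum(WEIGHTS[s] for s in signals)
    return {"signals": signals, "score": score, "flagged": score >= FLAG_THRESHOLD}


# Constructed sample: the post's CEO-impersonation email, sent from webmail.
SAMPLE_BEC = """From: John Smith <john.smith.ceo@gmail.com>
To: harry@example.com
Subject: Urgent favor

I need an urgent favor from you. I am on the road and don't have access to work email. I got a call from ABC corp regarding the recent invoice. It looks like they are making changes to their processes and request that we do a wire transfer this time around. Let me know if we can do this. I will get back with more information.
"""

# Constructed sample: a routine internal message from the real executive account.
SAMPLE_LEGIT = """From: John Smith <john.smith@example.com>
To: harry@example.com
Subject: Q3 planning deck

Harry, can you send me the latest vendor spend summary before Thursday's planning meeting? Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The identity check is the one that matters most: the post's email is convincing precisely because the pretext explains away the Gmail address, so a filter that only looks at wording would be argued down the same way Harry was. A mismatch between a trusted display name and the address behind it is a fact the pretext cannot change, which is why it carries the heaviest weight here.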
Are you concerned about social engineering attacks? Do you fear your employees could receive such emails? Contact SilverSky to learn about our social engineering protection solutions.