Techniques for social engineering have been used for thousands of years. The oldest recorded instance can be found in the Bible's book of Genesis, where it is stated that the Devil, appearing to Eve as a snake, played on her hunger by persuading her that God was holding back some powers by banning her and Adam from eating fruit from the Tree of Life. Criminals have significantly increased their use of social engineering over the past few centuries to control and con unwary people into doing things that they would not otherwise do. The introduction of the internet has given criminals access to a vast array of new approaches and prospective targets.
Social engineering is widely used nowadays since it is inexpensive and has had great success. Social engineering techniques target the human aspect, which is the weakest link in cybersecurity, and they are all created to capitalise on human nature. Cybercriminals are coming up with ever more cunning ways to deceive individuals and workers, using several social engineering techniques such as:
Phishing: The attacker uses email, SMS, social media, etc. to trick users into clicking a malicious link, downloading malicious files, or disclosing personal information.
Business email compromise (BEC): A strategy where the attacker assumes the identity of a reliable executive with the authority to handle financial matters for the company.
Baiting: The criminal makes false promises to users and has them disclose personal information or download malware onto their devices.
When the COVID-19 epidemic struck in early 2020, companies and institutions were forced to transition to remote environments. As stated by the International Labour Organization, 59 countries adopted telework policies for non-essential employees as of mid-April 2020. Additionally, governments from all around the world urged employers to permit working from home to increase social distancing. This new normal led to a swift rise in disinformation and a variety of cyberattacks. Hackers and other criminals took advantage of every facet of the situation. Social engineering-based cyberattack volume surged during the pandemic in several industry sectors. Businessinsider.com reports that the FBI acknowledged receiving roughly 4,000 complaints of cyberattacks every month, which represents an increase of 400% from pre-COVID-19.
The Twitter hack was a widely reported incident during the pandemic. cnn.com stated that an attacker took over several well-known Twitter accounts, including those of Apple, Bill Gates, and Barack Obama, and tricked users into sending Bitcoin to a fake account. The fraud netted about $118,000 worth of Bitcoin, but it also resulted in the arrest of a 17-year-old hacker. As stated by Businessinsider.com, this attack was conducted utilising both social engineering and conventional hacking techniques. By persuading a carrier to assign a number to a new phone (a process known as SIM-swapping) and deceiving a Twitter employee into believing he was a Twitter IT employee, the hacker was able to gain control of a cell phone number and obtain private data through social engineering, which enabled him to launch the attack.
Cybercriminals used social engineering to their advantage by exploiting the following aspects of society's overall response to the pandemic:
Increased usage of social media and email: Phishing attacks rose. They are typically hidden in emails with attachments and links. Additionally, predatory and fraudulent content about COVID-19 was broadcast on social media.
Remote employment initiatives: The initiative was new, and many people who worked from home lacked basic cybersecurity knowledge and training, leaving them vulnerable to attack.
Precarious economic conditions: A global recession hit, which led to the stock market crash, inflation, and loss of jobs. People, businesses, pharmaceutical companies that make vaccines, and the public health sector were targeted by cybercriminals with disinformation and social engineering.
Social engineering has become a prevalent technique for cybercriminals. According to KnowBe4, 97% of malware employs social engineering to target users. The main challenge in protecting against social engineering is protecting against human misjudgment. Venkatesha et al. provide general guidelines for combating social engineering, which cover points that have an impact on the demographics that social engineering attackers target. Both administrative and technical safeguards were discussed by Kamrul et al., which include having company policies that employees must adhere to when using social media, installing unlicensed software, and accessing organisation resources, as well as patching and access control policies, to name a few.
The 2020 COVID-19 pandemic is still having a significant impact today. We now understand the need for cybersecurity, especially during periods when we are more exposed. Organisations now face greater cyber risks as a result of the unintended shift in the cybersecurity landscape from the workplace to the home environment. Users are always the weakest link and easiest target for cybercriminals; hence, it is critical to prioritise social engineering training and awareness for users and employees, as this will greatly reduce social engineering attacks.
References
Kamrul Riad A., Shahriar H., Valero M. and Hossain M. (2021). "Cybersecurity Risks and Mitigation Techniques During COVID-19". 2021 IEEE 45th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 1351-1356. DOI: 10.1109/COMPSAC51774.2021.00190
Venkatesha S., Reddy K.R. and Chandavarkar B.R. (2021). "Social Engineering Attacks During the COVID-19 Pandemic". SN Computer Science, 2(2):78. DOI: 10.1007/s4297