According to the 2020 Verizon Data Breach Investigations Report, even though hacking is reportedly down, social engineering accounts for more than two thirds of attacks.

Of those attacks, 96% of them arrive via phishing. Attackers are using increasingly sophisticated trickery and emotional manipulation to cause employees, even senior staff, to surrender sensitive information.

Social engineering attacks spiked dramatically during the first half of 2020. The FBI also previously reported that, as of May 28, it had received nearly the same number of complaints this calendar year as it did in all of 2019.

Every time an employee clicks on a malicious link — whether through phishing or other means — they are putting the entire organization at risk of exposure. NordVPN Teams highlights the 3 most common types of social engineering attacks in 2020, and what to watch out for:


Phishing

Phishing is the most common type of social engineering attack today. Phishing attacks involve tricking a victim into revealing passwords and personal information, or handing over money. Clicking a malicious link — whether in a phishing email or a text message — can be enough for an account to become compromised. User error also extends beyond clicking: leaving a laptop unattended can just as easily lead to data theft.

“Criminals could trick an individual by posing as a legitimate business or government agency. For instance, you could receive an email asking for donations that’s supposedly from a non-profit, or a phone call from your bank requesting your social security number,” comments NordVPN Teams Chief Technology Officer Juta Gurinaviciute.

There has been a series of major phishing attacks recently, such as the Twitter attack, which took control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, and Apple.


Pretexting

In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider and request the user’s account details and passwords to assist them with a problem.

This gives the hacker a sense of the victim’s personal and professional life, which helps establish the right pretext needed to approach the victim credibly.

“The reality is, cybercriminals are constantly attempting to manipulate their way into secure digital locations. It often starts with a friendly “Hello” and ends with businesses losing thousands—sometimes, millions—of dollars,” Gurinaviciute adds.


Baiting and quid pro quo attacks

In a baiting attack, bad actors provide something that victims believe to be useful: for example, free downloads or free healthcare advice about COVID-19. This is also known as “clickbait”. The bait may be a software update that is in fact a malicious file, or an infected USB token with a label indicating it contains valuable information, among many other methods.

A quid pro quo attack is similar to baiting, but instead of promising something of value to the victim, the attackers promise to perform an action that will benefit the victim, in exchange for another action from the victim. For example, an attacker may call random extensions at a company, pretending to be calling back on a technical support inquiry.

“The most common quid pro quo attack occurs when a hacker impersonates a member of the IT staff in a large organization, and then offers them some kind of upgrade or software installation. They pretend to be helping, but they instruct the victims to perform actions that will compromise their machine,” says the NordVPN Teams expert.

Social engineering prevention

A cost-effective way for enterprises to reduce risks is to firmly cement security at the top of the corporate agenda. Confidential data, intellectual property, and digital systems are only as secure as their weakest users. So, without a security awareness program, risk management strategies may not be as effective.

According to the NordVPN Teams expert, companies also need to enforce multi-factor authentication (MFA). Even with security measures like antivirus software, firewalls, encryption technology, and regular vulnerability tests, a perpetrator can bypass them all if there is no MFA in place.

Companies like Gartner recommend implementing Zero Standing Privileges as part of a company’s defense strategy. This means that a user is granted an access privilege only for a particular task and only for the time needed to complete it. Afterwards, the privilege is rescinded. If the user’s credentials get compromised, even an inside perpetrator will not have immediate access to the business’s data and systems.
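As an added illustration (not code from NordVPN Teams or Gartner), the following Python sketch models the grant lifecycle described above: a user holds no privilege by default, every grant is tied to one task and one expiry, and a grant is rescinded when the task completes, when its lifetime lapses, or when the identity is revoked after a credential compromise. The user names, privilege strings and task ids are constructed for the example.

```python
# Added example: a minimal Zero Standing Privileges broker.
# The caller supplies the clock ("now") so the behaviour is deterministic.
from dataclasses import dataclass
import secrets


@dataclass
class Grant:
    user: str
    privilege: str
    task_id: str
    expires_at: float      # seconds since epoch, per the caller's clock
    revoked: bool = False


class PrivilegeBroker:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}   # grant_id -> Grant

    def request(self, user: str, privilege: str, task_id: str,
                ttl_seconds: float, now: float) -> str:
        """Issue a grant that lives only as long as the task needs."""
        if ttl_seconds <= 0:
            raise ValueError("a grant must have a positive, bounded lifetime")
        gid = secrets.token_hex(8)
        self._grants[gid] = Grant(user, privilege, task_id, now + ttl_seconds)
        return gid

    def complete_task(self, task_id: str) -> int:
        """Rescind every live grant issued for a finished task; return the count."""
        hits = [g for g in self._grants.values()
                if g.task_id == task_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def revoke_user(self, user: str) -> int:
        """Incident response: kill all live grants for a compromised identity."""
        hits = [g for g in self._grants.values()
                if g.user == user and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def is_allowed(self, user: str, privilege: str, now: float) -> bool:
        """Deny by default; allow only on a live, unexpired, task-bound grant."""
        return any(g.user == user and g.privilege == privilege
                   and not g.revoked and now < g.expires_at
                   for g in self._grants.values())
```

Because nothing is granted standing, a credential stolen outside a task window (or after revocation) carries no privilege, which is the property the text describes.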

“Social engineering and unpatched software will remain the top two root causes of successful exploits, as they have been for more than 30 years. Cybercriminals capitalize on instability, which is one reason why social engineering attacks are on the rise during COVID-19,” the NordVPN Teams expert concludes.