Social engineering hacking relies on the manipulation of predictable human behavior to gain access to computer users’ credentials, accounts, or data. Estimates for the average cost of a social engineering hack range wildly, from $130,000 to $4 million.
Cybersecurity tactics such as IT audits, pentesting, vulnerability scanning, reports, and alerts are highly sophisticated. Yet social engineering hacking is able to circumvent this technology by “hacking” our brain instead—taking advantage of our trust, fear, politeness, or inattention. This specific type of hacking may be supported by technology, but the catalyst is psychological exploitation.
In this blog post, we examine how hackers have used social engineering and the various types of hacks including examples, plus how you can act now to either prevent them or to minimize the impacts.
What Is Social Engineering in Psychology and What Does it Have To Do with Hackers?
Social engineering is a term that comes from the field of psychology to describe how people can influence others to take action. For example, pickpockets rely on diversions such as physical jolts on a train, and on our politeness, to divest victims of their wallets.
84% of malicious hacks occur as a result of the manipulation of computer users.
Robert Cialdini’s Research on Persuasion
Robert Cialdini wrote seven digestible “Principles of Persuasion” identifying how humans can be influenced.
- Reciprocity is all about how people feel obliged to give back in kind. This might explain why email recipients tend to answer in kind by responding or clicking on links.
- Scarcity concerns how people want more of things that are rare (FOMO—Fear of missing out). Phishing hacks prompt us to click on dubious links faster for this reason.
- Authority is how people will follow the “lead of credible, knowledgeable experts.” Legitimate-looking messages, links, and websites often fool users.
- Consistency is about how people like to match their previous behavior and words. Many social engineering hacks rely on predictable human responses.
- Liking relates to how we prefer to say yes to those we like. Many hacks will capitalize on this almost imperceptibly—using friendly, empathic language.
- Social proof concerns how humans can be persuaded to behave like others. Hackers capitalize on this factor, prompting you to act the same as you believe others have.
- Unity describes how group members can be heavily influenced by the group. This is how hacking attempts can be innocently spread among communities.
Malicious hackers can depend on our emotions overriding our logical security brain. In the latest nefarious AI hacks, what grandparent would not respond to an AI bot that has been trained to sound like their grandchild out somewhere, alone, and in need of instant cash?
Ways To Recognize Social Engineering Hacking and Business Implications
Here are some different types of social engineering hacking.
| Social Engineering Hack | What Happens |
| --- | --- |
| Baiting | In this attack, your staff members are promised a gift voucher or product if they submit their email address or complete a survey. Clicking on a link leads them to a spoofed login page that grabs their login credentials. |
| Phishing | Hackers frequently use “spoofed” (faked) email addresses to trick employees into thinking they’ve received a legitimate email from someone they know. These emails contain links that lead users to an illegitimate website where they enter their login credentials or banking information, which is subsequently stolen. |
| Honey Trap | Another case is where the hacker assumes a fake online identity, professing love, then a convoluted tale of woe. Once they’ve gained their target’s trust, they persuade them to hand over large amounts of cash to help extricate them from some predicament. |
| Pretexting | Anyone who orders online will be familiar with this one. In this scenario, hackers gain your trust by appearing to be a delivery service, then trick you into paying a small but illegitimate shipping or postal fee. |
Business Implications of Social Engineering Attacks
The fallout from a successful social engineering hack can be devastating.
- The most obvious, immediate, and costly impact is damage to your business reputation in your industry and among your customers.
- The knock-on effect is likely an instant loss in the production of your goods or the provision of your services as you scramble to figure out what has happened.
- This will naturally be accompanied by a reduction in sales, while existing customers start closing their accounts.
- Your team must now identify and fix the vulnerability. And, you must attempt to recover the data, prevent its release or sale, or contemplate paying a ransom.
- Simultaneously, you must fulfill your notification and rectification responsibilities to customers, as outlined by relevant data-security and protection laws across countries. Failing to do these steps may result in financial penalties.
- Legal challenges may also arise and be handled by expensive professionals.
Examples of Successful Social Engineering Attacks, Data Breaches, and Real Business Consequences
Let’s look at two infamous social engineering attacks: how the hack was enabled, what data was exposed, and the remediation actions that followed.
ISACA reports that social engineering hacking ranks number 1 in leading hacks
- In this data breach, a social engineering hacking scam convinced an employee to give a bad actor remote access.
- As a result, a database containing the partial customer ID, names, email addresses, and phone numbers of a reported 7.5 million employees was exposed.
- There is little information available on what Verizon did to rectify this, but they have stated that the situation has been resolved.
- As in many types of hacks, the information may not be immediately actionable, but it could be combined and used to facilitate other more serious attacks elsewhere.
Caesars Entertainment–September 2023
- Caesars Entertainment filed an official 8-K notice to inform the federal regulator that their loyalty program database was hacked.
- The database contained drivers’ license numbers and social security numbers; the compromise was traced to an unnamed, outside IT vendor.
- Caesars paid around half of the $30 million demand in an attempt to prevent the disclosure of the data.
- Right now, Caesars Entertainment is still in operation, with no closure of its casinos or online gaming websites.
MGM Resorts–September 2023
- According to Reuters, Scattered Spider (otherwise known as Muddled Libra and UNC3944) claimed that they hacked MGM Resorts and Hotels (and have been suspected of the Caesars attack too).
- Though there is little information on the details, one of their favored social engineering tactics is to contact a company’s helpdesk pretending to be an employee who has lost their login credentials, armed with just enough information to persuade the call handler. Once they have bypassed multi-factor authentication (MFA) in this way, they locate the company’s most sensitive data and use it to extort the company. Wendi Whitmore, Senior VP at Palo Alto Networks’ threat intelligence arm Unit 42, says: “They are much more sophisticated than many cybercriminal actors.”
- In this case, the hacker group has claimed that they tricked help desk personnel into resetting the MFA used by some highly privileged users. This enabled them to assign higher privileges to, or delete 2FA for, other accounts they controlled. They were even able to evade MGM’s initial attempt to cut off their access once the breach was discovered. Overall, the hack lasted for an eye-watering 10 days.
- MGM Resorts’ systems were shut down for three whole days and its shares naturally fell in value. The latest news includes employees reporting delayed paychecks, throttled HR systems and slot machines, and hotel guests lining up to check out using old-school pens and paper.
- MGM has remained quiet on the issue, stating simply that they had shut down some of their systems to contain the “cybersecurity issue” and were still investigating.
- The FBI is also still investigating both the Caesars Entertainment and MGM attacks.
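The chain described above (a help-desk MFA reset on a privileged account, followed shortly by that account granting roles or removing MFA from other accounts) is something an audit log can be checked for. The following is an added example, not code from the original post or from any organization named in it; the log format, field names and account names are constructed.

```python
"""Added example (not from the original post): a minimal detection rule for the
help-desk MFA-reset chain described above. A help-desk reset of MFA on a
privileged account, followed within a short window by that account granting
roles or removing MFA from *other* accounts, is flagged for review.
Log format, field names and accounts are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample audit events: (ISO timestamp, actor, action, target).
SAMPLE_EVENTS = [
    ("2023-09-10T09:00:00", "helpdesk.bob", "mfa_reset",  "admin.alice"),
    ("2023-09-10T09:04:00", "admin.alice",  "login",      "-"),
    ("2023-09-10T09:06:00", "admin.alice",  "grant_role", "svc.backup"),
    ("2023-09-10T09:09:00", "admin.alice",  "mfa_remove", "svc.backup"),
    ("2023-09-10T14:00:00", "helpdesk.bob", "mfa_reset",  "sales.carol"),  # not privileged
    ("2023-09-10T14:30:00", "sales.carol",  "login",      "-"),
    ("2023-09-10T11:00:00", "admin.alice",  "grant_role", "intern.eve"),   # outside window
]
PRIVILEGED = {"admin.alice", "admin.dave"}      # accounts whose MFA reset is high-risk
FOLLOW_ON = {"grant_role", "mfa_remove"}         # actions that complete the chain

def correlate(events, privileged=PRIVILEGED, window=timedelta(hours=1)):
    """Return (reset_event, follow_on_event) pairs matching the chain."""
    parsed = sorted((datetime.fromisoformat(ts), actor, action, target)
                    for ts, actor, action, target in events)
    alerts = []
    for i, (ts, actor, action, target) in enumerate(parsed):
        if action != "mfa_reset" or target not in privileged:
            continue
        # Look ahead: does the reset account act on other accounts soon after?
        for later in parsed[i + 1:]:
            lts, lactor, laction, ltarget = later
            if lts - ts > window:
                break                       # events are sorted; stop at window edge
            if lactor == target and laction in FOLLOW_ON and ltarget != target:
                alerts.append(((ts, actor, action, target), later))
    return alerts

def summarize(events):
    """One line per flagged chain, for a ticket or SIEM alert body."""
    return [f"{r[0].isoformat()} {r[1]} reset MFA for {r[3]}; "
            f"{f[0].isoformat()} {r[3]} did {f[2]} on {f[3]}"
            for r, f in correlate(events)]

if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

The rule deliberately ignores the reset for the non-privileged account and the role grant two hours later, so the window and the privileged set are the two knobs to tune against your own help-desk volume.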
A later article from The Wall Street Journal added more detail:
- According to this report, MGM Resorts International refused to pay the ransom demand. It describes why: “MGM’s decision not to pay hackers is in line with guidance from the Federal Bureau of Investigation, which doesn’t support paying ransom. Doing so doesn’t guarantee that a company will recover its data, but does reward hackers and encourage bad actors to target more victims, the FBI’s website says.”
- They also reported that, “Service disruptions from the attack and efforts to resolve the issue will cost the company more than $100 million in the third quarter, MGM said in a regulatory filing Thursday [October 5, 2023].” However, the paper reports that the costs won’t end there. “MGM said service disruptions would have a $100 million negative impact on adjusted property earnings…. The cost of remedial technology consulting, legal and advisory services was less than $10 million.” In addition, “The incident took a toll on occupancy of its resorts, the company said in the filing, with occupancy down to 88% in September from 93% a year earlier.” MGM noted that they have cybersecurity insurance to cover the financial losses.
- But the impact didn’t stop there. Chief Executive Bill Hornbuckle said in a letter to customers that hackers stole customer information including names, phone numbers, addresses, dates of birth, and driver’s license numbers—as well as a “limited number of customers’ social security and passport numbers.”
What Happens When You’re Hacked and How You Can Limit the Damage
Here is a quick summary of four fiduciary and legal responsibilities that are set out in international data-security standards and local data-protection legislation.
- The latest rules from the U.S. Securities and Exchange Commission (SEC) from July 2023 state that publicly traded companies must publicize details of hacks within four days. Other countries’ regulations require declarations between 24 hours (China, Singapore) and 72 hours (E.U., U.K., Canada, South Africa, Australia).
- You must inform affected users individually about what has happened and provide them with instructions of what they should do right away (for example, you may log out all affected users and force a password reset, advise them to change their password and log out on all devices, or configure multi-factor authentication).
- You are required to state how to contact your organization if they suspect someone has accessed their account, or if they have any questions.
- Finally, you need to announce what you are doing now and what you intend to do next, including further hardening measures for your networks, endpoints, website applications, and other company collateral.
Examples of Failed Social Engineering Hacks
The news is not all bad! Let’s look at a few infamous social engineering hack attempts that were repelled.
World Health Organization–During the Covid 19 Pandemic of 2019-22
- The World Health Organization (WHO) announced that an attempt had been made to steal user passwords. It was representative of many hack attempts made on hospitals and other health organizations during this time—capitalizing on the heightened emotions and other stresses of the period.
- No information was leaked in this attempt.
- The WHO had already informed staff about bad actors who had been impersonating staff, and using phishing emails and websites. Forewarned is forearmed.
Coinbase 2023–Not the First Hack
- Coinbase announced that they were the subject of a malicious hack, one of several in the last few years.
- Ultimately, customer data and funds remained unaffected, though the hackers were able to extract some contact data belonging to staff. Attackers had managed to get the login credentials of a single employee following an SMS phishing message that prompted several engineers to log in to their company accounts to read a message.
- The company reported that their security protocols—in this case, multi-factor authentication and a phone-call directly to the employee in question within 10 minutes of the system alerting another employee—prevented further loss.
- The company has been open about how they countered the hackers’ methods.
What Can You Do To Repel Social Engineering Marauders?
Hackers don’t need your team’s passwords. They can sidestep your technical security measures using the social engineering tactics of influence observed by Cialdini.
Informed and Armed Leaders
While the big hacks that hit the news are often large-scale and financially devastating, small firms are also at risk.
- Is your management team familiar with the latest social engineering hacking methods?
- Is your staff aware of the ways hackers operate, or are they blinkered by the misleading hacker-in-a-hoodie cliché?
- Is a program in place to run an IT audit and conduct regular vulnerability testing?
- What are the latest defense methods? Do you have a schedule to ensure they’re implemented soon?
Deployment of a Cybersecurity Framework
- Have you studied the recommendations of frameworks such as NIST CSF, ISO/IEC 27001, and CIS CSC, and your obligations under regulations such as GDPR (EU) and similar laws?
- Do you have a written set of guidelines?
- Have you identified and prioritized your security risks?
- Do you have a program to work on closing the gaps?
For further information, see The Importance of Cybersecurity Frameworks for Businesses.
Watchful Cybersecurity Culture
Further action includes ensuring your new written guidelines are reinforced with a management-led, security-first culture:
- Are your guidelines written down and updates communicated to staff?
- Do you operate with the Zero Trust or Principle of Least Privilege models?
- Are you planning to run persuasive simulated phishing exercises?
- Do staff members know what to do and how to report suspected hack attempts?
- Are the responsible people ready to act?
Researchers think that the Caesars Entertainment hack was carried out through a third-party vendor. Do your suppliers’ policies or Service Level Agreements explain how they keep their clients’ data secure? Does everybody at your organization know they should maintain a healthy skepticism when receiving phone calls, texts, and emails in case someone is pretending to be one of these partners?
Bad actors will target the less-well-informed members of your team (as well as the system administrators who have the most access). Staff training is right at the top of the list of defensive tactics—everyone from marketing and sales, to admin and accounts.
Book a Compliance Audit to Reinforce Your Perimeter’s Security Posture
In the conscience-free zone inhabited by those whose design is to gain unauthorized access, steal, or otherwise hold your company data to ransom, your next action is to get your strike in first.
Contact us today to get started with a comprehensive IT Audit, and training for your team, to set you up with a proactive stance that will withstand the next attack.