Whether it goes by the name WannaCry, Petya or Mirage, ransomware is widespread these days, causing grief, frustration and financial losses wherever it strikes. Hardest hit are smaller organisations that lack a dedicated cybersecurity department.
Setting aside the technical side of ransomware attacks (to be addressed in a future blog post), these attacks aim to infect the backups and hard drives of a target organization with malware that encrypts the data, making it unreadable for anybody but the holder of the unique secret decryption key. The hackers then proceed to extort a ransom from the victim in order to have the data restored. However ingeniously these viruses may work once they have infected corporate IT systems, they all spread through the same means – peopIe.
Social Engineering
Amongst cybersecurity professionals, any attempt to trick, scam, defraud and extort people online is referred to as social engineering. The term refers to every instance where mailcious actors use the internet to influence people, usually to steal money from them or gain sensitive information that they can turn into profit.
Most commonly, social engineering takes the form of phishing, whereby individuals faslify emails and send them to unsuspecting victims, who believe the messages to be genuine. The attackers then use the trust of the victims either to elicit sensitive information with which to infiltrate the networks of the targeted organization or to extract money from the victim through wire fraud. This lucrative strategy is used by cybercriminals and corporate spies alike, causing estimated financial losses of over €3 billion worldwide in 2016, with an average cost of up to roughly €3.1 million per incident.
Exploiting Human Psychology
The reason that this type of cyberattack is so effective is that it takes advantage of little human flaws. For example, our mind often corrects reality according to patterns we remember from earlier, even if our eyes tell a different story. Thus, misspelled words are often corrected automatically by our brains. For example, did you notice the misspelling of the word “falsify” in the fourth paragraph? Or the word “malicious” in the third paragraph? Did you realize that the word “people” at the very end of the second paragraph was written with a capitalized i instead of an l, which is slightly shorter?
These small tricks are used by hackers to spoof email addresses and domains to imitate legitimate businesses and organizations that usually would be trusted by their targets. When we trust, we often refrain from critical thinking and don’t double-check the messages we receive, assuming the source is correct. Attackers can abuse this to infect the computer systems and mobile devices of their targets.
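As an added example (not part of the original post), the sketch below shows how a mail filter could flag sender domains that imitate a trusted one using the two tricks demonstrated above: look-alike characters, such as a capital I for a lowercase l, and swapped adjacent letters. The trusted list, the character map beyond I/l and all addresses are constructed assumptions.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED and every address used with it are constructed placeholders.
TRUSTED = {"example.com", "payroll.example"}

# Characters that look alike in common fonts, folded to one representative.
# Only I/l comes from the article; the other pairs are assumed additions.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def skeleton(domain: str) -> str:
    """Fold look-alike characters as displayed, then lowercase."""
    return domain.translate(CONFUSABLE).lower()


def is_transposition(a: str, b: str) -> bool:
    """True if b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip()
    if domain.lower() in TRUSTED:          # genuine domain, any letter case
        return "trusted"
    skel = skeleton(domain)
    for good in sorted(TRUSTED):
        target = skeleton(good)
        if skel == target or is_transposition(skel, target):
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for sender in ("billing@example.com",       # genuine
                   "billing@payroII.example",   # capital I twice instead of ll
                   "it@exmaple.com",            # 'a' and 'm' swapped
                   "news@other.example"):       # unrelated domain
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A match here is a reason to hold a message for review, not proof of fraud; the check only compares the displayed domain against the domains you already trust.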
The Upside
However, simple strategies are available to spot and effectively defend against social engineering attacks. Cyberlight Security was created to help small and medium enterprises face the dangers that lurk online. Throughout our training, such as the Security Highlights workshop, we teach every employee how to spot social engineering attacks and how to avoid falling victim to them.