In the 21 st century, a large number of businesses and individuals have moved their operations online. As a result, the United States Government has consistently sought to maintain a steady and resilient cyberspace. This notwithstanding, the underlying infrastructure of the country`s cyberspace has witnessed a series of attacks owing to its vulnerability. Various cyber actors infiltrate the cyberspace with an intention of accessing vital information and finances or incapacitating essential services. Concurrently, the government has turned its attention to hackers who debilitate the cyberspace to their advantage, since it is fast becoming a popular method of launching terrorism attacks and also pilfering resources from companies. One of the task forces authorized to deal with cyberattacks include the Cybersecurity and Infrastructure Security Agency (CISA) whose mandate involves defending the country against any form of cyber-attack and also developing critical infrastructure necessary to deal with such an occurrence. In the event that a terrorism cyber-attack is launched, the department of Homeland Security steps in to ascertain the safety of the nation. It is fundamental to note that hackers pose cyber security threats through ways such as Ransomware, DDOS attacks, social engineering and third party software. The launch of malicious attacks via human interaction is currently America`s greatest Cyber threat in 2021.
Background
Social Engineering involves the psychological manipulation of individuals to perform actions or divulge crucial information ( Laguerre, 2020 ). In 2020, a third of cyber security attacks in the United States originated from social engineering ( Bullée & Junger, 2020 ). This is partly due to the COVID-19 pandemic which led many employees to work from home. Equally, many other activities turned towards virtual interfaces in order to sustain various engagements. For instance, with the emergence of Zoom as a popular interface that facilitates communication via virtual networks, it became quite easy for businesses to operate in a bid to mitigate the effects of the pandemic. According to industry analysts, internet usage increased by up to 47 percent between March and May in 2020 ( Bullée & Junger, 2020 ). It is for this reason that the criminals have maintained their vigilance by taking advantage of the increased use of the cyber space.
Delegate your assignment to our experts and they will do the rest.
Transmission
The current information age has forced almost every business to store information and finances on virtual systems; which has in turn led criminals to device novel mechanisms of stealing via such interfaces. According to Laguerre (2020 ), Cyber threats occur when someone gains unauthorized access to an organization`s system device or data communication pathway. Prior to the occurrence of a social engineering attack, the perpetrator undertakes a thorough investigation on their intended victim in order to get some crucial information which may enable them to strike a rapport. Next, the criminal moves to gain the client`s trust by stimulating them to provide critical information which may enable them to infiltrate the targeted system. A social engineering attack is extremely dangerous since unlike other forms of cyber-attacks which depend on system susceptibilities, it relies on the error made by individuals ( Nadikattu, 2020 ). It is often hard to predict the mistakes made by people, and as a result, it becomes difficult to secure systems from subsequent attacks. Besides, humans are prone to error unlike the systems which can be set in such a way that they can hinder unauthorized access to hackers. Social Engineering attacks can occur through various means such as: Phishing, Malware attacks, Baiting, Pretexting, Diversion Theft, Honey trap, Quid pro Quo, Tailgating, Scareware and Water-Holing.
Phishing can be undertaken by individuals or small groups in an attempt to acquire other people`s identity for financial gain. For instance, in 2020, many cyber attackers masqueraded as pandemic officials working for the World Health Organization. Currently, phishing is undertaken through email or websites. The attackers assume the identities of recognized brands, and utilize their trademarks. For example, company logos are used to come up with websites that appear legitimate ( Tapia, Spengler & Goessling-Reisemann, 2017 ). The hackers then utilize the sites to send email to unsuspecting individuals requiring them to provide crucial details such as passwords and bank details. It is perplexing to note that Google alone blocks 100 million phishing emails on a daily basis ( Nadikattu, 2020 ). Alternatively, Microsoft has revealed that most of their clients experience three main forms of phishing attacks, namely: Business email, credential phishing or both combined together ( Nadikattu, 2020 ). In 2020, for example, phishing was utilized through the representation of taglines such as Corona virus updates; hence, making it easy to lure individuals.
Malware, on the other hand, encompasses a variety of malicious software variants which are introduced into a computer system ( Bullée & Junger, 2020 ). In this case, they comprise of codes which cyber attackers come up with in order to take control of data as well as get unauthorized access. It has been reported that 25% of malware attacks target banks and financial institution, making them the most vulnerable to this type of social engineering ( Bullée & Junger, 2020 ). The malware can be sent as a link, email, or file. Once the user clicks on it, they execute the malware, hence, replicating information into their computer system unknowingly. Since the advent of Creeper virus in the 1970s, malwares have become some of the most common tools used by cyber attackers ( Bullée & Junger, 2020 ). Also, the malware can come in form of a virus which spreads quickly corrupting the files present in a computer system. Alternatively, it could be a worm which replicates information to other connected computer interfaces. Besides, in some scenarios, the malware can be a spyware which spies on what someone is doing.
Baiting is just as its name suggests, and occurs where the victim`s greed is elevated by offering them false promises. The technique manages to lure unwary people into offering confidential details unknowingly, thus, making it possible for the attacker to initiate an unprecedented malware. In most cases, attackers utilize physical media to disperse a malware ( Tapia, Spengler & Goessling-Reisemann, 2017 ). For instance, they may leave a flash drive in a public place where they are certain that it will easily be seen and picked up by someone. Once the drive is hand-picked by a passerby, and inserted into their office or home computer, it disbands the malware into the interface. Afterwards, the attacker gains access to sensitive information on the computer that they have managed to bait. It is important to note that baiting can also happen online. An enticing advert can, for example, appear on a victim`s screen prompting them to click on it, after which they are led to a malicious website which emboldens them to download a compromised application ( Tapia, Spengler & Goessling-Reisemann, 2017 ).
Pretexting is yet another common social engineering technique used by the perpetrator. It mainly involves the utilization of well-crafted lies in order to gain the user`s trust ( Nadikattu, 2020 ). It is initiated where the criminal pretends that they need some crucial details from the victim in order for them to be in a position to undertake something of utmost importance. In most cases, the hackers who use the technique impersonate senior people such as bank officials or customer care personnel who ask a series of questions necessary in order for the victim to affirm their identity. When such details are provided, the hacker uses them to gain access to the provider`s account. Some of the particulars asked for may involve: Bank records, phone details, and even the vacation dates for staff ( Bullée & Junger, 2020 ). Since most employees have become aware of this social engineering tool, the perpetrators are coming up with more convincing ways of gaining the victims trust.
Concurrently, diversion theft is one of the most novel forms of social engineering is, which is fast becoming popular. It began offline whereby the perpetrator would trick the courier to pick a package or drop it at the wrong location ( Bullée & Junger, 2020 ). As a result, the mal-actor can access the real package or have their false package delivered to their intended location. This technique first originated from East End London and is spreading fast to other nations. Things became even more serious when the mal-actors turned to technology. Through virtual networks, they divert delivery of goods either by intercepting them or sending the courier to the wrong address. In order for this to be achieved, the perpetrator can prompt the buyer to send wrong details so that they can access the package. Moreover, there are instances where the mal-actor poses as the courier company and requests the client to send confidential information such as bank details, when seeking to have a package delivering to them.
The Honey trap is consistently becoming one of the most commonly used spyware tools for hackers in the 21 st century. It is apparent that most people are in mind-numbing relationships, and, therefore, the perpetrators use this to their advantage. Through this technique, they pretend that they are romantically or sexually interested in the victim in order to keep them engaged ( Nadikattu, 2020 ). Using this technique, the hacker sends some convincing message to initiate a conversation with the user. Usually, they include an attractive image on their profile, or they may choose to send their intended victim a sexually appealing photo in order to spark their curiosity. After consistently conversing with the user, the perpetrator convinces them to send crucial bank details and personal information which they use to their advantage. The honey trap is mostly used for monetary gain, and has become a popular tool used especially against widows or divorced females ( Bullée & Junger, 2020 ). The hacker, nevertheless, conducts a prior study by visiting the victim`s social media platforms in order to identify the most vulnerable person to contact.
Quid pro Quo acts in an almost similar manner to baiting since the user is asked to send particulars by the perpetrator in exchange for a service ( Bullée & Junger, 2020 ). For instance, the hacker may pose as a technology expert of an IT company and tell the intended victim about some product or service that their company is offering. Afterwards, they may require them to provide important login credentials which they will use to their advantage. Conversely, the hacker may tell the victim that they work for a research firm and they would require them to send some specific details such as authorization logins for a company in exchange for a predetermined fee ( Tapia, Spengler & Goessling-Reisemann, 2017 ). In such a case, the mal-actor is depending on the individual`s greed in order to gain access to their own personal information or that of the company that they work for. In some instances, the hacker requires the unsuspecting victim to temporarily disable some software in order for them to install a malicious application. Alternatively, Tailgating could be used to bypass a company`s security protocols. Concurrently, Tailgating occurs where the attacker seeks to gain entry in a restricted area without having proper authentication ( Tapia, Spengler & Goessling-Reisemann, 2017 ). The technique is also popularly known as piggybacking. For example, the attacker may simply wait to walk behind someone who is authorized to access some defined area. In other instances, they may bypass the security system by asking the employee to hold the door for them while posing as people in a similar position in the company.
The scareware attack occurs where the victim is bombarded with alarming threats ( Chen, Dojen, & Jurcut, 2021 ). In this case, the user is duped to think that the system or computer they are using is infected by a virus, hence, stimulating them to install the recommended software, which ends up benefiting the perpetrator. Other names used for scare ware are, fraudware, rogue scanner software and deception software ( Bullée & Junger, 2020 ). It might be easy to detect this social engineering tool since it mostly appears in form of pop up ads on the computer`s interface indicating that a person`s computer could be infected. Upon clicking on it, the user is transferred to a malicious site which belongs to the attacker.
The name Water-Holing was derived from the technique used by predators, where they wait for their prey at Watering holes before they attack. The technique is not new, and is often used to target individuals who use a specific site dutifully. It is a common method whereby a malicious code is injected into the website of a company that their intended victim visits ( Tapia, Spengler & Goessling-Reisemann, 2017 ). For example, if the hacker intends to access financial details of a company, they may target the site visited by the finance representative of the business and install some malicious application or link, which upon clicking allows them to gain access to the company`s system unnoticed. In 2020, 21% of businesses in the United States reported a Water-holing attack ( Laguerre, 2020 ). Usually, a backdoor Trojan is normally installed on the computer, which the hacker can use repeatedly until they finish accessing all the crucial information they require, or pilfering the business` funds. The 2017 NotPetya infection which infected the Ukrainian government website, hence, spreading in the infrastructure of the country is an example of such an attack ( Laguerre, 2020 ). Based on the occurrence, it is clear that water-holing is indeed one of the hardest Social Engineering tools to manage.
Effect
One of the most apparent effects of Social Engineering is the financial losses that the targeted company or individual is likely to experience. It is estimated that globally, financial losses resulting from Social Engineering totaled $ I trillion in 2020, especially since Covid-19 presented new opportunities for hackers ( Bullée & Junger, 2020 ). The amount of money depends on the size of the business and the hacker`s greed. It is, nevertheless, apparent that such attacks affect small businesses more compared to large ones. Some companies are not able to recuperate from the financial losses incurred due to a social engineering, and are, therefore, forced to close down. Usually, financial losses may range from thousands of dollars to millions. Likewise, individuals are also affected by hacking incidents. For instance, in 2020, “Classiscam” a Russian based cybercrime operation resulted in the theft of up to $6.5 million from American and European nationals ( Bullée & Junger, 2020 ). According to Tapia, Spengler & Goessling-Reisemann, (2017 ), companies which take a casual stance towards protecting their systems are likely to be put out of business.
In the United States, data protection legislation is necessary to mitigate the impact emanating from cyber-attacks. Companies which fail to comply with the laid out regulations, are, therefore, likely to encounter more than just financial losses in the event of an attack. There is a possibility that they will be fined for non-compliance, especially when their clients` data is put at risk. Some places such as Europe have put in place several draconian measures, for example, the 20 million euros fine for non-compliance, in a bid to ensure that businesses are rid of the risk of hacking attacks.
The damage associated with Social Engineering is extremely big. An attack on a business is likely to damage its reputation. Global measurement firm Nielsen reported that 84% of consumers trust the recommendations made to them by their families and friends ( Tapia, Spengler & Goessling-Reisemann, 2017 ). In the event that a cyber incident occurs, and one of the clients notifies those who are close to them, it is likely that the affected business will lose consumers` trust. A data breach in the modern era where a company`s website is compromised is likely to force google to blacklist the said firm. Usually, Google manages to attract 95% of search traffic which implies that if it blacklists a business, there is a possibility that prospective clients will not manage to view it upon conducting a search on it’s the search engine ( Bullée & Junger, 2020 ). Moreover, clients are always on the lookout to see how the business they have invested in will respond to a cyber-attack incidence.
One can also not overlook the loss of production that occurs due to a cyber-attack. Successful attacks end up disrupting normal operations in the affected company. In the event of a social engineering attack, the department of Information Technology in such firms is forced to deal with the breach first before partaking in other important tasks that warrant their immediate attention ( Laguerre, 2020 ). Moreover, the company is usually focused on taking precautions to prevent another attack from occurring in future. Similarly, the cost of recovering from a cyber-attack is often too great for some companies to bear. For instance, the affected firm may be forced to hire a response team or even buy expensive software ( Bullée & Junger, 2020 ). Besides, the situation worsens in the event that some clients` data was compromised.
Action
First, businesses should adopt a multifactor authentication requirement for their systems. Credentials are often necessary in order for the attacker to gain access to a company`s system. Using many authentication steps may discourage the mal-actor`s efforts (Nadikattu, 2020) . This is incentive is likely to identify individuals who are potential targets for attackers and take the required measures to reinforce their security. Second, a robust detection control infrastructure is a necessary incentive for businesses to adopt ( Nadikattu, 2020 ). Prevention centric mechanisms will be necessary to minimize the time of detection, so that the business can manage to avert any impending social engineering attack. As part of the company`s security infrastructure, it will be necessary, therefore, for companies to ensure that they have a “well-tuned SIEM/SOAPA/SOAR infrastructure ( Nadikattu, 2020 ).
Third, segmentation and Egress Filtering will be necessary to protect a business` system. Introduction of a malware does not essentially mean that it should be allowed to spread. Organizations often overlook the idea of limiting communication inside and outside a company`s network by introducing firewall policies, yet this will be necessary for them to prevent an attack from spreading ( Nadikattu, 2020 ). Fourth, patching and updating systems constantly will be obligatory. It is necessary for both businesses and individuals to obtain content from reliable sources and also to update their software regularly. For instance, someone should ensure that they do not connect to a Wi-Fi network that belongs to another person since this may expose them to the risk of an attack. According to Nadikattu (2020 ), hacks are often encountered by individuals whose software is not up to date. Besides, it is necessary for someone to pay attention to what they are doing online. A fifth course of action that can be taken is by implementing Zero Standing Privileges. The incentive implies that a user is offered access privileges for a detailed task which is meant to last for a specified duration. In the event that an attack occurs and the hacker gains access to crucial credentials, they will, therefore, not be in a position to access sensitive data stored in the company`s internal systems ( Nadikattu, 2020 ).
Conclusion
To sum it up, Social Engineering is currently America`s greatest threat. In 2020, the Covid 19 pandemic presented an opportunity for hackers to incapacitate various businesses especially due to the increased number of internet users. Social Engineering attacks can occur through various means such as: Phishing, Malware attacks, Baiting, Pretexting, Diversion Theft, Honey trap, Quid pro Quo, Tailgating, Scareware and Water-Holing. Mainly the perpetrators gain access to a company`s system by sending emails to unsuspecting employees which upon opening offer them access to company data. Equally, the hackers may also decide to leave a flash drive which upon installation into a computer network gathers all the data necessary. In addition, the hacker may choose to dupe the victim that they work for some reputable service provider, hence, prompting them to offer them access to their own personal details. 21 st century hackers are consistently becoming more cunning, and adopting more advanced methods of deceiving their target victims. As a result, organizations have made significantly large losses; an aspect that has even put some companies out of business. The need to adopt better techniques of dealing with hacking incidences such as robust detection control infrastructure, as well as segmentation and Egress filtering have, therefore, emerged, however, it is possible that even after such action has been taken, hackers will still find ways of bypassing the system. Finally, the government should come up with regulations that seek to protect the confidentiality of individuals` information, as well as establish stringent measures to deal with the likelihood of a cyberattack.
References
Bullée, J. W., & Junger, M. (2020). Social Engineering. The Palgrave Handbook of International Cybercrime and Cyberdeviance , 849-875.
Chen, J., Dojen, R., & Jurcut, A. (2021). Detection and Prevention of New Attacks for ID-based Authentication Protocols. arXiv preprint arXiv: 2101.12604 .
Laguerre, C. (2020). Social Engineering Strategies within the Financial Industry through Online Banking (Doctoral dissertation, Utica College).
Nadikattu, R. R. (2020). New Ways of Implementing Cyber Security to Help in Protecting America. Journal of Xidian University , 14 (5), 6004-6015.
Tapia, M., Spengler, M., & Goessling-Reisemann, S. (2017). Cybersecurity Vulnerability Assessment of Smart Grids. In International ETG Congress 2017 (pp. 1-7). VDE.
