How cybercriminals use social engineering to target organisations

For cybercriminals, often the easiest and most effective way of targeting a business is to use social engineering methods to manipulate users into breaching security policies or giving away sensitive information. For a social engineering attack to work, the most important stage is the cybercriminal’s research of the target organisation and its employees. This research stage is made simple due to the prolific nature of social media. In this article we will discuss how cybercriminals use social media and social engineering to target organisations, and what you can do to avoid a cyberattack.

3 steps to a successful social engineering attack

Step 1: Identify a target organisation

In the past, the prime targets for cyberattacks were large organisations as the payoff from a data breach or ransomware attack would be greater than that of a smaller business. However, now all businesses are at risk of a cyberattack. For a cybercriminal, often targeting smaller businesses is more profitable as they typically have a weaker security posture, whilst still having access to a significant amount of customer data. Once a cybercriminal has decided on a target organisation, they will then begin to research the employees to formulate an attack.

Step 2: Research employees

LinkedIn is the first port of call for researching employees in a target organisation. Using an employee's name, the attacker can also find their Facebook, Instagram and Twitter accounts. These social networking platforms give details about hobbies, family members and even the locations employees frequent, through geo-tagged posts.

Having this wealth of information makes it easier to deceive the victim and potentially gives answers to password recovery questions, such as ‘What is your mother’s maiden name?’. Similarly, information about hobbies can be used to tailor a phishing attack. For example, if the victim is a keen cyclist, the attacker could send them a link or attachment purporting to be something cycling related. Unless the victim has strong privacy settings on their social media accounts, all of this information can be accessed without the victim’s knowledge, as the attacker does not need to be followed or added as a friend to view it.

Step 3: Launch attack

With this information there are many attack vectors a cybercriminal could use to gain access to a secure business network, or to infect a business with ransomware. One method is to target the employee’s personal email address with a spear phishing email relating to one of their hobbies or a shop they frequent, containing a malicious link to “reset” their password on an online account. If the victim enters their current password on the fake reset page, and that password is the same one they use for their work account, the attacker now has access to the work account. From there it is simple to launch a ransomware attack or access customer data.

Another method is a direct phishing attack on the victim’s work email. Using the prior research, a cybercriminal may pose as one of the business’s vendors or customers in order to persuade the victim to click a malicious link, giving the attacker access to the network or to the work account. Once they have access to a work account, the attacker can draw on the same social media research to launch a further spear phishing attack from the victim’s own mailbox, targeting someone in the organisation with greater access to customer data.

How social engineering impacts business

Both a ransomware attack and a data breach can be devastating for a business. A data breach has the short-term consequences of potential fines and fees, along with the cost of a forensic investigation. More worrying is the long-term consequence of eroded customer trust and loss of reputation, which can be difficult to recover from.

A ransomware attack may be extremely costly if the ransom is paid to decrypt the data. Sometimes it is possible to decrypt or restore the data without paying the ransom; however, this often leads to significant downtime and the potential to lose data.

How to avoid a cyberattack

There are three key takeaways for businesses trying to avoid an attack. 

  1. Employees should be conscious of what information they share on social media. This is not to say that individuals should not post on social networking platforms, but they should restrict their privacy settings so that only trusted friends and colleagues can view their information and posts.
  2. Businesses should educate employees on how to spot phishing emails and on general cybersecurity awareness. This education and awareness may stop a cyberattack before it is too late.
  3. Businesses should consider investing in a comprehensive cybersecurity solution that decreases the chance of a ransomware attack or data breach.

If you want to find out more about how you can keep your business safe, get in contact with us today.



2021 © Cloud Business Limited