Why Your Employees Are Falling For Social Engineering Attacks
5 March 2018 00:00
From phoney emails with harmful links to fake calls asking for sensitive information, social engineering attacks are increasingly targeting your employees. But why are they so successful?
Social engineering is nothing new. For as long as people have walked the face of the Earth, con men have crafted new ways of attack through sophisticated social hacking. But there’s one minor difference in how these attacks are delivered in the modern day, and it all comes down to the surge of online communications.
Attackers have a breadth of new ways of exploiting human flaws through technology, and modern-day employees are feeling the brunt of it. But why do social engineering attacks work so well? And why are employees so easily persuaded into parting ways with highly sensitive data?
Well, it all comes down to a combination of human nature and social norms - and there are five psychological factors in particular that make employees easy pickings.
#1 Curiosity
Our curiosity is targeted every single day. Our email inbox is laden with clickbaity subject lines, and so too are the articles and social posts we try hard to scroll past. Social engineering relies on this - and attackers know we're suckers for the bait.
Even though employees are becoming increasingly aware of fake websites and harmful downloads waiting on the other side of these links, natural curiosity proves a strong force. After all, if we don’t click the link, how do we really know what the cast of “Saved By The Bell” are up to these days?
#2 Trust
Regardless of what you might think after a Monday morning commute, people generally tend to be good and trustworthy in everyday life. This gives businesses a problem.
Most employees don’t come into contact with malicious actors very often, which makes it hard to imagine that the link they’ve received or the request they’ve been sent is of a sinister nature.
#3 Reciprocity / Social Obligations
Online attackers know that a favour can go a long way, as most of us feel indebted to return the gesture - but that isn’t always a good thing.
As a good example, a study from just a couple of years back showed that nearly half of people would give up their password when given a chocolate just before being asked for it. While this same technique is used all the time in social engineering, it's unlikely you'll be getting any chocolates in exchange...
#4 Overconfidence
Overconfidence is another human trait that social hackers take advantage of all the time, and C-level employees are known to be favourite targets for this type of attack.
Spear phishing, whaling and business email compromise (BEC) attacks are becoming more common, with the experience that execs gather over the years often adding to the false sense of confidence when replying to legitimate-looking requests.
#5 Narcissism
Parallel to the growing use of social media is the growing trait of narcissism. Millennials, especially, have grown used to wanting more friends, and to knowing (and making known) where everyone is and what they're doing at any given time.
This kind of information is gold for a social engineering attack, with the narcissistic nature of social media often being used as a go-to resource for scoping a target.
So, what can be done to combat employee social engineering?
There's no denying the difficulty in changing employee behaviour. How do you get your employees to even care about the threat of social engineering, let alone learn the risks and then retain and use that information?
Building a strong cyber security culture might sound like an impossible task, but there are ways to make the job much less daunting. Automated security awareness training is an increasingly utilised approach that enables businesses not only to educate and protect their staff, but to do so without draining time and money.
Social engineering is just one of the key threats that awareness programs can cover in depth, and learner progress is often tracked to ensure that the information isn't just going in one ear and out the other. To get a better idea of how these programs work, get instant free access to the usecure security awareness training platform and have a play around (no card details needed).