It shouldn’t be news to anyone that people sharing information online are concerned about the safety of their data. Imperva recently conducted a study with YouGov plc regarding consumers’ attitudes towards data, whether they feel in control of their personal data, and if they trust the organizations tasked with protecting this sensitive information. Three trends emerged from this study.
- Most consumers (64 percent) believe they have no choice about sharing data online. If they want to use specific online services, they are more or less obligated to do so as part of a “quid pro quo”. At the same time, consumers share data so frequently they’ve lost track of it. In fact, a significant minority gave up caring altogether – 27 percent report not having bothered to change passwords that they know are compromised.
- The vast majority of consumers (86 percent) worry about data theft and its consequences. The main (58 percent) concern being hackers stealing their money and never getting it back. A majority (74 percent) say their faith in digital service providers’ willingness to keep personal data secure has dropped, or at best remained unchanged, over the past five years. It doesn’t seem like stricter data privacy rules have moved the faith needle at all.
- In spite of the lack of faith in digital service providers, many consumers continue to overshare personal information online. Two-fifths (40 percent) of consumers have used cloud messaging services to discuss something they’d prefer to keep private, even though 47 percent say doing so would ruin relationships if the conversation was leaked. More concerning, one-in-ten worry they could have their children taken away if these private discussions were exposed.
For digital organizations, protecting sensitive data is a fundamentally good business decision. There are dozens of tactics that organizations can use to make it harder for bad actors to breach architectures; some are simple and cheap, and others are complex and more costly. Ideally, these tactics are part of an overall application and data security strategy that protects the entire enterprise. That said, just like the perfect building security system cannot keep thieves out if they have the keys and alarm codes, the most well-conceived and efficient cybersecurity program on Earth will not keep cybercriminals from compromising your organization and stealing your data if employees and consumers are simply giving them the information they need to get in.
Strong organizational security practices are essential, but they are only part of the solution. Cybercriminals have figured out that it’s often easier to get employees and consumers to give them legitimate sensitive data enabling them to access personal accounts and enterprise architectures than it is to engineer complex schemes to sneak in. Once they are in, that’s when they can do real damage. Organizations must familiarize both their employees and consumers of their products and services with the tactics cybercriminals use to get them to do things that are not in their or the organization’s best interest.
Social engineering refers to a broad range of malicious activities that cybercriminals accomplish using human interactions. They use psychological manipulation to trick people into making security mistakes or giving away sensitive information. Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources. There are many social engineering tactics; these include phishing, spear phishing, smishing, and vishing.
Phishing and smishing
Cybercriminals use phishing to steal user data, including login credentials and credit card numbers. An attacker, masquerading as a trusted entity, tricks a recipient into opening an email, instant message, or text message (smishing). Then they trick the recipient into clicking a malicious link in the body of the message, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
Spear phishing is a more targeted and personalized phishing attack that refers to a specific individual, group, or organization to which the recipient belongs. In a spear-phishing attack, the attacker looks beyond points of entry and weak security protocols to focus the attempt on personal information that the victim has shared in a public space like LinkedIn, Facebook, Twitter, Snapchat, Instagram, etc. For example, a phishing email might spoof Amazon with the understanding that the majority of potential victims have Amazon accounts and may be duped. A spear-phishing attack could reference your employer, your town, your alma mater, your marital or parental status – anything that differentiates you. Most people don’t think of the many ways to get this information but frankly, spending five minutes on a social media site would suggest it’s not that hard.
In a vishing (short for voice phishing) attack, a cybercriminal uses the phone to steal personal information from their targets. Cybercriminals use social engineering tactics to persuade victims to provide personal information, typically with the goal of accessing financial accounts. Like traditional phishing or smishing, the vishing attacker must convince the victim that they are doing the right thing by cooperating with the cybercriminal. The attacker might pretend to represent the police, government, tax department, bank, or the victim’s employer.
How enterprises and consumers can mitigate social engineering
The best defense: make yourself a hard target. Here are some specific easy practices to stop yourself, your employees, and your consumers from making a bad decision and falling victim to attack:
- Don’t open emails and attachments from suspicious sources.
If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker.
- Be wary of tempting offers.
If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
- Keep your antivirus/antimalware software updated
Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
- Get and give training in cybersecurity best practices
Ensure your employees and the consumers of your digital services have sufficient training to identify social engineering scams and know what to do when they present themselves.
Try Imperva for Free
Protect your business for 30 days on Imperva.