Currently, the most common way for cyber attackers to infiltrate organisations is through social engineering. Social engineering isn’t about someone breaking code over their glowing keyboard in a dark room. It relies on an individual’s vulnerabilities. They prey on human nature to trick people into letting these attackers in.
Identifying soft spots
While most people may believe they would never fall for such attacks, the truth is, we can all become more prone than others at different times. Anyone experiencing heightened emotions can easily be tricked into making security mistakes, providing unauthorised access to sensitive information, or even giving away the sensitive information themselves.
Take Valentine’s Day for example. Within the Middle East, we have seen this day become a catalyst for cyberattacks – with attackers trying out new ways to target victims, such as phishing emails pretending to be a florist or sharing links to Valentine’s gift offers on social media. Like romance itself, these scams are not limited to February 14th – but that’s when victims can be most vulnerable.
Even those with a special someone can experience heightened emotions around Valentine’s Day. If you’re excited about celebrating a milestone in your relationship, or you’re expecting to receive a surprise, you may be more likely to click on that Gift Card offer without first checking that it’s from a legitimate source.
While love, loneliness and excitement are easily recognisable emotions to take advantage of, anything affecting someone’s emotional life can make them vulnerable. Recently, for example, criminals within the region have been preying on the vulnerabilities of the unemployed and we have seen an increase in those posing as fake job recruiters, or fraudulent ads being placed online.
Controlling the risk
Organisations can defend against these attacks in a number of ways. The risk inevitably increases with the use of non-business apps on corporate devices, so some may choose policies that completely block access to personal apps on business devices. The recent rise in AI, for example, has seen many enterprises contemplate blocking ChatGPT and generative AI tools on their systems. However, outright blocking of all non-business apps can create a stifling culture, limit innovation, and portray a lack of trust in the workforce.
Enterprises can instead implement a light touch method that relies on intelligent tools, along with security teams routinely scanning HTTP/HTTPS traffic, with a more agile approach that moves to the cloud, in a single-pass architecture. Multiple security controls can be used, such as cloud access security broker (CASB), secure web gateway (SWG), threat and data loss prevention (DLP).
They should also focus on education and raising awareness, coaching users to be alert in the moments before they click a link or access an unauthorised application. To help people understand their personal vulnerability, it’s important for personal risks to be highlighted, not just the impact on the business. Using examples of how attacks can impact – and stem from – people’s personal lives can help them better understand how they might be targeted.
Encouraging partnership
Whatever an organisation chooses to do, it’s impossible to prevent employees from ever clicking a nefarious link, and the biggest risk is often when users hide cyber incidents, especially those resulting from social engineering attacks where they might feel personally responsible.
If you’re compromised, reducing the time taken to mitigate the attack is crucial, so blaming victims of attacks is the wrong way to go. The key is to foster a culture of collaboration where the workforce is part of the process, rather than instilling a culture of fear. Educating employees in a climate of partnership can go a long way to reduce the risk of cyber criminals taking advantage of human vulnerability, helping to avoid heartbreak this Valentine’s Day and beyond.
To find out more about Netskope Threat Labs research into cloud threats like social engineering read our latest Cloud and Threat Report “2023 Year in Review.”
Discussion about this post