Social engineering, the antivirus is not enough

By Miguel Gonzalez, 17/01/2021

Advances in technology have contributed heavily in the improvement of different business areas like customer service, manufacturing, data analysis, and communication. These improvements allow us to monitor and automate several processes, decreasing the human error and increasing the productivity by focusing our efforts on our area of expertise instead of more repetitive simple tasks.

The deal with technology is that we are delegating a great part of our processes to some software or digital system and that itself becomes a vital part in our daily tasks. As a result it also becomes an area of interest for anyone who wants to harm our company. We are not only vulnerable to physical attacks anymore, like a break-in or thievery, but now we have to protect our back in a more abstract way, from IT attacks, as being hacked out of our system or having a data breach.

With that in mind we can take several precautions to protect our business from these threats. For example, there is a whole battery of software applications and systems that are used to reduce vulnerabilities and protect you from different attacks. Some of the most used are access control tools, antivirus software and firewalls. These are really great to protect our systems against viruses, unauthorized access, and other types of attacks, but one of the few aspects of the system they do not protect is the user’s behavior.

This is exactly what a social engineering attack targets, the user’s behaviour. To make it understandable, this type of attack is achieved with human interaction. It’s not like in a software attack where you could have a malicious file that on the first use starts to replicate and infect your computer, or the existence of a vulnerability on an application that allows unauthorized actions. In this case, the goal of the attacker is to manipulate an unsuspecting user into giving sensitive information or influencing the user into downloading malware that affects the whole business.

It may appear that the ones that fall into these types of attacks are really naive, but it’s not like that. The preparation and process that requires a credible social engineering attack is impressive. Generally speaking, the attackers prepare beforehand by investigating all they can about their victim, such as where they work, who they work with, current position, etc. Using that information it is possible for them to build a credible scenario where the unsuspecting victim can easily be cheated on.

A good example of this attack is Toyota’s 2019 attack in which the money lost was around USD 37 million. The attack consisted in a hacker posing as a business partner convincing members of the finance and accounting department to change the recipient’s bank account information in a wire transfer.

Now that there is precedence of many successful attacks on either small or big companies we need to take some security measures to protect our companies. On this type of attack, as we discussed before, an antivirus software is not enough. The best way to prevent it is protecting your privacy and security, especially when online communication is often used.
Some examples to do so would be the use of multi-factor authentication, using strong passwords, limiting the amount of information you share on social media, use of VPN, staying up to date with software updates, and not leaving your unlocked laptop or phone unattended. For a company it would be better to establish and enforce privacy and security policies to avoid employees easily falling on these attacks.

Bibliography

CPO Magazine. (2019, September 20). Toyota Subsidiary Loses $37 Million Due to BEC Scam. https://www.cpomagazine.com/cyber-security/toyota-subsidiary-loses-37-million-due-to-bec-scam/

Kaspersky. (n.d.). What is Social Engineering? Kaspersky. Retrieved 01 15, 2020, from https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering