Social engineering: the art of deception to attack

Social engineering is not a new concept, nor even a concept exclusive to technology, but the advent of technology has made the topic of particular importance for organizations that are in the process of digital transformation and do not want to see their systems attacked.


“I hope this email finds you well. We are implementing some improvements to the security of our systems and we need your collaboration to ensure a smooth transition. As part of this process, we are updating our login protocols to ensure that your personal information and company data are adequately protected. Please follow the link below to update your login credentials.”

The paragraph above could be the beginning of any phishing email; readers will have seen hundreds, if not thousands, of similar messages aimed at their employees, intended to steal information or access credentials from someone inside the organization.

Although phishing is the most pressing type of social engineering, it is not the only one, nor is the topic confined to the digital world: an individual posing as an employee or service provider to gain access to restricted buildings or areas is also social engineering.

The evolution of social engineering attacks

Attackers need a gateway to launch their attacks against an organization, and sometimes the easiest way is not to discover a zero-day vulnerability; it is to attack what sits between the keyboard and the chair: the employee.

Ricardo Silva, Cybersecurity Business Developer at Claranet Portugal, recalls that social engineering is “one of the tactics most used by cybercriminals” which aims “to exploit human trust and behavior to obtain confidential information”. In the digital age, this tactic “continues to evolve as malicious actors adapt to technological changes and the security and cybersecurity practices adopted by organizations.”

Olga Carvalho, Cybersecurity Engineer at Noesis, recalls that social engineering “is an ancient technique that explores and manipulates human psychology” and points to the Trojan Horse, “perhaps the oldest and most popular social engineering attack in history”. Since then, and even though the objective is the same – to deceive – social engineering attacks “have evolved significantly in terms of techniques, sophistication and reach”.

Artificial Intelligence (AI), for example, has come, says Olga Carvalho, “to increase the capacity of tools, such as impersonating the voice of people known to the victims; of the content; and the techniques that cybercriminals use for these attacks”.

For Bruno Castro, Founder and CEO of VisionWare, these attacks are evolving in an “increasingly sophisticated, personalized and targeted way”. Cybercriminals are using more elaborate techniques, “mainly using generative artificial intelligence, through falsifying the image and voice of CEOs, colleagues and customers”.

At the same time, says Bruno Castro, phishing and spear phishing campaigns have also “evolved, becoming increasingly difficult to distinguish”, being “more personalized and containing fewer forms of visual detection”. In addition to “advanced technologies and psychological manipulation”, criminals “have increasingly more means at their disposal to obtain unauthorized access to confidential information”.

The challenges in dealing with attacks

Olga Carvalho recalls that social engineering poses “a great challenge to companies”, since “attacks of this type target human and non-technological vulnerabilities” which are “significantly more difficult to detect”. Therefore, “a good cybersecurity culture with a strong employee education component is the first line of defense against these attacks”.

Test and train (and repeat as many times as necessary)

Carrying out training or courses on the topic and regular awareness exercises – such as phishing simulations – are some of the practices that organizations can and should implement with their employees, shares Bruno Castro. At the same time, it is “essential” to provide “additional training for those who are unsuccessful in the assessments”.

Other practices, says the founder and CEO of VisionWare, include “encouraging the adoption of security measures, such as verifying communication sources before clicking on links or providing confidential information; basically, promoting a growing adoption of a culture of security and digital hygiene that must necessarily pass through all employees, up to top management, without exception”.

Create a culture of security

With threats growing, it is important that employees understand the risk faced not only by themselves but by the company itself. The answer is to create a security culture in which employees are aware of that risk.

It is true that employees should be the first line of defense for any organization, but technology is needed for when that first line fails. Therefore, as Olga Carvalho indicates, the first line of defense is security-aware employees; the second is based on technology.
